Federal Deposit
Insurance Corporation

   [¶12,236] In the Matter of MemphisFirst Community Bank, Memphis, Tennessee, Docket No. 04-132b (7-12-04).

   A cease and desist order was issued, based on findings by the FDIC that it had reason to believe that Respondent was engaged in unsafe and unsound practices. (This order was terminated by order of the FDIC dated 9-30-05; see ¶16,438.)

   [.1] Bank Operations—Capital Markets Department Investments Products policy, re-adopt

   [.2] Bank Operations—Training Program Required

   [.3] Bank Operations—User Manual Required

   [.4] Bank Operations—Employee Access

   [.5] Bank Operations—New Accounts

   [.6] Information Technology Plan—Implementation of Plan Required

   [.7] Disaster Recovery Plan—Required

   [.8] Information Technology Plan—Appointment of Knowledgeable Individual Required

   [.9] Bank Operations—Review Documentation for the JHA System

   [.10] Bank Operations—Risk Assessment Required

   [.11] Information Technology Plan—Revise Audit Policies

   [.12] Shareholders—Disclosure of Cease and Desist Order Required

   [.13] Progress Report—Written Report Required
 

In The Matter of:
MEMPHISFIRST COMMUNITY BANK
MEMPHIS, TENNESSEE
(Insured State Nonmember Bank)
ORDER TO CEASE AND DESIST

FDIC-04-132b

   MemphisFirst Community Bank, Memphis, Tennessee ("Bank"), having been advised of its right to a Notice of Charges and of Hearing detailing the unsafe or unsound banking practices and alleged to have been committed by the Bank and of its right to a hearing on the alleged charges under section 8(b)(1) of the Federal Deposit Insurance Act ("Act"), 12 U.S.C. §1818(b)(1), and having waived those rights, entered into a STIPULATION AND CONSENT TO THE ISSUANCE OF AN ORDER TO CEASE AND DESIST ("CONSENT AGREEMENT") with counsel for the Federal Deposit Insurance Corporation ("FDIC"), dated July 1, 2004, whereby solely for the purpose of this proceeding and without admitting or denying the alleged charges of unsafe or unsound banking practices and violations of law and/or regulations, the Bank consented to the issuance of an ORDER TO CEASE AND DESIST ("ORDER") by the FDIC.

   The FDIC considered the matter and determined that it had reason to believe that the Bank had engaged in unsafe or unsound banking practices and had committed violations of law and/or regulations. The FDIC, therefore, accepted the CONSENT AGREEMENT and issued the following:

   IT IS HEREBY ORDERED that the Bank, its directors, officers, employees, agents, and other institution-affiliated parties (as that term is defined in Section 3(u) of the Act, 12 U.S.C. §1813(u)), and its successors and assigns, cease and desist from the following unsafe or unsound banking practices: operating without adequate oversight of the Bank's government securities dealer activities and operating without adequate oversight of the Bank's information systems.

   IT IS FURTHER ORDERED that the Bank, its institution-affiliated parties, successors and assigns take the affirmative actions as follows:

   [.1] 1. Within 60 days of the entry of this ORDER, the Bank shall re-adopt and fully implement its Capital Markets Department Investments Products policy dated July 1999, as amended in October 2003; or within 10 days of the entry of this ORDER, the Bank shall cease transactioning all Government Securities Dealer activities.

   [.2] 2. Within 60 days of the effective date of the ORDER, the Bank shall develop comprehensive data entry training for employees. This training will include orientation on the various Board approved Information Technology policies, proper data entry procedures and the proper handling of confidential customer data.

   [.3] 3. Within 60 days of the effective date of the ORDER, the Bank shall utilize all available documentation on the Jack Henry and Associates ("JHA") system as well as the commentary concerning "User Manual Documentation" found on page 12 through 22 in the Federal Financial Institution Examination Council's 1996 Information Systems Examination Handbook to develop comprehensive user manuals for use by Bank employees. These user manuals will address: data entry, account maintenance, and account reconciliation. The Bank shall establish a training program fully explaining and demonstrating how to work within JHA's operating environment. The training will be conducted periodically and will also be conducted prior to an employee's accepting new job responsibilities.

   [.4] 4. Within 60 days of the effective date of the ORDER, the Bank shall evaluate all employee user access levels, and determine whether each employee's assigned access level is appropriate based upon the requirements of their assigned job, as well as providing for the appropriate level of duty separation. Procedures shall also be implemented to provide for at least quarterly reviews of user access levels to ensure appropriate levels are maintained.

   [.5] 5. Within 30 days of the effective date of the ORDER, the Bank shall develop procedures to insure: that all accounts, loans, other data entry requests, and file maintenance is supported by a written input document; and that a knowledgeable, independent party compares the input document with the system report maintenance log detailing the transaction, to insure that the information was appropriately authorized and correctly entered into the system.

   [.6] 6. Within 60 days of the effective date of the ORDER, the Bank shall insure that all of its Information Technology related services are provided pursuant to written contracts. These contracts shall comply with the Information Technology guidelines set out in Appendix B to Part 364 of the FDIC Rules and Regulations. They shall also address all of the Information Technology areas discussed in Chapter 22 of the Federal Financial Institution Examination Council's 1996 Information Systems Examination Handbook, specify the services to be provided, the responsibilities of all parties to the contract, and provide a system for measuring the quality of the services provided pursuant to the contract.

   [.7] 7. Within 90 days of the effective date of the ORDER, the Bank shall revise its Disaster Recovery / Contingency Plan to insure that the procedures and arrangements needed to continue operations during an emergency or after a disaster are compatible with the Bank's processing arrangements with JHA. Once the plan has been developed, it shall be approved by the Board of Directors, and tested within 90 days of Board approval.

   [.8] 8. Within 30 days of the effective date of the ORDER, the Bank shall appoint a knowledgeable individual to oversee its Information Technology operation as well as its processing arrangements with JHA.

   [.9] 9. Within 30 days of the effective date of the ORDER, the Bank shall review the documentation for the JHA system and determine what activity and exception reports, detailing such items as user activities, system utilization, and data file changes, are available to assist management in overseeing all operations of the bank that are impacted by work processed through the core application system. Procedures will also be adopted for the production and review of these reports by knowledgeable independent individual(s) on a regular basis.

   [.10] 10. Within 90 days of the effective date of the ORDER, the Bank shall conduct a risk assessment taking into consideration the new processing environment, and arrange to have the Information Security Program independently tested. These activities will follow the guidelines for such activities outlined in Appendix B of Part 364 of the FDIC Rules and Regulations.

   [.11] 11. Within 180 days of the effective date of the ORDER, the Bank shall revise its audit policies and programs to ensure that all Information Technology risk-related areas are effectively and appropriately audited.

   [.12] 12. Following the effective date of this ORDER, the Bank shall send to its shareholder or otherwise furnish a description of this ORDER, (i) in conjunction with the Bank's next shareholder communication, and also (ii) in conjunction with its notice or proxy statement preceding the Bank's next shareholder meeting. The description shall fully describe the ORDER in all material respects. The description and any accompanying communication, statement, or notice shall be sent to the FDIC, Accounting & Securities Unit, 550 17th Street, N.W., Room F-6043, Washington, DC. 20429 for review at least 20 days prior to dissemination to shareholder. Any changes requested to be made by the FDIC shall be made prior to dissemination of the description, communication, notice, or statement.

   [.13] 13. On the twentieth day of each quarter following the effective date of this ORDER, the Bank shall furnish written progress reports to the Regional Director of the Dallas Region/Memphis Area Office ("Regional Director") and the Commissioner of the Department of Financial Institutions for the State of Tennessee ("Commissioner") detailing the form and manner of any actions taken to secure compliance with this ORDER and the results thereof. Such reports may be discontinued when the corrections required by this ORDER have been accomplished and the Regional Director and Commissioner have released the Bank in writing from making further reports.

   The provisions of this ORDER shall be binding upon the Bank, its directors, officers, employees, agents, successors, assigns and other institution-affiliated parties of the Bank.

   The provisions of this ORDER shall remain effective and enforceable except to the extent that, and until such time as, any provisions of this order shall, have been modified, terminated, suspended, or set aside by the FDIC.

   This ORDER shall become effective ten (10) days after issuance.

   Dated: July 12, 2004.