Each depositor insured to at least $250,000 per insured bank


Home > Regulation & Examinations > Bank Examinations > FDIC Enforcement Decisions and Orders





FDIC Enforcement Decisions and Orders



ED&O Home | Search Form | Text Search | ED&O Help


{{11-30-05 p.12463.1}}

[12,463] In the Matter of MemphisFirst Community Bank, Memphis, Tennessee, Docket No. 05-103b (8-22-05).

A cease and desist order was issued, based on findings by the FDIC that it had reason to believe that respondent was engaged in unsafe and unsound practices.
{{11-30-05 p.12463.2}}

[.1] Management—Qualifications Specified

[.2] Violations of Law—Corrections of Violations Required

[.3] Compliance Program—Written Compliance Plan Required

[.4] Bank Operations—Conflict of Interest Policy Regarding Insiders Required

[.5] Information Technology Plan— Implementation of Required

[.6] Information Technology Plan— Audit Required

[.7] Shareholders—Disclosure of Cease and Desist Order Required

[.8] Board of Directors—Committee to Review Compliance with Cease and Desist Order Required

[.9] Definitions—Outside Director

[.10] Progress Report—Written Report Required

In the Matter of
MEMPHISFIRST COMMUNITY BANK
MEMPHIS, TENNESSEE
(Insured State Nonmember Bank)
ORDER TO CEASE AND DESIST

FDIC-05-103b

MEMPHISFIRST COMMUNITY BANK, Memphis, Tennessee ("Bank"), having been advised of its right to a Notice of Charges and of Hearing detailing the unsafe or unsound banking practices and violations of laws or regulations alleged to have been committed by the Bank and of its right to a hearing on the alleged charges under section 8(b)(1) of the Federal Deposit Insurance Act ("Act"), 12 U.S.C. §1818(b)(1), and having waived those rights, entered into a STIPULATION AND CONSENT TO THE ISSUANCE OF AN ORDER TO CEASE AND DESIST ("CONSENT AGREEMENT") with counsel for the Federal Deposit Insurance Corporation ("FDIC"), dated August 22, 2005, whereby solely for the purpose of this proceeding and without admitting or denying the alleged charges of unsafe or unsound banking practices and violations of laws or regulations, the Bank consented to the issuance of an ORDER TO CEASE AND DESIST ("ORDER") by the FDIC.

The FDIC considered the matter and determined that it had reason to believe that the Bank had engaged in unsafe or unsound banking practices and had committed violations of laws or regulations. The FDIC, therefore, accepted the CONSENT AGREEMENT and issued the following:

ORDER TO CEASE AND DESIST

IT IS HEREBY ORDERED that the Bank, its directors, officers, employees, agents, and other institution-affiliated parties (as that term is defined in section 3(u) of the Act, 12 U.S.C. §1813(u)), and its successors and assigns cease and desist from the following unsafe or unsound banking practices and violations:

    (a) Operating in violation of section 23A of the Federal Reserve Act, 12 U.S.C. §371c, made applicable to state nonmember banks by section 18(j)(1) of the Act, 12 U.S.C. §1828(j)(1); sections 215.4, 215.5, 215.6, and 215.8 of the Board of Governors of the Federal Reserve System Regulation O, 12 C.F.R. §§215.4, 215.5, 215.6 and 215.8; and Board of Governors of the Federal Reserve System Regulation F, 12 C.F.R. Part 206.5(b);

    (b) Operating in violation of the Currency and Foreign Transactions Reporting Act (31 U.S.C. §5311 et seq.) (the Bank Secrecy Act) ("BSA") and the rules and regulations implementing the BSA issued by the U.S. Department of the Treasury (31 C.F.R. Part 103) ("Financial Recordkeeping"); the FDIC's BSA Compliance Regulations, 12 C.F.R. Part 326 ("BSA Compliance"); and the FDIC's Suspicious Activity Report Regulations, 12 C.F.R. Part 353 ("Suspicious Activity Reports"); and

    (c) Operating with a board of directors that has failed to provide adequate supervision over and direction to the active management of the Bank.

IT IS FURTHER ORDERED that the Bank, its institution-affiliated parties, and its successors and assigns take affirmative actions as follows:
{{11-30-05 p.12463.3}}

[.1] 1. (a) During the life of this ORDER, the Bank shall and thereafter retain qualified management to restore and maintain the Bank to a sound condition. Each member of management shall have the qualifications and experience commensurate with his or her duties and responsibilities at the Bank. Such management shall include a BSA Officer who is qualified and responsible for the implementation and oversight of the Bank's BSA Compliance Program.

(b) The qualifications of management shall be assessed on its ability to:

    (i) Comply with the requirements of this ORDER;

    (ii) Operate the Bank in a safe and sound manner, including the safe and sound operation of the Bank's BSA Compliance Program;

    (iii) Comply with all applicable State and Federal laws, rules, and regulations, including, but not  limited to, all BSA laws, rules, and regulations; and

    (iv) Restore all aspects of the Bank to a safe and sound condition, including the Bank's BSA Compliance Program.

(c) During the life of this ORDER, the Bank shall notify the Regional Director and the Commissioner in writing of any changes in any of the Bank's directors and senior executive officers, including the Bank's BSA Compliance Officer. For purposes of this ORDER, "senior executive officer" is defined as in Section 32 of the Act, ("Section 32), 12 §1831(i), and section 303.101(b) of the FDIC Rules and Regulations, 12 C.F.R. §303.101(b), and includes any person identified by the FDIC and the Tennessee Department of Financial Institutions, whether or not hired as an employee, with significant influence over, or who participates in, major policymaking decisions of the Bank.

(d) Prior to the addition of any individual to the board of directors or the employment of any individual as a senior executive officer, including the Bank's BSA Compliance Officer, the Bank shall comply with the requirements of Section 32 and subpart F of Part 303 of the FDIC Rules and Regulations, 12 C.F.R. §§303.100–303.104. Further, the Bank shall request and obtain the Regional Director and the Commissioner's written approval prior to the addition of any individual to the board of directors and the employment of any individual as a senior executive officer, including the Bank's BSA Compliance Officer.

[.2]2. (a) Within 60 days from the effective date of this ORDER, the Bank shall correct all violations of laws or regulations cited in the Report of Examination of the Bank as of January 18, 2005 ("2005 Examination").

(b) Within 60 days from the effective date of this ORDER, the Bank shall implement procedures to ensure future compliance with all applicable laws, rules, and regulations.

[.3] 3. (a) Within 60 days from the effective date of this ORDER, the Bank shall adopt a comprehensive, written BSA Compliance Program. The BSA Compliance Program shall be submitted to the Regional Director and Commissioner for review and comment. Within 30 days from the receipt of all such comments from the Regional Director and the Commissioner and after revising the plan as necessary, the Bank shall adopt the plan. Such adoption shall be recorded in the minutes of the Bank's board of directors' meeting. The BSA Compliance Program shall be implemented immediately upon adoption by the Bank's board of directors.

(b) The BSA Compliance Program shall provide for an effective system of internal controls to ensure compliance with the BSA, Financial Recordkeeping, BSA Compliance, and Suspicious Activity Reports.

(c) The system of internal controls shall require the Bank to, at a minimum:

    (i) Identify reportable transactions and gather the information necessary to properly complete the required reporting forms;

    (ii) Ensure that all required reports are accurate, proper, complete, and timely filed.

    (iii) Ensure that customer exemptions are properly granted and documented; and

    (iv) Provide for separation of duties to ensure personnel completing required reports are not responsible for filing them.

(d) The Bank's board of directors shall appoint a qualified BSA Compliance Officer to coordinate and monitor the Bank's compliance with the BSA, Financial Recordkeeping, BSA Compliance, and Suspicious Activity Reports. This individual shall have the authority to recommend and enforce policies to ensure compliance with the BSA, Financial Recordkeeping, BSA Compliance and Suspicious Activity Reports.
{{11-30-05 p.12463.4}}

(e) The Bank shall implement a training program for all appropriate personnel covering compliance with the BSA, Financial Recordkeeping, BSA Compliance, and Suspicious Activity Reports. The initial training shall be completed within 90 days from the effective date of this ORDER. The Bank shall thereafter conduct additional training on a regular basis, but not less than annually. Employees receiving the initial and subsequent training shall include, but not be limited to, all current or new employees employed by the Bank as tellers, new accounts personnel, lending personnel, bookkeeping personnel, and wire transfer personnel. The training program shall also ensure that senior Bank management and the Bank's board of directors are informed of any changes to or developments in the BSA, Financial Recordkeeping, BSA Compliance, and Suspicious Activity Reports regulations, and any changes in the Bank's BSA responsibilities.

(f) Within 90 days of the effective date of this ORDER and at least annually thereafter, the Bank shall independently test the BSA Compliance Program to ensure proper controls are in place to comply with the BSA, Financial Recordkeeping, BSA Compliance, and Suspicious Activity Reports regulations. The independent test shall be conducted by a qualified person or entity independent of the Bank's BSA Compliance Program. The independent testing program shall, at a minimum:

    (i) Test the Bank's internal procedures for monitoring compliance with the BSA, Financial Recordkeeping, BSA Compliance, and Suspicious Activity Reports, including interviews of employees who handle cash transactions;

    (ii) Test the large currency transactions followed by a review of the currency transaction report filings;

    (iii) Test the validity and reasonableness of the customer exemptions granted by the Bank;

    (iv) Test the Bank's recordkeeping system to ensure compliance with Financial Recordkeeping, BSA Compliance, and Suspicious Activity Reports; and

    (v) Document the scope of the testing procedures performed and the findings of the test.

(g) The results of each independent test as well as any apparent exceptions noted during the testing shall be presented to the Bank's board of directors. The board shall record the steps taken to correct any exceptions noted, address any recommendations made during each independent test, and record its actions in the minutes of the Bank's board of directors' meetings.

(h) Within 60 days from the effective date of this ORDER, the Bank shall develop and adopt written procedures designed to detect and report any known or suspected criminal violations committed or attempted against the Bank or involving a transaction(s) through the Bank aggregating $5,000 or more. A copy of such written procedures shall be submitted to the Regional Director and the Commissioner for review and comment. Within 30 days from the receipt of all such comments from the Regional Director and the Commissioner, and after revising the procedures as necessary, the Bank shall adopt the procedures. Such adoption shall be recorded in the minutes of the Bank's board of directors' meeting.

[.4]4. (a) Within 60 days of the effective date of this ORDER, the Bank's board of directors shall develop written policies and procedures pertaining to agreements with insiders for the provision of any goods or services to the Bank by such insider ("Insider Vendor Agreements"). Such written policies and procedures shall, at a minimum, require the Bank's board of directors to demonstrate and document in the minutes of its board of directors' meetings that all Insider Vendor Agreements are in the Bank's best interest; and detail the duties and responsibilities of each of the parties to the Insider Vendor Agreements. Such written policies and procedures shall be submitted to the Regional Director and Commissioner for review and comment. Within 30 days from the receipt of all such comments from the Regional Director and the Commissioner, and after revising the policies and procedures as necessary, the Bank's board of directors shall adopt the policies and procedures. Such adoption shall be recorded in the minutes of the Bank's board of directors' meeting. Such policies and procedures, once adopted, shall apply to all Insider Vendor Agreements, whether in existence on the date of adoption of the policies and procedures, or arising after such date. For purposes of this ORDER,

    (i) "Insider" means all Bank executive officers, directors, principal shareholders, and their related interests.

    (ii) "Related interest" means a company that is controlled by an executive officer,


{{11-30-05 p.12463.5}}

    director, or principal shareholder of the Bank.

    (iii) A "company" means any corporation, partnership, trust (business or otherwise) association, joint venture, pool syndicate, sole proprietorship, unincorporated association, or any other form of business entity not specifically listed herein.

(b) All Insider Vendor Agreements pertaining to Information Technology shall comply with recommendations set forth in the Federal Financial Institutions Examination Council's ("FFIEC") June 2004 Information Technology Handbook entitled "Outsourcing Technology Services," as more fully set forth in the section entitled "Contract Issues."

(c) Within 30 days of the effective date of this ORDER, the Bank's board of directors shall determine and document in the minutes of its board of directors' meetings that all Insider Vendor Agreements existing as of the effective date of this ORDER are in the Bank's best interest. Upon expiration of any existing Insider Vendor Agreements, the Bank's board of directors shall comply with the provisions of this paragraph 4 and the Bank's adopted policies and procedures before executing any new Insider Vendor Agreements.

(d) If the Bank requires Information Technology goods or services that fall outside the scope of any existing Insider Vendor Agreements pertaining to Information Technology, the Bank shall establish written policies and procedures governing procurement of such goods or services. Such written policies and procedures shall be submitted to the Regional Director and Commissioner for review and comment. Within 30 days from the receipt of all such comments from the Regional Director and the Commissioner, and after revising the policies and procedures as necessary, the Bank's board of directors shall adopt the policies and procedures. Such adoption shall be recorded in the minutes of the Bank's board of directors' meeting. At a minimum, the written policies and procedures shall require the Bank to:

    (i) determine the most cost effective method for the Bank to acquire the goods or services;

    (ii) establish minimum dollar amounts for such goods or services that will require review and approval by Bank officers and/or the Bank's board of directors before the Bank incurs such expense;

    (iii) establish written procedures for obtaining competitive bids for such goods or services; and

    (iv) determine and document that invoices submitted for such goods or services correctly reflects the agreement between the Bank and the provider.

[.5]5. (a) Within 30 days of the effective date of this ORDER, the Bank shall establish procedures to ensure that its server room, which houses the network servers and related IT equipment, is physically secured, with physical access limited to authorized personnel only.

(b) Within 30 days of the effective date of this ORDER, the Bank shall correct all deficiencies noted on page 21 of the January 18, 2005, IT Examination of the Bank in the section entitled "Housekeeping" and shall thereafter ensure that such deficiencies do not recur.

(c) Within 60 days from the effective date of this ORDER, the Bank shall contract with an off-site data recovery center to ensure that the Bank may continue operations if the Bank's computer system becomes inoperable. Within 60 days of the contract's execution, the Bank and the off-site data recovery center shall complete a comprehensive disaster recovery test to verify system compatibility between the Bank and the off-site data recovery center. The test shall: replicate emergency conditions; use only backup data files, programs, or other materials at their off-site storage location; and utilize Bank personnel in the same manner as if an emergency existed.

(d) Within 30 days of the completion of the comprehensive disaster recovery test, the Bank shall obtain a written report from Bank personnel who participated in the test. The written report shall detail the test's scope, results, and recommendations based upon the test results. The report shall be presented to the Bank's board of directors, who shall document in the minutes of the Bank's board of directors' meeting all action taken with respect to the recommendations contained in the report.

(e) Within 60 days of the effective date of this ORDER, the Bank shall ensure that its network topology complies with every recommendation contained in the January 18,
{{11-30-05 p.12463.6}}

2005, IT Examination and in the "Network Components and Topology" section of the June 2004 FFIEC IT Examination Handbook entitled "Operations."

(f) Within 60 days of the effective date of this ORDER, the Bank shall establish controls and procedures necessary to protect its network and the data residing therein from internal or external intrusions. The controls and procedures shall, at a minimum, include the installation and regular maintenance of an appropriate firewall device, the daily generation and review of reports on network activity and attempts to circumvent the Bank's firewall, the development of an incident response plan, and quarterly vulnerability and penetration testing in the Bank's network. The controls and procedures shall comply with the "Intrusion Detection and Response" section of the December 2002 FFIEC IT Examination Handbook entitled "Information Security."

[.6]6. Within 60 days of the effective date of this ORDER, the Bank shall establish and implement an effective, written Information Technology audit program to include both internal and external audits. The Bank's board of directors shall approve the audit program and record such approval in the minutes of its meetings. The internal audit program shall be coordinated with and complement the Bank's external audit program and shall ensure that all information technology related areas, including the Bank's virtual private network connection, are reviewed on a regular, periodic basis. The periodic basis upon which each of the areas is reviewed shall be based upon a risk assessment methodology that ranks the risk areas and establishes a periodic audit schedule consistent with the risk rankings.

[.7]7. Following the effective date of this ORDER, the Bank shall send to its shareholders or otherwise furnish a description of this ORDER (i) in conjunction with the Bank's next shareholder communication, and (ii) in conjunction with its notice or proxy statement preceding the Bank's next shareholder meeting. The description shall fully describe the ORDER in all material respects. The description and any accompanying communication, statement, or notice shall be sent to the FDIC, Accounting & Securities Unit, 550 17th Street, N.W., Room F-6043, Washington, D.C. 20429 for review at least 20 days prior to dissemination to shareholders. Any changes requested to be made by the FDIC shall be made prior to dissemination of the description, communication, notice, or statement.

[.8]8. Within 30 days from the effective date of this ORDER, the Bank's board of directors shall establish a committee of the board of directors with the responsibility to ensure that the Bank complies with the provisions of this ORDER. At least a majority of the members of such committee shall be independent, outside directors as defined in paragraph 9. The committee shall report monthly to the entire board of directors, and a copy of the monthly report and any discussion relating to the monthly report or this ORDER shall be included in the minutes of the Bank's board of directors' meetings. Nothing contained herein shall diminish the responsibility of the entire board of directors to ensure compliance with the provisions of this ORDER.

[.9]9. For the purposes of this ORDER, an "outside director" shall be an individual:

    (a) Who shall not be employed, in any capacity, by the Bank or its affiliates other than as a director of the Bank or an affiliate;

    (b) Who shall not own or control more than 5 percent of the voting stock of the Bank or its Holding Company;

    (c) Who shall not be indebted to the Bank or any of its affiliates in an amount greater than 5 percent of the Bank's equity capital and reserves;

    (d) Who shall not be related to any directors, principal shareholders of the Bank or affiliates of the Bank; and

    (e) Who shall be a resident of, or engage in business in, the Bank's Memphis, Tennessee, trade area.

[.10]10. The Bank shall furnish written progress reports to the Regional Director and the Commissioner detailing the form and manner of any actions taken to secure compliance with this ORDER and the results thereof. Such reports shall be received by the Regional Director and the Commissioner no later than 30 calendar days from the beginning of each calendar quarter (i.e., January 30, April 30, July 30, and October 30 of each calendar year). Such reports may be discontinued when the corrections required by this ORDER have been accomplished and the Regional Director and the Commissioner have released the Bank in writing from making further reports.
{{11-30-05 p.12465.1}}

The provisions of this ORDER shall be binding upon the Bank, its directors, officers, employees, agents, successors, assigns, and other institution-affiliated parties of the Bank.

This ORDER shall become effective 10 calendar days from the date of its issuance by the FDIC. The provisions of this ORDER shall remain effective and enforceable except to the extent that, and until such time as, any provisions of this ORDER shall have been modified, terminated, suspended, or set aside by the FDIC.

Pursuant to delegated authority.

Dated: August 22nd, 2005.



ED&O Home | Search Form | Text Search | ED&O Help






Last Updated 12/21/2005 legal@fdic.gov