Federal Deposit
Insurance Corporation

{{9-30-94 p.C-3714}}
   [¶11,014] In the Matter of Bank of Holland, Holland, New York, Docket No. FDIC-94-95b (7-22-94).

   Bank to cease and desist from such unsafe or unsound practices as failing to provide adequate supervision over the Bank's affairs; operating in violation of applicable consumer laws and regulations; and failing to ascertain credit needs of its community.

[.1] Bank Secrecy Act—Compliance Program Required
[.2] Bank Secrecy Act—Reports to FDIC Required
[.3] Consumer Laws—Compliance Program Required
[.4] Consumer Laws—Compliance Officer Required
[.5] Violations of Law—Eliminate/Correct
[.6] Community Reinvestment Act—Written Policy Required
[.7] Bank Operations—Data Processing System—Security
[.8] Board of Directors—Committee to Review Compliance with Cease and Desist Order

In the Matter of

BANK OF HOLLAND
HOLLAND, NEW YORK
(Insured State Nonmember Bank)
ORDER TO CEASE AND DESIST
FDIC-94-95b
   Bank of Holland, Holland, New York ("Bank"), having been advised of its right to a Notice of Charges and of Hearing detailing the unsafe or unsound banking practices and violations of law and/or regulations alleged to have been committed by the Bank and of its right to a hearing on the alleged charges under section 8(b) of the Federal Deposit Insurance Act ("Act"), 12 U.S.C. § 1818(b), and having waived those rights, entered into a STIPULATION AND CONSENT TO THE ISSUANCE OF AN ORDER TO CEASE AND DESIST ("CONSENT AGREEMENT") with counsel for the Federal Deposit Insurance Corporation ("FDIC"), dated July 22, 1994, whereby, solely for the purpose of this proceeding and without admitting or denying the alleged charges of unsafe or unsound banking practices and violations of law and/or regulations, the Bank consented to the issuance of an ORDER TO CEASE AND DESIST ("ORDER") by the FDIC.
   The FDIC considered the matter and determined that it had reason to believe that the Bank had engaged in unsafe or unsound banking practices and had committed violations of law and/or regulations. The FDIC, therefore, accepted the CONSENT AGREEMENT and issued the following:

{{9-30-94 p.C-3715}}

   IT IS HEREBY ORDERED that the Bank, its successors, assigns, directors, officers, employees, agents, and other "institution-affiliated parties," as defined in section 3(u) of the Act, 12 U.S.C. § 1813(u), CEASE AND DESIST from the following unsafe or unsound banking practices and violations:
   (a) Operating the Bank with a board of directors which has failed to provide adequate supervision over and direction to the operating management of the Bank to insure compliance with applicable Consumer Laws and Regulations. For the purposes of this ORDER, "Consumer Laws and Regulations" means those laws and regulations referenced in the FDIC Compliance Examination Manual, including the laws and regulations referred to in the Compliance Report of Examination of the Bank by the FDIC as of January 3, 1994 ("January Compliance Report");
   (b) Operating the Bank in violation of section 326.8 of the FDIC's Rules and Regulations, 12 C.F.R. § 326.8;
   (c) Operating the Bank in violation of sections 230.5(b) and 230.8(c) of Regulation DD of the Board of Governors of the Federal Reserve System, 12 C.F.R. §§ 230.5(b) and 230.8(c), as more fully described on page 2 of the January Compliance Report;
   (d) Operating the Bank in violation of section 338.7(a)(2)(iii) of the FDIC's Rules and Regulations, 12 C.F.R. § 338.7(a)(2)(iii), as more fully described on page 2-A of the January Compliance Report;
   (e) Operating the Bank in violation of sections 3500.7(a) and 3500.7(e) of the Real Estate Settlement Procedures Act Regulations of the Department of Housing and Urban Development, 24 C.F.R. §§ 3500.7(a) and 3500.7(e), as more fully described on pages 2-A and 2-B of the January Compliance Report;
   (f) Operating the Bank in violation of section 339.5 of the FDIC's Rules and Regulations, 12 C.F.R. § 339.5, as more fully described on page 2-A of the January Compliance Report;
   (g) Operating the Bank in violation of section 203.4(a) of Regulation C of the Board of Governors of the Federal Reserve System, 12 C.F.R. § 203.4(a), as more fully described on page 2-A-1 of the January Compliance Report;
   (h) Operating the Bank in violation of section 103.22 of the Financial Recordkeeping and Reporting of Currency and Foreign Transactions Regulations of the Department of the Treasury, 31 C.F.R. § 103.22, as more fully described on page 2-A-1 of the January Compliance Report;
   (i) Operating the Bank in violation of section 615(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681m(a), as more fully described on page 2-B of the January Compliance Report;
   (j) Failing to take appropriate steps to enable the Bank to ascertain and help meet the credit needs of its local community, pursuant to the Community Reinvestment Act of 1977, 12 U.S.C. §§ 2901-2906 ("CRA"), and its implementing regulations as set forth in Part 345 of the FDIC's Rules and Regulations, 12 C.F.R. Part 345, and as more fully described in the January Compliance Report;
   (k) Operating the Bank in violation of section 202.9(a)(1) of Regulation B of the Board of Governors of the Federal Reserve System, 12 C.F.R. § 202.9(a)(1), as more fully described on page 2-B of the January Compliance Report; and
   (l) Operating the Bank with a board of directors which has failed to provide adequate supervision over and direction to the operating management of the Bank to ensure a secure and control-conscious environment for the Bank's automated data.
   IT IS FURTHER ORDERED that the Bank take AFFIRMATIVE action as follows:

   [.1] 1. (a) Within 75 days from the effective date of this ORDER, the Bank shall review and revise its written Bank Secrecy Act compliance program ("BSA Program") to ensure its conformance with section 326.8(c) of the FDIC's Rules and Regulations, 12 C.F.R. § 326.8(c).
   (b) Such BSA Program, as revised, shall, at a minimum:

   (i) provide for each of the elements listed in sections 326.8(c)(1)-(4) of the Regulations, 12 C.F.R. §§ 326.8(c)(1)-(4), and in the FDIC's Policy Statement entitled "Guidelines for Monitoring Bank Secrecy Act Compliance," FDIC bank letter (BL-16-87) dated May 18, 1987;
{{9-30-94 p.C-3716}}
   (ii) provide for the continued administration of the BSA Program, reasonably designed to assure and monitor compliance with the recordkeeping and reporting requirements set forth in the Bank Secrecy Act, 31 U.S.C. §§ 5311–5326, and its implementing regulations, 31 C.F.R. Part 103.

   (c) The board of directors shall approve the BSA Program and any subsequent modification thereto, and such approvals shall be recorded in the minutes of the board of directors. Thereafter, the Bank shall implement and follow the written BSA Program and any subsequent modification thereto.
   (d) Within 45 days from the effective date of this ORDER, the Bank shall designate or reaffirm the designation of:

   (i) the individual or individuals responsible for coordinating and monitoring day-to-day compliance with the Bank Secrecy Act and implementing regulations;
   (ii) the individual or individuals qualified and responsible for conducting independent testing of the Bank's compliance with the Bank Secrecy Act and its implementing regulations; and
   (iii) the individual or individuals qualified and responsible for training appropriate Bank personnel in the requirements of and compliance with the Bank Secrecy Act and implementing regulations.

The board of directors shall approve such designations, and such approvals shall be recorded in the minutes of the board of directors. Thereafter, the board of directors shall regularly and thoroughly review and monitor the performance and activities of the designated individuals.
   (e) A copy of the revised written BSA Program, as required by paragraph 1(a) of this ORDER, and the identity of the individuals designated pursuant to paragraph 1(d) of this ORDER, as well as any additional or replacement personnel so designated in the future, shall be submitted to the Regional Director of the FDIC's New York Regional Office ("Regional Director") for review and comment.

   [.3] 3. (a) Within 90 days from the effective date of this ORDER, the Bank shall develop and implement a written compliance program ("Compliance Program") which, at a minimum, shall include the following:

   (i) comprehensive training in Consumer Laws and Regulations conducted at least once a year for all Bank employees whose duties and responsibilities include ensuring compliance with Consumer Laws and Regulations; and
   (ii) procedures for monitoring the Bank's compliance with Consumer Laws and Regulations, including an internal audit of the Compliance Program to be performed or supervised by the compliance officer each calendar quarter. The compliance officer shall report the results of said audit to the board of directors, and the board of directors shall record the results of said audit and any recommendations by the compliance officer and/or the board of directors in the minutes of the meeting of the board of directors.

   (b) The board of directors shall approve the Compliance Program and any subsequent modification thereto, and such approvals shall be recorded in the minutes of the board of directors. Thereafter, the Bank shall follow the Compliance Program and/or any subsequent modification thereto.

   [.4] 4. (a) (i) Within 60 days from the effective date of this ORDER, the Bank shall have and thereafter retain a quali- {{9-30-94 p.C-3717}}fied compliance officer who shall be given stated written authority by the Bank's board of directors to implement and supervise the Bank's Compliance Program, including but not limited to, providing training for the Bank's employees in all Consumer Laws and Regulations, establishing internal controls and procedures designed to prevent violations of Consumer Laws and Regulations, and performing or supervising periodic internal audits to ascertain compliance with Consumer Laws and Regulations and the Bank's Compliance Program. The compliance officer shall report directly to the board of directors.
   (ii) The Bank shall promptly notify the Regional Director of the identity of said compliance officer. The Bank shall comply with the requirements of section 32 of the Act, 12 U.S.C. § 1831i, and section 303.14 of the FDIC's Rules and Regulations, 12 C.F.R. § 303.14, prior to the addition of the compliance officer to such position.
   (b) The Bank's compliance officer shall be evaluated on his or her ability to comply with the requirements of this ORDER and to comply with applicable Consumer Laws and Regulations.

   [.6] 6. Within 90 days from the effective date of this ORDER, the Bank shall adopt a written CRA policy which provides for CRA goals and objectives, employee training, and a methodology for periodic self-assessment of the Bank's CRA performance. Such a policy shall also include:

   (a) A provision providing for the oversight by and involvement of the board of directors in the CRA process. The board of directors' minutes shall document all discussion and review of the Bank's CRA related activity;
   (b) A formal strategy designed to inform the community of the Bank's available credit products;
   (c) Internal review of advertising efforts to ensure that all areas of the delineated community are made aware of the Bank's credit services and deposit products;
   (d) A formal strategy to effectively ascertain community credit needs by direct contact with various community members. Outreach with groups representing minorities should be in proportion to their percentage of the total population, with the results of such contacts being documented;
   (e) Increased analysis of the geographic distribution of credit applications, denials, and loans. The results of this analysis should be reviewed by the board of directors and incorporated into the CRA process; and
   (f) Implementation of policies, procedures, and training to ensure that the Bank does not discriminate in the granting of credit. The policies, procedures and training should be reviewed by the board of directors.

   a. Providing for and enforcing appropriate segregation of duties between key automation functions, including, but not limited to, computer and proof operations responsibilities;
   b. Providing for daily review of the SPO Log by an individual not having functional responsibilities in computer operations;
   c. Identifying all system utilities and commands with data altering capability and devising procedures to identify and control their use;
   d. Reviewing personnel responsibilities and implementing the available security system to ensure that personnel access levels permit access only to areas of responsibility, such that effective segregation of duties is assured through the security access levels assigned, and that security system administration responsibility is assigned to an individual without conflicting operating responsibilities;
   e. Providing for effective independent review of all file maintenance reports pro-
{{9-30-94 p.C-3718}}duced by the computer system applications;
   f. Providing for effective audit review of the data processing function;
   g. Developing, documenting, and testing emergency and contingency plans capable of providing appropriate continuity of processing for various disaster/emergency scenarios, including establishing and following a formal off-site file rotation policy and a policy for periodic plan review and update; and
   h. Appropriately addressing the remaining matters detailed in the Electronic Data Processing Report of Examination of the Bank by the FDIC as of January 24, 1994.