Federal Deposit
Insurance Corporation

{{5-31-99 p.C-4686}}
   [¶11,596] In the Matter of Pacific Thrift and Loan Company, Woodland Hills, California, FDIC Docket No. 99-021b (3-1-99)

   A cease and desist order was issued, based on findings by the FDIC that it had reason to believe that respondent had engaged in unsafe and unsound practices.

   [.1] Year 2000 Plan—Year 2000 Officer—Qualifications Specified
   [.2] Year 2000 Plan—Preparation Required
   [.3] Year 2000 Plan—Remediation Contingency Plan Required
   [.4] Year 2000 Plan—Business Resumption Contingency Plan Required
   [.5] Year 2000 Plan—Mission Critical Systems Tested
{{5-31-99 p.C-4687}}
   [.6] Year 2000 Plan—Future Testing and Verification Required
   [.7] Year 2000 Plan—Diligence Reviews
   [.8] Year 2000 Plan—Periodic Audits
In the Matter of
PACIFIC THRIFT AND LOAN
COMPANY

WOODLAND HILLS, CALIFORNIA
(Insured State Nonmember Institution)
ORDER TO
CEASE AND DESIST
FDIC-99-021b
   Pacific Thrift and Loan Company, Woodland Hills, California ("Institution"), having been advised of its right to a Notice of Charges and of Hearing detailing the unsafe or unsound banking practices alleged to have been committed by the Institution and of its right to a hearing on the alleged charges under Section 8(b)(1) of the Federal Deposit Insurance Act ("Act"), 12 U.S.C. §1818(b) (1), and having waived those rights, entered into a STIPULATION AND CONSENT TO THE ISSUANCE OF AN ORDER TO CEASE AND DESIST ("CONSENT AGREEMENT") with legal counsel for the Federal Deposit Insurance Corporation ("FDIC"), dated February 24, 1999, whereby, solely for the purpose of this proceeding and without admitting or denying the alleged charges of unsafe or unsound banking practices, the Institution consented to the issuance of an ORDER TO CEASE AND DESIST ("ORDER") by the FDIC.
   The FDIC considered the matter and determined that it had reason to believe that the Institution had engaged in unsafe or unsound banking practices. The FDIC, therefore, accepted the CONSENT AGREEMENT and issued the following:

   IT IS HEREBY ORDERED that the Institution, its institution-affiliated parties as that term is defined in Section 3(u) of the Act, 12 U.S.C. §1813(u), and its successors and assigns, cease and desist from the following unsafe and unsound banking practices.
   (a) operating with a Board of Directors which has failed to provide adequate supervision and direction to prevent unsafe and unsound practices with respect to the Institution's electronic information systems and other automated systems that are used by the Institution, or upon which the Institution depends for the conduct of its business ("Bank Information Systems"); and
   (b) failing to take appropriate measures to ensure that the Bank Information Systems are Year 2000 ready as defined in the Interagency Guidelines Establishing Year 2000 Safety and Soundness Standards (the "Guidelines") published in the Federal Register on October 15, 1998 and the FFIEC guidance papers referred to therein (the "FFIEC Guidance").
   IT IS FURTHER ORDERED, that the Institution, its institution-affiliated parties, and its successors and assigns, take affirmative action as follows:

   [.1]1. (a) Within 30 days from the effective date of this ORDER, the Institution shall retain the services of qualified management. The qualification of the Institution's management shall be assessed on its ability to:

   (i) comply with the requirements of this ORDER; and
   (ii) ascertain that the Bank Information Systems are Year 2000 ready and are appropriately tested to demonstrate such readiness.

   [.2]2. (a) Within 15 days from the effective date of this ORDER, the Institution shall develop and adopt a plan for achieving Year 2000 readiness ("Year 2000 Plan"). At a minimum, the Institution's Year 2000 Plan shall contain provisions to address all of the requirements of this ORDER and shall be in accordance with the Guidelines and the FFIEC Guidance including, but not limited to, the FFIEC May 5, 1997, Interagency Statement on Year 2000 Project Management Awareness.
   (b) The Year 2000 Plan shall be reviewed and approved by the Institution's Board of Directors prior to adoption, and such review and approval shall be recorded in the minutes of the Institution's Board of Directors meeting. Immediately following the adoption of the Institution's Year 2000 Plan, the Institution shall submit a copy of the plan to the Regional Director. The Institution's Board of Directors shall consider any comments on the Year 2000 Plan from the FDIC, and shall amend the Year 2000 Plan as necessary.
   (c) Thereafter, the Institution shall implement the Year 2000 Plan.

   [.3] 3. By April 15, 1999, the Institution shall develop and implement a Remediation Contingency Plan in accordance with the Guidelines and the FFIEC Guidance. The Remediation Contingency Plan shall set forth the Institution's alternate plans to assure continuity of operations in the event the Institution must retain Year 2000 ready replacement mission-critical systems, alternate external third party suppliers, or obtain Year 2000 ready replacement computer hardware or software from alternate sources. Such Remediation Contingency Plan shall be provided to the Regional Director for his review and comment. The Institution's Board of Directors shall review any comments from the FDIC and shall amend the Remediation Contingency Plan as necessary.

   [.4] 4. By June 30, 1999, the Institution shall develop a Business Resumption Contingency Plan in accordance with the Guidelines and the FFIEC Guidance. The Business Resumption Contingency Plan shall set forth the Institution's plans to mitigate risks associated with the failure of its systems at critical dates. The Business Resumption Contingency Plan shall include identification of the Institution's core business processes and a specific recovery plan for the possible failure of each core business process. The Institution shall provide a copy of the Business Resumption Contingency Plan to the Regional Director for his review and comment. The Institution's Board of Directors shall review any comments from the FDIC and shall amend the Business Resumption Contingency Plan as necessary.

   [.5] 5. By no later than June 30, 1999, the Institution shall have in place mission-critical systems that are Year 2000 ready. Such implementation shall include a written determination by the Institution that the mission-critical systems have been tested successfully to determine that such systems are Year 2000 ready. A copy of such written determination shall be provided to the Regional Director.

   [.6] 6. Upon the effective date of this ORDER, and for so long as this ORDER shall remain in effect, the Institution shall acquire or contract for the use of electronic information systems hardware, operating systems, and applications software only if such hardware, systems, and software have been successfully tested for Year 2000 readiness prior to use by the Institution. The Institution shall also ensure that any new Bank Information Systems and modifications to existing Bank Information Systems which have been previously verified as Year 2000 ready are Year 2000 ready.

   [.7] 7. (a) Within 30 days from the effective date of this ORDER, the Institution shall perform due diligence reviews to determine whether the Year 2000 readiness procedures of its service providers and software vendors, and the time frames for implementation of those procedures, are adequate. The Institution's due diligence reviews shall be conducted in accordance with the Guidelines and the FFIEC Guidance.
   (b) By March 31, 1999, the Institution shall implement an internal testing or verification process in accordance with the Guidelines and the FFIEC Guidance to establish that its software vendors are Year 2000 ready. Such testing shall be completed by June 30, 1999. If a software vendor is not Year 2000 ready by June 30, 1999, the Institution shall immediately implement the relevant portions of its Remediation Contingency Plan.