FDIC Enforcement Decisions and Orders
{{01-31-05 p.C-12318.1}}
A cease and desist order was issued, based on findings by the FDIC that it had reason to believe that respondent was engaged in unsafe and unsound practices.
[.1] Management - Qualifications Specified
[.2] Bank Secrecy Act Compliance Program
[.3] Bank Secrecy Act - Staffing Requirements
[.4] Compliance Program - Written Compliance Plan Required
[.5] Bank Operations - Data Processing Center
[.6] Information Technology Plan - Weekly Report Required
[.7] Information Technology Plan - Minimum Requirements
[.8] Security Controls - Information Security Program
[.9] Bank Operations - Review Computer User Access Levels
[.10] Suspicious Activity Report - Implement Policy
[.11] Disaster Recovery Plan - Required
[.12] Profit Plan - Preparation of Plan Required
[.13] Strategic Plan - Preparation of Required
[.14] Violations of Law - Corrections of Violations Required
[.15] Dividends - Dividends Restricted
[.16] Shareholders - Disclosure of Cease and Desist Order Required
[.17] Progress Report - Written Report Required
In the Matter of:
The Farmers Bank, Hamburg, Arkansas ("Bank"), through its board of directors, having been advised of its right to the issuance and service of a NOTICE OF CHARGES AND OF HEARING detailing the unsafe or unsound banking practices and violations of law or regulations alleged to have been committed by the Bank and of its right to a hearing on the alleged charges under section 8(b) of the Federal Deposit Insurance Act ("Act"), 12 U.S.C. §1818(b) and having waived those rights, entered into a STIPULATION AND CONSENT TO THE ISSUANCE OF AN ORDER TO CEASE AND DESIST ("CONSENT AGREEMENT") with counsel for the Federal Deposit Insurance Corporation ("FDIC") dated November 3, 2004, whereby, solely for the purpose of this proceeding and without admitting or denying the alleged charges of unsafe or unsound banking practices and violations of law or regulations, the Bank consented to the issuance of an ORDER TO CEASE AND DESIST ("ORDER") by the FDIC.
The FDIC considered the matter and determined that it had reason to believe that the Bank had engaged in unsafe or unsound banking practices and had violated laws or regulations. The FDIC, therefore, accepted the CONSENT AGREEMENT and issued the following:
ORDER TO CEASE AND DESIST
IT IS ORDERED, that the Bank, its institution-affiliated parties, as that term is defined in section 3(u) of the Act, 12 U.S.C. §1813(u), and its successors and assigns, cease and desist from the following unsafe or unsound banking practices and violations of laws or regulations.
(a) Operating the Bank without adequate supervision and direction by the Bank's board of directors over the management of the Bank to prevent unsafe and unsound banking practices and violations of laws or regulations;
(b) Operating the Bank in violation of applicable Federal and State
laws and regulations, including violations of the Bank Secrecy Act, 12
U.S.C. §§
1951 - 1959 and 31 U.S.C. §§
5311-5332 ("BSA");
the FDIC's Bank Secrecy Act Compliance Regulations, 12 C.F.R. Part
326; Financial Recordkeeping Regulations, 31 C.F.R. Part 103; Section
39 of the Act, 12 U.S.C. §1831p and in contravention of Appendix B
to the FDIC Standards for Safety and Soundness, 12 C.F.R. Part 364,
Appendix B;
(c) Operating the Bank without an adequate information technology
program, to meet the needs and requirements of the Bank; and
(d) Operating the Bank with inadequate earnings to fund growth and
augment capital.
IT IS FURTHER ORDERED, that the Bank, its institution-affiliated parties and its successors and assigns take affirmative action as follows:
[.1] 1. (a) Within 30 days after the effective date of this ORDER, the Bank shall have and maintain sufficient qualified management and staff to manage the day-to-day operations of the Bank. Such person(s) shall include person(s) who are knowledgeable or have expertise in the areas of: Information Technology; the Bank Secrecy Act, and compliance therewith; and meeting the goals set out in the Bank's profit and strategic plans. Such person(s) shall be provided the necessary written authority to implement the provisions of this ORDER. Bank management, including its board of directors, shall be assessed on its ability to:
(i) Comply with the requirements of this ORDER;
(ii) Operate the Bank in a safe and sound manner;
(iii) Comply with applicable laws and regulations; and
(iv) Maintain all aspects of the Bank in a safe and sound condition, including asset quality, capital adequacy, earnings, and management effectiveness.
(b) While this ORDER is in effect, the Bank shall notify the
Regional Director of the Dallas Region-Memphis Area Office
("Regional Director") and the Commissioner of the Arkansas Bank
Department ("Commissioner") in writing of any changes in any of
the Bank's directors or Senior Executive Officers. For purposes of
this ORDER, "Senior Executive Officer" is defined as in Section
303.101(b) of the FDIC Rules and Regulations, 12 C.F.R. §303.101(b).
Prior to the addition of any individual to the board of directors or
the employment of any individual as a Senior Executive Officer, the
Bank shall comply with the requirements of Section 32 of the Act, 12
U.S.C. §1831i, and Subpart F of Part 303 of the FDIC Rules and
Regulations, 12 C.F.R. §§
303.100 - 303.103.
[.2] 2. (a) Within 60 days from the effective date of this ORDER, the Bank
shall provide for an acceptable written BSA Compliance Program. The BSA
Compliance Program shall be submitted to the Regional Director and
Commissioner for review and comment. No more than 30 days after the
receipt of any comment from the Regional Director and Commissioner, the
board of directors shall approve the BSA Compliance Plan. Such approval
shall be recorded in the minutes of the board of directors' meeting.
The BSA Compliance Program shall be implemented immediately.
(b) The BSA Compliance Program shall be designed to assure
on-going compliance with 31 CFR Part 103 (Financial Recordkeeping), 13
CFR §326.8 (Bank Secrecy Act Compliance), 12 CFR Part 353
(Suspicious Activity Reports), and the guidance set forth in Financial
Institution Letter 29-96 (May 14, 1996).
(c) The BSA Compliance Program shall provide for an effective system
of internal controls to assure ongoing compliance with the BSA. The
system of internal controls shall include, at a minimum:
(i) Identify reportable transactions and gather the information
necessary to properly complete the required reporting forms;
(ii) Ensure that all required reports are accurate, proper, complete,
and timely filed;
(iii) Ensure that customer exemptions are properly granted and
documented; and
(iv) Provide for separation of duties to ensure personnel completing
required reports are not responsible for filing them.
(d) The board of directors shall appoint a Bank official who meets
the qualifications set forth in Financial Institution Letter 29-96 (May
14, 1996), to coordinate and monitor the Bank's compliance with the
BSA. This individual shall have the authority to make and enforce
policies to ensure compliance with the BSA.
(e) The Bank shall implement a training program covering 31 C.F.R.
Section 103, for all appropriate personnel. This training shall be
completed within 90 days from the effective date of this ORDER.
Employees receiving the training shall include, but not be limited to
all current or new employees employed by the Bank as tellers, new
accounts personnel, lending personnel, bookkeeping personnel and wire
transfer personnel. The training program shall also ensure that senior
Bank management and the board of directors are informed of any changes
to, or developments in, the BSA and the Bank's responsibility
thereunder.
(f) Within 90 days of the effective date of this ORDER and at least
annually thereafter, the Bank shall independently test the BSA
Compliance Program to ensure proper controls are in place to comply
with the requirements of 31 C.F.R. Part 103, 12 CFR §326.8, and 12
CFR Part 353. The independent test shall be completed by a qualified
person or entity independent of the Bank's BSA Compliance Program. The
independent testing program shall, at a minimum:
(i) Test the Bank's internal procedures for monitoring
compliance with the BSA, including interviews of employees who handle
cash transactions;
(ii) Sample the large currency transactions followed by a review of the
currency transaction report filings;
(iii) Test the validity and reasonableness of the customer exemptions
granted by the Bank;
(iv) Test the Bank's recordkeeping system to ensure compliance with 31
C.F.R. Part 103 and 12 C.F.R. Part 353; and
(v) Document the scope of the testing procedures performed and the
findings of the test.
(g) The results of each independent test as well as any apparent
exceptions noted during the testing shall be presented to the board of
directors. The board shall record the steps taken to correct any
exceptions noted and address any recommendations made during each
independent test in the minutes of its meetings.
[.3] 3. Within 90 days from the effective date of this ORDER, the Bank shall
complete an independent review of the staff responsible for ensuring
the Bank's compliance with the BSA. The review shall be conducted by a
qualified party with the requisite ability to perform such an analysis,
and a written report shall
be presented to the Bank's board of directors. The written report shall
be submitted to the Regional Director and Commissioner for review and
comment.
[.4] 4. (a) Within 60 days from the effective date of this ORDER, the Bank
shall provide for, and document, an adequate system designed to detect
and report any known or suspected criminal violations committed or
attempted against the Bank or involving a transaction(s) through the
Bank involving or aggregating $5,000 or more.
(b) This system shall ensure the Bank's compliance with Part 353
of the FDIC Rules and Regulations, 12 C.F.R. Part 353. A description of
the system devised by the Bank shall be submitted to the Regional
Director and Commissioner for review and comment.
[.5] 5. Within 60 days of the effective date of the ORDER, the Bank shall
acquire, install and test the requisite software and hardware to ensure
the continuity of the Bank's core processing operations and the
integrity of its financial records. In addition, the Bank shall enter
into appropriate vendor support contracts to ensure adequate and
ongoing support of its core applications.
[.6] 6. Within 10 days of the effective date of this ORDER, the board of
directors shall take all action necessary to ensure that it receives
regular, weekly, written reports on the status of the Bank's
Information Technology ("IT") conversion activities including,
but not limited to, its acquisition of new software and/or hardware and
full, successful, conversion to a software platform that is adequately
supported by vendors. The weekly report shall be submitted to the
Regional Director and Commissioner, and shall be submitted until such
time as the Regional Director and Commissioner determine that all major
IT conversion issues, including those related to the Bank's IT
servicers, applications software, and vendor support contracts have
been resolved.
[.7] 7. Within 60 days of the effective date of the ORDER, the Board shall
fully implement a written IT audit program, which shall at a minimum
accomplish the following:
(i) Undertaking an annual IT audit with a scope that is
appropriate for the size, complexity, and profile of the Bank;
(ii) Selecting a qualified firm or individual who has the knowledge,
expertise and capability to perform sound IT audits;
(iii) Tracking and monitoring audit and examination findings and
submitting regular, written, reports to the board of directors; and
(iv) Appointing a knowledgeable individual or firm to act as the
Bank's internal auditor, who is charged with providing regular,
written reports to the board of directors.
[.8] 8. Within 90 days of the effective date of this ORDER, the Bank shall
develop and implement an Information Security Program which meets all
the requirements of section 39 of the Act, 12 U.S.C. §1831p, and
complies with Appendix B to Part 364 of the FDIC Rules and Regulations,
12 C.F.R. Part 364, Appendix B. The Bank's Information Security
Program shall be approved by the board of directors and be submitted to
the Regional Director and Commissioner for review and comment and, at a
minimum include the following:
(i) Perform a formal risk assessment of potential internal and
external threats that could result in unauthorized access to customer
information or systems;
(ii) Manage and control risks to customer information by considering
whether security measures and controls are appropriate;
(iii) Ensure that staff is trained to implement the Bank's Information
Security Program;
(iv) Regularly test the key controls, systems and procedures of the
Information Security Program. Tests shall be conducted or reviewed by
independent third parties or staff independent of those that develop or
maintain the security programs; and
(v) Ensure that each Bank service provider is contractually required to
implement appropriate measures to meet the objectives of the guidelines
of Part 364, Appendix B.
[.9] 9. Within 60 days of the effective date of this ORDER, and quarterly
after that, the Bank shall conduct an in-depth review of computer user
access levels to ensure user access is restricted only to the level
needed to perform their assigned duties while ensuring adequate
separation of duties. The results of this review shall be presented to
the board of directors and shall be recorded in the minutes of the
board of directors' meeting.
[.10] 10. Within 60 days of the effective date of this ORDER, the board of
directors will designate a knowledgeable and independent staff member,
and fully implement procedures, to ensure a daily review of the:
activity reports, exception reports, security logs, file maintenance
activity, automatic transfer activity (including failed sign on
attempts, and attempts at unauthorized access by unauthorized users) is
conducted and that discrepancies and suspicious activities are reported
to Bank management and the board of directors.
[.11] 11. Within 90 days of the effective date of this ORDER, the Board shall
implement a Disaster Recovery/Business Continuity Plan that fully
provides for the Bank's continuing operations during and after
emergencies and disasters. The Disaster Recovery/Business Continuity
Plan shall include a provision requiring that the Plan be tested no
less than every twelve months, in accordance with recommended testing
guidelines set forth in the Federal Financial Institutions Examination
Council's "Business and Contingency Planning," IT Examination
Handbook (March 2003).
[.12] 12. (a) Within 90 days after the effective date of this ORDER for 2005,
and within the first 30 days of each calendar year thereafter, the
board of directors shall develop or revise a written Profit Plan
consisting of goals and strategies for improving the earnings of the
Bank for each calendar year. The written Profit Plan shall include, at
a minimum:
(i) Identification of the major areas in, and means by, which the
board of directors will seek to improve the Bank's operating
performance including target levels for total assets and asset mix
deemed necessary to safely and soundly reach profitability;
(ii) Realistic and comprehensive budgets, which specifically address:
legal expenses, retirement expenses, IT related expenses and salaries;
(iii) A budget review process to monitor the income and expenses of the
Bank to compare actual figures with budgetary projections, with a
report to the Bank's board of directors on not less than a monthly
basis; and
(iv) A description of the operating assumptions that form the basis for
and support major projected income and expense components.
(b) Such written Profit Plan and any subsequent modification
thereto shall be submitted to the Regional Director and the
Commissioner for review and comment. No more than 30 days after the
receipt of any comment from the Regional Director and the Commissioner,
the board of directors shall approve the written Profit Plan. Such
approval shall be recorded in the minutes of the board of directors'
meeting. Thereafter, the Bank, its directors, officers, and
employees shall follow the written Profit Plan and any subsequent
modification.
[.13] 13. (a) Within 90 days after the effective date of this ORDER, the Bank
shall formulate and adopt a revised, comprehensive Strategic Plan. The
Plan required by this paragraph shall contain an assessment of the
Bank's current financial condition and operating assumptions, both
with and without the inclusion of capital augmentation through a
non-recurring recovery from the United States Department of Agriculture
("USDA"); its market area; and a description of the operating
assumptions that form the basis for major projected income and expense
components other than the potential recovery from the USDA.
(b) The written Strategic Plan shall address, at a minimum:
(i) Formulation of a mission statement establishing the board's
vision for the future of the Bank;
(ii) Formulation of a comprehensive assessment of the Bank's
competitive strengths and weaknesses, including identification of the
Bank's primary competitive advantage;
(iii) Formulation of written strategies for maximizing the Bank's
primary competitive advantage and limiting the impact of competitive
weaknesses;
(iv) Goals for managing the Bank in the absence of a recovery from the
USDA;
(v) Plans for attracting and retaining qualified individuals to fill
vacancies in the lending and operations functions;
(vi) Plans for sustaining adequate liquidity, including back-up lines
of credit to meet any unanticipated deposit withdrawals; and
(vii) Other financial goals, including realistic pro forma statements
for asset growth, capital adequacy, and earnings.
(c) The Bank shall submit the Strategic Plan to the Regional
Director and the Commissioner for review and comment. No more than 30
days after the receipt of any comment from the Regional Director and
Commissioner, the board of directors shall approve the Strategic Plan.
Such approval shall be recorded in the minutes of the board of
directors' meeting. Thereafter, the Bank shall implement and follow
the Strategic Plan.
(d) Within 30 days from the end of each calendar quarter following the
effective date of this ORDER, the Bank's board of directors shall
evaluate the Bank's performance in relation to the Strategic Plan
required by this paragraph and record the results of the evaluation,
and any actions taken by the Bank, in the minutes of the board of
directors' meeting at which such evaluation is undertaken.
(e) The Strategic Plan required by this ORDER shall be revised and
submitted to the Regional Director and the Commissioner for review and
comment 30 days after the end of each calendar year for which this
ORDER is in effect. Within 30 days of receipt of all such comments from
the Regional Director and the Commissioner, the Bank shall approve the
revised Strategic Plan, and record such approval in the minutes of a
board of directors' meeting. Thereafter, the Bank shall implement the
revised plan.
[.14] 14. (a) Within 90 days after the effective date of this ORDER, the Bank
shall eliminate and/or correct all violations of law and regulation
noted in the Report of Examination.
(b) Within 90 days after the effective date of this ORDER, the
Bank shall implement procedures to ensure future compliance with all
applicable laws and regulations.
[.15] 15. While this ORDER is in effect, the Bank shall not declare or pay
any cash dividends on its capital stock without the prior written
approval of the Regional Director and Commissioner.
[.16] 16. Following the effective date of this ORDER, the Bank shall send to
its shareholders or otherwise furnish a description of this ORDER, (i)
in conjunction with the Bank's next shareholder communication, and
also (ii) in conjunction with its notice or proxy statement preceding
the Bank's next shareholder meeting. The description shall fully
describe the ORDER in all material respects. The description and any
accompanying communication, statement, or notice shall be sent to the
FDIC, Accounting & Securities Unit, 550 17th Street, N.W., Room F-6043,
Washington, D.C. 20429 for review at least 20 days prior to
dissemination to shareholders. Any changes requested to be made by the
FDIC shall be made prior to dissemination of the description,
communication, notice, or statement.
[.17] 17. On the twentieth day of each quarter following the effective date
of this ORDER, the Bank shall furnish written progress reports to the
Regional Director and the Commissioner detailing the form and manner of
any actions taken to secure compliance with this ORDER and the results
thereof. Such reports may be discontinued when the corrections required
by this ORDER have been accomplished and the Regional Director and
Commissioner have released the Bank in writing from making further
reports.
This ORDER shall be binding on the Bank, its
institution-affiliated parties, successors and assigns.
This ORDER shall become effective ten (10) calendar days after issuance.
Date: November 3, 2004.
Last Updated 4/16/2005 | legal@fdic.gov