FEDERAL DEPOSIT INSURANCE CORPORATION WASHINGTON, D.C. ) In the Matter of ) ) EUROBANK ) ORDER TO CEASE AND DESIST HATO REY, PUERTO RICO ) ) FDIC-07-018b (INSURED STATE NONMEMBER BANK) ) )

 

	)
In the Matter of	)
	)
EUROBANK	)	ORDER TO CEASE AND DESIST
HATO REY, PUERTO RICO	)
	)	FDIC-07-018b
(INSURED STATE NONMEMBER BANK)	)
	)

 

Eurobank, Hato Rey, Puerto Rico (“Insured Institution”), having been advised of its right to a Notice of Charges and of Hearing detailing the unsafe or unsound banking practices and violations of law and/or regulations alleged to have been committed by the Insured Institution and of its right to a hearing on the alleged charges under section 8(b)(1) of the Federal Deposit Insurance Act (“Act”), 12 U.S.C. § 1818(b)(1), and having waived those rights, entered into a STIPULATION AND CONSENT TO THE ISSUANCE OF AN ORDER TO CEASE AND DESIST (“CONSENT AGREEMENT”) with counsel for the Federal Deposit Insurance Corporation (“FDIC”), dated March 19, 2007, whereby solely for the purpose of this proceeding and without admitting or denying the alleged charges of unsafe or unsound banking practices and violations of law and/or regulations, the Insured Institution consented to the issuance of an ORDER TO CEASE AND DESIST (“ORDER”) by the FDIC.

 

The FDIC considered the matter and determined that it had reason to believe that the Insured Institution had engaged in unsafe or unsound banking practices and had committed violations of law and/or regulations.

 

 

- 2 -

 

The FDIC, therefore, accepted the CONSENT AGREEMENT and issued the following:

 

 

IT IS HEREBY ORDERED that the Insured Institution, its directors, officers, employees, agents and other institution-affiliated parties (as that term is defined in section 3(u) of the Act, 12 U.S.C. § 1813(u)), and its successors and assigns cease and desist from engaging in the alleged unsafe or unsound banking practices and committing the alleged violations of law and/or regulations specified below:

 

(a)  operating with inadequate management supervision and oversight by the Insured Institution’s board of directors (“Board”) to prevent unsafe or unsound practices and violations of the Bank Secrecy Act, as amended, 12 U.S.C. § 1829b, 12 U.S.C. §§ 1951-1959, and 31 U.S.C. §§ 5311-5332, and implemented by rules and regulations issued by the United States Department of Treasury, 31 C.F.R. Part 103 and 12 C.F.R. Part 353, and 12 U.S.C. § 1818(s) and its implementing regulation, 12 C.F.R.

§ 326.8 (hereafter collectively referred to as “BSA”);

 

(b)  operating with an inadequate BSA/Anti-money Laundering(“AML”)Compliance Program (“BSA/AML Compliance Program”) to monitor and assure compliance with the BSA; and

 

(c)  operating with ineffective policies, procedures and processes to adequately screen, monitor and verify account transactions to ensure compliance with the regulations promulgated by the United States Department of Treasury’s Office of Foreign Assets Control (“OFAC”), 31 C.F.R. Part 500, as well as all statutes, regulations, rules and/or guidelines issued or administered by OFAC (“OFAC Provisions”).

 

 

- 3 -

 

IT IS FURTHER ORDERED that the Insured Institution, its institution-affiliated parties, and its successors and assigns, shall take affirmative action as follows:

 

 

1. Beginning on the effective date of this ORDER, the Insured Institution shall take any and all steps necessary, consistent with other provisions of the ORDER and sound banking practices, to correct and prevent the unsafe or unsound banking practices and violations of law and/or regulations in the FDIC's and Office of the Commissioner of Financial Institutions of the Commonwealth of Puerto Rico’s joint Report of Examination ("ROE") dated August 31, 2006, address each deficiency identified in the ROE and ensure that the Insured Institution is operated with adequate management supervision and Board oversight to prevent any future unsafe or unsound banking practices and violations of law and/or regulations.

 

 

- 4 -

 

2.  Within 120 days from the effective date of this ORDER, the Insured Institution shall develop, adopt, and implement a system of internal controls designed to ensure full compliance with the BSA (“BSA Internal Controls”) taking into consideration its size and risk profile. At a minimum, such system of BSA Internal Controls shall include policies, procedures and processes addressing the following areas:

 

(a)  Risk Assessment: The Insured Institution shall conduct an expanded and comprehensive BSA/AML risk assessment of the Insured Institution’s operations (“Risk Assessment”) taking into consideration its customers, their geographic locations, the types of accounts, products and services offered and the geographic areas in which these accounts, products and services are offered to enable it to stratify its customers, products, services and geographies by risk category and determine the Insured Institution’s overall risk profile. The Insured Institution shall establish written policies, procedures and processes to conduct periodic Risk Assessments and to adjust its stratifications and risk profile as appropriate, but in no event less frequently than every twelve to eighteen months;

 

 

 

 

- 5 -

 

(b)  Customer Due Diligence: The Insured Institution shall develop, adopt and implement written policies, procedures and processes to operate in conjunction with the customer identification program required by subparagraph (h) below for:

 

(i)

establishing customer profiles based upon source of funds and wealth, the business activity, ownership structure, anticipated or actual volume and types of transactions, including those transactions involving high-risk jurisdictions, of that customer and determining whether the customer should be subject to the Insured Institution’s enhanced due diligence policies, procedures and processes required by subparagraph (d) below;

 

(ii)	assigning risk ratings to each customer based upon their profile and the results of the Risk Assessment required by subparagraph (a) above;

 

(iii)

maintaining and periodically updating customer profiles and risk ratings; and

 

(iv)	resolving issues when insufficient or inaccurate information is obtained to appropriately establish and validate a customer profile and risk rating;

 

 

- 6 -

 

(c)  High-Risk Account Identification and Monitoring: The Insured Institution shall adopt adequate policies, procedures and processes to identify and monitor its high-risk accounts on a transaction basis as well as on an account and customer basis;

 

(d)  Enhanced Due Diligence: The Insured Institution shall develop, adopt and implement policies, procedures and processes to operate in conjunction with the customer identification program and due diligence policies, procedures and processes required by subparagraphs (b) and (c) above and subparagraphs (e),(f), (g) and (h) below with respect to high-risk customers to:

 

(i)

determine whether additional information, such as the purpose of the account, source of funds and wealth, the beneficial owners of the account, if any, customer’s occupation or type of business, financial statements, banking references, domicile of the customer’s business, proximity of customer’s residence, place of employment or place of business to the Insured Institution, description of primary trade area of customer or beneficial owner and whether international transactions are expected to be routine, description of the business operations, the anticipated volume of currency and total sales and a list of major customers and suppliers and explanations for changes in account activity should be required and collected for that customer’s profile;

 

 

- 7 -

 

(ii)	determine whether on-site visits to collect and verify information for the customer profile are warranted and establish procedures to ensure periodic on-site visits are documented; and

 

(iii)

monitor account activity commensurate with the level of risk and document the monitoring process on an ongoing basis.

 

(e)  Account and Transaction Monitoring: The Insured Institution shall develop, adopt and implement policies, procedures and processes appropriate to the Insured Institution considering its size and risk profile (based upon the Risk Assessment) to operate in conjunction with the policies, procedures and processes required by subparagraphs (f),(g) and (h) below to monitor and aggregate currency activity, funds transfer activity, and monetary instrument sales to ensure the timely, accurate and complete filing of Currency Transaction Reports (“CTRs”), Reports of International Transportation of Currency or Monetary Instruments (“CMIRs”), Reports of Foreign Bank and Financial Accounts (“FBARs”) and any other similar or related reports required by law or regulation.

 

 

- 8 -

 

(f)  Suspicious Activity Monitoring and Reporting: The Insured Institution shall, taking into account its size and risk profile (based upon the Risk Assessment), develop, adopt and implement appropriate policies, procedures, processes and systems for monitoring, detecting and reporting suspicious activity being conducted within or through the Insured Institution. These policies, procedures, processes and systems should:

 

(i)

collect and analyze data from each branch and business area of the Insured Institution on a centralized basis for the production of periodic reports designed to identify unusual or suspicious activity, to monitor and evaluate unusual or suspicious activity, and to maintain accurate information needed to produce and file Suspicious Activity Reports (“SARs”);

 

(ii)	be able to identify related accounts, countries of origin, location of the customer’s businesses and residences to evaluate patterns of activity;

 

(iii)

cover a broad range of timeframes, including individual days, a number of days, and a number of months, as appropriate, and should segregate transactions that pose a greater than normal risk for non-compliance with BSA;

 

 

- 9 -

 

(iv)	establish risk based monitoring of high-risk customers enabling the Insured Institution to identify transactions for further monitoring, analysis and possible reporting;

 

(v)	establish periodic testing and appropriate adjustment and updating on an ongoing basis to the policies, procedures and processes utilized to monitor high risk customers;

 

(vi)

ensure adequate referral of information about potentially suspicious activity through appropriate levels of management, including a policy for determining action to be taken in the event of multiple filings of SARs on the same customer, or in the event a correspondent or other customer fails to provide due diligence information. Such procedures shall describe the circumstances under which an account should be closed and the processes and procedures to be followed in doing so;

 

 

- 10 -

 

(vii)

require the documentation of management’s decisions to file or not to file a SAR; ensure the timely, accurate and complete filing of required SARs and any other similar or related reports required by law or regulation; and

 

(viii)

ensure the confidentiality of any SARs filed.

 

(g)  Wire Transfer Transactions: The Insured Institution shall develop, adopt and implement policies, procedures and processes with respect to wire transfer monitoring and recordkeeping, including requirements for complete information on beneficiaries and originators, as required by 31 C.F.R. 103.33;

 

(h)  Customer Identification Program: The Insured Institution shall develop, adopt and implement written policies, procedures and processes enhancing its customer identification program (“CIP”) required by section 326.8(b) of the FDIC’s Rules and Regulations, 12 C.F.R. § 326.8(b), to ensure that the Insured Institution’s CIP contains at a minimum:

 

 

- 11 -

 

(i)	account opening procedures specifying the identifying information required for each customer type;

 

(ii)	risk-based procedures for verifying the identity of new customers within a reasonable time after the account is opened;

 

(iii)

procedures for circumstances in which the Insured Institution is unable to form a reasonable belief that it knows the true identity of a customer;

 

(iv)	risk based procedures for reviewing existing customers to determine whether sufficient information has been obtained to establish the customer profiles and risk ratings required by subparagraph (b) above; and procedures for obtaining any information necessary for such profiles and risk ratings;

 

(v)	procedures for recordkeeping and retention;

 

(vi)	procedures to determine whether a customer appears on any federal government list of known or suspected terrorists or terrorist organizations when such list is generated;

 

 

- 12 -

 

(vii)

procedures to provide adequate notice to customers that the Insured Institution will be requesting information to verify their identities;

 

(viii)

procedures to ensure that the CIP is updated on an ongoing basis as necessary to incorporate amendments to the BSA and the rules and regulations thereunder;

 

(ix)

if applicable, procedures for reliance upon another financial institution to perform one or more elements of its CIP. Such procedures shall require at a minimum, confirmation that the relied-upon financial institution is subject to a rule implementing the program requirements of 31 U.S.C. § 5318(h) and is regulated by federal functionally regulator, confirmation that the customer at issue has an account or is opening an account at the relied-upon financial institution, a determination that the Insured Institution’s reliance upon the financial institution is justified under the circumstances and confirmation that the relied-upon financial institution has entered into a contract with the Insured Institution requiring it to certify annually to the Insured Institution that it has implemented its BSA/AML Compliance Program and will perform the specified requirements of the Insured Institution’s CIP; and

 

 

- 13 -

 

(i)  BSA/AML Staffing and Resources: The Insured Institution shall review BSA/AML compliance staffing and resources taking into consideration its size and risk profile (based upon the Risk Assessment) and make such modifications as are appropriate. The Insured Institution shall establish written policies, procedures and processes requiring the periodic review of and appropriate adjustment to its BSA/AML staffing and resources.

 

3. Within 30 days of the effective date of this ORDER, the Insured Institution shall develop, adopt, and implement a system of internal controls designed to ensure full compliance with the OFAC Provisions (“OFAC Internal Controls”) taking into consideration its customers, their geographic locations, the types of accounts, products and services it offers these customers and the geographic areas in which these accounts, products and services are offered. At a minimum, such system of OFAC Internal Controls shall include:

 

 

- 14 -

 

(a) written policies, procedures and processes for conducting OFAC searches of each department or business line of the Insured Institution;

 

(b) written policies, procedures, and processes for conducting OFAC searches of customers and account parties, including, but not limited to, beneficiaries, guarantors, principals, beneficial owners, nominee shareholders, directors, signatories and powers of attorney;

 

(c) written policies, procedures and processes for obtaining and updating OFAC lists or filtering criteria;

 

(d) written policies, procedures and processes for identifying and investigating potential OFAC matches;

 

(e) written policies, procedures and processes for blocking and rejecting transactions;

 

(f) written policies, procedures and processes to inform OFAC and the Insured Institution’s Board or its designee of blocked or rejected transactions;

 

(g) written policies, procedures and procedures to manage blocked accounts; and

 

(h) written policies, procedures and processes to retain OFAC records in accordance with the OFAC Provisions.

 

 

- 15 -

 

 

4. Within 180 days from the effective date of this ORDER, the Insured Institution shall establish independent testing programs for compliance with the BSA and OFAC Provisions, to be performed on no less than an annual basis. The scope of the testing procedures to be performed, and testing results, shall be documented in writing and approved by the Insured Institution’s Board or its designee. The testing procedures, at a minimum, should include the following:

 

(a) compliance testing for all appropriate business lines conducted by qualified staff who are independent of the Insured Institution’s compliance, BSA/AML and OFAC functions;

 

(b) formal, documented testing programs, including adequately detailed reports and workpapers;

 

(c) testing of the adequacy of the Insured Institution’s Risk Assessment;

 

(d) testing of the adequacy of the BSA and OFAC Internal Controls designed to ensure compliance with both the BSA and OFAC Provisions;

 

(e) testing of the adequacy of the Insured Institution’s Training Program, as that term is defined in paragraph 5;

 

(f) a risk-based approach that includes transactional testing and verification of data for higher risk accounts;

 

(g) review of independent testing results by senior management;

 

 

- 16 -

 

(h) procedures to ensure that senior management institutes appropriate actions in response to independent testing results; and

 

(i) direct lines of reporting between the independent testing function and the Board or its designee.

5. Beginning on the effective date of the ORDER, the Insured Institution shall take all steps necessary, consistent with sound banking practices, to ensure that all appropriate personnel are aware of, and can comply with, the requirements of the BSA and OFAC Provisions applicable to the individual’s specific responsibilities to assure the Insured Institution’s compliance with the BSA and OFAC Provisions.

 

6.  Within 60 days from the effective date of this ORDER, the Insured Institution shall develop, adopt and implement effective training programs designed for the Board, management and staff and their specific compliance responsibilities on all relevant aspects of laws, regulations, and Insured Institution policies, procedures and processes relating to the BSA and the OFAC Provisions (“Training Program”). The Training Program shall ensure that all appropriate personnel are aware of, and can comply with, the requirements of both the BSA and OFAC Provisions on an ongoing basis. The Training Program shall include:

 

(a)  an overview of BSA and OFAC Provisions for new staff along with specific risk-based training designed for their specific duties and responsibilities upon hiring;

 

 

- 17 -

 

(b)  training on the Insured Institution’s BSA/AML policies, procedures and processes along with new rules and requirements as they arise for appropriate personnel designed to address their specific duties and responsibilities;

 

(c)  training on the Insured Institution’s OFAC policies, procedures and processes along with new rules and requirements as they arise for appropriate personnel designed to address their specific duties and responsibilities;

 

(d)  a requirement that the Board fully document the training of each employee with respect to both the BSA/AML and OFAC policies, procedures and processes, including the designated BSA and OFAC Compliance Officer(s); and

 

(e)  a requirement that training in these areas be conducted no less frequently than annually.

 

 

7.     (a) Within 180 days from the effective date of this ORDER, the Insured Institution shall amend its policies, procedures, and processes with regard to its internal audit function (“Audit Function”) so that the Insured Institution reviews, at least on annual basis, compliance with both the BSA and OFAC Provisions as part of its routine internal audit function.

 

(b)  The amended and enhanced Audit Function shall establish an internal audit plan to include a review of the Insured Institution’s branch operations.

 

 

- 18 -

 

(c)  The Insured Institution shall ensure that its Audit Function is managed by a qualified officer who is supported by adequate staffing levels and resources.

 

(d)  The Insured Institution's internal Audit Function shall provide for written reports which document the testing results and recommendations for improvement and provides for monitoring and follow-up of audit exceptions. Such reports shall be provided directly to the Audit Committee of the Insured Institution’s Board on a timely basis.

 

8.  Beginning on the effective date of this ORDER, the Insured Institution shall provide periodic reports to the Audit Committee of the Insured Institution’s Board setting forth any law enforcement inquiry that relates in any way to the BSA or OFAC Provisions, any criminal subpoena received by the Insured Institution and any action taken or response provided with respect to such inquiry or subpoena.

 

 

9.  (a)Within 20 days from the effective date of this ORDER, the Insured Institution shall engage a qualified independent consultant("Consultant") acceptable to the Regional Director of the FDIC’s New York Regional Office (“Regional Director”) to conduct a review of account and transaction activity for the time period beginning September 1, 2006 through the effective date of this ORDER to determine whether suspicious activity involving any accounts or transactions at, by, or through the Insured Institution was properly identified and reported in accordance with the applicable suspicious activity reporting requirements (“SAR Review"). Within 10 days of the engagement of the Consultant, but prior to the commencement of the SAR Review, the Insured Institution shall submit to the Regional Director for approval or non-objection an engagement letter that sets forth:

 

 

- 19 -

 

(i)

the scope of the SAR Review, including the types of accounts and transactions to be reviewed, which shall, at a minimum, include cash intensive business accounts, customers with high, frequent or international wire transactions and customers with financial transactions in locations linked to terrorist, drug trafficking or money laundering, including, but not limited to, the transactions or accounts identified in the ROE as requiring additional investigation by the Insured Institution;

(ii)	the methodology for conducting the SAR Review, including any sampling procedures to be followed; and

(iii)

the expertise and resources to be dedicated to the SAR Review.

 

 

- 20 -

 

(b) Within 120 days from the effective date of this ORDER, the SAR Review shall be completed and the Consultant shall be required to provide a copy of its report detailing its findings to the Regional Director at the same time the report is provided to the Insured Institution.

 

(c)  Within 30 days of its receipt of the SAR Review, the Insured Institution shall ensure that all matters or transactions required to be reported, that have not previously been reported, are reported in accordance with applicable laws and regulations and submit copies of any additional SARs filed to the Regional Director.

 

(d)  The Regional Director may, in her sole discretion, require the Insured Institution to expand the time period of the SAR Review conducted pursuant to this Paragraph 9 to include the period January 1, 2006 through August 31, 2006. Such additional SAR Review shall be commenced by the Consultant within 20 days of the Insured Institution’s receipt of written notice from the Regional Director and shall be completed within 120 days of such written notice. A copy of this expanded SAR Review shall be provided to the Regional Director at the same time the expanded SAR Review is provided to the Insured Institution and any additional matters or transactions required to be reported shall be reported in accordance with applicable laws and regulations. Copies of any additional SARs filed shall be submitted to the Regional Director.

 

 

- 21 -

 

 

10.  Following the effective date of this ORDER, the Insured Institution shall send to its parent holding company the ORDER or otherwise furnish a description of this ORDER in conjunction with the Insured Institution's next communication with such parent holding company. The description shall fully describe the ORDER in all material respects.

 

 

11.  (a) Within 30 days from the effective date of this ORDER, the Insured Institution’s Board shall appoint a committee ("Compliance Committee") composed of at least three directors who are not now, and have never been, involved in the daily operations of the Insured Institution, and whose composition is acceptable to the Regional Director, to monitor the Insured Institution's compliance with this ORDER.

 

(b) Within 30 days of the acceptance or non-objection to the composition of the Compliance Committee by the Regional Director, and at monthly intervals thereafter, such Compliance Committee shall prepare and present to the Insured Institution's Board a written report of its findings, detailing the form, content, and manner of any action taken to ensure compliance with this ORDER and the results thereof, and any recommendations with respect to such compliance. Such progress reports shall be included in the minutes of the Insured Institution's Board meetings. Nothing contained herein shall diminish the responsibility of the entire Board to ensure compliance with the provisions of this ORDER.

 

 

- 22 -

 

 

12.  By the 30^th day after the end of the calendar quarter following the effective date of this ORDER, and by the 15^th day after the end of every calendar quarter thereafter while this ORDER is in effect, the Insured Institution shall furnish written progress reports to the Regional Director detailing the form, content, and manner of any actions taken to secure compliance with this ORDER, and the results thereof. The Insured Institution shall continue to submit the quarterly progress reports until written notice from the Regional Director.

 

 

13.  It is expressly and clearly understood that if, at any time, the Regional Director shall deem it appropriate in fulfilling the responsibilities placed upon him or her under applicable law to undertake any further action affecting the Insured Institution, nothing in this ORDER shall in any way inhibit, estop, bar or otherwise prevent him or her from doing so, including, but not limited to, the imposition of civil money penalties.

 

14.  It is expressly and clearly understood that nothing herein shall preclude any proceedings brought by the Regional Director to enforce the terms of this ORDER, and that nothing herein constitutes, nor shall the Insured Institution contend that it constitutes, a waiver of any right, power, or authority of any other representatives of the United States or agencies thereof, Department of Justice or any other representatives of the Commonwealth of Puerto Rico or any other agencies thereof, including any prosecutorial agency, to bring other actions deemed appropriate.

 

 

- 23 -

 

 

15.  The effective date of this ORDER shall be immediately upon the date of issuance.

 

16.  The provisions of this ORDER shall be binding upon the Insured Institution, its directors, officers, employees, agents, successors, assigns, and other institution-affiliated parties of the Insured Institution.

 

17.  The provisions of this ORDER shall remain effective and enforceable except to the extent that, and until such time as, any provisions of this ORDER shall have been modified, terminated, suspended, or set aside in writing by the FDIC.

 

Pursuant to delegated authority.

Dated: March 15, 2007

		/s/ Doreen R. Eberley
		Doreen R. Eberley
		Regional Director