Exhibit 10.2
UNITED STATES OF AMERICA
DEPARTMENT OF THE TREASURY
COMPTROLLER OF THE CURRENCY
In the Matter of:
Flagstar Bank, FSB
Troy, Michigan
CONSENT ORDER
The Comptroller of the Currency of the United States of America (Comptroller or OCC), through his authorized representatives, has supervisory authority over Flagstar Bank, FSB, Troy, Michigan (Bank).
The Bank, by and through its duly elected and acting Board of Directors (Board), has executed a Stipulation and Consent to the Issuance of a Consent Order, dated October 23, 2012, that is accepted by the Comptroller. By this Stipulation and Consent, which is incorporated by reference, the Bank has consented to the issuance of this Consent Order (Order) by the Comptroller.
Pursuant to the authority vested in it by the Federal Deposit Insurance Act, as amended, 12 U.S.C. § 1818, the Comptroller hereby orders that:
ARTICLE I
COMPLIANCE COMMITTEE
(1) Within thirty (30) days of the date of this Order, the Board shall re-designate its Regulatory Oversight Committee as its Compliance Committee, which Committee shall consist of at least three (3) outside directors, of which no more than two (2) shall be an employee or controlling shareholder of the Bank or any of its affiliates (as the term affiliate is defined in 12 U.S.C. § 371c(b)(1)), or a family member of any such person. Upon appointment, the names of the members of the Compliance Committee and, in the event of a change of the membership, the name of any new member shall be submitted in writing to the Assistant Deputy Comptroller. The Compliance Committee shall be responsible for monitoring and coordinating the Bank's adherence to the provisions of this Order.
(2) The Compliance Committee shall meet at least monthly.
(3) Beginning with the quarter ending December 31, 2012, the Compliance Committee shall submit a quarterly written progress report to the Board within sixty (60) days of the quarter end setting forth in detail:
(a) a description of the action needed to achieve full compliance with each Article of this Order;
(b) actions taken to comply with each Article of this Order; and
(c) the results and status of those actions.
(4) The Board shall forward a copy of the Compliance Committee's report, with any additional comments by the Board, to the Assistant Deputy Comptroller within ten (10) days of receiving such report.
ARTICLE II
CAPITAL PLAN
(1) Within one hundred twenty (120) days of the date of this Order, and at least annually thereafter, the Board shall review and revise the Bank's written capital plan dated August 28, 2012 (Capital Plan) to cover at least the next three (3) years. The capital planning process shall be consistent with OCC Bulletin 2012-16, dated June 7, 2012 (Guidance for Evaluating Capital Planning and Adequacy), and shall ensure the integrity, objectivity, and consistency of the process through adequate governance. The Board shall submit all updated Capital Plans to the Assistant Deputy Comptroller for written determination of no supervisory objection. After the Bank receives a written determination of no supervisory objection, the Board shall adopt, implement, and thereafter ensure Bank adherence to the updated Capital Plan.
(2) The Capital Plan shall establish projections for the Bank's overall risk profile, earnings performance, growth expectations, balance sheet mix, off-balance sheet activities, liability and funding structure, and capital and liquidity adequacy that the Bank intends to achieve, and at a minimum, address or include:
(a) the maintenance of adequate capital, which shall in no event be less than the capital levels that are set forth in the Board's Capital Plan, or an updated Capital Plan that has received a written determination of no supervisory objection from the Assistant Deputy Comptroller;
(b) specific actions to monitor, control and reduce, where appropriate, significant areas of risk, including asset, liability, and revenue concentrations;
(c) a requirement that the Bank obtain a prior written determination of no supervisory objection from the Assistant Deputy Comptroller before offering or introducing new products or services, or entering new market segments;
(d) projections of the sources and timing of additional capital to meet the Bank's current and future needs;
(e) a contingency capital funding plan in accordance with paragraph (3) of this Article that forecasts capital needs and capital sources under various potential capital stress scenarios, including:
(i) a description of each potential capital stress scenario;
(ii) the projected effect of each potential capital stress scenario on the Bank's capital adequacy and ability to maintain adequate capital as prescribed in the Board's approved Capital Plan; and
(iii) action plans on how management will address each potential capital stress scenario.
(3) The Capital Plan shall establish a contingency capital funding process and plan that identifies alternative capital sources should the primary source(s) not be available. At a minimum, the contingency capital funding process and plan shall address or identify:
(a) the amount needed to maintain capital adequacy;
(b) timing of needed capital;
(c) contingent sources and form of capital ranked by preference; and
(d) financial analysis of the parent company's ability and willingness to inject needed capital.
(4) The Bank may pay a dividend or make a capital distribution only when the following conditions are met:
(a) the Bank is in compliance with its approved Capital Plan and will remain in compliance with the Capital Plan immediately after making the dividend or capital distribution; and
(b) following OCC approval in accordance with 12 C.F.R. Part 163, Subpart E.
ARTICLE III
ALLOWANCE FOR LOAN AND LEASE LOSSES AND
REPRESENTATION AND WARRANTY RESERVE
(1) Within ninety (90) days of the date of this Order, the Board shall adopt written policies and procedures for maintaining adequate Allowance for Loan and Lease Losses (ALLL) in accordance with U.S. generally accepted accounting principles (GAAP). The ALLL policies and procedures shall be consistent with the guidance set forth in OCC Bulletin 2006-47, dated December 13, 2006 (Guidance and Frequently Asked Questions on the ALLL) (Interagency Statement) and shall at a minimum include:
(a) procedures for determining whether a loan is impaired and measuring the amount of impairment, consistent with GAAP (including FASB ASC 310-10, Receivables Overall Subsequent Measurement Impairment);
(b) procedures for segmenting the loan portfolio and estimating loss or groups of loans that are consistent with GAAP (including FASB ASC 450-20, Loss Contingencies). These procedures shall require the Bank to document and fully support its estimation of credit losses and its analysis of the nine qualitative factors set forth in the Interagency Statement;
(c) procedures for validating the ALLL methodology; and
(d) a process for summarizing and documenting, for the Board's prior review and approval, the amount to be reported in the Consolidated Reports of Condition and Income (Call Reports) for the ALLL.
(2) The policies and procedures shall provide for a review of the ALLL by the Board at least once each calendar quarter. Any deficiency in the ALLL shall be remedied in the quarter it is discovered, prior to the filing of the Call Report, by additional provisions from earnings. Written documentation shall be maintained indicating the factors considered and conclusions reached by the Board in determining the adequacy of the ALLL.
(3) Within ninety (90) days of the date of this Order, the Board shall adopt written policies and procedures for maintaining adequate representation and warranty reserves in accordance with GAAP. The policies and procedures shall be consistent with FASB Interpretation Number 45 and shall at a minimum include:
(a) a methodology for calculating representation and warranty reserves based on expected charges from indemnification payments and loan repurchases;
(b) processes to address loan repurchases in the pipeline, expected demand for repurchases, and the impact of loan performance on repurchase activity; and
(c) procedures for validating the methodology.
(4) Upon adoption, the Board shall submit a copy of both the ALLL and representation and warranty reserve policies and procedures required by this Article, or any subsequent amendments or changes to those policies and procedures, to the Assistant Deputy Comptroller for determination of no supervisory objection. Upon receiving a determination of no supervisory objection from the Assistant Deputy Comptroller, the Bank shall implement and thereafter ensure Bank adherence to the programs.
ARTICLE IV
LIQUIDITY
(1) Within sixty (60) days of the date of this Order, the Board shall adopt a comprehensive written liquidity risk management policy that systematically requires the Bank to reduce liquidity risk and is consistent with OCC Bulletin 2010-13, dated March 22, 2010 (Interagency Policy Statement on Funding and Liquidity Risk Management). The Bank's policy shall address, at a minimum, the following requirements:
(a) a statement of the Board's overall funds management strategy;
(b) consideration of the liquidity, maturity, and pledging status of the investment portfolio;
(c) limits on concentration of funding sources, with particular emphasis on non-core liabilities such as borrowings, escrow deposits held on behalf of others, public funds, Internet deposits, deposits obtained through the Certificate of Deposit Account Registry Service (CDARS), and other brokered deposits;
(d) procedures for Board approval of funding concentrations above the Board-established limits;
(e) development of a contingency funding plan that, among other things, addresses ways to improve the Bank's liquidity position and maintain adequate sources of stable funding given the Bank's anticipated liquidity and funding needs under various stress scenarios, including events leading to temporary, as well as intermediate or longer-term funding disruptions. The Bank shall update the contingency funding plan at least quarterly.
(f) procedures for periodic testing of unused sources of liquidity and periodic review of the Bank's adherence to the policy adopted pursuant to this Article; and
(g) adequate management reports that enable the Board and management to monitor the Bank's liquidity position on an ongoing basis and maintain liquidity at an adequate level. The reports shall include:
(i) cash flow gaps;
(ii) cash flow projections, including a statement of critical assumptions used in the projections;
(iii) rollover risk;
(iv) asset and funding concentrations;
(v) key early warning or risk indicators;
(vi) funding availability;
(vii) the status of contingent funding sources; and
(viii) collateral usage.
(2) A copy of the policy, or any subsequent amendments or changes to the policy, shall be forwarded to the Assistant Deputy Comptroller for review and determination of no supervisory objection. Upon receiving a determination of no supervisory objection from the Assistant Deputy Comptroller, the Board shall implement and thereafter ensure Bank adherence to the policy.
ARTICLE V
INTERNAL AUDIT
(1) Within sixty (60) days of the date of this Order, the Board shall adopt, implement, and thereafter ensure Bank adherence to an independent, internal audit program covering all areas of the Bank, sufficient to:
(a) detect irregularities and weak practices in the Bank's operations;
(b) determine the Bank's level of compliance with all applicable laws, rules and regulations;
(c) assess and report the effectiveness of policies, procedures, controls, and management oversight relating to accounting and financial reporting;
(d) evaluate the Bank's adherence to established policies and procedures; and
(e) establish an annual audit plan using a risk-based approach sufficient to achieve these objectives.
(2) As part of this audit program, the Board shall evaluate the audit reports of any party providing internal audit services to the Bank, and shall assess the impact on the Bank of any audit deficiencies cited in such reports.
(3) The Board shall ensure that the audit program is independent. The persons responsible for implementing the internal audit program described above shall report directly to the Board or a designated committee of the Board, which shall have the sole power to direct their activities. All reports prepared by the audit staff shall be filed directly with the Board or its designated committee and not through any intervening party, including an individual director.
(4) All audit reports shall be in writing and shall include the root causes of any identified significant deficiencies. Management shall identify and implement appropriate actions to remedy deficiencies identified in audit reports, and the Board shall ensure that management has taken appropriate actions. The Bank shall maintain a written record describing these actions.
(5) The audit staff shall have access to any records necessary for the proper conduct of its activities. The OCC shall have access to all reports and work papers of the audit staff and any other parties working on the Bank's behalf.
ARTICLE VI
ENTERPRISE RISK MANAGEMENT
(1) Within ninety (90) days of the date of this Order, the Board shall develop and adopt a written enterprise risk management program consistent with the Bank Supervision Process booklet of the Comptroller's Handbook that is designed to ensure that the Bank effectively identifies, monitors, and controls its enterprise-wide risks, including developing risk limits for each line of business. The program shall include, at a minimum:
(a) a statement from the Board communicating its underlying values, principles, and risk tolerances;
(b) identification of existing credit, interest rate, liquidity, operational, compliance, strategic, reputation, and price risks, and a written analysis of those risks;
(c) action plans and time frames to reduce risk where exposure is high, as fully discussed in the Report of Examination dated October 3, 2011 (ROE);
(d) policies, procedures or standards which limit the degree of risk the Board is willing to incur, consistent with the Bank's business plan and financial condition, including analyzing and limiting the risks associated with any new lines of business which the Board undertakes (these procedures shall ensure that strategic direction and risk tolerances are effectively communicated and followed throughout the Bank and shall describe the actions to be taken where noncompliance with risk policies is identified);
(e) systems to measure and control risks within the Bank that provide timely and accurate risk reports by customer, by department or division, and Bank-wide as appropriate;
(f) procedures to ensure that Bank employees have the necessary skills to supervise effectively the current and the new business risks within the Bank, and procedures to describe the actions to be taken to address deficiencies in staff levels and skills; and
(g) procedures for stress testing, including procedures for stress testing various business variables that affect risk to capital and liquidity.
(2) A copy of the program, or any subsequent amendments or changes to that program, shall be forwarded to the Assistant Deputy Comptroller for a determination of no supervisory objection. Upon receiving a determination of no supervisory objection from the Assistant Deputy Comptroller, the Board shall promptly implement and thereafter ensure Bank adherence to the program.
ARTICLE VII
INTERNAL LOAN REVIEW
(1) Within ninety (90) days of the date of this Order, the Board shall adopt, implement, and thereafter ensure Bank adherence to an independent, ongoing loan review system to review the Bank's loan and lease portfolios. The system shall provide for a written report to be filed with the Board after each review and shall use a loan and lease risk grading system consistent with the guidelines set forth in Rating Credit Risk booklet of the Comptroller's Handbook, dated April 2001, OCC Bulletin 2006-47, dated December 13, 2006 (ALLL Interagency Policy Statement), and 12 C.F.R. § 160.160. Such reports shall include, at a minimum, conclusions regarding:
(a) the overall quality of the loan and lease portfolios;
(b) the identification, type, rating, and amount of problem loans and leases;
(c) an assessment of the accuracy of internal loan gradings;
(d) the identification and amount of delinquent loans and leases;
(e) credit and collateral documentation exceptions;
(f) the identification and status of credit related violations of law, rule or regulation;
(g) the identity of the loan officer who originated each loan reported in accordance with subparagraphs (b) through (f) of this Article;
(h) compliance with accounting requirements, including impairment analysis, troubled debt restructure recognition, and accrual determinations;
(i) concentrations of credit; and
(j) loans and leases not in conformance with the Bank's lending and leasing policies, and exceptions to the Bank's lending and leasing policies.
(2) The Board shall evaluate the internal loan and lease review report(s) and shall ensure that immediate, adequate, and continuing remedial action, if appropriate, is taken upon all findings noted in the report(s).
The loan review staff shall have access to any records necessary for proper conduct of its activities. The OCC shall have access to all reports and work papers of the loan review staff and any other parties working on its behalf.
ARTICLE VIII
CONCENTRATIONS
(1) Within ninety (90) days of the date of this Order, the Board shall establish and adopt written policies and procedures designed to identify, measure, monitor, and control concentrations consistent with the Concentrations of Credit booklet of the Comptroller's Handbook, as revised December 2011, and OCC Bulletin 2011-48, dated December 13, 2011 (Concentrations of Credit). The policies and procedures shall include, but not be limited to, the following:
(a) identification of the Bank's known and potential asset, liability, and revenue concentrations, including but not limited to, the Bank's concentrations identified in the ROE;
(b) analysis of the risk that the Bank's known and potential concentrations pose to the Bank's earnings, capital, and operating strategy under stressed market conditions, economic downturns, and periods of general market illiquidity as well as normal market conditions;
(c) establishment of specific limits by total committed exposure for each of the Bank's known and potential concentrations relative to capital, based on the analysis performed under subparagraphs 1(b) of this Article;
(d) development and implementation of action plans approved by the Board to reduce the risk of any concentration that exceeds the limitations established pursuant to subparagraph 1(c) of this Article; and
(e) management information systems designed to ensure timely and accurate reporting of concentrations to the Board.
(2) The Board shall ensure that all concentrations are subjected to the analysis required by subparagraph 1(b) of this Article at least annually, and, if that analysis demonstrates that the concentration subjects the Bank to undue risk, the Board shall take immediate steps to mitigate such risk.
(3) A copy of the policies and procedures, or any subsequent amendments or changes to the policies and procedures, shall be forwarded to the Assistant Deputy Comptroller for review and determination of no supervisory objection. Upon receiving a determination of no supervisory objection from the Assistant Deputy Comptroller, the Board shall implement and thereafter ensure Bank adherence to the policies and procedures.
ARTICLE IX
BANK SECRECY ACT RISK ASSESSMENT
(1) Within ninety (90) days of the date of this Order, the Board shall review, revise, and thereafter ensure Bank adherence to the Bank's written, Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Risk Assessment first approved by the Board on May 17, 2012 to ensure BSA/AML risks posed to the Bank are accurately identified after consideration of all pertinent information (Risk Assessment). The Risk Assessment shall reflect a comprehensive analysis of the Bank's vulnerabilities to money laundering and financial crimes activity and provide strategies to control risk and limit any identified vulnerabilities. The Risk Assessment methodology shall follow the risk assessment expectations and logic set forth in the FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual (dated April 29, 2010) (FFIEC BSA/AML Examination Manual) and shall, at a minimum, include:
(a) the identification of all operations and activities that pose BSA/AML risk to the Bank, including, but not limited to products, services, customers, entities, transactions, countries or geographic locations, and methods that the Bank uses to interact with its customers (collectively, specific risk categories);
(b) a detailed analysis of all pertinent data obtained regarding the specific risk categories, including but not limited to volumes and types of transactions and services by country or geographic location and numbers of high-risk customers (by type of risk and by geographic location) to allow the Bank to review, establish, and implement appropriate policies, processes, and procedures to monitor and mitigate the Bank's BSA/AML risks within those risk categories. This analysis shall include an evaluation of all relevant information obtained through the Bank's Customer Identification Program and Customer Due Diligence Program (CDD);
(c) an assessment of BSA/AML risk within each of the Bank's business lines and on a consolidated basis across all Bank activities and product lines;
(d) a provision requiring that the Bank update the Risk Assessment at least every twelve (12) months to identify and respond to changes in the Bank's risk profile (such as new products or services, changes in existing products or services, opening or closing of high-risk customers' accounts, or Bank expansion through growth of existing business lines, strategic initiatives, mergers or acquisitions);
(e) a provision requiring maintenance of appropriate documentation, including CDD information, so as to be able to support the Risk Assessment's conclusions; and
(f) a provision requiring testing to confirm the reasonableness of the Risk Assessment. Test results shall be documented in writing and maintained in the Bank's records.
ARTICLE X
BANK SECRECY ACT PROGRAM AND INTERNAL CONTROLS
(1) Within ninety (90) days of the date of this Order, the Board shall review, revise, and thereafter ensure Bank adherence to the written program of policies and procedures first approved by the Board on May 17, 2012 to provide for compliance with the BSA, as amended (31 U.S.C. §§ 5311 et seq.), the regulations promulgated thereunder at 31 C.F.R. Part 103, as amended, 12 C.F.R. §§ 163.177 and 163.180, and the rules and regulations of the Office of Foreign Assets Control (OFAC) (collectively referred to as the Bank Secrecy Act or BSA). At all times, the written BSA program shall include the following:
(a) enhanced policies and procedures for timely identification and monitoring of transactions that pose greater than normal risk for compliance with the BSA;
(b) enhanced policies and procedures for timely investigation and resolution of transactions that have been identified as posing greater than normal risk for compliance with the BSA;
(c) enhanced policies and procedures for recording, maintaining, and recalling information about transactions that pose greater than normal risk for compliance with the BSA;
(d) operating procedures for both the opening of new accounts and the monitoring of existing accounts, including collecting customers' identifying information, verifying customers' identification, maintaining identification records, and determining whether customers appear on any list of suspected terrorists or terrorist organizations; and
(e) procedures for identification of varying risk factors and characteristics among those customers identified as high-risk.
(2) The BSA program shall include policies and procedures for the Bank to produce and aggregate periodic reports designed to identify, monitor, and evaluate unusual or suspicious activity, including patterns of unusual or suspicious activity on a consolidated basis, and to maintain accurate information needed to produce these reports, to include at a minimum:
(a) daily, weekly, and monthly reports to identify transactions that pose a greater than normal risk for compliance with BSA;
(b) periodic reports of all high-risk accounts that are newly-established, renewed, or modified; and
(c) other periodic reports deemed necessary or appropriate by the BSA Officer or the Bank.
(3) The BSA program shall include policies and procedures to provide for the application of appropriate thresholds for monitoring, both manual and automated systems, all types of transactions, accounts, customers, products, services, and geographic areas that pose greater than normal risk for compliance with the BSA. At a minimum, these policies and procedures shall establish:
(a) meaningful thresholds for filtering accounts and customers for further monitoring, review, and analyses; and
(b) periodic testing and monitoring of thresholds for their appropriateness to the Bank's customer base, products, services, and geographic area, including maintenance of documentation supporting the Bank's methodology establishing and developing the testing thresholds.
(4) The BSA program shall include expanded account-opening procedures for all accounts that pose greater than normal risk for compliance with the BSA by requiring:
(a) identification of all account owners and beneficial owners in compliance with applicable rules, regulations, and regulatory guidance;
(b) documentation for all deposit account customers that pose greater than normal risk for compliance with the BSA consistent with that required by the FFIEC BSA/AML Examination Manual addressing enhanced due diligence for higher risk customers; and
(c) any other due diligence required by this Order, the BSA Officer, or the Bank.
(5) The Bank shall obtain the information required in the preceding paragraph (4) of this Article before renewing or modifying an existing customer's account within the scope of the preceding paragraph (4).
(6) Within ninety (90) days of the date of this Order, the Board shall update the status of its plan and timeline for the implementation of enhanced BSA/AML internal controls, including an enhanced transaction monitoring and suspicious activity identification system. The plan shall include:
(a) enhanced automated and manual methods of transaction monitoring for identifying suspicious and unusual activity;
(b) enhanced standards for review of customer activity, such as the use of customer profiles, CDD, and customer risk ratings;
(c) enhanced documentation standards for customer and transaction reviews, and investigations; and
(d) an enhanced high-risk country identification methodology.
(7) A copy of the plan and timeline, or any subsequent amendments or changes to the plan and timeline, shall be forwarded to the Assistant Deputy Comptroller for review and determination of no supervisory objection. Upon receiving a determination of no supervisory objection from the Assistant Deputy Comptroller, the Board shall implement and thereafter ensure Bank adherence to the plan and timeline.
ARTICLE XI
BANK SECRECY ACT CUSTOMER DUE DILIGENCE
(1) Within ninety (90) days of the date of this Order, the Board shall review, revise and thereafter ensure Bank adherence to its risk-based processes to obtain and analyze appropriate CDD information at the time of account opening and on an ongoing basis, and effectively use this information to monitor for, and investigate, suspicious or unusual activity. The revised risk-based CDD processes shall include:
(a) risk-based policy requirements regarding the identification of customers and the scope of due diligence information to be collected and documented;
(b) for high-risk accounts, a requirement that Bank management shall conduct and document its analyses of enhanced due diligence gathered to facilitate ongoing monitoring efforts, including expectations for customer activities that are supported and periodically reviewed for reasonableness, are used as part of the ongoing monitoring process, and are adequately documented;
(c) updates to CDD to reflect changes in customers' behavior, activity profile, derogatory information, periodic reviews of the customer relationship, or other factors that impact AML risk;
(d) periodic evaluations of employee knowledge of, and adherence to, Bank policies and procedures for identifying customers and for gathering, analyzing, and documenting due diligence in order to determine whether additional or enhanced training should be conducted; and
(e) procedures to address cases where there is ongoing suspicious activity to ensure appropriate management review and determination of whether the customer relationship should be continued.
ARTICLE XII
BANK SECRECY ACT INDEPENDENT TESTING
(1) Within ninety (90) days of the date of this Order, the Board shall review, revise, and thereafter ensure Bank adherence to its BSA independent testing program (whether performed by the audit staff not directly involved with BSA activities at the Bank or an independent third party). The revised program shall include appropriate scope, depth, timing, reporting, and documentation. At a minimum, the revised independent testing program shall include:
(a) evaluation of the overall adequacy and effectiveness of the BSA/AML compliance program, including policies, procedures, processes, and internal controls;
(b) review and evaluation of the BSA/AML risk assessment for reasonableness given the Bank's risk profile (products, services, customers, entities, and geographic locations);
(c) appropriate risk-based transaction testing to verify the Bank's adherence to BSA recordkeeping and reporting requirements;
(d) review of staff training for adequacy, accuracy, and completeness;
(e) review and evaluation of the effectiveness of the suspicious activity monitoring systems (automated, manual, or combination) used for BSA/AML compliance; and
(f) assessment of the process for identifying and reporting suspicious activity, including the accuracy, timeliness, completeness, and effectiveness of Suspicious Activity Reporting forms.
(2) Within thirty (30) days of receiving an independent audit report pursuant to this Article, the Board, or a designated committee of the Board, shall evaluate the reports of any party providing independent testing services to the Bank, shall assess the impact on the Bank of any deficiencies cited in such reports, and shall remedy or develop a plan to remedy any deficiencies identified. The Bank shall maintain a written record describing action taken pursuant to this Article.
(3) Within thirty (30) days of completion, the Board, or a designated committee of the Board, shall submit all finalized independent audit reports prepared in accordance with this Article to the Assistant Deputy Comptroller.
ARTICLE XIII
COMPLIANCE MANAGEMENT
(1) Within ninety (90) days of the date of this Order, the Board shall adopt, implement and thereafter ensure Bank adherence to a written program to improve the Bank's compliance management process. The program shall include, at a minimum:
(a) a requirement that, at all times, a qualified individual will serve as the Bank's compliance officer. This individual shall be responsible for the supervision and administration of the Bank's compliance management program and provide effective compliance oversight for all areas of the Bank;
(b) a requirement that the compliance department has sufficient staffing, including subject matter experts, to maintain the program and assist the compliance officer in providing sufficient oversight for all areas of the Bank;
(c) clear reporting lines and responsibilities for compliance staff and management;
(d) sufficient compliance policies and procedures throughout the Bank to provide standards and guidance for all business lines;
(e) processes for updating compliance policies and procedures to address changes in applicable laws and regulations;
(f) a sufficient compliance risk assessment process that includes qualitative and quantitative factors for measuring risk;
(g) an effective monitoring and testing or quality assurance process to provide for ongoing assessment of compliance efforts between audits;
(h) a customer complaint tracking and resolution process; and
(i) the development and implementation of a bank-wide compliance training program that includes an ongoing evaluation of training needs, assesses the adequacy of training performed, identifies training gaps, and tracks training completed.
(2) A copy of the program, or any subsequent amendments or changes to the program, shall be forwarded to the Assistant Deputy Comptroller for review and determination of no supervisory objection. Upon receiving a determination of no supervisory objection from the Assistant Deputy Comptroller, the Board shall implement and thereafter ensure adherence to the program.
ARTICLE XIV
FLOOD INSURANCE
(1) Within sixty (60) days of the date of this Order, the Board shall adopt, implement, and thereafter ensure Bank adherence to written Flood Disaster Protection Act (42 U.S.C. § 4002 and 12 C.F.R. § 172) policies and procedures detailing a coordinated program to ensure Bank compliance with laws and regulations. At a minimum, the program shall include:
(a) a policy addressing major provisions of the Flood Disaster Protection Act (FDPA), staff roles and responsibilities, internal controls, review processes, and internal testing expectations;
(b) written FDPA procedures for all applicable business lines covering, at a minimum, the following:
(i) flood hazard zone determinations;
(ii) flood zone discrepancy resolution processes;
(iii) notices to borrowers requiring purchase of flood insurance;
(iv) flood insurance coverage calculation methodologies, including methodologies for multiple properties or multiple buildings on a property;
(v) the implementation of flood calculation worksheets to document flood calculations;
(vi) life of loan monitoring to ensure adequate flood insurance coverage; and
(vii) force placement of flood insurance, including customer notifications;
(c) pre-closing flood compliance verification reviews for Bank generated loans as well as loans generated from third parties; and
(d) development and appointment of a FDPA subject matter expert responsible for administering the Bank's FDPA compliance program.
(2) Within sixty (60) days of the date of this Order, the Board shall adopt, implement, and thereafter ensure Bank adherence to a comprehensive FDPA training program for all applicable lending staff to ensure awareness of their responsibility for compliance with the requirements of the FDPA. This comprehensive training program shall include strategies for mandatory attendance, the frequency of training, processes to ensure the training remains current, and the method for delivering training. Documentation of training shall be maintained in the Bank's records.
ARTICLE XV
INFORMATION TECHNOLOGY
(1) Within one hundred eighty (180) days of the date of this Order, the Board shall adopt a comprehensive, written business continuity plan (BCP). The BCP shall be consistent with guidance communicated in the Business Continuity Planning booklet of the FFIEC Information Technology Examination Handbook. At a minimum, the BCP shall include:
(a) a business impact analysis that includes:
(i) the identification of the potential impact of uncontrolled, non-specific events on the institution's business processes and its customers; and
(ii) an estimation of the maximum allowable downtime and acceptable levels of data, operations, and financial losses.
(b) a risk assessment process that includes:
(i) the prioritization of potential business disruptions based upon severity and likelihood of occurrence;
(ii) a gap analysis comparing the institution's existing business resumption plans, if any, to what is necessary to achieve recovery time and point objectives; and
(iii) an analysis of threats based upon the impact on the institution, its customers, and the financial markets, not just the nature of the threat.
(c) a risk monitoring process that includes:
(i) testing of the BCP on at least an annual basis;
(ii) independent audit and review of the BCP; and
(iii) updating the BCP based upon changes to personnel and the internal and external environments.
(2) A copy of the BCP, or any subsequent amendments or changes to the BCP, shall be forwarded to the Assistant Deputy Comptroller for review and determination of no supervisory objection. Upon receiving a determination of no supervisory objection from the Assistant Deputy Comptroller, the Board shall implement and thereafter ensure Bank adherence to the BCP.
ARTICLE XVI
CLOSING
(1) Although the Board is by this Order required to submit certain proposed actions and programs for the review or prior written determination of no supervisory objection of the Assistant Deputy Comptroller, the Board has the ultimate responsibility for proper and sound management of the Bank.
(2) It is expressly and clearly understood that if, at any time, the Comptroller deems it appropriate in fulfilling the responsibilities placed upon it by the several laws of the United States of America to undertake any action affecting the Bank, nothing in this Order shall in any way inhibit, estop, bar or otherwise prevent the Comptroller from so doing.
(3) Any time limitations imposed by this Order shall begin to run from the effective date of this Order. Such time limitations may be extended in writing by the Assistant Deputy Comptroller for good cause upon written application by the Board.
(4) The provisions of this Order are effective upon issuance of this Order by the Comptroller, through his authorized representative whose hand appears below, and shall remain effective and enforceable, except to the extent that, and until such time as, any provisions of this Order shall have been amended, suspended, waived, or terminated in writing by the Comptroller.
(5) In each instance in this Order in which the Board is required to ensure adherence to, and undertake to perform certain obligations of the Bank, it is intended to mean that the Board shall:
(a) authorize and adopt such actions on behalf of the Bank as may be necessary for the Bank to perform its obligations and undertakings under the terms of this Order, including ensuring that the Bank has necessary processes, control systems, and staff (with respect to both the experience level and number of individuals employed, whether staffed internally by Bank personnel or outsourced to an independent third party and control systems);
(b) require the timely reporting by Bank management of such actions directed by the Board to be taken under the terms of this Order;
(c) follow-up on any non-compliance with such actions in a timely and appropriate manner; and
(d) require corrective action be taken in a timely manner of any non-compliance with such actions.
(6) This Order is intended to be, and shall be construed to be, a final order issued pursuant to 12 U.S.C. § 1818(b), and expressly does not form, and may not be construed to form, a contract binding on the Comptroller or the United States.
(7) The terms of this Order, including this paragraph, are not subject to amendment or modification by any extraneous expression, prior agreements or prior arrangements between the parties, whether oral or written.
(8) All submissions to the Assistant Deputy Comptroller required to be made pursuant to this Order shall be addressed to:
Joel Denkert
Assistant Deputy Comptroller
Office of the Comptroller of the Currency
1 South Wacker Drive, Suite 2000
Chicago, Illinois 60606
IT IS SO ORDERED, this 23 day of October, 2012.
/s/ William D. Haas
William D. Haas
Deputy Comptroller
Midsize Bank Supervision