MetaBank Order to Cease and Desist, dated July 15, 2011

	)
In the Matter of	)	Order No.: CN 11-25
	)
	)
METABANK	)	Effective Date: July 15, 2011
	)
	)
Storm Lake, Iowa	)
OTS Docket No. 05902	)
	)

WHEREAS, MetaBank, Storm Lake, Iowa, OTS Docket No. 05902 (Association), by and through its Board of Directors (Board), has executed a Stipulation and Consent to Issuance of an Order to Cease and Desist (Stipulation); and

WHEREAS, the Association, by executing the Stipulation, has consented and agreed to the issuance of this Order to Cease and Desist (Order) by the Office of Thrift Supervision (OTS) pursuant to 12 U.S.C. § 1818(b); and

WHEREAS, pursuant to delegated authority, the OTS Regional Director for the Central Region (Regional Director) is authorized to issue Orders to Cease and Desist where a savings association has consented to the issuance of an order; and

1.              The Association, its institution-affiliated parties,1 and its successors and assigns, shall cease and desist from any action (alone or with others) for or toward, causing, bringing about, participating in, counseling, or aiding and abetting violations of the following laws or regulations cited in the April 5, 2010 Report of Examination of the Association (2010 ROE) delivered to the Association on December 28, 2010:

(a)            12 C.F.R. § 563.177(c)(1) (requiring the development of a system of internal controls to assure ongoing compliance with Bank Secrecy Act and Anti Money Laundering (BSA/AML) regulations);

(b)            12 C.F.R. § 563.177(b)(2) (requiring the implementation of a customer identification program as part of the BSA compliance program);

(c)            15 U.S.C. § 45(a)(1) (prohibiting unfair or deceptive acts or practices); and

(d)            12 C.F.R. § 563.27 (prohibiting savings associations from using any advertising or making any representation that is inaccurate in any particular way or misrepresents in any way its services, contracts, investments, or financial condition).

2.              The Association, its institution-affiliated parties, and its successors and assigns, shall cease and desist from any action (alone or with others) for or toward, causing, bringing about, participating in, counseling, or aiding and abetting of the unsafe or unsound practices that resulted in the Association operating: (a) without adequate internal controls, management information systems, and internal audit reviews of its third party sponsorship arrangements; and (b) without adequate information technology (“IT”) policies and procedures as described in the 2010 ROE.

 

3.              By July 15, 2011, the Association shall submit a written plan (Remuneration Plan), acceptable to the Regional Director, to provide restitution to any iAdvance Line of Credit borrower affected by the Association’s failure to implement a recurring use plan (Borrowers). At a minimum, the Remuneration Plan shall:

(a)            identify the methodology and total dollar amount of restitution that Borrowers will receive;

(b)            require the Association to provide the Regional Director by August 31, 2011 with a list of Borrowers who shall receive restitution and shall specify the amount of restitution that each Borrower will receive (Borrower List);

(c)            require the Association to complete all requirements of the Remuneration Plan in accordance with the timetable set forth in the Remuneration Plan; and

(d)            require the submission of written progress reports to the Regional Director on a monthly basis that detail the actions taken and to be taken to comply with the Remuneration Plan.

4.              The Remuneration Plan and the Borrower List are both incorporated by reference into this Order. Accordingly, any violation of the Remuneration Plan is a violation of this Order.

5.              Effective immediately, the Association shall not, without the prior written approval of the Regional Director:

(a)            enter into any new third party relationship agreement or materially amend any such existing agreement concerning any credit product, deposit product (including

prepaid cards), or automatic teller machine, except for amendments to achieve compliance with applicable laws, regulations or regulatory guidance, including but not limited to Thrift Bulletin 82a;

(b) originate tax refund anticipation loans (RALs) directly or through any third party;

(c)            offer a tax refund transfer processing service directly or through any third party; or

(d)            offer or originate iAdvance lines of credit to new customers or permit draws on existing iAdvance lines of credit, either directly or through any third party;

until such time as the Association has completed the requirements of Paragraphs 6 through 23 and Paragraph 28 below. Before resuming any of the activities described in Subparagraphs (a) through (d) above, the Association shall submit a written request to the Regional Director containing the Association’s proposed strategic plan for the activity to be resumed and receive a written non-objection letter from the Regional Director.

6.              By July 15, 2011, the Association shall develop and submit to the Regional Director written due diligence, monitoring, training, and oversight procedures to ensure that its third party providers perform services and conduct activities on its behalf in a safe and sound manner, and in compliance with applicable laws and regulations. (Third Party Risk Management Program). The Association shall allocate resources to the Association’s Third Party Risk Management Program that are commensurate with the size and level of complexity of the Association’s current and projected operations. The Third Party Risk Management Program shall include, at a minimum:

(a)            on-going oversight of the third party's activities and performance, including the designation of an Association officer responsible for the administration and oversight of

third party relationships, and assignment of sufficient staff with the necessary expertise to:

(i)             monitor the third party's financial condition;

(ii)            monitor the third party's controls, including review of audit information, policies relating to IT internal controls and security, business resumption contingency planning and testing, and compliance with applicable state and federal laws and regulations;

(iii)           monitor key third party personnel changes and assess how such changes may impact the Association;

(iv)           review information documenting the third party's performance relative to service level agreements and determine whether contractual terms and conditions are being met, or whether any revisions to service-level agreements or other terms are needed;

(v)            document and follow-up on third party provider performance problems in a timely manner; and

(vi)           periodically meet with third party providers to discuss performance and operational issues;

(b)            documentation of the Association’s oversight of third party provider activities and performance including:

(i)             a list of third parties deemed material to the operation of the Association;

(ii)            maintenance of true, accurate, and complete contracts between the Association and its third party providers;

(iii)           business plans for new lines of business or products that identify management's planning process, decision making and due diligence in selecting a

third party provider;

(iv)           regular risk management and performance information received from the third party provider (e.g., external and internal audit information, security reviews, reports or information indicating compliance with service-level agreements); and

(v)            regular reports to the Board, or its delegated committee, of the results of the Association's ongoing oversight of its sponsorship activities;

(c)            development of management information systems that ensure each product offered and service performed by a third party provider on behalf of the Association is in compliance with all applicable federal and state laws, regulations, and regulatory guidance as well as applicable policies and procedures of the Association;

(d)            written policies and procedures governing the Association’s lending products, including subprime lending products, offered through third party providers to ensure that the Association’s lending is consistent with applicable state and federal laws, regulations, and regulatory guidance and includes, at a minimum:

(i)             comprehensive written underwriting standards for each type of sponsorship lending approved by the Board;

(ii)            a requirement that current and satisfactory credit information be obtained on each borrower prior to the granting of credit demonstrating the ability to repay;

(iii)           a requirement that the anticipated source of repayment for each borrower be documented in the loan file;

(iv)           establishment of reasonable, maximum debt (including any add-ons such as credit life, credit disability, force placed insurance and service contracts) to

income ratios;

(v)            establishment of reasonable loan maturity terms, amortization periods, and loan renewal policies;

(vi)           the identification and establishment of management information systems to monitor adherence to and exceptions from established policies, procedures, and underwriting standards for all loan originations by the Association through its sponsorship lending program, regardless of whether the loans or receivables are sold without recourse; and

(vii)          a documented methodology and analysis which supports the Association's quantification of the amount of capital necessary to offset the additional risk posed by the third party provider’s risk and the Association’s retained lending portfolio; and

(e)            a requirement that the Association’s outsourcing of IT services to third party providers be consistent with applicable laws, regulations, and regulatory guidance, including the following booklets of the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook: Outsourcing Technology Services, Supervision of Technology Service Providers, Information Security, Business Continuity Planning, Wholesale Payment Systems, and Retail Payment Systems.

7.              Upon written notification from the Regional Director that the Third Party Risk Management Program is acceptable, the Association shall implement and adhere to the Third Party Risk Management Program. The Board’s review of the Third Party Risk Management Program shall be documented in the Board meeting minutes. A copy of the Third Party Risk

Management Program shall be provided to the Regional Director within five (5) days of adoption by the Board.

8.              Within sixty (60) days of receipt of the Regional Director’s written acceptance notice of the Third Party Risk Management Program, the Association shall review each of its current sponsorship arrangements with a third party provider and prepare a written analysis detailing whether and how each arrangement complies with the Third Party Risk Management Program. The Association's analysis shall include an evaluation of the third party’s performance under the terms and conditions of the contract and the Association's Third Party Risk Management Program. For each sponsorship arrangement that does not meet the requirements of the Third Party Risk Management Program, or in the event any third party provider is not meeting its obligations under the terms of an existing contract, the Association shall prepare and submit to the Regional Director, within sixty (60) days of completing its review, a written plan of the steps it will take to address any identified deficiencies, including how the Association will terminate the arrangement in the event the third party provider is unable to address an identified deficiency. In the event the written plan, or any portion thereof, is not implemented, the Association shall immediately advise the Regional Director, in writing, of specific reasons the plan or portion of the plan has not been implemented.

9.              Effective immediately, the Association shall submit to the Regional Director within thirty (30) days after each meeting of the Association’s Third Party Risk Committee and MPS Credit Committee, a copy of the meeting minutes, including all reports and materials made available to the committee members before, during, or after the meeting.

10.            By August 31, 2011, the Association shall revise its written consumer compliance management program (Compliance Management Program) to ensure that it addresses all corrective actions set forth in the 2010 ROE relating to consumer compliance by third party providers performing services on behalf of the Association. The Association’s Compliance Management Program shall comply with all applicable consumer and other compliance laws, regulations and regulatory guidance (Compliance Laws and Regulations)2 and be appropriate for the Association’s size, complexity, product lines and business operations. At a minimum, the Compliance Management Program shall:

(a)            require that the Association’s Compliance Officer be responsible for supervising compliance with the Compliance Laws and Regulations by the Association and by the Association’s third party providers performing services on behalf of the Association;

(b)            require that the Association allocate resources to the compliance area that are commensurate with the Association’s size, complexity, product lines, and projected business operations to ensure the implementation of an adequate Compliance Management Program, including appropriate staffing levels with qualified and experienced personnel;

(c)            require appropriate formal training programs that provide for ongoing training in Compliance Laws and Regulations for all appropriate Association employees, Board members, and third party providers performing services on behalf of the Association;

(d)            require a written consumer compliance review process before implementing new

______________________________________

or changed products and services by third party providers on behalf of the Association; and

(e)            require written record retention requirements, reporting requirements, and internal control systems to facilitate the oversight of the effectiveness of the Compliance Management Program by the Board and Senior Executive Officers.

11.            Upon written notification from the Regional Director that the Compliance Management Program is acceptable, the Association shall implement and adhere to the Compliance Management Program. The Board’s review of the Compliance Management Program shall be documented in the Board meeting minutes. A copy of the Compliance Management Program shall be provided to the Regional Director within five (5) days of adoption by the Board.

12.            By August 31, 2011, the Association shall revise and submit to the Regional Director its BSA/AML policies, procedures and systems (BSA/AML Compliance Program) to address all corrective actions in the 2010 ROE related to the Currency and Foreign Transactions Reporting Act, as amended by the USA Patriot Act and other laws (the Bank Secrecy Act or BSA), 31 U.S.C. §§ 5311 et seq., and the related regulations issued and/or administered by the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), 31 C.F.R. §§ 103.11 et seq., and the related BSA regulations issued by the OTS, 12 C.F.R. § 563.177 (collectively, the BSA Laws and Regulations), the FinCEN regulations governing SARs set forth at 31 C.F.R. § 103.18 and the OTS SAR regulation set forth at 12 C.F.R. § 563.180 (collectively, the SAR Regulations). The Association shall ensure that its third party providers are in compliance with all applicable BSA Laws and Regulations, SAR Regulations, and OFAC

Regulations while performing services or conducting activities on behalf of the Association. The Association’s BSA/AML Compliance Program shall, at a minimum:

(a)            require the Association to conduct a thorough assessment of its BSA, AML and OFAC risk exposure (BSA/AML/OFAC Risk Assessment), based upon the specific products, services, customers, entities, and geographic locations unique to the Association, including all products and services offered and/or processed by or through third party providers on behalf of the Association, that may expose it to money laundering, terrorism financing, and/or other illegal activities, taking into consideration information collected from the Association’s customer identification policies, procedures and processes (CIP Policy) and customer due diligence process (CDD) that shall identify the accounts that are potentially medium or high risk and the basis for such determination;

(b)            require that the third party providers processing banking products or services on behalf of the Association adopt and comply with the Association’s CIP Policy and CDD policies, procedures and processes to identify Association customers and customer groups with heightened BSA/AML and OFAC risk;

(c)            require that the Association implement a system of internal controls to ensure its third party providers processing banking products or services on behalf of the Association comply with the BSA Laws and Regulations and SAR Regulations based on the Association’s BSA/AML Risk Assessment;

(d)            require the Association to obtain periodic independent tests of its third party providers with respect to compliance with the Association’s BSA/AML Compliance

Program and BSA Laws and Regulations to be performed by a qualified independent employee or independent third party (BSA Independent Testing), which shall be: (i) performed with an appropriate level of frequency; (ii) fully documented; and (iii) conducted with an appropriate segregation of duties; and

(e)            require the Association to timely and effectively monitor, in compliance with applicable laws, regulations, and regulatory guidance, all cash transactions processed by the third party providers on behalf of the Association for possible structuring activities to evade reporting under the BSA Laws and Regulations and to timely report such structuring activities, if appropriate, pursuant to the SAR Regulations.

13.            Upon written notification from the Regional Director that the BSA/AML Compliance Program is acceptable, the Association shall implement and adhere to the BSA/AML Compliance Program. The Board’s review of the BSA/AML Compliance Program shall be documented in the Board meeting minutes. A copy of the BSA/AML Compliance Program shall be provided to the Regional Director within five (5) days of adoption by the Board.

14.            By August 31, 2011, the Association shall adopt and submit to the Regional Director a written internal audit program (Internal Audit Program) sufficient to:

(a)            detect irregularities and weak practices in the Association's Third Party Risk Management Program, Compliance Management Program, and IT Third Party Management Program;

(b)            determine the level of compliance by the Association and its third party providers with all applicable laws, rules, and regulations;

(c)            assess and report the effectiveness of policies, procedures, controls, and

management oversight relating to accounting and financial reporting, including accounting and financial reporting supplied to the Association by third party providers;

(d)            adequately cover all areas, including transactional testing of third party provider systems, to validate processes that monitor for unusual or suspicious activity, and the filing of cash transaction reports;

(e)            document the risk assessments for auditable areas at the Association and its third party providers, to include, at a minimum:

(i)             the nature of transactions (volume, size, etc.);

(ii)            the nature of the operating environment, including compliance with laws and regulations, complexity of transactions, changes in volume, degree of system and reporting centralization, and the economic and regulatory environment;

(iii)           internal controls, security, and management information systems; and

(iv)           taffing resources, including experience of management and staff, turnover, competence, and degree of delegation; and

(f)            establish an annual audit plan that details the frequency and scope of each audit, using a risk based approach sufficient to achieve these objectives.

15.            In addition, the Association shall ensure that its Internal Audit Program:

(a)            is independent;

(b)            has resources allocated to it that are commensurate with the size and level of complexity of the Association’s current and projected operations;

(c)            requires internal audit staff to have access to any records necessary for the proper conduct of its activities;

(d)            requires the Internal Auditor to report directly to the Audit Committee of the

Board;

(e)            requires all reports prepared by the internal audit staff be filed directly with the Board and not through any intervening party; and

(f)             requires all internal audit reports to be in writing and clearly state the severity of issues, violations of laws and regulations, noncompliance with policies and procedures, and whether identified issues are repeat in nature.

16.            Upon written notification from the Regional Director that the Internal Audit Program is acceptable, the Association shall implement and adhere to the Internal Audit Program. The Board’s review of the Internal Audit Program shall be documented in the Board meeting minutes. A copy of the Internal Audit Program shall be provided to the Regional Director within five (5) days of adoption by the Board.

17.            The Board or a designated committee thereof shall ensure that immediate actions are undertaken by Association management to remedy deficiencies cited in internal audit reports and that the Internal Auditor maintain a written tracking report describing those actions. The Internal Auditor shall verify the adequacy of corrective actions prior to reporting the issue as corrected and submit such written tracking report to the Board at least quarterly.

18.            By August 31, 2011, the Association shall revise its written program for identifying, monitoring, and controlling risks associated with concentrations of assets and liabilities (Concentration Policy) to address the corrective actions set forth in the 2010 ROE relating to concentrations of assets and liabilities. The Concentration Policy shall comply with all applicable laws, regulations, and regulatory guidance and shall:

 

(a)            establish comprehensive concentration limits expressed as a percentage of Tier 1 (Core) Capital plus the allowance for loan and lease losses (ALLL) for subcategories of the Association’s concentrations of assets and liabilities and document the appropriateness of such limits based on the Association’s risk profile; and

(b)            establish enhanced risk analysis, monitoring, and management for each concentration limit.

19.            A copy of the Concentration Policy shall be provided to the Regional Director within five (5) days of adoption by the Board.

20.            By September 30, 2011, the Board shall develop and submit to the Regional Director a plan for Board membership development and succession (Director Development Plan). The Director Development Plan shall require that the composition of the Board reflect the ethics, experience, objectivity and diverse perspectives necessary for effective governance and, at a minimum, shall:

(a)            require that the Board conduct an assessment of the skills and experience possessed by the current members of the Board no later than August 31, 2011;

(b)            require that the Board discuss and determine at a Board meeting no later than August 31, 2011 whether the capabilities of the Board as a whole would be enhanced through the addition of persons with particular skills and experience;

(c)            establish minimum qualifications for directors of the Association;

(d)            develop an education plan for the Board that identifies the training to be provided, which shall include training relating to a director’s fiduciary responsibilities and the provision of information necessary to perform director responsibilities as contained in the

OTS Directors’ Guide to Responsibilities and the OTS Directors’ Guide to Management Reports; and

(e)            contain a specific timetable for completion of the actions set forth in the Director Development Plan.

21.            Upon receipt of written notification from the Regional Director that the Director Development Plan is acceptable, the Association shall implement and adhere to the Director Development Plan. The Board’s review of the Director Development Plan shall be documented in the Board meeting minutes. A copy of the Director Development Plan shall be provided to the Regional Director within five (5) days after the Board meeting.

22.            By August 31, 2011, the Association shall submit a written plan (Business and Capital Plan) for the period beginning July 1, 2011 through December 31, 2013 addressing the requirements of this Order and including capital enhancement strategies acceptable to the Regional Director. At a minimum, the Business and Capital Plan shall:

(a)            establish a minimum Tier 1 (Core) Capital Ratio and Total Risk-Based Capital Ratio commensurate with the Association’s risk profile;

(b)            detail the Association’s capital preservation and enhancement strategies with specific time frames to achieve and maintain the Board-established minimum capital ratios;

(c)            contain operating strategies with stated limits on growth commensurate with the Association’s risk profile and operating strategies to improve core earnings from interest income;

(d)            include quarterly financial projections (balance sheet and income statement), including Tier 1 (Core) and Total Risk-Based Capital Ratios, for the period covered by the Business and Capital Plan; and

(e)            identify all relevant assumptions made in formulating the Business and Capital Plan and include a requirement that documentation supporting such assumptions be retained by the Association.

23.            Upon receipt of written notice of non-objection from the Regional Director to the Business and Capital Plan, the Association shall implement and adhere to the Business and Capital Plan. A copy of the Business and Capital Plan shall be provided to the Regional Director within five (5) days after Board approval.

24.            Any material modifications3 to the Business and Capital Plan must receive the prior written non-objection of the Regional Director. The Association shall submit proposed material modifications to the Regional Director at least forty-five (45) days prior to implementation.

25.            By December 31, 2011, and each December 31st thereafter, the Business and Capital Plan shall be updated and submitted to the Regional Director pursuant to Paragraph 22 above and shall incorporate the Association’s budgeted income statement and balance sheet for the next two (2) fiscal years taking into account any material revisions to the Association’s loan, investment and operating policies.

26.            Within sixty (60) days after the end of each quarter, after implementation of the Business and Capital Plan, the Board shall review written quarterly variance reports on the Association’s compliance with its Business and Capital Plan (Variance Reports). The Board’s review of

______________________________________

Variance Reports and compliance with the Business and Capital Plan shall include a review of the internal and external risks affecting the Association’s ability to successfully implement the Business and Capital Plan. The minutes of the Board meeting shall fully document the Board’s review and discussion. The Variance Reports shall:

(a)            identify variances in the Association’s actual performance during the preceding quarter as compared to the projections set forth in the Business and Capital Plan;

(b)            contain an analysis and explanation of identified material4 variances; and

(c)            discuss the specific measures taken or to be taken by the Association to address identified material variances.

27.            A copy of each Variance Report shall be provided to the Regional Director within five (5) days after Board approval.

28.            By August 31, 2011, the Association shall ensure that all violations of law and/or regulation discussed in the 2010 ROE are corrected and that adequate policies, procedures and systems are established or revised and thereafter implemented to prevent future violations.

29.            Effective immediately, the Association shall not publish advertising using any type of media or make any representation that is inaccurate in any way or misrepresents its products, services, contracts, investments, or financial condition. In addition, the Association shall ensure that its third party providers performing services on behalf of the Association do not publish advertising using any type of media or make any representation that is inaccurate in any way or misrepresents the Association’s products, services, contracts, investments, or financial condition.

______________________________________

30.            Effective immediately, the Association shall not make any golden parachute payment5 unless, with respect to such payment, the Association has complied with the requirements of 12 C.F.R. Part 359.

31.            Effective immediately, the Association shall comply with the prior notification requirements for changes in directors and Senior Executive Officers6 set forth in 12 C.F.R. Part 563, Subpart H.

32.            Effective immediately, the Association shall not enter into, renew, extend, or revise any contractual arrangement relating to compensation or benefits for any Senior Executive Officer or director of the Association, unless it first provides the Regional Director with not less than thirty (30) days prior written notice of the proposed transaction. The notice to the Regional Director shall include a copy of the proposed employment contract or compensation arrangement or a detailed, written description of the compensation arrangement to be offered to such director or officer, including all benefits and perquisites. The Board shall ensure that any contract, agreement, or arrangement submitted to the Regional Director fully complies with the requirements of 12 C.F.R. Part 359, 12 C.F.R. §§ 563.39 and 563.161(b), and 12 C.F.R. Part 570 – Appendix A.

______________________________________

33.            This Order is effective on the Effective Date as shown on the first page. The Stipulation is made a part hereof and is incorporated herein by this reference.

34.            This Order shall remain in effect until terminated, modified, or suspended, by written notice of such action by the OTS, acting by and through its authorized representatives.

35.            Calculation of time limitations for compliance with the terms of this Order run from the Effective Date and shall be based on calendar days, unless otherwise noted.

36.            The Regional Director or an OTS authorized representative may extend any of the deadlines set forth in the provisions of this Order upon written request by the Association that includes reasons in support for any such extension. Any OTS extension shall be made in writing.

37.            All submissions, including any reports, to the OTS that are required by or contemplated by this Order shall be submitted within the specified timeframes.

38.            Except as otherwise provided herein, all submissions, requests, communications, consents, or other documents relating to this Order shall be in writing and sent by first class U.S. mail (or by reputable overnight carrier, electronic facsimile transmission, or hand delivery by messenger) addressed as follows:

Regional Director

Office of Thrift Supervision

One South Wacker Drive, Suite 2000

Chicago, Illinois 60606

Facsimile: (312) 917-5001

(b)           To the Association:

Chairman of the Board

MetaBank

121 East Fifth Street

Storm Lake, Iowa 50588

Facsimile: (712) 732-7105

Chief Executive Officer

MetaBank

5501 South Broadband Lane

Sioux Falls, South Dakota 57108

Facsimile: (605) 338-0596

39.            Following the Transfer Date, see Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. Law No. 111-203, § 311, 124 Stat. 1520 – 21 (2010), all submissions, requests, communications, consents or other documents relating to this Order shall be directed to the Comptroller of the Currency, or to the individual, division, or office designated by the Comptroller of the Currency.

40.            Nothing in this Order or the Stipulation shall be construed as allowing the Association, its Board, officers, or employees to violate any law, rule, or regulation.

	OFFICE OF THRIFT SUPERVISION
	By:	/s/ Daniel T. McKee
		Daniel T. McKee
		Regional Director, Central Region

 

 

MetaBank

Order to Cease and Desist

Page 21 of 21

 

---