(a) a description of the actions needed to achieve full compliance with each Article of this Agreement, including the names of the parties responsible for completing those actions and the specific timeframe for completion of each action;
(b) actions taken to comply with each Article of this Agreement; and
(c) the results and status of those actions.

(a) an analysis of the Board’s composition and committee structure, including committee composition and responsibility, and whether current members possess the knowledge and skills to oversee management of the Bank in a sound manner, with specific recommendations to address any identified weaknesses;
(b) an assessment of whether Board members are receiving adequate information on the operation of the Bank to enable them to fulfill their fiduciary responsibilities and other responsibilities under law, and specific recommendations to expand the scope, frequency and sufficiency of information provided to the Board by management to address any identified weaknesses;
(c) an assessment of whether the content of the Board and committee minutes adequately reflect discussions and decisions, specifically in the areas of the Bank’s internal and external audit activities, compliance management program, BSA/AML program and vendor management practices.
(d) the identification of present and future management and staffing requirements of each area of the Bank, with particular emphasis given to the Executive Management Group, and the Risk Management, Internal Audit, Compliance, and BSA/AML areas;
(e) an assessment of the adequacy of written job descriptions for all executive officers and for the direct department heads of Internal Audit, Compliance and the BSA/AML area, including whether accountabilities are appropriately defined;
(f) an evaluation of the qualifications and abilities of each individual identified in (e) above and a determination of whether each individual possesses the experience and other qualifications required to perform present and anticipated duties of his/her position;
(g) recommendations as to whether management or staffing changes should be made, including the need for additions to or deletions from the current management team;
(h) assessment of the objectives by which management's effectiveness is measured and the standards by which employees are held accountable through the Bank’s performance management and compensation programs, with recommendations for any enhancements; and
(i) an evaluation of current lines of authority, reporting responsibilities and delegation of duties for all officers, including identification of any overlapping duties or responsibilities.

(a) ensure the development and maintenance of a risk-based audit plan, covering both financial and non-financial areas of the Bank, that includes risk assessments to support the frequency and scope of reviews for all areas covered by the plan;
(b) ensure that the risk-based audit plan is annually approved by the Board or its designated committee;
(c) ensure that any deviation of sixty (60) days or more from the Board approved audit plan requires, and only occurs with, the prior written approval of the Board or its designated committee;
(d) ensure that the Board or its designated committee maintains a process to track adherence to the approved audit plan;
(e) detect irregularities and weak practices in the Bank's operations;
(f) determine the Bank's level of compliance with all applicable laws, rules and regulations, including consumer compliance and BSA/AML related laws and regulations;
(g) assess and report the effectiveness of policies, procedures, controls, and management oversight relating to each area covered by the audit plan;
(h) evaluate the Bank’s adherence to established policies, procedures and programs, including the Bank’s adherence to the consumer compliance, BSA/AML and third party management programs required to be developed under the terms of this Agreement; and
(i) ensure an appropriate level of testing to support the audit findings in all areas, including in the BSA/AML area, testing that covers the adequacy of the Bank’s:
  (i) customer risk identification practices;
  (ii) systems for monitoring transactions and accounts for suspicious activity; and
  (iii) identification of suspicious activity and compliance with suspicious activity reporting requirements.

(a) written descriptions of the duties and responsibilities of the Compliance Officer and other key positions in the Compliance area, that clearly define authority and accountability;
(b) adequate internal controls to ensure compliance with consumer protection laws, rules, and regulations, including quality assurance reviews to periodically evaluate compliance;
(c) a policies and procedures manual covering all applicable consumer protection laws, rules and regulations for use by appropriate Bank personnel in the performance of their duties and responsibilities, which identifies employee accountability for required procedures;
(d) updates of the written policies and procedures at least semi-annually, or as required by more frequent changes in laws or regulations, to ensure the program remains current;
(e) a formal compliance review process for new or changed products and services;
(f) procedures to ensure that exceptions noted in the audit reports are corrected and responded to by appropriate Bank personnel; and
(g) an education and training program for all appropriate Bank personnel in the requirements of all applicable federal and state consumer protection laws, rules and regulations, with training tailored to each individual’s responsibilities and duties.

(a) Enhanced policies and procedures, including written criteria, for identification of transactions that pose greater than normal risk for compliance with the Bank Secrecy Act and for the enhanced monitoring of such transactions;
(b) formal evaluation of the knowledge of the Bank’s operational and supervisory personnel of the Bank’s policies and procedures for identifying transactions that pose greater than normal risk for compliance with the Bank Secrecy Act;
(c) enhanced training for bank personnel appropriately tailored to the roles and responsibilities of each job function, and to address any weaknesses identified as a result of the evaluation required in (b);
(d) periodic evaluation of the Bank’s BSA training program to ensure on-going effectiveness of training provided;
(e) enhanced policies and procedures for recording, maintaining, and recalling information about transactions that pose greater than normal risk for compliance with the Bank Secrecy Act;
(f) enhanced policies and procedures for risk rating the bank’s customer base;
(g) on-going risk focused assessment of the Bank’s customer base, products, services, and geographic locations;
(h) well-defined policies and procedures for investigating and resolving the Bank’s response to transactions that have been identified as posing greater than normal risk for compliance with the Bank Secrecy Act;
(i) adequate controls and procedures to ensure that all suspicious and large currency transactions are identified and reported;
(j) adequate controls and procedures to ensure Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs) are filed accurately and timely, including procedures to ensure that errors noted in internal or external reports are addressed and remedied within specified timeframes;
(k) a method for introducing new products and services that ensures that the policies and procedures governing new products and services are consistent with the Bank’s program for compliance with the Bank Secrecy Act.
(l) a policy that addresses the circumstances under which customer transactions are permitted to be conducted through Bank related accounts with specific documentation requirements to ensure sufficient customer information is obtained and maintained.

(a) reviews of cash purchases of monetary instruments on a periodic basis commensurate with risk;
(b) reviews of wire and cash transactions on a periodic basis commensurate with risk;
(c) analysis of aggregate cash, monetary instrument, and wire activity on a periodic basis commensurate with risk;
(d) analysis of Currency Transaction Report filings on a periodic basis commensurate with risk;
(e) enhanced review of accounts, customers, products, services, and geographic areas that pose greater than normal risk for compliance with the Bank Secrecy Act; and
(f) submission of SARs based on these reviews and analyses, as required.

(a) meaningful thresholds for filtering accounts and customers for further monitoring, review, and analyses;
(b) an analysis of the filtering thresholds established by the Bank; and
(c) periodic testing and monitoring of thresholds for their appropriateness to the Bank’s customer base, products, services, and geographic area.

(a) identification of all account owners and beneficial owners in compliance with 31 C.F.R. § 103.121;
(b) identification of the officers, directors, major shareholders or partners, as applicable;
(c) documentation of the following information:
  (i) any relevant financial information concerning the customer;
  (ii) the type of business conducted by the customer;
  (iii) the customer’s source of income or wealth; and
  (iv) any other due diligence required by this Agreement, the BSA Officer or the Bank.

(a) the Bank’s system shall be able to link related accounts to evaluate patterns of activity and generate a list of all accounts associated with a relationship;
(b) The Bank’s system shall include information on all high risk customers or accounts (newly established, renewed or modified), which shall be maintained and kept current, including the following information:
  (i) the name of the customer;
  (ii) the officers, directors and major shareholder of any corporate customer and the partners of any partnership customer;
  (iii) any other accounts maintained by the customer and, as applicable, its officers, directors, major shareholders or partners;
  (iv) a detailed analysis of the due diligence performed on the customer and, as applicable, its officers, directors, major shareholders or partners;
  (v) any related accounts of the customer at the Bank;
  (vi) any action the Bank has taken on the account;
  (vii) the purpose and balance of the account; and
  (viii) any unusual activity for each account;
(c) The periodic reports shall cover one day, a number of days, and include monthly reports and shall segregate transactions that pose a greater than normal risk for compliance with the Bank Secrecy Act;
(d) The periodic reports shall include reports on any type of subpoena received by the Bank and on any law enforcement inquiry directed to the Bank and any action taken by the Bank on the affected account; and
(e) The periodic reports shall include reports deemed necessary or appropriate by the BSA Officer or the Bank.

(a) an analysis of how the relationship fits into the Bank’s overall business strategy and objectives;
(b) identification of the strategic purposes, benefits, legal aspects, costs and risks associated with the third party relationship;
(c) assessment of internal Bank expertise to evaluate and manage the activity and the third-party relationship;
(d) an initial and on-going due diligence process that identifies qualitative and quantitative aspects, both financial and operational, of the third party to assess whether the third party can help the bank achieve its strategic goals;
(e) the execution of enforceable contracts that clearly define the expectations and obligations of each party and include, as appropriate, the following:
  (i) scope of the arrangement, including the frequency, content and format of the services to be provided, training of bank employees, customer service, and whether or not the service provider may subcontract any of its obligations;
  (ii) performance measures that clearly specify the expectations and responsibilities for both parties;
  (iii) identification of the frequency and content of specific reports the third party is required to provide to the Bank to assess performance, service levels, and risks;
  (iv) thresholds and procedures for notifying the Bank when service disruptions, security breaches or other events that pose a material risk to the Bank occur;
  (v) the right to audit the third party (and any of its subcontractors) as needed to monitor contract performance and identification of the types and frequency of audit information the Bank is entitled to receive from the third party;
  (vi) a full description of the compensation, fees, calculations for base services or any special charges that may be imposed, including conditions under which the cost structure may be changed, and to the extent applicable, standards and documentation required for reimbursement of any expenses chargeable to the Bank;
  (vii) whether and how the third party has the right to use the Bank’s data and whether any records generated by the third party are the property of the Bank;
  (viii) standards for maintaining the confidentiality and security of the Bank’s information;
  (ix) provision and standards for business resumption and contingency plans;
  (x) stipulation of events constituting default, available remedies and opportunities to cure defaults, and identification of termination rights, including a provision that enables the Bank to terminate the contract, upon reasonable notice and without penalty, in the event the OCC formally objects to the particular third-party arrangement; and
  (xi) to the extent terms limiting third party liability are included, only limits on liability that are proper in proportion to the amount of loss the Bank might experience as a result of the third party’s failure to perform.
(f) on-going oversight of the third party’s activities and performance, including the designation of a bank officer responsible for the administration and oversight of third party relationships, and assignment of sufficient staff with the necessary expertise to:
  (i) monitor the third party’s financial condition;
  (ii) monitor the third party’s controls, including review of audit information; policies relating to internal controls and security; business resumption contingency planning and testing; and compliance with applicable laws and regulations, including the BSA and consumer laws and regulations;
  (iii) monitor key third party personnel changes and assess how such changes may impact the Bank;
  (iv) review information documenting the third party’s performance relative to service level agreements and determine whether contractual terms and conditions are being met, or whether any revisions to service-level agreements or other terms are needed;
  (v) document and follow-up on performance problems in a timely manner;
  (vi) determine the adequacy of training provided to bank employees;
  (vii) periodically meet with contract parties to discuss performance and operational issues;
(g) documentation of the Bank’s oversight of third party activities and performance including:
  (i) a list of third parties deemed critical to the operation of the Bank or for which the Bank spends substantial amounts of money;
  (ii) valid, current and complete contracts;
  (iii) business plans for new lines of business or products that identify management’s planning process, decision making and due diligence in selecting a third party;
  (iv) regular risk management and performance information received from the third party (e.g., audit information, security reviews, reports or information indicating compliance with service-level agreements); and
  (v) regular reports to the Board, or its delegated committee, of the results of the Bank’s ongoing oversight activities.

(a) legal counsel was involved in the negotiation of any contracts executed with the third party;
(b) prior to entering into any contract executed within one year from the effective date of this Agreement, the Board or Bank counsel reviewed any existing contract with the third party to determine whether the third party was already obligated to provide any of the services covered under the terms of the new contract, and the Board or Bank counsel’s determination in that regard; and
(c) the contract is on market terms and fair and equitable to the Bank.

/s/ Jennifer Kelly
Jennifer Kelly
Deputy Comptroller
Midsize and Credit Card Bank Supervision
Date: January 29, 2007

/s/ Gary L. Nalbandian
Date: January 26, 2007

/s/ James R. Adair
Date: January 26, 2007

/s/ John J. Cardello
Date: January 26, 2007

/s/ Douglas S. Gelder
Date: January 26, 2007

/s/ Alan R. Hassman
Date: January 26, 2007

/s/ Howell C. Mette
Date: January 26, 2007

/s/ Michael A. Serluco
Date: January 26, 2007

/s/ Samir J. Srouji, MD
Date: January 26, 2007

Date