FEDERAL
DEPOSIT INSURANCE CORPORATION
WASHINGTON,
D.C.
|
|
|
|
|)
|
|In the Matter of
|)
|
|
|)
|
|EUROBANK
|)
|
ORDER
TO CEASE AND
DESIST
|HATO REY, PUERTO
RICO
|)
|
|
|)
|
FDIC-07-018b
|(INSURED STATE NONMEMBER
BANK)
|)
|
|
|)
|
Eurobank,
Hato Rey, Puerto Rico (“Insured Institution”), having been advised of its right
to a Notice of Charges and of Hearing detailing the unsafe or unsound banking
practices and violations of law and/or regulations alleged to have been
committed by the Insured Institution and of its right to a hearing on the
alleged charges under section 8(b)(1) of the Federal Deposit Insurance Act
(“Act”), 12 U.S.C. § 1818(b)(1), and having waived those rights, entered
into a STIPULATION AND CONSENT TO THE ISSUANCE OF AN ORDER TO CEASE AND DESIST
(“CONSENT AGREEMENT”) with counsel for the Federal Deposit Insurance Corporation
(“FDIC”), dated March 19, 2007, whereby solely for the purpose of this
proceeding and without admitting or denying the alleged charges of unsafe or
unsound banking practices and violations of law and/or regulations, the Insured
Institution consented to the issuance of an ORDER TO CEASE AND DESIST (“ORDER”)
by the FDIC.
The
FDIC
considered the matter and determined that it had reason to believe that the
Insured Institution had engaged in unsafe or unsound banking practices and
had
committed violations of law and/or regulations.
-
2
-
The
FDIC,
therefore, accepted the CONSENT AGREEMENT and issued the following:
ORDER
TO CEASE AND DESIST
IT
IS
HEREBY ORDERED that the Insured Institution, its directors, officers, employees,
agents and other institution-affiliated parties (as that term is defined in
section 3(u) of the Act, 12 U.S.C. § 1813(u)), and its successors and assigns
cease and desist from engaging in the alleged unsafe or unsound banking
practices and committing the alleged violations of law and/or regulations
specified below:
(a) operating
with inadequate management supervision and oversight by the Insured
Institution’s board of directors (“Board”) to prevent unsafe or unsound
practices and violations of the Bank Secrecy Act, as amended, 12 U.S.C. § 1829b,
12 U.S.C. §§ 1951-1959, and 31 U.S.C. §§ 5311-5332, and implemented by rules and
regulations issued by the United States Department of Treasury, 31 C.F.R. Part
103 and 12 C.F.R. Part 353, and 12 U.S.C. § 1818(s) and its implementing
regulation, 12 C.F.R.
§
326.8
(hereafter collectively referred to as “BSA”);
(b) operating
with an inadequate BSA/Anti-money Laundering(“AML”)Compliance Program (“BSA/AML
Compliance Program”) to monitor and assure compliance with the BSA;
and
(c) operating
with ineffective policies, procedures and processes to adequately screen,
monitor and verify account transactions to ensure compliance with the
regulations promulgated by the United States Department of Treasury’s Office of
Foreign Assets Control (“OFAC”), 31 C.F.R. Part 500, as well as all statutes,
regulations, rules and/or guidelines issued or administered by OFAC (“OFAC
Provisions”).
-
3
-
IT
IS
FURTHER ORDERED that the Insured Institution, its institution-affiliated
parties, and its successors and assigns, shall take affirmative action as
follows:
CORRECTION
AND PREVENTION
1. Beginning
on the
effective date of this ORDER, the Insured Institution shall take any and all
steps necessary, consistent with other provisions of the ORDER and sound banking
practices, to correct and prevent the unsafe or unsound banking practices and
violations of law and/or regulations in the FDIC's and Office of the
Commissioner of Financial Institutions of the Commonwealth of Puerto Rico’s
joint Report of Examination ("ROE") dated August 31, 2006, address each
deficiency identified in the ROE and ensure that the Insured Institution is
operated with adequate management supervision and Board oversight to prevent
any
future unsafe or unsound banking practices and violations of law and/or
regulations.
-
4
-
SYSTEM
OF BSA INTERNAL CONTROLS
2. Within
120 days from the effective date of this ORDER, the Insured Institution shall
develop, adopt, and implement a system of internal controls designed to ensure
full compliance with the BSA (“BSA Internal Controls”) taking into consideration
its size and risk profile. At a minimum, such system of BSA Internal Controls
shall include policies, procedures and processes addressing the following
areas:
(a) Risk
Assessment:
The
Insured Institution shall conduct an expanded and comprehensive BSA/AML risk
assessment of the Insured Institution’s operations (“Risk Assessment”) taking
into consideration its customers, their geographic locations, the types of
accounts, products and services offered and the geographic areas in which these
accounts, products and services are offered to enable it to stratify its
customers, products, services and geographies by risk category and determine
the
Insured Institution’s overall risk profile. The Insured Institution shall
establish written policies, procedures and processes to conduct periodic Risk
Assessments and to adjust its stratifications and risk profile as appropriate,
but in no event less frequently than every twelve to eighteen
months;
-
5
-
(b) Customer
Due Diligence:
The
Insured Institution shall develop, adopt and implement written
policies, procedures and processes to operate in conjunction with the customer
identification program required by subparagraph (h) below for:
|(i)
|
establishing
customer profiles based upon source of funds and wealth, the business
activity, ownership structure, anticipated or actual volume and types
of
transactions, including those transactions involving high-risk
jurisdictions, of that customer and determining whether the customer
should be subject to the Insured Institution’s enhanced due diligence
policies, procedures and processes required by subparagraph (d)
below;
|(ii)
|
assigning
risk ratings to each customer based upon their profile and the results
of
the Risk Assessment required by subparagraph (a)
above;
|(iii)
|
maintaining
and periodically updating customer profiles and risk ratings;
and
|(iv)
|
resolving
issues when insufficient or inaccurate information is obtained to
appropriately establish and validate a customer profile and risk
rating;
-
6
-
(c) High-Risk
Account Identification and Monitoring:
The
Insured Institution shall adopt adequate policies, procedures and processes
to
identify and monitor its high-risk accounts on a transaction basis as well
as on
an account and customer basis;
(d) Enhanced
Due Diligence:
The
Insured Institution shall develop, adopt and implement policies,
procedures and processes to operate in conjunction with the customer
identification program and due diligence policies, procedures and processes
required by subparagraphs (b) and (c) above and subparagraphs (e),(f), (g)
and
(h) below with respect to high-risk customers to:
|(i)
|
determine
whether additional information, such as the purpose of the account,
source
of funds and wealth, the beneficial owners of the account, if any,
customer’s occupation or type of business, financial statements, banking
references, domicile of the customer’s business, proximity of customer’s
residence, place of employment or place of business to the Insured
Institution, description of primary trade area of customer or beneficial
owner and whether international transactions are expected to be routine,
description of the business operations, the anticipated volume of
currency
and total sales and a list of major customers and suppliers and
explanations for changes in account activity should be required and
collected for that customer’s profile;
-
7
-
|(ii)
|
determine
whether on-site visits to collect and verify information for the
customer
profile are warranted and establish procedures to ensure periodic
on-site
visits are documented; and
|(iii)
|
monitor
account activity commensurate with the level of risk and document
the
monitoring process on an ongoing
basis.
(e) Account
and Transaction Monitoring:
The
Insured Institution shall develop, adopt and implement policies, procedures
and
processes appropriate to the Insured Institution considering its size and risk
profile (based upon the Risk Assessment) to operate in conjunction with the
policies, procedures and processes required by subparagraphs (f),(g) and (h)
below to monitor and aggregate currency activity, funds transfer activity,
and
monetary instrument sales to ensure the timely, accurate and complete filing
of
Currency
Transaction Reports (“CTRs”), Reports of International Transportation of
Currency or Monetary Instruments (“CMIRs”), Reports of Foreign Bank and
Financial Accounts (“FBARs”) and any other similar
or related reports required by law or regulation.
-
8
-
(f) Suspicious
Activity Monitoring and Reporting:
The
Insured Institution shall, taking into account its size and risk profile (based
upon the Risk Assessment), develop, adopt and implement appropriate policies,
procedures, processes and systems for monitoring, detecting and reporting
suspicious activity being conducted within or through the Insured Institution.
These policies, procedures, processes and systems should:
|(i)
|
collect
and analyze data from each branch and business area of the Insured
Institution on a centralized basis for the production of periodic
reports
designed to identify unusual or suspicious activity, to monitor and
evaluate unusual or suspicious activity, and to maintain accurate
information needed to produce and file Suspicious Activity Reports
(“SARs”);
|(ii)
|
be
able to identify related accounts, countries of origin, location
of the
customer’s businesses and residences to evaluate patterns of activity;
|(iii)
|
cover
a broad range of timeframes, including individual days, a number
of days,
and a number of months, as appropriate, and should segregate transactions
that pose a greater than normal risk for non-compliance with
BSA;
-
9
-
|(iv)
|
establish
risk based monitoring of high-risk customers enabling the Insured
Institution to identify transactions for further monitoring, analysis
and
possible reporting;
|(v)
|
establish
periodic
testing and appropriate adjustment and updating on an ongoing basis
to the
policies, procedures and processes utilized to monitor high risk
customers;
|(vi)
|
ensure
adequate referral of information about potentially suspicious activity
through appropriate levels of management, including a policy for
determining action to be taken in the event of multiple filings of
SARs on
the same customer, or in the event a correspondent or other customer
fails
to provide due diligence information. Such procedures shall describe
the
circumstances under which an account should be closed and the processes
and procedures to be followed in doing
so;
-
10
-
|(vii)
|
require
the documentation of management’s decisions to file or not to file a SAR;
ensure the timely, accurate and complete filing of required SARs
and any
other similar or related reports required by law or regulation;
and
|(viii)
|
ensure
the confidentiality of any SARs
filed.
(g) Wire
Transfer Transactions:
The
Insured Institution shall develop, adopt and implement policies,
procedures and processes with respect to wire transfer monitoring and
recordkeeping, including requirements for complete information on beneficiaries
and originators, as required by 31 C.F.R. 103.33;
(h) Customer
Identification Program:
The
Insured Institution shall develop, adopt and implement written policies,
procedures and processes enhancing its customer identification program (“CIP”)
required by section 326.8(b) of the FDIC’s Rules and Regulations, 12 C.F.R. §
326.8(b), to ensure that the Insured Institution’s CIP contains at a minimum:
-
11
-
|(i)
|
account
opening procedures specifying the identifying information required
for
each customer type;
|(ii)
|
risk-based
procedures for verifying the identity of new customers within a reasonable
time after the account is opened;
|(iii)
|
procedures
for circumstances in which the Insured Institution is unable to form
a
reasonable belief that it knows the true identity of a
customer;
|(iv)
|
risk
based procedures for reviewing existing customers to determine whether
sufficient information has been obtained to establish the customer
profiles and risk ratings required by subparagraph (b) above; and
procedures for obtaining any information necessary for such profiles
and
risk ratings;
|(v)
|
procedures
for recordkeeping and retention;
|(vi)
|
procedures
to determine whether a customer appears on any federal government
list of
known or suspected terrorists or terrorist organizations when such
list is
generated;
-
12
-
|(vii)
|
procedures
to provide adequate notice to customers that the Insured Institution
will
be requesting information to verify their
identities;
|(viii)
|
procedures
to ensure that the CIP is updated on an ongoing basis as necessary
to
incorporate amendments to the BSA and the rules and regulations
thereunder;
|(ix)
|
if
applicable, procedures for reliance upon another financial institution
to
perform one or more elements of its CIP. Such procedures shall require
at
a minimum, confirmation that the relied-upon financial institution
is
subject to a rule implementing the program requirements of 31 U.S.C.
§
5318(h) and is regulated by federal functionally regulator, confirmation
that the customer at issue has an account or is opening an account
at the
relied-upon financial institution, a determination that the Insured
Institution’s reliance upon the financial institution is justified under
the circumstances and confirmation that the relied-upon financial
institution has entered into a contract with the Insured Institution
requiring it to certify annually to the Insured Institution that
it has
implemented its BSA/AML Compliance Program and will perform the specified
requirements of the Insured Institution’s CIP;
and
-
13
-
(i) BSA/AML
Staffing and Resources:
The
Insured Institution shall review BSA/AML compliance staffing and resources
taking into consideration its size and risk profile (based upon the Risk
Assessment) and make such modifications as are appropriate. The
Insured Institution shall establish written policies, procedures and processes
requiring the periodic review of and appropriate adjustment to its BSA/AML
staffing and resources.
SYSTEM
OF OFAC INTERNAL CONTROLS
3. Within
30
days of the effective date of this ORDER, the Insured Institution shall develop,
adopt, and implement a system of internal controls designed to ensure full
compliance with the OFAC Provisions (“OFAC Internal Controls”) taking into
consideration its customers, their geographic locations, the types of accounts,
products and services it offers these customers and the geographic areas in
which these accounts, products and services are offered. At a minimum, such
system of OFAC Internal Controls shall include:
-
14
-
(a) written
policies, procedures and processes for conducting OFAC searches of each
department or business line of the Insured Institution;
(b) written
policies, procedures, and processes for conducting OFAC searches of customers
and account parties, including, but not limited to, beneficiaries, guarantors,
principals, beneficial owners, nominee shareholders, directors, signatories
and
powers of attorney;
(c) written
policies, procedures and processes for obtaining and updating OFAC lists or
filtering criteria;
(d) written
policies, procedures and processes for identifying and investigating potential
OFAC matches;
(e) written
policies, procedures and processes for blocking and rejecting
transactions;
(f) written
policies, procedures and processes to inform OFAC and the Insured Institution’s
Board or its designee of blocked or rejected transactions;
(g) written
policies, procedures and procedures to manage blocked accounts; and
(h) written
policies, procedures and processes to retain OFAC records in accordance with
the
OFAC Provisions.
-
15
-
INDEPENDENT
TESTING
4. Within
180 days from the effective date of this ORDER, the
Insured Institution shall establish independent testing programs for compliance
with the BSA and OFAC Provisions, to be performed on no less than an annual
basis. The scope of the testing procedures to be performed, and testing results,
shall be documented in writing and approved by the Insured Institution’s Board
or its designee.
The
testing procedures, at a minimum, should include the following:
(a) compliance
testing for all appropriate business lines conducted by qualified staff who
are
independent of the Insured Institution’s compliance, BSA/AML and OFAC
functions;
(b) formal,
documented testing programs, including adequately detailed reports and
workpapers;
(c) testing
of the adequacy of the Insured Institution’s Risk Assessment;
(d) testing
of the adequacy of the BSA and OFAC Internal Controls designed to ensure
compliance with both the BSA and OFAC Provisions;
(e) testing
of the adequacy of the Insured Institution’s Training Program, as that term is
defined in paragraph 5;
(f) a
risk-based approach that includes transactional testing and verification of
data
for higher risk accounts;
(g) review
of
independent testing results by senior management;
-
16
-
(h) procedures
to ensure that senior management institutes appropriate actions in response
to
independent testing results; and
(i) direct
lines of reporting between the independent testing function and the Board or
its
designee.
TRAINING
5. Beginning
on the effective date of the ORDER, the Insured Institution shall take all
steps
necessary, consistent
with sound banking practices, to ensure that all appropriate personnel are
aware
of, and can comply with, the requirements of the BSA and OFAC Provisions
applicable to the individual’s specific responsibilities to assure the Insured
Institution’s compliance with the BSA and OFAC Provisions.
6. Within
60
days from the effective date of this ORDER, the
Insured Institution shall develop, adopt and implement effective training
programs designed for the Board, management and staff and their specific
compliance responsibilities on all relevant aspects of laws, regulations, and
Insured Institution policies, procedures and processes relating to the BSA
and
the OFAC Provisions (“Training Program”). The
Training Program shall ensure that all appropriate personnel are aware of,
and
can comply with, the requirements of both the BSA and OFAC Provisions on an
ongoing basis. The
Training Program shall include:
(a) an
overview of BSA and OFAC Provisions for new staff along with specific risk-based
training designed for their specific duties and responsibilities upon
hiring;
-
17
-
(b) training
on the Insured Institution’s BSA/AML policies, procedures and processes along
with new rules and requirements as they arise for appropriate personnel designed
to address their specific duties and responsibilities;
(c) training
on the Insured Institution’s OFAC policies, procedures and processes along with
new rules and requirements as they arise for appropriate personnel designed
to
address their specific duties and responsibilities;
(d) a
requirement that the Board fully document the training of each employee with
respect to both the BSA/AML and OFAC policies, procedures and processes,
including the designated BSA and OFAC Compliance Officer(s); and
(e) a
requirement that training in these areas be conducted no less frequently than
annually.
INTERNAL
AUDIT FUNCTION
7.
(a)
Within 180 days from the effective date of this ORDER, the Insured Institution
shall amend its policies, procedures, and processes with regard to its internal
audit function (“Audit Function”) so that the Insured Institution reviews, at
least on annual basis, compliance with both the BSA and OFAC Provisions as
part
of its routine internal audit function.
(b) The
amended and enhanced Audit Function shall establish an internal audit plan
to
include a review of the Insured Institution’s branch operations.
-
18
-
(c) The
Insured Institution shall ensure that its Audit Function is managed by a
qualified officer who is supported by adequate staffing levels and
resources.
(d) The
Insured Institution's internal Audit Function shall provide for written reports
which document the testing results and recommendations for improvement and
provides for monitoring and follow-up of audit exceptions. Such reports shall
be
provided directly to the Audit Committee of the Insured Institution’s Board on a
timely basis.
8. Beginning
on the effective date of this ORDER, the Insured Institution shall provide
periodic reports to the Audit Committee of the Insured Institution’s Board
setting forth any law enforcement inquiry that relates in any way to the BSA
or
OFAC Provisions, any criminal subpoena received by the Insured Institution
and
any action taken or response provided with respect to such inquiry or
subpoena.
THIRD
PARTY LOOK BACK REVIEW
9. (a)Within
20
days from the effective date of this ORDER, the Insured Institution shall engage
a qualified independent consultant("Consultant") acceptable to the Regional
Director of the FDIC’s New York Regional Office (“Regional Director”) to conduct
a review of account and transaction activity for the time period beginning
September 1, 2006 through the effective date of this ORDER to determine whether
suspicious activity involving any accounts or transactions at, by, or through
the Insured Institution was properly identified and reported in accordance
with
the applicable suspicious activity reporting requirements (“SAR Review"). Within
10 days of the engagement of the Consultant, but prior to the commencement
of
the SAR Review, the Insured Institution shall submit to the Regional Director
for approval or non-objection an engagement letter that sets forth:
-
19
-
|(i)
|
the
scope of the SAR Review, including the types of accounts and transactions
to be reviewed, which shall, at a minimum, include cash intensive
business
accounts, customers with high, frequent or international wire transactions
and customers with financial transactions in locations linked to
terrorist, drug trafficking or money laundering, including, but not
limited to, the transactions or accounts identified in the ROE as
requiring additional investigation by the Insured
Institution;
|(ii)
|
the
methodology for conducting the SAR Review, including any sampling
procedures to be followed; and
|(iii)
|
the
expertise and resources to be dedicated to the SAR
Review.
-
20
-
(b) Within
120 days from the effective date of this ORDER, the SAR Review shall be
completed and the Consultant shall be required to provide a copy of its report
detailing its findings to the Regional Director at the same time the report
is
provided to the Insured Institution.
(c) Within
30
days of its receipt of the SAR Review, the Insured Institution shall ensure
that
all matters or transactions required to be reported, that have not previously
been reported, are reported in accordance with applicable laws and regulations
and submit copies of any additional SARs filed to the Regional
Director.
(d) The
Regional Director may, in her sole discretion, require the Insured Institution
to expand the time period of the SAR Review conducted pursuant to this Paragraph
9 to include the period January 1, 2006 through August 31, 2006. Such additional
SAR Review shall be commenced by the Consultant within 20 days of the Insured
Institution’s receipt of written notice from the Regional Director and shall be
completed within 120 days of such written notice. A copy of this expanded SAR
Review shall be provided to the Regional Director at the same time the expanded
SAR Review is provided to the Insured Institution and any additional matters
or
transactions required to be reported shall be reported in accordance with
applicable laws and regulations. Copies of any additional SARs filed shall
be
submitted to the Regional Director.
-
21
-
SHAREHOLDERS
10. Following
the effective date of this ORDER, the Insured Institution shall send to its
parent holding company the ORDER or otherwise furnish a description of this
ORDER in conjunction with the Insured Institution's next communication with
such
parent holding company. The description shall fully describe the ORDER in all
material respects.
COMPLIANCE
COMMITTEE
11. (a)
Within 30 days from the effective date of this ORDER, the Insured Institution’s
Board shall appoint a committee ("Compliance Committee") composed of at least
three directors who are not now, and have never been, involved in the daily
operations of the Insured Institution, and whose composition is acceptable
to
the Regional Director, to monitor the Insured Institution's compliance with
this
ORDER.
(b)
Within 30 days of the acceptance or non-objection to the composition of the
Compliance Committee by the Regional Director, and at monthly intervals
thereafter, such Compliance Committee shall prepare and present to the Insured
Institution's Board a written report of its findings, detailing the form,
content, and manner of any action taken to ensure compliance with this ORDER
and
the results thereof, and any recommendations with respect to such compliance.
Such progress reports shall be included in the minutes of the Insured
Institution's Board meetings. Nothing contained herein shall diminish the
responsibility of the entire Board to ensure compliance with the provisions
of
this ORDER.
-
22
-
PROGRESS
REPORTS
12. By
the
30th
day
after the end of the calendar quarter following the effective date of this
ORDER, and by the 15th
day
after the end of every calendar quarter thereafter while this ORDER is in
effect, the Insured Institution shall furnish written progress reports to the
Regional Director detailing the form, content, and manner of any actions taken
to secure compliance with this ORDER, and the results thereof. The Insured
Institution shall continue to submit the quarterly progress reports until
written notice from the Regional Director.
OTHER
ACTIONS
13. It
is
expressly and clearly understood that if, at any time, the Regional Director
shall deem it appropriate in fulfilling the responsibilities placed upon him
or
her under applicable law to undertake any further action affecting the Insured
Institution, nothing in this ORDER shall in any way inhibit, estop, bar or
otherwise prevent him or her from doing so, including, but not limited to,
the
imposition of civil money penalties.
14. It
is
expressly and clearly understood that nothing herein shall preclude any
proceedings brought by the Regional Director to enforce the terms of this ORDER,
and that nothing herein constitutes, nor shall the Insured Institution contend
that it constitutes, a waiver of any right, power, or authority of any other
representatives of the United States or agencies thereof, Department of Justice
or any other representatives of the Commonwealth of Puerto Rico or any other
agencies thereof, including any prosecutorial agency, to bring other actions
deemed appropriate.
-
23
-
ORDER
EFFECTIVE
15. The
effective date of this ORDER shall be immediately upon the date of
issuance.
16. The
provisions of this ORDER shall be binding upon the Insured Institution, its
directors, officers, employees, agents, successors, assigns, and other
institution-affiliated parties of the Insured Institution.
17. The
provisions of this ORDER shall remain effective and enforceable except to the
extent that, and until such time as, any provisions of this ORDER shall have
been modified, terminated, suspended, or set aside in writing by the
FDIC.
Pursuant
to delegated authority.
Dated:
March 15, 2007
|
|
|
|
|
|
|
|
|
|
|/s/ Doreen
R.
Eberley
|
|
Doreen
R. Eberley
|
|
Regional
Director