(i) develop a comprehensive IT policy and general control procedures to prevent
employees from providing customer information from databases containing
electronic customer information and transmission for applications which transmit
customer information to unauthorized individuals who may seek to obtain
information through fraudulent means;
(ii) monitor employees with direct access to sensitive databases outside of the
mainframe environment;
(iii) monitor system activity for business unit applications;
(iv) perform social engineering testing to validate the effectiveness of employee
security awareness training;
(v) identify specific internal controls already in place to mitigate identified
risks;
(vi) perform wire transfer audits at least annually;
(vii) provide formal training for information security staff; and
(viii) resolve all recommendations from the external audit of Information
Security Department and the Digital Resources Group Risk Assessment Report.
Such plan and its implementation shall be satisfactory to the Regional Director
and the Commissioner as determined at subsequent examinations and/or
visitations.
TRUST ACTIVITIES
17. Within 60 days from the effective date of this Order, the Bank shall revise,
adopt, and implement a written trust plan that shall at a minimum address the
following:
(i) comply with FDIC's Statement of Principles of Trust Department Management;
(ii) provide comprehensive training to trust officers and personnel; and
(iii) establish comprehensive written policies and procedures for governing the
Pacific Financial Management accounts.
Such plan and its implementation shall be satisfactory to the Regional Director
and the Commissioner as determined at subsequent examinations and/or
visitations.
PROGRESS REPORT
18. Within 30 days of the end of the first quarter following the effective date of this
Order, and within 30 days of the end of each quarter thereafter, the Bank shall
furnish written progress reports to the Regional Director and the Commissioner
detailing the form and manner of any actions taken to secure compliance with
this Order and the results thereof. Such reports shall include a copy
of the Bank's Reports of Condition and Income. Such reports may be
discontinued when the corrections required by this Order have been accomplished
and the Regional Director and the Commissioner have released the Bank in writing
from making further reports. Such plan and its implementation shall
be satisfactory to the Regional Director and the Commissioner as determined at
subsequent examinations and/or visitations.
SHAREHOLDER DISCLOSURE
19. Following the effective date of this Order, the Bank shall provide a copy of the Order or
otherwise furnish a description of the Order to its shareholder(s) in
conjunction with:
(a) the Bank's next shareholder communication; and
(b) the notice or proxy statement preceding the Bank's next shareholder meeting.
The description shall fully describe the Order in all material respects. The
description and any accompanying communication,
statement, or notice shall be sent to the FDIC, Division of Supervision and
Consumer Protection, Accounting and Securities Disclosure Section, 550 17th
Street, N.W., Washington, D.C. 20429, at least 20 days prior to dissemination to
shareholders. Any changes requested to be made by the FDIC shall be
made prior to dissemination of the description, communication, notice, or
statement.
The provisions of this Order shall not bar, estop, or otherwise prevent the FDIC,
the HDFI, or any other federal or state agency or department from taking any
other action against the Bank or any of the Bank's current or former
institution-affiliated parties.
This Order will become effective upon its issuance by the FDIC and the HDFI.
The provisions of this Order shall be binding upon the Bank, its
institution-affiliated parties, and any successors and assigns thereof.
The provisions of this Order shall remain effective and enforceable except to the
extent that and until such time as any provision has been modified, terminated,
suspended, or set aside by the FDIC and the HDFI.
Pursuant to delegated authority
Dated at San Francisco, California, this 8th day of December, 2009.