EX-99.2

FEDERAL DEPOSIT INSURANCE CORPORATION

WASHINGTON, D.C.

                 
                 
 
In the Matter of

DORAL BANK
CATANO, PUERTO RICO
(INSURED STATE NONMEMBER BANK)

ORDER TO CEASE AND DESIST
FDIC-07-281b

Doral Bank, Catano, Puerto Rico (“Insured Institution”), having been advised of its right to a Notice of Charges and of Hearing detailing the unsafe or unsound banking practices and violations of law and/or regulation alleged to have been committed by the Insured Institution and of its right to a hearing on the alleged charges under section 8(b)(1) of the Federal Deposit Insurance Act (“Act”), 12 U.S.C. § 1818(b)(1), and having waived those rights, entered into a STIPULATION AND CONSENT TO THE ISSUANCE OF AN ORDER TO CEASE AND DESIST (“CONSENT AGREEMENT”) with counsel for the Federal Deposit Insurance Corporation (“FDIC”), dated February 6, 2008, whereby solely for the purpose of this proceeding and without admitting or denying the alleged charges of unsafe or unsound banking practices and violations of law and/or regulation, the Insured Institution consented to the issuance of an ORDER TO CEASE AND DESIST (“ORDER”) by the FDIC.

The FDIC considered the matter and determined that it had reason to believe that the Insured Institution had engaged in unsafe or unsound banking practices and had committed violations of law and/or regulation. The FDIC, therefore, accepted the CONSENT AGREEMENT and issued the following:

ORDER TO CEASE AND DESIST

IT IS HEREBY ORDERED that the Insured Institution, its directors, officers, employees, agents and other institution-affiliated parties (as that term is defined in Section 3(u) of the Act, 12 U.S.C. § 1813(u)), and its successors and assigns cease and desist from engaging in the unsafe or unsound banking practices and committing the violations of law and/or regulation specified below:

(a) operating in violation of the Bank Secrecy Act, 31 U.S.C. § 5311 et seq., 12 U.S.C. § 1829b and 12 U.S.C. §§ 1951-1959, and its implementing regulation, 31 C.F.R. Part 103, and 12 U.S.C. § 1818(s) and its implementing regulation, 12 C.F.R. § 326.8 (collectively referred to as “BSA”);

(b) operating with an inadequate BSA/Anti-Money Laundering Compliance Program (“BSA/AML Compliance Program”) to monitor and assure compliance with the BSA; and

(c) operating with ineffective policies, procedures and processes to adequately screen, monitor and verify account transactions to ensure compliance with the regulations promulgated by the United States Department of Treasury’s Office of Foreign Assets Control (“OFAC”), 31 C.F.R. Part 500, as well as all statutes, regulations, rules and/or guidelines issued or administered by OFAC (“OFAC Provisions”).

IT IS FURTHER ORDERED that the Insured Institution, its institution-affiliated parties, and its successors and assigns, shall take affirmative action as follows:

CORRECTION AND PREVENTION

1. The Insured Institution shall take all steps necessary, consistent with other provisions of the ORDER and sound banking practices, to correct and prevent the unsafe or unsound banking practices and violations of law and/or regulation identified in the FDIC’s March 26, 2007 Report of Examination (“ROE”), address each deficiency identified and implement each recommendation made in the ROE and ensure the Insured Institution is operated in a manner designed to prevent any future unsafe or unsound banking practices and violations of law and/or regulation.

2. The Insured Institution shall appropriately amend its policies, procedures and processes to implement any recommendations made in the Anti-Money Laundering Compliance Program Assessment (March 9, 2007) (the “Assessment”) and shall address any concerns or deficiencies noted in the Assessment. Within 120 days of the effective date of this ORDER, the Insured Institution shall provide a written report to the Regional Director outlining the steps it has taken to address the Assessment’s concerns, deficiencies and recommendations. If the Insured Institution fails to implement any of the Assessment’s recommendations or address any of the concerns or deficiencies noted in the Assessment, its response to the Regional Director must include a comprehensive explanation of its rationale for not addressing any of the noted concerns or deficiencies and/or not implementing one or more of the Assessment’s recommendations.

SYSTEM OF BSA INTERNAL CONTROLS

3. Within 120 days from the effective date of this ORDER, the Insured Institution shall complete and implement any and all enhancements to its system of internal controls necessary to ensure full compliance with the BSA (“BSA Internal Controls”) taking into consideration its size and risk profile. At a minimum, such system of BSA Internal Controls shall include policies, procedures and processes addressing the following areas:

(a) Risk Assessment: The Insured Institution shall ensure that it has conducted an expanded BSA/AML risk assessment of the Insured Institution’s operations (“Risk Assessment”) taking into consideration its customers, their geographic locations, the types of accounts, products and services offered and the geographic areas in which these accounts, products and services are offered to enable it to stratify its customers, products, services and geographies by risk category and determine the Insured Institution’s overall risk profile. The Insured Institution shall conduct periodic Risk Assessments and adjust its stratifications and risk profiles as appropriate, but in no event less frequently than every twelve to eighteen months;

(b) Customer Due Diligence: The Insured Institution shall enhance and implement its written policies, procedures and processes to operate in conjunction with the customer identification program required by subparagraph (h) below for:

(i) establishing customer profiles based upon the business activity, ownership structure, anticipated or actual volume and types of transactions (including those transactions involving high-risk jurisdictions) of that customer and determining whether the customer should be subject to the Insured Institution’s enhanced due diligence policies, procedures and processes required by subparagraph (c) below;

(ii) assigning risk ratings to each customer based upon their profile and the results of the Risk Assessment required by subparagraph (a) above;

(iii) maintaining and periodically updating customer profiles and risk ratings; and

(iv) resolving issues when insufficient or inaccurate information is obtained to appropriately establish a customer profile and risk rating;

(c) Enhanced Due Diligence: The Insured Institution shall enhance and implement policies, procedures and processes to operate in conjunction with the due diligence policies, procedures and processes required by subparagraph (b) above and the customer identification program required by subparagraph (h) below with respect to high-risk customers to:

(i) determine whether additional information, such as the purpose of the account, source of funds and wealth, the beneficial owners of the account, customer’s occupation or type of business, financial statements, banking references, domicile of the customer’s business, proximity of customer’s residence, place of employment or place of business to the Insured Institution, description of primary trade area of customer or beneficial owner and whether international transactions are expected to be routine, description of the business operations, the anticipated volume of currency and total sales and a list of major customers and suppliers and explanations for changes in account activity should be required and collected for that customer’s profile; and

(ii) determine whether on-site visits to collect and verify information for the customer profile are warranted;

(d) Account/Transaction Monitoring: The Insured Institution shall enhance and implement policies, procedures and processes appropriate to the Insured Institution considering its size and risk profile and in a manner that is responsive to the findings of the Risk Assessment to operate in conjunction with the policies, procedures and processes required by subparagraph (e) below and to monitor and aggregate currency activity, funds transfers, and monetary instrument sales to ensure the timely, accurate and complete filing of Currency Transaction Reports (“CTRs”), Reports of International Transportation of Currency or Monetary Instruments (“CMIRs”), Reports of Foreign Bank and Financial Accounts (“FBARs”) and any other similar or related reports required by law or regulation;

(e) Suspicious Activity Reporting: The Insured Institution shall, taking into account its size and risk profile and in a manner that is responsive to the findings of the Risk Assessment, enhance and implement appropriate policies, procedures, processes and systems for monitoring, detecting and reporting suspicious activity being conducted within or through the Insured Institution. These policies, procedures, processes and systems should:

(i) collect and analyze data from each branch and business area of the Insured Institution on a centralized basis for the production of periodic reports designed to identify unusual or suspicious activity, to monitor and evaluate unusual or suspicious activity, and to maintain accurate information needed to produce these reports;

(ii) be able to identify related accounts, countries of origin, location of the customer’s businesses and residences to evaluate patterns of activity;

(iii) cover a broad range of timeframes, including individual days, a number of days, and a number of months, as appropriate, and should segregate transactions that pose a greater than normal risk for non-compliance with BSA;

(iv) establish risk based monitoring of high-risk customers enabling the Insured Institution to identify transactions for further monitoring, analysis and possible reporting;

(v) establish periodic testing and appropriate adjustment to the policies, procedures and processes utilized to monitor high risk customers;

(vi) ensure adequate referral of information about potentially suspicious activity through appropriate levels of management, including a policy for determining action to be taken in the event of multiple filings of SARs on the same customer, or in the event a correspondent or other customer fails to provide due diligence information. Such procedures shall describe the circumstances under which an account should be closed and the processes and procedures to be followed in doing so;

(vii) require the documentation of management’s decisions to file or not to file a SAR; and

(viii) ensure the timely, accurate and complete filing of required SARs and any other similar or related reports required by law or regulation;

(f) Wire Transfer Transactions: The Insured Institution shall enhance and implement policies, procedures and processes with respect to wire transfer recordkeeping, including requirements for complete information on beneficiaries and originators, as required by 31 C.F.R. 103.33;

(g) Monetary Instrument Sales: The Insured Institution shall enhance and implement written policies, procedures and processes with respect to monetary instrument sales recordkeeping, as required by 31 C.F.R. 103.29;

(h) Customer Identification Program: The Insured Institution shall enhance and implement written policies, procedures and processes enhancing the customer identification program (“CIP”) required by 12 C.F.R. § 326.8(b) to ensure that the Insured Institution’s CIP contains at a minimum:

(i) account opening procedures specifying the identifying information required for each customer type;

(ii) risk-based procedures for verifying the identity of new customers within a reasonable time after the account is opened;

(iii) procedures for circumstances in which the Insured Institution is unable to form a reasonable belief that it knows the true identity of a customer;

(iv) risk-based procedures for reviewing existing customers to determine whether sufficient information has been obtained to establish the customer profiles and risk ratings required by subparagraph (b) above; and procedures for obtaining any information necessary for such profiles and risk ratings;

(v) procedures for recordkeeping and retention;

(vi) procedures to determine whether a customer appears on any federal government list of known or suspected terrorists or terrorist organizations when such list is generated;

(vii) procedures to provide adequate notice to customers that the Insured Institution will be requesting information to verify their identities;

(viii) if applicable, procedures for reliance upon another financial institution to perform one or more elements of its CIP. Such procedures shall require at a minimum, confirmation that the relied-upon financial institution is subject to a rule implementing the program requirements of 31 U.S.C. § 5318(h) and is regulated by a federal functional regulator, confirmation that the customer at issue has an account or is opening an account at the relied-upon financial institution, a determination that the Insured Institution’s reliance upon the financial institution is justified under the circumstances and confirmation that the relied-upon financial institution has entered into a contract with the Insured Institution requiring it to certify annually to the Insured Institution that it has implemented its BSA/AML Compliance Program and will perform the specified requirements of the Insured Institution’s CIP;

(i) Information Sharing: The Insured Institution shall enhance its written policies, procedures and processes regarding information sharing to ensure the Insured Institution’s compliance with 31 C.F.R. §§ 103.100 and 103.110. These enhanced policies, procedures and processes should, at a minimum:

(i) designate a point of contact within the Insured Institution for receiving information requests;

(ii) ensure that the confidentiality of requested information is adequately safeguarded;

(iii) establish a process for responding to requests from the Financial Crimes Enforcement Network, FinCEN;

(iv) establish a process for determining whether and when a SAR should be filed; and

(v) establish appropriate recordkeeping procedures and provide for appropriate retention and maintenance of these records; and

(j) BSA/AML Staffing and Resources: The Insured Institution shall review BSA/AML compliance staffing and resources taking into consideration its size and risk profile (based upon the Risk Assessment) and make such modifications as are appropriate. The Insured Institution shall periodically review and shall appropriately adjust its BSA/AML staffing and resources.

SYSTEM OF OFAC INTERNAL CONTROLS

3. Within 120 days of the effective date of this ORDER, the Insured Institution shall complete and implement any and all enhancements to its system of internal controls necessary to ensure full compliance with the OFAC Provisions (“OFAC Internal Controls”) taking into consideration its customers, their geographic locations, the types of accounts, products and services it offers these customers and the geographic areas in which these accounts, products and services are offered. At a minimum, such system of OFAC Internal Controls shall include:

(a) written policies, procedures and processes for conducting OFAC searches of each department or business line of the Insured Institution;

(b) written policies, procedures, and processes for conducting OFAC searches of customers and account parties, including, but not limited to, beneficiaries, guarantors, principals, beneficial owners, nominee shareholders, directors, signatories and powers of attorney;

(c) written policies, procedures and processes for obtaining and updating OFAC lists or filtering criteria;

(d) written policies, procedures and processes for identifying and investigating potential OFAC matches;

(e) written policies, procedures and processes for blocking and rejecting transactions;

(f) written policies, procedures and processes to inform OFAC and the Insured Institution’s board of directors (“Board”) or its designee of blocked or rejected transactions;

(g) written policies, procedures and processes to manage blocked accounts; and

(h) written policies, procedures and processes to retain OFAC records in accordance with the OFAC Provisions.

INDEPENDENT TESTING

4. Within 120 days from the effective date of this ORDER, the Insured Institution shall ensure that its independent testing programs for compliance with the BSA and OFAC Provisions are performed on no less than an annual basis. The scope of the testing procedures to be performed, and testing results, shall be documented in writing and approved by the Insured Institution’s Board or its designee. The testing procedures, at a minimum, should include the following:

(a) compliance testing for all appropriate business lines conducted by qualified staff independent of the Insured Institution’s compliance, BSA/AML and OFAC functions;

(b) formal, documented testing programs, including adequately detailed reports and workpapers;

(c) testing of the adequacy of the Insured Institution’s Risk Assessment;

(d) testing of the adequacy of the BSA and OFAC Internal Controls designed to ensure compliance with both the BSA and OFAC Provisions;

(e) testing of the adequacy of the BSA and OFAC training program;

(f) a risk-based approach that includes transactional testing and verification of data for higher risk accounts;

(g) review of independent testing results by senior management;

(h) procedures to ensure that senior management institutes appropriate actions in response to independent testing results; and

(i) direct lines of reporting between the independent testing function and the Board or its designee.

THIRD PARTY LOOK BACK REVIEW

5. (a) Within 30 days from the effective date of this ORDER, the Insured Institution shall engage a qualified independent firm (“Consultant”) acceptable to the Regional Director to conduct a review of account and transaction activity for the time period beginning April 1, 2006 through March 31, 2007 or such other period acceptable to the Regional Director to determine whether suspicious activity involving any accounts of or transactions within or through the Insured Institution was properly identified and reported in accordance with the applicable suspicious activity reporting requirements (“Initial Look Back Review”).

(b) Within 10 days of the engagement of the Consultant, but prior to the commencement of the Initial Look Back Review, the Insured Institution shall submit to the Regional Director for approval an engagement letter that sets forth:

(i) the scope of the Initial Look Back Review, including the types of accounts and transactions to be reviewed;

(ii) the methodology for conducting the Initial Look Back Review, including any sampling procedures to be followed;

(iii) the expertise and resources to be dedicated to the Initial Look Back Review; and

(iv) the anticipated date of the completion of the Initial Look Back Review.

(c) Upon completion of the Initial Look Back Review and any subsequent Look Back Reviews, the Consultant shall provide a copy of the report detailing its findings to the Regional Director at the same time the report is provided to the Insured Institution. The Regional Director may determine, in her sole discretion, that one or more additional Look Back Reviews must be performed. Any additional Look Back Review shall be conducted by the Consultant in the same manner as the Initial Look Back Review and shall be for the time period established by the Regional Director.

(d) Within 30 days of its receipt of the Look Back Review report and any subsequent Look Back Reviews, the Insured Institution shall ensure that all matters or transactions required to be reported, that have not previously been reported, are reported in accordance with applicable laws and regulations.

AUDIT POLICY

6. Within 120 days from the effective date of this ORDER, the Insured Institution shall amend its policies, procedures, and processes with regard to both internal and external audits so that the Insured Institution periodically reviews compliance with both the BSA and OFAC Provisions as part of its routine auditing in a manner acceptable to the Regional Director.

PROGRESS REPORTS

7. Within 45 days from the effective date of this ORDER, and at monthly intervals thereafter, the Insured Institution shall furnish written progress reports to the Regional Director detailing the form, content, and manner of any actions taken to secure compliance with this ORDER, and the results thereof.

8. Within 45 days from the effective date of this ORDER, and at monthly intervals thereafter, the Insured Institution shall prepare and present to the Audit Committee of the Insured Institution’s parent holding company, Doral Financial Corporation, a written report of its findings, detailing the form, content, and manner of any action taken to ensure compliance with this ORDER and the results thereof, and any recommendations with respect to such compliance. Such progress reports shall also be included in the minutes of the Insured Institution’s Board meetings. Nothing contained herein shall diminish the responsibility of the Board to ensure compliance with the provisions of this ORDER.

SHAREHOLDERS

9. Following the effective date of this ORDER, the Insured Institution shall send to its parent holding company, Doral Financial Corporation, the ORDER or otherwise furnish a description of the ORDER in conjunction with the Insured Institution’s next communication with such parent holding company. The description shall fully describe the ORDER in all material respects.

OTHER ACTIONS

10. It is expressly and clearly understood that if, at any time, the Regional Director shall deem it appropriate in fulfilling the responsibilities placed upon him or her under applicable law to undertake any further action affecting the Insured Institution, nothing in this ORDER shall in any way inhibit, estop, bar or otherwise prevent him or her from doing so, including, but not limited to, the imposition of civil money penalties.

11. It is expressly and clearly understood that nothing herein shall preclude any proceedings brought by the Regional Director to enforce the terms of this ORDER, and that nothing herein constitutes, nor shall the Insured Institution contend that it constitutes, a waiver of any right, power, or authority of any other representatives of the United States or agencies thereof, Department of Justice or any other representatives of the Commonwealth of Puerto Rico or any other agencies thereof, including any prosecutorial agency, to bring other actions deemed appropriate.

ORDER EFFECTIVE

12. The effective date of this ORDER shall be the date of issuance.

13. The provisions of this ORDER shall be binding upon the Insured Institution, its directors, officers, employees, agents, successors, assigns, and other institution-affiliated parties of the Insured Institution.

14. The provisions of this ORDER shall remain effective and enforceable except to the extent that, and until such time as, any provisions of this ORDER shall have been modified.

Pursuant to delegated authority.

         
Dated: February 19, 2008.

/S/ Doreen R. Eberly
Doreen R. Eberly
Regional Director
