Banking Department Issues Order to Cease and Desist To First American International Bank
THE SUPERINTENDENT OF BANKS OF THE STATE OF NEW YORK
In The Matter of
FIRST AMERICAN INTERNATIONAL BANK
Order to Cease and Desist
Issued Upon Consent
WHEREAS, in recognition of their common goals to ensure compliance with all applicable federal and state laws, rules and regulations by First American International Bank (“FAIB” or “Bank”), a state chartered institution, the deposits of which are insured by the Federal Deposit Insurance Corporation ("FDIC"), and to effectively manage the legal, reputational and compliance risks of FAIB, the New York State Banking Department (the "Department") and FAIB have mutually agreed to enter into this Order to Cease and Desist Issued Upon Consent (the "ORDER");
WHEREAS, after the performance of an examination of FAIB, the Department has determined that the Bank must take immediate action to correct apparent violations and deficiencies, as more fully described below;
WHEREAS, on July 26, 2007, the board of directors of FAIB, at a duly constituted meeting, adopted a resolution:
- Authorizing and directing Mr. Alfonso Lau, President of FAIB to enter into this Order on behalf of the Bank, and to consent to compliance on behalf of the Bank with each and every provision of this Order;
- Waiving the Bank’s right to notice and a hearing for the purpose of taking evidence on any and all matters set forth in this Order;
- Waiving any and all rights to judicial review of this Order; and
- Waiving any and all rights to challenge or contest the validity, effectiveness, terms or enforceability of the provisions of this Order.
NOW, THEREFORE, before the taking of testimony or the making of any findings of fact or conclusions of law, and without this Order constituting an admission of wrongdoing or an adoption, approval or admission of any allegation made by the Department in connection with this proceeding, and solely for the purpose of settling the instant proceeding without protracted or extended hearings, and pursuant to the aforesaid resolution:
IT IS HEREBY ORDERED that the Bank shall cease and desist from engaging in the unsafe or unsound banking practices and committing the violations of law and/or regulation specified below:
- Operating in violation of the Bank Secrecy Act, as amended, 12 U.S.C. § 1829b, 12 U.S.C. §§ 1951-1959, and 31 U.S.C. §§ 5311-5332, and implemented by rules and regulations issued by the United States Department of Treasury, 31 C.F.R. Part 103 and 12 C.F.R. Part 353, and 12 U.S.C. §§ 1818(s) and its implementing regulation, 12 C.F.R. § 326.8 (hereafter, collectively, the “BSA”) and 3 N.Y.C.R.R. Part 300;
- operating with ineffective policies, procedures and processes to adequately screen, monitor and verify account transactions to ensure compliance with the regulations promulgated by the United States Department of Treasury’s Office of Foreign Assets Control (“OFAC”), 31 C.F.R. Part 500, as well as all statutes, regulations, rules and/or guidelines issued or administered by OFAC (“OFAC Provisions”);
- operating with inadequate management supervision and oversight by the Bank’s board of directors (“Board”) to prevent unsafe or unsound practices and violations of the BSA and OFAC Provisions;
- operating with an inadequate BSA/Anti-Money Laundering Compliance Program (“BSA/AML Compliance Program”) to monitor and assure compliance with the BSA;
- operating with an inadequate system of internal controls for compliance with the BSA and OFAC Provisions;
- operating with an inadequate system of independent testing for compliance with the BSA and OFAC Provisions;
- failing to provide adequate training in BSA and OFAC Provisions;
- operating with ineffective policies, procedures and processes to adequately comply with the United States Department of Treasury’s Financial Recordkeeping and Reporting Regulations, 31 C.F.R. Part 103;
- operating in violation of FDIC Rules and Regulations, sections 353.3(a)(4)(i) and (iii) and United States Department of Treasury Rules and Regulations, section 103.18, 31 U.S.C. § 5318(g), and 3 N.Y.C.R.R. Part 300, for failing to file suspicious activity reports (“SARs”); and
- failing to conform to generally accepted appraisal standards in violation of 12 C.F.R. Part 323.
IT IS FURTHER ORDERED that the Bank shall take the following affirmative actions:
CORRECTION AND PREVENTION
- Beginning on the effective date of this Order, the Bank shall take all steps necessary, consistent with other provisions of the ORDER and sound banking practices, to correct and prevent the unsafe or unsound banking practices and violations of law and/or regulations identified in the December 4, 2006 report of examination ("ROE"), prepared by the Department and the FDIC and the January 31, 2007 visitation letter issued by both agencies, and address each deficiency identified in the ROE and ensure that the Bank is operated with adequate management supervision and Board oversight to prevent any future unsafe or unsound banking practices and violations of law and/or regulations.
SYSTEM OF BSA INTERNAL CONTROLS
- Within 90 days from the effective date of this ORDER, the Bank shall develop, adopt, and implement a system of internal controls designed to ensure full compliance with the BSA (“BSA Internal Controls”) taking into consideration its size and risk profile. At a minimum, such system of BSA Internal Controls shall include policies, procedures and processes addressing the following areas:
- Risk Assessment: The Bank shall conduct an initial BSA/AML risk assessment of the Bank’s operations (“Risk Assessment”), taking into consideration its customers, their geographic locations, the types of accounts, products and services offered and the geographic areas in which these accounts, products and services are offered to enable it to stratify its customers, products, services and geographies by risk category, and determine the Bank’s overall risk profile. The Bank shall establish written policies, procedures and processes to conduct periodic Risk Assessments and to adjust its stratifications and risk profile as appropriate, but in no event less frequently than once every twelve months;
- Customer Due Diligence: The Bank shall develop, adopt and implement written policies, procedures and processes to operate in conjunction with the customer identification program required by paragraph 2(j) below for:
- establishing customer profiles for individual and business customers based upon the activity of the customer, location, financial information, ownership structure, anticipated or actual volume and types of transactions (including those transactions involving high-risk jurisdictions) of that customer, including anticipated or actual volume of wire transfers of that customer, and determining whether the customer should be subject to the Bank’s enhanced due diligence policies, procedures and processes required by paragraph 2(c) below;
- assigning risk ratings to each customer based upon their profile and the results of the Risk Assessment required by paragraph 2(a) above;
- maintaining and periodically updating customer profiles and risk ratings;
- resolving issues when insufficient or inaccurate information is obtained to appropriately establish a customer profile and risk rating; and
- developing risk-based monitoring of customer activity measured against customer profiles to determine whether suspicious activity exists;
- Enhanced Due Diligence: The Bank shall develop, adopt and implement policies, procedures and processes to operate in conjunction with the due diligence policies, procedures and processes required by paragraph 2(b) above, and the customer identification program required by paragraph 2(j) below, with respect to high-risk customers to:
- determine whether additional information, such as the purpose of the account, source of funds and wealth, the beneficial owners of the account, customer’s occupation or type of business, financial statements, banking references, domicile of the customer’s business, proximity of customer’s residence, place of employment or place of business to the Bank, description of primary trade area of customer or beneficial owner and whether international transactions are expected to be routine, description of the business operations, the anticipated volume of currency and total sales and a list of major customers and suppliers and explanations for changes in account activity should be required and collected for that customer’s profile; and
- determine whether on-site visits to collect and verify information for the customer profile are warranted;
- Currency Transaction Reports: The Bank shall establish policies, procedures and processes that address the preparation, filing and retention of Currency Transaction Reports (“CTRs”), including a requirement that cash deposits and the purchase of monetary instruments for cash are included in the aggregation process;
- Customer Exemptions: The Bank shall revise its policies, procedures and processes regarding customer exemptions in accordance with applicable law and regulations, including ensuring that policies, procedures and processes clearly distinguish between Phase I and Phase II exemptions (exemptions pursuant to 31 C.F.R. § 103.22(d)(2)(i) – (v) and 31 C.F.R. § 103.22(d)(2)(vi) – (vii), respectively) and the requirements of each;
- Account/Transaction Monitoring: The Bank shall develop, adopt and implement BSA/AML monitoring policies, procedures and processes appropriate to the Bank, considering its size and risk profile (based upon the Risk Assessment) to operate in conjunction with the policies, procedures and processes required by paragraph 2(g) below and to:
- establish parameters to determine which customers require further review;
- establish a tracking mechanism to assist the reviewer in identifying a customer with a pattern of structuring or engaging in suspicious activity;
- monitor and aggregate all currency activity, funds transfers, and monetary instrument sales to ensure the timely, accurate and complete filing of CTRs and any other similar or related reports required by law or regulation;
- ensure that the monitoring of sales of monetary instruments includes a review of common payees; and
- ensure that monetary instrument logs note the amount of currency used for the purchase of the instrument and the customer’s name and account number, if applicable;
- Suspicious Activity Reporting: The Bank shall, taking into account its size and risk profile (based upon the Risk Assessment), develop, adopt and implement appropriate policies, procedures, processes and systems for monitoring, detecting and reporting suspicious activity being conducted within or through the Bank. These policies, procedures, processes and systems should:
- ensure that data is collected and analyzed from each branch and business area of the Bank on a centralized basis for the production of periodic reports designed to identify unusual or suspicious activity, to monitor and evaluate unusual or suspicious activity, and to maintain accurate information needed to produce and file SARs;
- be able to identify related accounts, countries of origin, location of the customer’s businesses and residences to evaluate patterns of activity;
- cover a broad range of timeframes, including individual days, a number of days, and a number of months, as appropriate, and should segregate transactions that pose a greater than normal risk for non-compliance with BSA;
- establish risk-based monitoring of high-risk customers enabling the Bank to identify transactions for further monitoring, analysis and possible reporting;
- establish periodic testing and appropriate adjustment to the policies, procedures and processes utilized to monitor high-risk customers;
- ensure adequate referral of information about potentially suspicious activity through appropriate levels of management, including a policy for determining action to be taken in the event of multiple filings of SARs on the same customer, or in the event a correspondent bank or other person or entity fails to provide requested information. Such procedures shall describe the circumstances under which an account should be closed and the processes and procedures to be followed in doing so;
- require the documentation of management’s decision to file or not to file a SAR;
- ensure the timely, accurate and complete filing of required SARs and any other similar or related reports required by law or regulation, including ensuring that SARs are filed in accordance with 31 C.F.R. Part 103.18, 12 C.F.R. Part 353, and 3 N.Y.C.R.R. Part 300, after reportable suspicious activity is detected, that SARs reflect whether the suspect is a customer or non-bank customer, and that SARs involving wire transfers include information on beneficiaries of the wire transfers; and
- ensure that SARs are properly tracked and maintained, including being stored in a confidential manner.
- Wire Transfer Transactions: The Bank shall develop, adopt and implement policies, procedures and processes with respect to wire transfer activities and recordkeeping that include the following:
- requiring that complete information on beneficiaries and originators is obtained and maintained, as required by 31 C.F.R. 103.33;
- the establishment of monitoring systems and parameters, taking into account the Bank’s size and risk profile, to identify and report suspicious activity. Such systems and parameters shall, at a minimum, include:
- parameters that will generate exception reports capturing customer and non-customer (if any) wire transfer activities that take into account aggregate activities that could reasonably be construed as attempts to circumvent the $3,000 reporting threshold; and
- an aggregation system or parameter that would capture and report wire transfers occurring at the end of a month and the beginning of the following month;
- a requirement that wire transfers of customers be processed through their accounts;
- a requirement that customer identification information be accurately and completely recorded and properly matched to the information on the wire transfer applications;
- appropriate identification and verification procedures for non-bank customers (if any) engaging in wire transfer activities, including specification of the acceptable identification records and non-documentary procedures;
- a requirement that monthly exception reports are reviewed for suspicious activity, and appropriately followed up; and
- a dollar threshold identification requirement for non-customer (if any) wire transfers that is consistent with sound industry practice;
- BSA/AML Staffing and Resources: The Bank shall review BSA/AML compliance staffing and resources, taking into consideration its size and risk profile (based upon the Risk Assessment) and make such modifications as are appropriate. The Bank shall establish written policies, procedures and processes requiring the periodic review of and appropriate adjustment to its BSA/AML staffing and resources;
- Customer Identification Program: The Bank shall develop, adopt and implement written policies, procedures and processes to enhance its customer identification program (“CIP”), required by 31 U.S.C. § 5318 (1) and 12 C.F.R. § 326.8(b), to ensure that the Bank’s CIP contains at a minimum:
- account opening procedures specifying the identifying information required for each customer type, including a clear statement of the four required identifying elements (name, date of birth, address, and identification number), as well as a clear statement of the types of acceptable identification documents;
- procedures to provide adequate notice to customers in English and the customer’s native language, as appropriate, that the Bank will be requesting information to verify their identities; and
- deletion of any provision which allows a bank officer to approve the opening of an account without required CIP documentation.
SYSTEM OF OFAC INTERNAL CONTROLS
- Within 30 days of the effective date of this ORDER, the Bank shall develop, adopt, and implement a system of internal controls designed to ensure full compliance with the OFAC Provisions (“OFAC Internal Controls”), taking into consideration its customers, their geographic locations, the types of accounts, products and services it offers these customers, and the geographic areas in which these accounts, products and services are offered. At a minimum, such system of OFAC Internal Controls shall include:
- written policies, procedures and processes for identifying and reviewing transactions and accounts for possible violations of OFAC Provisions, including procedures for comparing names provided on a list from OFAC (“OFAC List”) against the names on accounts at the Bank and names associated with transactions performed at the Bank, including transactions involving sanctioned countries (“OFAC Searches”);
- written policies, procedures, and processes for conducting OFAC Searches of customers and account parties, including, but not limited to, new account holders, beneficiaries, guarantors, principals, beneficial owners, nominee shareholders, directors, signatories and powers of attorney;
- written policies, procedures and processes for obtaining and updating OFAC lists and filtering criteria;
- written policies, procedures and processes for identifying and investigating potential matches to names on OFAC Lists;
- written policies, procedures and processes for blocking and rejecting transactions;
- written policies, procedures and processes to inform OFAC and the Board, or a Board committee, of blocked or rejected transactions;
- written policies, procedures and processes to manage blocked accounts; and
- written policies, procedures and processes to retain documentation of OFAC Searches on new accounts, the existing customer base and specific transactions, as warranted, in accordance with the OFAC Provisions.
- Within 180 days from the effective date of this ORDER, the Bank shall establish independent testing programs for compliance with the BSA and OFAC Provisions, to be performed on no less than an annual basis. The scope of the testing procedures to be performed, and testing results, shall be documented in writing and approved by the Board or a Board committee. The testing procedures, at a minimum, should include the following:
- compliance testing for all appropriate business lines conducted by qualified staff independent of the Bank’s compliance, BSA/AML and OFAC functions;
- formal, documented testing programs, including adequately detailed reports and workpapers;
- testing of the adequacy of the Bank’s Risk Assessment;
- testing of the adequacy of the BSA and OFAC Internal Controls designed to ensure compliance with both the BSA and OFAC Provisions, including adequate transaction testing in the areas of wire transfers, CTRs and searches of the Bank’s records conducted pursuant to a request from FinCEN pursuant to Section 314 (a);
- testing of the adequacy of the Bank’s Training Program, as that term is defined in paragraph 5;
- a risk-based approach that includes transaction testing and verification of data for higher risk accounts;
- review of independent testing results by senior management;
- procedures to ensure that senior management institutes appropriate actions in response to independent testing results;
- direct lines of reporting between the independent testing function and the Board or a Board committee; and
- testing of the adequacy of the Bank’s wire transfer monitoring on at least an annual basis, including the Bank’s adherence to 31 C.F.R. § 103.33(3) (recordkeeping requirements) and 31 C.F.R. § 103.33(g) (the travel rule), and whether the Bank is identifying and accurately reporting SARs in a timely manner.
- Beginning on the effective date of the ORDER, the Bank shall take all steps necessary, consistent with sound banking practices, to ensure that all appropriate personnel are aware of, and can comply with, the requirements of the BSA and OFAC Provisions applicable to the individual’s specific job responsibilities to assure the Bank’s compliance with the BSA and OFAC Provisions.
- Within 60 days from the effective date of this ORDER, the Bank shall develop, adopt and implement effective training programs designed for the Board, management and staff and their specific compliance responsibilities on all relevant aspects of laws, regulations, and Bank policies, procedures and processes relating to the BSA and the OFAC Provisions (“Training Program”). The Training Program shall ensure that all appropriate personnel are aware of, and can comply with, the requirements of both the BSA and OFAC Provisions on an ongoing basis. The Training Program shall include:
- an overview of BSA/AML and OFAC Provisions for new staff, along with specific training designed for their specific duties and responsibilities, upon hiring;
- training on the Bank’s BSA/AML policies, procedures and processes along with new rules and requirements as they arise for appropriate personnel designed to address their specific duties and responsibilities, including but not limited to training on funds transfers, recordkeeping, purchase and sale of monetary instruments and customer due diligence and enhanced due diligence;
- training on the Bank’s OFAC policies, procedures and processes and changes thereto, along with new rules and requirements as they arise for appropriate personnel designed to address their specific duties and responsibilities;
- a requirement that the Board fully document the training of each employee with respect to both the BSA/AML and OFAC policies, procedures and processes, including the designated BSA and OFAC Compliance Officer(s);
- a requirement that training in these areas be conducted no less frequently than annually; and
- training on the proper completion, filing, tracking and maintenance of SARs, including ensuring the confidentiality of SARs.
- Within 90 days of the effective date of this ORDER, the Bank shall develop, adopt and implement policies, procedures and processes to ensure full compliance with Section 314(a) of the USA PATRIOT Act, including procedures to ensure that timely, responsive searches are performed and the types of information searched, including monetary instruments. Said policies, procedures and processes should also establish the following key functions:
- receiving information requests from FinCEN;
- scanning the names and responding to FinCEN;
- maintaining the Section 314(a) log;
- investigating and reviewing the procedures to determine a true or false hit;
- determining when a SAR should be filed;
- recordkeeping requirements; and
- maintaining the importance of confidentiality.
- Within 180 days from the effective date of this ORDER, the Bank shall amend its policies, procedures, and processes with regard to internal and/or external audits so that the Bank periodically reviews compliance with both the BSA and OFAC Provisions as part of its routine auditing. The Bank's audit policy should address, at a minimum:
- the objectives of the audit work program;
- the identification of all areas to be reviewed, as well as the required frequency of such reviews;
- the tracking and inter-period reporting requirements as performed within the matrix;
- workpaper retention requirements;
- submission of confidential and anonymous concerns to the Bank’s Audit Committee about questionable accounting or internal routine and control practices; and
- contingency planning in the event of loss of audit coverage, particularly for high-risk areas.
- As long as this ORDER shall remain in effect, the Bank's internal and/or external audits shall include a review of these areas, with significant exceptions reported directly to the Bank's Audit Committee and the Board.
- Beginning on the effective date of this ORDER, the Bank shall provide periodic reports to the Audit Committee of the Board, setting forth any law enforcement inquiry that relates in any way to the BSA or OFAC Provisions, any criminal subpoena received by the Bank and any action taken or response provided with respect to such inquiry or subpoena.
THIRD PARTY LOOK BACK REVIEW
- Within 20 days from the effective date of this ORDER, the Bank shall engage a qualified independent firm ("Consultant"), acceptable to the Superintendent of Banks (“Superintendent”), to conduct a review of account and transaction activity for the time period beginning January 1, 2006 through the effective date of this ORDER to determine whether suspicious activity involving any accounts or transactions within or through the Bank was properly identified and reported in accordance with the applicable suspicious activity reporting requirements, and activity of suspects included on the Section 314(a) subject lists provided by FinCEN through its Secure Information Sharing System involving any accounts or transactions at, by or through the Bank was properly identified and reported to FinCEN (“Look Back Review”).
- Within 10 days of the engagement of the Consultant, but prior to the commencement of the Look Back Review, the Bank shall submit to the Superintendent for approval an engagement letter that sets forth:
- the scope of the Look Back Review, including the types of accounts and transactions to be reviewed which shall, at a minimum, include the Bank’s foreign branch accounts, cash intensive business accounts, customers with high, frequent or international wire transactions and customers with financial transactions in locations linked to terrorist, drug trafficking or money laundering, including, but not limited to, the transactions or accounts identified in the ROE as requiring additional investigation by the Bank;
- the methodology for conducting the Look Back Review, including any sampling procedures to be followed;
- the expertise and resources to be dedicated to the Look Back Review; and
- the anticipated date of the completion of the Look Back Review;
- Within 120 days of the effective date of this ORDER, the Look Back Review shall be completed and the Consultant shall provide a copy of its report detailing its findings to the Superintendent at the same time the report is provided to the Bank; and
- Within 30 days of its receipt of the Look Back Review report, the Bank shall ensure that all matters or transactions required to be reported, that have not previously been reported, are reported in accordance with applicable laws and regulations.
THIRD PARTY REVIEW
- Within 210 days of the effective date of this ORDER, an independent third party, engaged by the Bank, shall begin a comprehensive review ("Review") of the actions taken by the Bank in connection with paragraphs 1 through 10 of this ORDER and the Bank’s compliance with the BSA and OFAC Provisions. At a minimum, this Review shall include the effectiveness of the policies, procedures and processes adopted by the Bank pursuant to this ORDER and their implementation. The independent third party shall prepare and submit a written report of its findings (the “Review Report”) to the Board and the Superintendent within 30 days of the completion of the Review.
- Within 30 days of receipt of the Review Report, the Board shall appropriately amend its policies, procedures and processes to implement any recommendations made in the Review Report and address any concerns or deficiencies noted in the Review Report; and
- Within 45 days of receipt of the Review Report, the Board shall provide a written response to the Review Report to the Superintendent outlining the steps it has taken to implement the recommendations made in the Review Report and to address any concerns or deficiencies noted in the Review Report. If the Board fails to implement any of the Review Report’s recommendations or address any concerns or deficiencies noted in the Review Report, it shall provide to the Superintendent in its response a comprehensive explanation of its rationale for not implementing the Review Report’s recommendations or addressing any concerns or deficiencies noted in the Review Report.
- Beginning on the effective date of this ORDER, the Bank shall ensure that all appraisals for “federally related transactions,” as that term is defined in 12 C.F.R. § 323.2, comply with the generally accepted appraisal standards as evidenced by the Uniform Standards of Professional Appraisal Practice and as required by 12 C.F.R. § 323.4(a).
- Following the effective date of this ORDER, the Bank shall send to its parent holding company the ORDER or otherwise furnish a description of the ORDER in conjunction with the Bank’s next communication with such parent holding company. The description shall fully describe the ORDER in all material respects.
- Within 30 days from the effective date of this ORDER, the Board shall appoint a committee ("Compliance Committee") composed of at least three directors who are not now, and have never been, involved in the daily operations of the Bank, and whose composition is acceptable to the Superintendent, to monitor the Bank's compliance with this ORDER. Within 30 days from the effective date of this ORDER, and at monthly intervals thereafter, such Compliance Committee shall prepare and present to the Bank's Board a written report of its findings, detailing the form, content, and manner of any action taken to ensure compliance with this ORDER and the results thereof, and any recommendations with respect to such compliance. Such progress reports shall be included in the minutes of the Board’s meetings. Nothing contained herein shall diminish the responsibility of the entire Board to ensure compliance with the provisions of this ORDER.
- By the 30th day after the end of the calendar quarter following the effective date of this ORDER, and by the 15th day after the end of every calendar quarter thereafter, the Bank shall furnish written progress reports to the Superintendent detailing the form, content, and manner of any actions taken to secure compliance with this ORDER, and the results thereof. The Bank shall continue to submit the quarterly reports until it receives written notice from the Superintendent that such reports are no longer required.
- It is expressly and clearly understood that if, at any time, the Superintendent shall deem it appropriate in fulfilling the responsibilities placed upon him under applicable law to undertake any further action affecting the Bank, including the imposition of civil money penalties, nothing in this ORDER shall in any way inhibit, estop, bar or otherwise prevent him from doing so.
- It is expressly and clearly understood that nothing herein shall preclude any proceedings brought by the Superintendent to enforce the terms of this ORDER, and that nothing herein constitutes, nor shall the Bank contend that it constitutes, a waiver of any right, power, or authority of any other representatives of the United States or agencies or departments thereof, or any representatives of the State of New York or any other agencies or departments thereof, including any prosecutorial agency, to bring other actions deemed appropriate.
- All communications regarding this ORDER shall be sent to:
Mr. Robert A. Mengani
New York State Banking Department
1 State Street Plaza
New York, New York 10004
- The provisions of this ORDER shall be binding on the Bank and each of its successors and assigns.
- Each provision of this ORDER shall remain effective and enforceable until stayed, modified, terminated or suspended in writing by the Department.
- Notwithstanding any provision of this ORDER, the Department may, in its sole discretion, grant extensions of time to the Bank to comply with any provision of this ORDER.
By ORDER of the Superintendent of Banks of the State of New York, effective this 3rd day of August, 2007.
NEW YORK STATE