Attached files
| file | filename |
|---|---|
| EX-99.3 - EX-99.3 - FULTON FINANCIAL CORP | d761329dex993.htm |
| EX-99.4 - EX-99.4 - FULTON FINANCIAL CORP | d761329dex994.htm |
| EX-99.6 - EX-99.6 - FULTON FINANCIAL CORP | d761329dex996.htm |
| 8-K - FORM 8-K - FULTON FINANCIAL CORP | d761329d8k.htm |
| EX-99.1 - EX-99.1 - FULTON FINANCIAL CORP | d761329dex991.htm |
| EX-99.2 - EX-99.2 - FULTON FINANCIAL CORP | d761329dex992.htm |
Exhibit 99.5
UNITED STATES OF AMERICA
DEPARTMENT OF THE TREASURY
COMPTROLLER OF THE CURRENCY
|
In the Matter of: |
) | |||
| FNB Bank, N.A. | ) | AA-EC-2014-68 | ||
| Danville, Pennsylvania |
) |
CONSENT ORDER
The Comptroller of the Currency of the United States of America (“Comptroller”), through his authorized representative, has supervisory authority over FNB Bank, N.A., Danville, Pennsylvania (“Bank”).
The Bank, by and through its duly elected and acting Board of Directors (“Board”), has executed a “Stipulation and Consent to Issuance of Consent Order” dated July 14, 2014, accepted by the Comptroller. By this Stipulation and Consent, incorporated by reference, the Bank has consented to the issuance of this Consent Order (“Order”) by the Comptroller.
Pursuant to the authority vested in it by the Federal Deposit Insurance Act, as amended, 12 U.S.C § 1818, the Comptroller hereby orders that:
ARTICLE I
COMPLIANCE COMMITTEE
(1) Within fifteen (15) days of the date of this Order, the Board shall establish a Compliance Committee comprised of at least one (1) director, a majority of which shall not be an employee or controlling shareholder of the Bank or any of its affiliates (as the term “affiliate” is defined in 12 U.S.C. § 371c(b)(1)), or a family member of any such person. Upon appointment, the names of the members of the Compliance Committee and, in the event of a change of the membership, the name of any new member shall be submitted in writing to the Assistant Deputy
1
Comptroller. The members of the Compliance Committee shall be the Bank’s representatives to the Special Joint Board Compliance Committee of Fulton Financial Corporation, the Bank’s holding company, and its affiliate banks. The Compliance Committee, including through participation of its member(s) in the Special Joint Board Compliance Committee, shall be responsible for monitoring and coordinating the Bank’s adherence to the provisions of this Order.
(2) The Compliance Committee shall meet at least monthly.
(3) Within thirty (30) days of the end of each quarter, the Compliance Committee shall submit a written progress report to the Board setting forth in detail:
| (a) | actions taken to comply with each Article of this Order; |
| (b) | the results and status of those actions; and |
| (c) | a description of the actions needed to achieve full compliance with each Article of this Order. |
(4) The Board shall forward a copy of the Compliance Committee’s report, with any additional comments by the Board, to the Assistant Deputy Comptroller within ten (10) days of receiving such report. All submissions required to be made pursuant to this Order shall be addressed to:
Julie A. Thieman, Assistant Deputy Comptroller
Office of the Comptroller of the Currency
Philadelphia Field Office
1150 Northbrook Drive, Suite 303
Trevose, Pennsylvania 19053
2
ARTICLE II
BANK SECRECY ACT RISK ASSESSMENT
(1) Within ninety (90) days of this Order, the Board shall ensure Bank management reviews, updates, and implements an enhanced written institution-wide, ongoing Bank Secrecy Act (“BSA”)/Anti-Money Laundering (“AML”) Risk Assessment process that timely and accurately identifies the BSA risks posed to the Bank after consideration of all pertinent information (“Risk Assessment”). The Risk Assessment process shall reflect a comprehensive analysis of the Bank’s vulnerabilities to money laundering and financial crimes activity and provide strategies to control risk and limit any identified vulnerabilities. The Risk Assessment methodology shall follow the risk assessment expectations and logic set forth in the 2010 FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual (Rev. April 29, 2010) (“FFIEC BSA/AML Examination Manual”) and shall include:
| (a) | the identification of all activities and other elements that pose BSA/AML risk to the Bank, including, but not limited to, the Bank’s: (i) products and services; (ii) customers and entities; (iii) transactions; (iv) geographic locations; and (v) methods that the Bank uses to interact with its customers (collectively, the “specific risk categories”); |
| (b) | a detailed analysis of all pertinent data obtained regarding the specific risk categories, including but not necessarily limited to: (i) volumes and types of transactions and services by geographic location, and (ii) numbers of customers that typically pose higher BSA/AML risk, both by type of risk and by geographic location, so as to permit the Bank to revise or develop, as necessary, and implement appropriate policies, processes, and |
3
| procedures to monitor and mitigate the Bank’s BSA/AML risks within those risk categories. The analysis to be conducted shall include an evaluation of all relevant information obtained through the Bank’s Customer Identification Program (“CIP”), Customer Due Diligence Process (“CDD”), and Enhanced Due Diligence Process (“EDD”); |
| (c) | an assessment of BSA/AML risk both individually within the Bank’s business lines and on a consolidated basis across all Bank activities and product lines; |
| (d) | that the Risk Assessment be updated at least every twelve (12) months so as to identify and respond to changes in the Bank’s risk profile (such as when new products or services are introduced, existing products or services change, there is a material change to high-risk customer accounts or profiles, or the Bank expands through mergers or acquisitions); |
| (e) | maintenance of appropriate documentation, including customer due diligence (“CDD”) and enhanced due diligence (“EDD”) information, so as to be able to support the Risk Assessment’s conclusions; and |
| (f) | independent testing to validate the accuracy and reasonableness of the most recent Risk Assessment. The written results of the independent testing shall be completed not more than ninety days (90) after the effective date of this Order. |
(2) Within ninety (90) days of this Order, and at least annually thereafter, the Board shall ensure Bank management reviews, updates, and implements an enhanced written institution-wide, ongoing Office of Foreign Assets Control (“OFAC”) Risk Assessment process that is separate from the BSA/AML process, which assessment shall include the criteria in Paragraph (1) of this Article, as applicable.
4
(3) Within one-hundred twenty (120) days of this Order, the Board shall review and approve the BSA Risk Assessment and OFAC Risk Assessment processes and actual assessments. The Board shall review and approve each Risk Assessment at least annually thereafter, and upon receipt of any updates or changes to the Risk Assessment.
(4) The Board shall ensure that the Bank has processes, personnel, and control systems to implement and adhere to the Risk Assessment program developed pursuant to this Article.
ARTICLE III
CUSTOMER DUE DILIGENCE, ENHANCED DUE DILIGENCE, AND
HIGH-RISK CUSTOMER IDENTIFICATION
(1) Within ninety (90) days of this Order, the Board shall ensure that Bank management reviews and updates its risk-based process to obtain and analyze appropriate CDD information at the time of account opening and on an ongoing basis, and effectively uses this information to monitor for, and investigate, suspicious or unusual activity, that includes:
| (a) | risk-based program requirements regarding the identification of customers and the scope of due diligence information to be collected, analyzed, and documented at account opening; and |
| (b) | updates to CDD to reflect changes in customer’s behavior, activity profile, derogatory information, periodic reviews of the customer relationship, or other factors that impact the risk. |
5
(2) Within ninety (90) days of the date of this Order, the Board shall ensure that the Bank revises, implements, and thereafter ensures that the Bank adheres to an enhanced written program of policies and procedures to provide for compliance with the BSA, as amended (31 U.S.C. §§ 5311 et seq.), the regulations promulgated thereunder at 31 C.F.R. Chapter X, as amended, and 12 C.F.R. Part 21, Subparts B and C (collectively referred to as the “Bank Secrecy Act” or “BSA”); and to provide for the appropriate identification, analyzing, and monitoring of customers and transactions that pose greater than normal risk for compliance with the BSA. This program shall include:
| (a) | consideration of the findings of the Risk Assessment completed pursuant to Article II; and |
| (b) | enhanced policies and procedures for recording, maintaining, and recalling information about customers and transactions that pose greater than normal risk for compliance with the BSA. |
(3) The BSA program shall include expanded account-opening procedures for all accounts that pose greater than normal risk for compliance with the BSA. The policies and procedures shall include, at a minimum:
| (a) | identification of account owners and beneficial owners to the extent required by applicable rules, regulations, and regulatory guidance; |
| (b) | documentation for all customers that pose greater than normal risk for compliance with the BSA, consistent with that required by the FFIEC BSA/AML Examination Manual addressing EDD for “high risk” customers, including but not limited to: |
| (i) | purpose of the account; |
| (ii) | source of the customer’s funds and wealth; |
6
| (iii) | occupation or type of business conducted by the customer; |
| (iv) | domicile of the business; |
| (v) | any relevant financial information concerning the customer; |
| (vi) | proximity of the customer’s residence, place of employment, or place of business to the Bank; |
| (vii) | description of the customer’s primary trade area and whether international transactions are expected to be routine; |
| (viii) | description of the business operations, the anticipated volume of currency and total sales, and a list of major customers and suppliers; |
| (ix) | explanations for changes in account activity; and |
| (x) | any other due diligence required by this Order, the BSA Officer, or the Bank. |
(4) The BSA Program shall include policies and procedures for ongoing monitoring of all accounts that pose greater than normal risk for compliance with the BSA. These policies and procedures shall include, at a minimum:
| (a) | obtaining the information required in the preceding Paragraph (3) of this Article when there is a material change in an existing customer’s account; |
| (b) | maintenance of an accurate and complete list of high-risk customers, including use of CDD and EDD information, to establish normal and expected account activity; |
7
| (c) | periodic risk-based review to reaffirm risk ratings, no less than annually, on all higher-risk customers that include: |
| (i) | the name of the customer; |
| (ii) | the officers, directors, and major shareholders of any corporate customer, and the partners of any partnership customer; |
| (iii) | identification of account owners and beneficial owners in compliance with applicable rules, regulations and regulatory guidance; |
| (iv) | any related accounts of the customer at the Bank; |
| (v) | any action the Bank has taken on the account; |
| (vi) | the purpose and balance of the account; and |
| (vii) | any unusual activity for each account or any significant deviations between actual activity compared to expected activity as set forth in the Bank’s CDD and EDD file. |
(5) The Board shall ensure that the Bank has processes, personnel, and control systems to implement and adhere to the program developed pursuant to this Article.
ARTICLE IV
SUSPICIOUS ACTIVITY MONITORING AND REPORTING
(1) Within ninety (90) days of this Order, the Board shall ensure that Bank management develops, implements, and thereafter maintains adherence to an enhanced written risk-based program of internal controls and processes to ensure compliance with the requirements to file suspicious activity reports (“SARs”) set forth in 12 C.F.R. § 21.11, as amended. At a minimum, this written program shall:
8
| (a) | include procedures for identifying, monitoring and reporting suspicious activity, known or suspected violations of Federal law, violations of the BSA, or suspicious transactions related to potential money laundering activity across all lines of business, including suspicious activity relating to the opening of new accounts, the monitoring of current accounts, and the transfer of funds through the Bank, consistent with the Suspicious Activity Reporting section of the FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual; |
| (b) | include application of appropriate thresholds and filters for automated surveillance systems in monitoring all types of transactions, accounts, customers, products, services, and geographic areas that include, at a minimum: |
| (i) | meaningful thresholds and alert scenarios for filtering accounts and customers for further monitoring, review, and analyses; |
| (ii) | maintenance of documentation supporting the Bank’s methodology for establishing and altering thresholds and filters; and |
| (iii) | periodic independent validation of thresholds and filters for their appropriateness to the Bank’s customer base, products, services, and geographic area; |
| (c) | establish appropriate linkage between EDD information and suspicious activity monitoring functions to ensure BSA Department staff appropriately use EDD information in suspicious activity investigations; |
| (d) | include procedures to address cases where there is on-going suspicious activity to ensure appropriate management review and determination of whether the customer relationship should be continued; |
9
| (e) | provide for meaningful, accurate, and timely reporting to the Board and management of suspicious activity investigations and SAR filings; |
| (f) | provide for review of any new surveillance systems to ensure it has the capacity to operate on multiple platforms and is appropriate for the Bank’s size and complexity; |
| (g) | ensure the Bank files SARs within the time frames specified in the applicable rules, regulations, and regulatory guidance, and files follow-up SARs every ninety (90) days in cases where suspicious activity is ongoing; and |
| (h) | ensure the Bank thoroughly documents individual SAR decisions. |
(2) The Board shall ensure that the Bank has processes, personnel, and control systems to implement and adhere to the program developed pursuant to this Article.
ARTICLE V
CLOSING
(1) Although the Board is by this Order required to submit certain proposed actions and plans for the review or prior written determination of no supervisory objection of the Assistant Deputy Comptroller, the Board has the ultimate responsibility for proper and sound management of the Bank.
(2) It is expressly and clearly understood that if, at any time, the Comptroller deems it appropriate in fulfilling the responsibilities placed upon it by the several laws of the United States of America to undertake any action affecting the Bank or its institution-affiliated parties (as defined by 12 U.S.C. §1813(u)), nothing in this Order shall in any way inhibit, estop, bar or otherwise prevent the Comptroller from so doing.
10
(3) Each citation or referenced guidelines included in this Order includes any subsequent guidance that replaces, supersedes, amends, or revised the cited law, regulation or guidance.
(4) Any time limitations imposed by this Order shall begin to run from the effective date of this Order. Such time limitations may be extended in writing by the Assistant Deputy Comptroller for good cause upon written application by the Board.
(5) The provisions of this Order are effective upon issuance of this Order by the Comptroller, through his authorized representative whose hand appears below, and shall remain effective and enforceable, except to the extent that, and until such time as, any provisions of this Order shall have been amended, suspended, waived, or terminated in writing by the Comptroller.
(6) In each instance in this Order in which the Board or a Board committee is required to ensure adherence to, and undertake to perform certain obligations of the Bank, including the obligation to implement plans, policies or other actions, it is intended to mean that the Board or Board committee shall:
| (a) | authorize and adopt such actions on behalf of the Bank as may be necessary for the Bank to perform its obligations and undertakings under the terms of this Order; |
| (b) | require the timely reporting by Bank management of such actions directed by the Board to be taken under the terms of this Order; |
| (c) | follow-up on any noncompliance with such actions in a timely and appropriate manner; and |
| (d) | require corrective action be taken in a timely manner of any noncompliance with such actions. |
11
(7) This Order is intended to be, and shall be construed to be, a final order issued pursuant to 12 U.S.C. § 1818(b), and expressly does not form, and may not be construed to form, a contract binding on the Comptroller or the United States.
(8) The terms of this Order, including this Paragraph, are not subject to amendment or modification by any extraneous expression, prior agreements or prior arrangements between the parties, whether oral or written.
IT IS SO ORDERED, this 14th day of July, 2014.
| /s/ Kristin A. Kiefer Kristin A. Kiefer |
July 14, 2014 Date | |||
| Associate Deputy Comptroller | ||||
| Northeastern District Office |
12