May 2012 Legal Briefs

  • Sole Proprietorships and General Partnerships
  • S.A.F.E. Act Guidance
  • Fair Lending
  • Common Violations in 2011
  • ’Tis the Season – For Tax Refund Fraud
  • Bureau Clarifies Reg Z Loan Officer Compensation Rule
  • Mining the OCC’s Citibank C&D for Nuggets
  • Mortgage Servicing Change is in the Wind

By Pauli D. Loeffler

Sole Proprietorships and General Partnerships

In the January 2012 Legal Update, I wrote about the documentation needed for accounts held by corporations and limited liability companies. This month, I will address sole proprietorships and general partnerships.

Sole Proprietorships: A sole proprietorship account is a business account generally set up with “Doing Business As” or DBA. It is owned by one person or, despite the term “sole,” by husband and wife per Title 6 O.S. §907:
A deposit made in any bank or credit union by a husband and wife which is primarily for a business purpose may be treated, at the option of the depositors, as a sole proprietorship account, rather than a partnership account unless a formal partnership has been formed.

This means that if any two people OTHER than spouses claim to own the business, it cannot be a sole proprietorship. This also means that unless two people are considered legally married in Oklahoma, they are not eligible for a sole proprietorship account. Although same sex marriages are recognized in a number of states, Oklahoma does not recognize these (Title 43 O.S. Sec. 3.1).

On the other hand, Oklahoma defines marriage in Title 43 O.S. Sec. 1 as:
Marriage is a personal relation arising out of a civil contract to which the consent of parties legally competent of contracting and of entering into it is necessary, and the marriage relation shall only be entered into, maintained or abrogated as provided by law.
This definition accommodates the recognition of marriage at common law which Oklahoma courts have done ever since statehood. Despite various attempts of the Oklahoma legislature to end its recognition, as well as institute Covenant Marriage, so far both measures have failed. I will advise you that there is pending legislation regarding both measures. The current bill to abolish common law marriages would end the recognition for any purported common law marriages entered into on or after January 1, 2014.

Common law marriage is an agreement between a man and a woman by holding themselves to be married while not suffering from any incapacity (must be of legal age, i.e., at least 18 years of age, mentally competent and not married to another person) and have consummated the marriage (had sexual intercourse with each other). The case law is somewhat confused whether this requires cohabitation or not. Later in this article I will address what you need when parties indicate that they are married at common law.

Unlike a corporation, an LLC, a partnership, an unincorporated association, a joint venture or a limited partnership, a sole proprietorship is not a separate legal entity. A sole proprietorship is simply a “name” and nothing more. The “name” does not exist separate and apart from the person (or married couple) that claims it. This means that a garnishment, levy, subpoena, etc. against the individual(s) will reach these accounts while none of these would reach a corporation with a sole shareholder or even a sole member LLC using the member’s Social Security Number if directed against the individual.

Beyond the usual CIP, most if not all banks utilize an Affidavit of Sole Proprietorship. This document contains sworn statements of the sole proprietor that he is the owner of a genuine business under the specific name of the business, and that he has no knowledge of and no connection with any business using a similar name or acronym. Since crooks tend to lie, unless yours is a small town bank where everyone knows Joe Abraham owns Abraham’s Liquor Store, and you pass by the store on the way home from work every day, a little investigation beyond the Affidavit of Sole Proprietorship isn’t a bad idea to prevent fraud. You need to make sure that there REALLY is a business and this really is a sole proprietorship rather than an employee of another business who is converting money payable to that entity for his own account.

For instance, Marlo Johnson comes in and wants to open an account DBA Superior Roofing, and the bank has no prior dealings with Marlo. If you look up Superior Roofing on the Oklahoma Secretary of State’s website search for business entities, you find that there is a Superior Roofing, Inc. Since the bank has a legitimate business purpose, there is no need for Marlo’s consent to pull a credit report which would show his employment history and determine whether or not Marlo is a current or former employee of Superior Roofing, Inc. Instead of pulling a credit report, you could require that Marlo obtain Consent to Use Similar Name from Superior Roofing, Inc. and file it with the Oklahoma Secretary of State.

A quick word about Trade Names is warranted here: Oklahoma does not require a sole proprietorship to file a Trade Name Report nor does it require any type of assumed name filing. If the customer has a common name such as Sooner Dairy, and has used this name for some time for his business, he probably is not going to be able to obtain it through a Trade Name Report. Unless the bank is making a loan where there is a real threat of a lawsuit for trade name infringement or the name itself is connected with the good will of the business, requiring a Consent to Use of Similar Name is unnecessary.

Let’s take another example regarding a new and unknown customer wanting to open a sole proprietorship account. Toni Stuart comes in and wants to open an account DBA Toni’s Tasty Treats. Toni recently started selling custom made cake pops, and your search of the Oklahoma Secretary of State’s site shows there are no entities with a similar name. You don’t know Toni from Adam, so you may want other supporting evidence of the business such as business cards, contracts Toni has with customers, the URL for Toni’s website, an ad in the phone book, tax returns, confirmation of EIN from the IRS (if the business has employees), or a business license if the business is one that requires one (think health inspector).

Turning now to issues with opening a sole proprietorship account for husband and wife, the bank not only faces the same issues as set out above but also the issue of whether there is a partnership, and if the last names are different, whether or not the parties are indeed husband and wife. The Affidavit of Sole Proprietorship could include a statement that the parties are husband and wife and have not formed a formal partnership. Requiring a copy of a marriage license or a joint tax return or asking if they have consummated their common law marriage if they are not cohabitating is not required unless your policy requires this.

As I indicated in the April Legal Update, a sole proprietorship account, whether for a single individual or for husband and wife, may be a NOW account. Further, a sole proprietorship may name one or more PODs, and authorized signers are allowed. Finally, a sole proprietorship account may be held under the name of a revocable trust as provided by the trust and use the grantor’s SSN. Sole proprietorships may have more than one DBA on a single account.

General Partnerships: In a perfect world, when opening a partnership account you will be given a partnership agreement and maybe a Statement of Partnership Authority Agreement that has been filed with the Oklahoma Secretary of State and, if required, a Certificate of Partnership Fictitious Name, but unfortunately, this is not a perfect world, and unfortunately for the bank, none of these documents are absolutely necessary.

If you are sitting there in shock, this is the usual response I get when I drop this bomb on a caller wanting to know if she can open a partnership account without having a written partnership agreement. However, Title 54 O.S. Section 1-101 provides:
(6) "Partnership" means an association of two or more persons to carry on as co-owners a business for profit formed under Section 10 of this act, predecessor law, or comparable law of another jurisdiction.

(7) "Partnership agreement" means the agreement, whether written, oral, or implied, among the partners concerning the partnership, including amendments to the partnership agreement; and a partnership agreement binds a partner of a partnership or a transferee of an economic interest regardless of whether the partner or transferee executes the partnership agreement.

This means that unless your CIP policy specifically states that a partnership agreement is required, it is unnecessary to open an account!

So what do you do if your CIP policy does not require a partnership agreement? Let’s suppose Mike Littlesmith and John Wheelwright come in and want to open a partnership account and have an EIN for Littlesmith & Wheelwright but don’t have a written partnership agreement. At this point we are in luck because Title 54 O.S. Sections 81, 83 require that they file with the Oklahoma Secretary of State for a Certificate of Partnership Fictitious Name:

Except as otherwise provided by law, every partnership transacting business in this state under a fictitious name, or a designation not showing the names of the persons interested as partners in the business, must file for recording with the Secretary of State, a certificate, stating the names in full of all the members of the partnership, their resident street addresses, the state or other jurisdiction of its organization and the physical office address of the partnership. (Sec. 81, Emphasis added)
The certificate required by Section 81 of this title shall be signed by at least two of the partners. Persons doing business as partners, under a fictitious name, contrary to the provisions of this article, shall not maintain any action on or on account of any contracts made or transactions had in their partnership name in any court of this state until they have first filed the certificate; provided however, that if the partners shall at any time comply with the provisions of Sections 81 through 86 of this title, the partnership shall have the right to maintain an action in all partnership contracts and transactions entered into prior to as well as after compliance, and the disabilities imposed on partnerships for failure to comply shall be thereby removed. (Sec. 83)

Unless the full names of all of the partners are used in the name of the partnership (not just the last names), Oklahoma requires the filing for Certificate of Partnership Fictitious Name. This will have to be amended each time a partner is added or removed. This requirement means that the bank will either set up an account using the full names of all partners that matches the EIN on the letter from the IRS (EVERY partnership MUST have an EIN), or the Certificate of Partnership Fictitious Name will have to be presented to the bank before opening the account.

One way or the other, we now know who all the partners are, but the question is: who do we need to sign the account agreement? The answer here is both simple and difficult. Any general partner of a partnership can bind the partnership unless the partnership agreement makes other provisions per Title 54 O.S. Section 1-103:

Subject to the effect of a statement of partnership authority under Section 15 of this act:

(1) Each partner is an agent of the partnership for the purpose of its business. An act of a partner, including the execution of an instrument in the partnership name, for apparently carrying on in the ordinary course the partnership business or business of the kind carried on by the partnership binds the partnership, unless the partner had no authority to act for the partnership in the particular matter and the person with whom the partner was dealing knew or had received a notification that the partner lacked authority.

(2) An act of a partner which is not apparently for carrying on in the ordinary course the partnership business or business of the kind carried on by the partnership binds the partnership only if the act was authorized by the other partners.

If there is no written partnership agreement, you will need only one partner to sign the account agreement in order to open the account UNLESS the partnership has filed a Statement of Authority with the Oklahoma Secretary of State. The filing of the Statement of Authority is permissive which means that it is NOT required. If one has been filed, it will designate the partners necessary for signing the account agreement. Note that IF a Statement of Authority has been filed, a person named therein may file with the Secretary of State a statement of denial regarding a person’s authority or status as a partner.

May someone other than a partner be an authorized signer on the account? Yes, unless the partnership agreement or the Statement of Authority would prevent this, non-partner authorized signers may be added to the account. May a partnership have one or more DBAs? Again, this is possible but would require a Trade Name Report for each DBA.

By Andy Zavoina

SAFE Act Guidance

The Secure and Fair Enforcement for Mortgage Licensing Act of 2008 (“SAFE Act”) has been with us since July 30, 2008, and is the Consumer Financial Protection Bureau’s (CFPB) Reg. G, 12 CFR Part 1007. The SAFE Act prohibits a person from acting in the capacity of a mortgage loan originator without first meeting and then maintaining certain requirements. We have a law and implementing regulation to define what must be done, and now we are beginning to receive some additional guidance from the CFPB. On April 19, 2012, the CFPB issued Bulletin 2012-05 which addresses Transitional Loan Originator Licensing.

Under the SAFE Act state licensed Mortgage Loan Officers (MLO) must pass a written test, complete pre-licensure education requirements and meet annual continuing education requirements. A bank MLO has fewer requirements to act as an MLO as they must submit their fingerprints to the Nationwide Mortgage Licensing System (NMLS) for submission to the FBI for a criminal background check. They will register and receive a unique identification code. The MLO must then maintain that registration. The initial period for registration ended July 29, 2011 so banks should now be in the mode of watching for maintenance items such as adding new MLOs, deleting ones who have left that position, updating name changes (such as in a marriage or divorce) and preparing for the annual renewals in November and December.

When the bank hires a new MLO the registry information on the NMLS database must be updated. If the fingerprints on file are more than three years old, new fingerprints must be submitted. Other information pertaining to the MLO and the bank may also have to be updated. But what happens if a new MLO comes to Oklahoma from another state?

The CFPB has received numerous questions from state regulators inquiring if they may rely on another state’s license when they receive a request for a transitional license. Reg H which was transferred from the Department of Housing and Urban Development (HUD) to the CFPB allows states to do this if that state chooses to. The preamble to the SAFE Act says that it will not limit what one state may consider about the findings of another state. This allowance to transfer from one state to another is dependent on the license being transferred, however.

Because the state licensing requirements are more stringent, a state licensed MLO from a non-bank mortgage lender may transfer to another state but a bank registered MLO may not transfer directly into a licensed position. “Regulation H does not allow states to provide for a transitional license for a registered loan originator who leaves a federally regulated institution to act as a loan originator while pursuing a SAFE Act state license,” the CFPB bulletin states. So a bank MLO who leaves the bank must meet the licensing requirements in the new state they are going to. They will not receive a transitional license while they pursue the new state’s requirements.

On a related note, the OCC issued on April 16, 2012 its SAFE Act Examination Procedures. OCC Bulletin 2012-11 contains a link to the procedures, which were adopted on an interagency basis. Bankers we are hearing from have indicated that some examiners are not yet reviewing compliance with the SAFE Act while others are asking only if the bank has policies and procedures in place. Having policies and procedures is a requirement of the SAFE Act. General content requirements include:
1. Establishing a process to identify those employees covered by the SAFE Act. This review should be done periodically to ensure that the definition of duties remains constant and work doesn’t shift, causing someone to become an MLO unknowingly.
2. Ensuring that all employees who are acting as MLOs are informed of the registration requirements.
3. Having procedures to comply with the requirements involving the unique identifier.
4. Ensuring your procedures not only identify MLOs, but also include controls that verify the accuracy of the information submitted.
5. Ensuring your procedures both track and monitor compliance with the registration requirements.
6. Providing for annual independent testing of compliance with the SAFE Act.
7. Including steps to take if the employee fails to meet SAFE Act obligations.
8. Including a process for the review of criminal history background checks, and
9. Ensuring that third parties comply with the SAFE Act as well.
If you are looking for a SAFE Act policy template, has one, along with a PowerPoint training presentation available for download on the Banker Tools page. We anticipate hearing of more detailed exams as the examiners themselves are more familiar with these interagency exam procedures and they are included in the exam workflows.

Fair Lending

Many bankers who are surveyed about upcoming priorities are including fair lending as a “front burner” item. Now the CFPB has published on its blog a “Fair Notice on Fair Lending,” which seems to be an attempt to both educate the public and warn creditors that illegal practices will be sought out. The notice first provides information touting the advantages of credit, such as to buy a home, car, or pay for educational expenses. It states that “It (discriminatory practices) keeps worthy borrowers from the tools they need to reach their financial goals.” Further in the post it describes disparate impact and reiterates to lenders that practices deemed to be disparate are “unlawful unless they meet a legitimate business need that can’t be met by an alternative that has a less disparate impact. Discrimination that disparately impacts borrowers in violation of the law hurts consumers and can threaten the economic stability of our communities. That is why the law has long recognized this form of unlawful credit discrimination.”

The blog post then links to CFPB Bulletin 2012-04 dated April 18, 2012. This is a basic advisory reiterating the protections consumers have under the Equal Credit Opportunity Act and Reg. B. It also reviews the still valid 1994 Interagency Task Force on Fair Lending document which described lending discrimination as fitting into one of three categories: 1. overt discrimination, 2. disparate treatment; and 3. disparate impact. This document may be printed by your compliance area and used as refresher training of lenders, management and even for review and training by your board.

There was to be a case of fair lending and disparate impact heard before the U.S. Supreme Court. The City of Saint Paul, MN, was involved in a lawsuit because of the city’s vigorous enforcement of its housing code. Articles published indicated that some landlords subjected renters to very poor living conditions, but the landlords were fighting back in court. The problem was that if the city was successful, and it believed it would be, the argument could have nullified any arguments of disparate impact under the Fair Housing Act and the Equal Credit Opportunity Act. The city requested that the case be dismissed. It was later revealed in the Wall Street Journal and by Reuters that the city dropped its case at the insistence of the Department of Justice. It was believed that if the Justices had found disparate impact illegal under the Fair Housing Act, one of the government’s biggest hammers against banks and others would disappear. On the Saint Paul city website, Mayor Chris Coleman said “As we saw recently with the United States Department of Justice’s settlement against Countrywide Mortgage, which provided $335 million of relief to homeowners who have been discriminated against, disparate impact recovery is an important tool in fighting predatory lending and economic injustice.” This was a settlement actually entered into by Bank of America as it acquired Countrywide in 2008.

Common Violations in 2011

The Federal Reserve recently published some of the common violations seen at banks across the country. This list can help you identify what examiners see as common problems. You should be reviewing these items during your quality control checks and compliance audits. The common violations include:
Reg. B – spousal signatures
This is an example of a fair lending issue. When a married applicant applies for credit individually and meets the bank’s underwriting criteria, unless an exception exists the bank should not require the spouse’s signature on the debt instrument. Exceptions include a state requirement when the spouse’s signature is necessary to secure the bank’s interest in collateral pledged in a secured loan, or assets relied upon in an unsecured loan that may be available in the event of death or default.
If an application is made jointly, the joint intent must be evidenced at the time of application. Getting the signatures on a joint financial statement with an application or on a promissory note at closing is not sufficient to demonstrate joint intent at application. This interpretation is a result of Ag and commercial lenders not getting joint intent and the applicants later complaining. This is not a problem that’s isolated to consumer loans.

Reg. B – adverse action notices
Examiners are finding two different violations with Adverse Action Notices. The banks are failing to list the reasons for adverse action, and the reasons listed are not specific enough. The statement of reasons must indicate the principal reasons for the adverse action, which “must relate to and accurately describe the factors actually considered or scored by a creditor.” It is recommended that the bank list the most severe reasons first, especially those which are hardest to correct. It is also recommended that the bank list no more than four reasons. Listing more is not believed to be helpful. And by listing the most severe and uncorrectable you avoid the applicant making easy corrections and then reapplying and being denied for more substantial reasons.

Reasons such as “credit score below bank policy” or “outside of risk tolerance” are not specific and are of little use to an applicant who wants to make any corrections available to them and reapply for credit.

As a result of errors in the past many banks have adopted a second review process so that applications are seen by a second set of eyes. This affords the opportunity to both review the applicant’s qualifications and look for a way to make a good loan, as well as verify the accuracy of the reasons for denial.

Reg. X RESPA – tolerance violations
HUD-1 Settlement Statements should be compared to the Good Faith Estimate and certain settlement costs have a limited tolerance of variance between the two. There are three categories of settlement charges and each has a different tolerance level. If these tolerance levels are exceeded and an exception (§ 1024.7(f)) doesn’t apply, the bank is expected to cure this violation within 30 days of settlement by reimbursing the borrower(s) the amount by which the tolerance was exceeded. This should be accompanied by a new HUD-1 showing the corrections.

Some banks are exceeding the tolerance levels and failing to make necessary reimbursements in a timely manner. The FRB report indicates that “a creditor does not automatically violate Regulation X when exceeding the tolerance. A violation occurs only if a creditor exceeds a tolerance and fails to cure it in a timely manner.”

If the bank has a quality control review of recently closed loans, ensuring that reimbursements are made in a timely manner will avoid the citation of a violation. Essentially it isn’t a violation unless it isn’t cured.

Flood – force placed insurance
When a property is in a Special Flood Hazard Area and coverage that is required lapses, the bank is to send a letter allowing the borrower 45 days to obtain that coverage. The regulatory agencies have stated they expect the bank to force place coverage on the 46th day.

Banks are not maintaining a sufficient tickler file to monitor flood coverage, send the required notice and force place in a timely manner. So far this year there have been thirty civil money penalties cited for violations of the flood rules. Banks have paid over $310,000 in fines. And the average fine this year is $10,340 as compared to last year when it was $9,673.

Reg. C – Rate spreads, loan purposes and action taken
When a reportable loan has a variance equal to or greater than 1.5 percentage points for first-lien loans or 3.5 percentage points for subordinate-lien loans, between the loan’s APR and the Average Prime Offer Rate for a comparable loan, the rate spread must be identified. The Loan Application Register submissions and what is later seen in credit files are not agreeing. More attention to detail is required on the part of HMDA reporting banks.

Another area requiring more attention is in the loan purpose fields. Some entries are simply incorrect as they should be reported as home purchase (code 1), home improvement (code 2), or refinancing (code 3). If the loan is multi-purpose, say it is a home-purchase loan as well as a home-improvement loan or a refinancing, the loan will always be reported as a purchase loan. If the loan is for both refinancing and home improvement, it should be reported as a home-improvement loan. The loan purpose hierarchy appears in the HMDA Official Staff Commentary to § 1003.2.

Banks are still confusing “application approved but not accepted” with “application withdrawn.” If an application is approved but the applicant fails to respond to the notification within the specified time, “approved but not accepted” should be used, while “application withdrawn” is used only when the consumer expressly withdraws the application before a credit decision is made. Emphasis is on “before” the credit decision is made.

By John S. Burnett

’Tis the Season – For Tax Refund Fraud

On March 30, FinCEN issued Advisory 2012-A005 on the subject of Tax Refund Fraud and Related Identity Theft. Among the warning signs your institution should be watching for as indicators of possible tax refund fraud are:
1. Multiple direct deposits of federal and/or state taxes for different individuals are made to a checking or prepaid access account in the name of a single accountholder.
2. Attempts to open accounts on behalf of individuals who are not present, with the fraudulent actor being named as an authorized signer. Subsequent deposits are all tax refund direct deposits. This is often a method used to defraud elders, minors, prisoners, and the disabled, and may involve alleged returns for recently deceased individuals.
3. The opening of multiple prepaid card accounts by one individual using different names and valid TINs, with all the cards mailed to the same address. Then ACH credits for federal or state refunds are received for the card accounts, quickly followed by ATM withdrawals or POS purchases.
4. Business accountholders processing third-party tax refund checks in volumes inconsistent with normal practices or in a manner inconsistent with their stated business model (such as a pizza parlor suddenly cashing tax refund checks)
5. Individuals processing third-party tax refund checks through their personal accounts with no apparent lawful purpose.
6. Patterns of deposited tax refund checks inconsistent with expected transactions, such as
• Large volume of tax refund checks in comparison to other types of checks, such as payroll checks
• Large volume of refund checks with out-of-area/out-of-state addresses
• Multiple refund checks for the same or nearly the same amounts
• Treasury refund checks or bank checks from electronic refunds are sequentially numbered
• Checks deposited exceed the amounts of cash being withdrawn to cash them
7. Multiple prepaid cards associated with the same address, telephone number, email address or IP address, which receive tax refunds as their primary source of funds
8. A new check cashing business account is opened, followed by deposits of a high volume of tax refund checks with addresses across the country
9. Sudden increases in deposits of cashed checks by an existing account, consisting of tax refund checks from across the country.
FinCEN asked that banks filing SARs involving suspected tax refund fraud use the phrase “tax refund fraud” in the narrative portion of those filings, and include a detailed description of the suspicious activity.

Bureau Clarifies Reg Z Loan Officer Compensation Rule

When the CFPB thinks that its “host” organization, the Fed, has misspoken on a consumer protection regulation, it’s not bashful about saying so. Such was the case on April 2, when the Bureau, as the agency now charged with interpreting Regulation Z, “clarified” an earlier position taken by the Fed concerning the applicability of Regulation Z §1026.36 Loan Officer Compensation Rule to retirement and bonus plans. In its Bulletin 2012-02, the CFPB stated its view that “the Compensation Rules permit employers to contribute to Qualified Plans out of a profit pool derived from loan originations. That is, financial institutions may make contributions to Qualified Plans for loan originators out of a pool of profits derived from loans originated by employees under the Compensation Rules.”

The Bulletin only covers contributions to qualified profit-sharing, 401(k), and employee stock ownership plans (“Qualified Plans”). The Bureau said it anticipates providing more clarifications on the Compensation Rule’s effect on contributions to profit sharing arrangements or plans that are not Qualified Plans when it issues its proposed rule on currently-unimplemented loan origination provisions in the Dodd-Frank Act. That proposal is expected “in the near future,” since the Bureau must have a final rule in place by January 21, 2013 to avoid the “self-effectuating” provisions in MRAPLA (Title XIV of Dodd-Frank).

Mining the OCC’s Citibank C&D for Nuggets

On April 4, the OCC issued a consent cease and desist order to Citibank, N.A., relating to “identified deficiencies in the Bank’s overall program for Bank Secrecy Act/anti-money laundering … compliance.” But what are the specific shortcomings that resulted in the OCC’s enforcement action? According to the Order, the OCC alleges a number of “critical deficiencies” that might be found in a bank that had rapidly acquired a number of other banks without integrating them fully (thus leaving some disconnected operating systems and/or procedures) and/or a bank that had added new lines of business without a full appreciation for the added BSA/AML risk involved in those lines or implementation of controls reasonably designed to control or mitigate the added risk. [It should be noted that Citibank did not admit to any such shortcomings, but did consent to the issuance of the C&D Order.] For example, the OCC said that Citibank
• Had internal control weaknesses including incomplete ID of high risk customers in multiple areas of the bank, inability to assess and monitor high risk customers on an enterprise-wide basis, inadequate scope of periodic customer reviews, inadequate validation of the bank’s automated transaction monitoring system, and inadequate customer due diligence (CDD)
• Failed to adequately conduct CDD and enhanced due diligence on its foreign correspondent customers, retail banking customers, and international personal banking customers, including a failure to obtain and analyze information to determine the risk and expected activity of particular customers
• Admitted to having failed to adequately monitor its remote deposit capture/international cash letter instrument processing in connection with foreign correspondent banking
• Failed to identify systemic deficiencies (which were found by the OCC during an exam)
Failure to adequately control or monitor foreign customer relationships is a recurring theme in this Order, as well as in other recent high-profile C&D or Civil Money Penalty orders such as those involving Zions First National Bank (February 2011, OCC and FinCEN) and HSBC Bank USA (October 2010, Fed and OCC).

What lessons can be learned from the Citibank Order? Banks can reduce the risk of being cited for these types of deficiencies if they –
• Ensure that, before adding any new product or service, a thorough analysis is made of the BSA/AML (and other) risks involved, and that monitoring and other controls are implemented to mitigate and manage that risk.
• Make certain that the bank has sufficient trained staff to manage the product or service.
• Ensure that appropriate policies, procedures and systems are in place for the service or product at anticipated business volume levels.
• Develop and maintain a corporate culture that makes senior management and each business unit accountable for implementing bank policies and procedures, and for compliance with laws and regulations including BSA/AML and OFAC obligations.
• Ensure that the bank’s board includes BSA and OFAC compliance in the performance evaluation process for senior and business line management, and that bank policies and procedures clearly outline compliance responsibilities of senior management and relevant business line employees.
• Have a BSA Compliance staff with appropriate authority to implement the bank’s BSA/AML program and to question account relationships and business plans. Compliance staff must be independent from business lines, and not subject to evaluation or performance input from business lines.
• Demand that the annual review of the bank’s BSA/AML compliance program be conducted independently by persons with sufficient background and expertise to provide a competent and unbiased evaluation, together with a comprehensive assessment of the bank’s BSA/AML risk.