Meeting Regulatory Expectations Through Technology Assessments

MEETING REGULATORY EXPECTATIONS THROUGH TECHNOLOGY ASSESSMENTS December 14, 2011



BACKGROUND ON A&M


ABOUT ALVAREZ & MARSAL


For nearly three decades, Alvarez & Marsal has set the standard for working with organizations to tackle complex business issues, boost operating performance and maximize stakeholder value.

About A&M

– Founded in 1983 by co-CEOs Tony Alvarez II and Bryan Marsal

– 1,700+ professionals

– 39 cities; 17 nations; 4 continents

– 300+ Managing Directors

North America: New York (Global HQ), Atlanta, Birmingham, Boston, Calgary, Charlotte, Chicago, Dallas, Denver, Detroit, Houston, Kansas City, Los Angeles, Miami, Nashville, Philadelphia, Phoenix, San Antonio, San Francisco, Seattle, Toronto, Vancouver, Washington, D.C.

Europe and the Middle East: London (European HQ), Amsterdam, Athens, Dubai, Madrid, Milan, Moscow, Munich, Paris, Warsaw

Latin America: São Paulo (Latin American HQ), Mexico City

Asia: Hong Kong (Asian HQ), Beijing, Mumbai, Shanghai


THE A&M DIFFERENCE

A&M’s operational heritage and depth of senior resources allow us to rapidly diagnose and execute practical solutions in complex business environments.

SPEED TO EXECUTION AND BIAS TOWARD ACTION

– Focus on delivering rapid results

– Coordinate short- and medium-term objectives and credible plans with achievable milestones

PRACTICAL BOTTOM-LINE ORIENTATION

– Keen awareness of what can be implemented in a turnaround environment

– Overarching focus on improving bottom-line results

SENIOR RESOURCE DEPTH

– Global reach

– Executives drawn from commerce, professional services firms and financial institutions

– Majority of professionals at Director grade and above have extensive Board-level operational experience

LEADERSHIP

– Focusing senior resources at every stage of the delivery process

– Forging consensus around credible, executable solutions

– Engaging and partnering with the organization

OPERATIONAL HERITAGE

– Proven, fact-based, financial approach

– Nearly 30 years of operational experience

– Ability to provide interim executives for rapid implementation

MANAGING COMPLEXITY

– Proven track record in managing complex, high-profile situations

– Delivery through assured leadership and execution


WHO ARE OUR CLIENTS?

– 98 of AmLaw 100 firms

– 20% of the Fortune Global 500

– 19 of the FTSE 100

– 300+ Mid- and Large-Cap Private Equity Firms

– 50% of all Fortune 100 companies

– 18 out of 20 of the largest banks in the United States

© Copyright 2011 Alvarez & Marsal Holdings, LLC. All rights reserved. ALVAREZ & MARSAL®, ® and A&M® are trademarks of Alvarez & Marsal Holdings, LLC.

TOPICS FOR DISCUSSION

I. Cash Remains King

II. Wachovia Bank, National Association – Consent Order

III. Common Threads

IV. What Should be on Your Radar

V. Striking the Balance Through Technology Assessment

VI. Rapid Independent Technology Assessment Approach


CASH CONTINUES TO BE THE KING OF ALL TRANSACTIONS

In the United States, cash represents 65% of all transactions

In Asia, the percent grows to 79%

For Latin America, 72% of Business-to-Business Payments are made in cash

Cash transactions are significantly less expensive for merchants

Cash is the least expensive form of payment for a merchant to process, and for small transactions this can be the difference between a profit and a loss

Cash provides a sense of anonymity whereas check, debit and credit cards do not

While prepaid cards are making small inroads and potentially will compete with debit cards and checks, cash remains the king of all transactions


SO, WHAT DOES THIS MEAN FOR BANKING ORGANIZATIONS?

It is never business as usual

Customer and transaction monitoring continues to become more complex

Experienced staffing and effective systems are critically important to have in place

Regulatory expectations remain at an all-time high

Enforcement actions and Civil Money Penalties will be assessed for non-compliance


Consent Order – Zions First National Bank

The OCC placed Zions under a Consent Order and issued a Civil Money Penalty in February of 2011

The Comptroller found the Bank:

– Failed to adequately monitor $5.4 billion of activity in 2006 and 2007 for a new product initiative – Remote Deposit Capture (“RDC”)

– Failed to adequately monitor wire activity of its former foreign correspondent customers, including $7.9 billion of wire activity with CDC customers in 2006 and 2007, before the Bank exited the business in 2008

– Had an inadequate SAR process for its former CDC and foreign correspondent customers and failed to file SARs on a timely basis

– Failed to comply with the Bank’s internal policies and statutory requirements regarding customer due diligence and enhanced due diligence for its former correspondent customers for a period of over 2 years (2006 – 2008)

The OCC further cited 2 significant violations of law:

– 31 USC 5318(g) and 12 CFR 21.21: Failing to adequately monitor CDC and other high risk foreign correspondent accounts to fulfill its suspicious activity reporting obligations and failing to file timely SARs involving suspicious transactions conducted through the Bank

– 31 USC 5318(i) and 31 CFR 103.176: Failing to adequately implement a due diligence program that enables the Bank to detect and report, on an ongoing basis, any known or suspected money laundering activity conducted through or involving any of its foreign correspondent accounts

Zions First National Bank was assessed an $8,000,000 Civil Money Penalty


TAKE AWAYS FROM THE ZIONS FIRST NATIONAL BANK CONSENT ORDER

Risks associated with offering RDC to foreign correspondent customers, especially to CDCs

Risks associated with offering wire services to foreign correspondent customers, especially to CDCs

Inadequate oversight and non-compliance with internal policies related to CDD and EDD of foreign correspondent customers


WHAT SHOULD BE ON YOUR RADAR

Comprehensive Iran Sanctions, Accountability and Divestment Act (“CISADA”)

Signed into Law on July 1, 2010

David S. Cohen (Undersecretary of the Treasury) addressed the Senate Committee on Banking, Housing and Urban Affairs on October 13, 2011. He stated:

– “The key focus on our efforts remains Iranian banks that either directly facilitate Iran’s WMD and missile proliferation activity, or that provide material support to banks that have been designated for engaging in that activity.”

His comments went on to state:

– “CISADA offers a clear choice: A foreign financial institution can have access to the largest and most important financial sector in the world – the United States – or it can do business with the Iranian banks sanctioned for facilitating Iran’s illicit activity, but it cannot do both.”

In early October, Treasury issued a final rule to implement section 104(e) of CISADA that established reporting requirements for US banks that will complement the efforts to identify CISADA-sanctionable activity by foreign banks

The regulators have made it very clear that if they become aware of possible CISADA violations they will seek prompt resolution

It is clear that banks must further strengthen their CDD and EDD efforts, along with close monitoring, to ensure compliance with CISADA


WHAT SHOULD BE ON YOUR RADAR (CONTINUED)

Remote Deposit Capture (RDC)

As covered in the Zions Consent Order, the regulators are viewing RDC very closely. They view it not as a new service but as a new delivery system, and require both effective safeguards to be in place and comprehensive due diligence for access granted to foreign correspondent customers

Cover Payments

While not specifically covered in the Zions Consent Order, reading between the lines, it is clear the regulators had concern over potential cover payments

One example of enforcement is the action taken against Lloyds TSB. In the complaint, Lloyds was found to have deliberately removed material information (such as customer names, bank names and addresses) from payment messages so that wire transfers would pass undetected through filters at US financial institutions

– Lloyds was assessed a $350,000,000 Civil Money Penalty for its actions


THE ASSESSMENT STACK

Striking the right balance…

[Figure: the assessment stack, with elements labelled Drivers, Technology Assessment Results and Corrective Actions, and Balance]

MEETING REGULATORY EXPECTATIONS

Sanctions Compliance – CISADA

– Requires that screening goes beyond the account holder (know your customer’s customer -- KYCC)

– Requires real-time monitoring of accounts and transactions

– Potential creation of sub-structures that complement the customer/account profiles

Remote Data Capture

– Additional due diligence will be required for those customers deemed high risk or where the RDC capture device is located

– Risk complexity varies depending upon the RDC implementation and exposure faced by the institution

» Image exchange versus ACH network

» Use of RDC by foreign correspondent financial institutions and foreign MSBs to replace pouch and clearing activities

» Legal risk exposure related to poor controls over the process used by the image capture or exchange

Cover Payments

– Current messaging practices do not ensure full transparency

– Lack of originator and beneficiary information can complicate the intermediary bank’s ability to properly assess risk with correspondent and clearing operations

– Presents potential for hidden risks where information is deliberately left off the message


TRANSACTION MONITORING

USA PATRIOT Act is the key driver for financial institutions to establish reasonably successful programs to detect and report suspicious transactions related to money laundering

After more than a decade, original assumptions still govern compliance’s business-as-usual, resulting in

– Poor alert quality

– TM environments that have become difficult to manage and audit

– Software monitoring algorithms that have varied little over time

Regulators’ acceptance of the status quo provides a symbolic level of assurance

Technology and staffing spend has gone beyond any reasonable expectation

Transaction Monitoring System (TM) is considered the nucleus of the AML program within a financial institution.


RISK AREAS WITHIN THE TRANSACTION MONITORING PROCESS

[Figure: transaction monitoring process flow]

– Source System Data: Customer / Account Profiles; Transactions by LoB; Watch Lists; Other

– Data Transformation: Mapping; Staging; Loading; Data Exceptions

– Compliance Rules: Suspicious Patterns; Thresholds

– Data Analysis

– Control types: input controls; processing controls; output controls

– Process stages: Data Ingestion (client, account and transaction data); Scenarios, Scoring and Alert Generation; Alert Review

– Notable potential risk areas: Source System Feedback and Suggested Updates; Data Remediation; Calibration Updates

EFFECTIVENESS OF CONTROLS

Regulators’ focus is now shifting towards evaluating the quality of the alerts generated, from data capture (at the source) to investigation, therefore requiring a deeper review of internal controls at each level of the process flow

– Input controls

– Process controls

– Output controls

Control monitoring is the assessment of internal control performance over time

– Ensures that internal controls are adequately designed, properly executed and effective

– Input Controls

» Review of source data through ingestion and load process

– Process Controls

» Perform a comprehensive review of transformation rules relative to scenarios and scoring

» Review threshold parameters

– Output Controls

» Review audit trails to ensure completeness and accuracy

» Ensures that output risk is kept at a reasonable level


TRANSACTIONAL DATA

Data quality, at all levels, is still a significant challenge and vexing issue for almost all financial institutions

– Directly impacts sanctions compliance due to poor or incomplete data

– Dilutes the quality of alerts generated, resulting in additional overhead costs and incorrect threshold calibrations

– Disparate databases across an enterprise as a result of “siloed” businesses, new acquisitions and out-dated monitoring environments

The amount of data being loaded into the transaction monitoring environment should be “right sized”

– Eliminate unnecessary data elements

– Focus on the data elements that are relevant to

» Scenarios and filtering

» Scoring and threshold calibration


CDD AND EDD

Risk ranking, a method of providing a more focused review while easing the compliance burden, has resulted in mixed reviews.

Decreases the efficiency of the monitoring program by drawing attention away from potential laundering activities

– Perceived low risk customers may be reviewed on a periodic basis

– Experienced money launderers will make sure they fall within a low risk profile

Disproportionate number of high risk customers

Expensive process to maintain over time

Use of outdated criteria and methods for risk ranking


ONGOING MONITORING IS VITAL…

…UPDATED CUSTOMER INFORMATION IS CRITICAL

[Figure: Customer / Account Behavior]

CONDUCTING THE TECHNOLOGY ASSESSMENT

Rapid Independent Technology Assessment (RITA)

STEP ONE: SELECT AND GATHER

– Select specific transactions, customers and accounts for review

– Obtain appropriate systems-related documentation, including historical testing results relative to parameter and threshold settings, etc.

– Regulatory, audit reviews and corresponding commentary

STEP TWO: TRACK AND ANALYZE

– Identify specified transaction flow – from source through target including scenarios, scoring parameters, alert generation, etc.

– Analyze and evaluate using a selected approach and tools

– Document salient results and score accordingly

– Review results with compliance

– Obtain consensus and buy-in

STEP THREE: RECOMMEND AND REMEDIATE

– Categorize and prioritize recommendations (i.e., Source Data, Mapping, scenarios, scoring parameters, etc.)

– Develop remediation plan, listing detailed activities and timelines

– Finalize all workpapers for audit review (if required)

PROFESSIONAL BIOGRAPHIES


Craig D. Stone


Senior Director

FIRAS

Craig D. Stone is a Senior Director with Alvarez & Marsal Financial Industry Regulatory Advisory Services in Houston, Texas. Mr. Stone brings a unique and varied background with substantial and proven financial service experience, focusing on risk identification and controls. With more than 27 years in regulatory bank supervision, Mr. Stone has been directly involved in troubled bank oversight, compliance risk management and fiduciary activities risk assessment. Mr. Stone possesses a broad set of skills with experience in a wide variety of banking activities including enterprise-wide risk management, corporate governance and consumer compliance.

Prior to joining A&M, Mr. Stone was the Deputy Ombudsman for the Comptroller of the Currency (OCC) charged with the day-to-day management of the Customer Assistance Group (CAG). In this role, he was responsible for leading a staff of more than 70 professionals including, National Bank Examiners, consumer compliance specialists and information technology experts. Mr. Stone was a key contributor in the creation of early warning tools and measures to identify emerging industry and/or institution specific risks, through the leveraging of customer complaints received by CAG. In addition, Mr. Stone led or provided support in the analysis and processing of complex regulatory disputes and appeals received by the Ombudsman from national banks. Furthermore, he pioneered the concept and branding of a consumer-based internet site which automated select business support functions and expanded customer self-service.

Previously, Mr. Stone served as a National Bank Examiner with a focus on retail banking and compliance management. In this role, he was directly involved in reviews and examinations of many of the largest banking organizations in the country. Mr. Stone has also provided expert witness testimony in Federal Court on allegations involving fraudulent lending and improper insider transactions. Mr. Stone began his regulatory career in the analysis and examination of bank fiduciary activities and asset management, earning a National Trust Examiner commission.

Mr. Stone received a bachelor’s degree in Banking and Finance from Texas State University. He later attended the United States Treasury Executive Leadership Program at Charlottesville, Virginia. Mr. Stone is a founding member of the International Network of Financial Service Ombudsman. In addition, he is a frequent speaker at industry conferences on Financial Institution Risks, Consumer Compliance and Customer Service.


Donna DeMartino


Senior Director

GFD – FTS

Donna DeMartino is a Senior Director with Alvarez & Marsal’s Global Forensic and Dispute Services in New York. She brings more than 20 years of management consulting experience in leading and managing complex technology implementation efforts, investigations and forensic audit projects. She is currently heading up the BSA/AML, Fraud and FCPA technology service line with a specific focus on technology assessments, application augmentation, data ingestion, scenario review and threshold calibration.

Ms. DeMartino specializes in managing large technology projects that focus on, but are not limited to, audit restatements, fraud investigations, anti-money laundering and litigation support. She possesses a strong background in information technology, business process improvement, technology risk assessment, data management and systems development lifecycle methodologies. Her technical experience extends across a wide spectrum of industries, including financial services – banking and brokerage, manufacturing and consumer business.

Ms. DeMartino managed several data mining assignments that supported the financial audit for both manufacturing and investment banking clients. She also provided project management oversight for global IT audit clients that focused on resource allocation planning, enhancing the overall approach, while minimizing costs through the use of data mining techniques and internal audit risk assessment reviews.

Prior to joining A&M, Ms. DeMartino was with the Data, Quality and Integrity practice in the Audit and Enterprise Risk Services group at Deloitte & Touche. She was also a Senior Manager with the Analytic and Forensic Technology within Deloitte’s Financial Advisory Services practice, where she focused on anti-money laundering engagements, forensic investigations, litigation support and business interruption projects.

At Deloitte, Ms. DeMartino also focused on systems integration projects to support ERP implementations, and specialized in Customer Relationship Management software selection for financial services industry clients.

Prior to Deloitte, Ms. DeMartino was with Pinkerton Consulting and Booz Allen & Hamilton, where she was responsible for managing a number of application development efforts, providing business improvement and IT strategy expertise in the Financial Services Sector.

Ms. DeMartino earned a dual bachelor's degree in arts and sciences from Syracuse University with honors. She is also a Certified Fraud Examiner and Anti-Money Laundering Specialist.
