Holding Company Examinations/Inspections Policy

STATE OF LOUISIANA OFFICE OF FINANCIAL INSTITUTIONS BATON ROUGE, LOUISIANA

July 29, 2014

POLICY NO. HC-01-2014 (B,T,TC,HC)

[Rescinds Policy Nos. HC-02-2008, HC-01-97 and BHC-01-92]

HOLDING COMPANY (HC) EXAMINATIONS/INSPECTIONS¹

I. PURPOSE: To define the frequency and procedures to be utilized in the inspections and expanded reviews of HCs.

II. SCOPE: This policy covers the inspections and expanded reviews of all HCs of banks, savings banks, savings and loan associations (S&Ls), and trust companies.

III. AUTHORITY: Bank Holding Companies: LSA-R.S. 6:515(B)(2); Thrift Holding Companies: LSA-R.S. 6:907; Bank and Thrift Holding Companies: LAC 10:I.1503(A)(H), LR 31:2894 (November 2005); Trust Companies: LAC 10:I.1303(J), LR 34:871 (May 2008); LSA-R.S. 6:578(D).

IV. GENERAL: Beginning on January 1, 2008, the Louisiana Office of Financial Institutions (OFI) included an expanded review of small, non-complex, fundamentally sound HCs as a part of its subsidiary financial institution's examination. The expanded review focuses on the impact of the affiliated relationship on the financial institution, and the findings are embedded in the subsidiary financial institution's examination report. There is no hourly charge for this expanded review. OFI will continue to conduct full-scope examinations of its most complex or troubled HCs for which an hourly charge will be assessed. The full-scope examinations are generally stand-alone examination reports; however, they may be embedded in the subsidiary financial institution's examination report when conducted jointly with the Federal Reserve Bank. Guidelines for these two types of examinations follow:

V. GUIDELINES:

A. Inspections or expanded reviews of in-state, state-chartered bank/thrift/trust company HCs—In general, expanded reviews of in-state HCs in which a state-chartered bank, thrift, or trust company is the primary financial subsidiary, will be conducted concurrently with the bank, thrift, or

¹ The terms 'examinations' and 'inspections' are used interchangeably for procedures used beyond an expanded review.

---

POLICY NO. HC-01-2014 HOLDING COMPANY EXAMINATIONS/INSPECTIONS July 29, 2014 Page 2 of 5

trust company examination utilizing expanded techniques to closely review the affiliate relationship.

EXCEPTIONS: A full-scope inspection of an in-state HC in which a state-chartered bank, thrift, or trust company is the primary financial subsidiary is REQUIRED whenever the composite rating for the subsidiary institution (or the composite rating based on the weighted-impact of a multi-institution HC) is 4 or 5 and MAY be necessary when one or more of the situations listed below are present at the Compliance Examiner (DOM's) discretion with approval from the appropriate Deputy Chief Examiner (DCE) and Chief Examiner (CE).

• Consolidated assets are in excess of $1 billion
• Ratio of parent debt to the book value of the bank/thrift's stock is 100 percent or greater
• Nonbank subsidiary or subsidiaries (other than trust companies) make up 25 percent or more of the consolidated entity's total assets
• Management or composite rating for any one of the subsidiary financial institutions is 3 or worse
• First inspection of a newly formed HC
• Other negative indicators of the subsidiary institution that may similarly affect HC operations

Since a full-scope inspection must be conducted on an in-state HC whenever the subsidiary institution's composite rating is a 4 or 5 and the final decision for the rating is determined upon the completion of the subsidiary institution's examination report, the EIC should consult with the appropriate DCE and CE to determine the likelihood of a composite 4 or 5 rating being assigned. If there is a strong chance that the subsidiary institution and therefore the HC will be rated a 4 or 5, the DCE will approve a full-scope inspection erring on the side of conducting a full-scope inspection.

Whenever a full-scope inspection is conducted independently by OFI, a separate HC report will be issued. There may be a charge for any non-training or non-travel time an OFI examiner participated on a joint HC inspection even though the report is embedded in the bank/thrift examination report.

B. New Holding Companies—In general, a new holding company is formed after a new financial institution is formed. Within the first four months of a new HC's formation, a visit will be conducted in which the examiner will ensure that all of the appropriate written policies and procedures are in place and that HC management is aware of their new responsibilities regarding its operation consistent with the various state and federal laws, rules, and best practices. The first inspection of a HC should be conducted within its first

---

POLICY NO. HC-01-2014 HOLDING COMPANY EXAMINATIONS/INSPECTIONS July 29, 2014 Page 3 of 5

year of operation or longer with the DCE's approval in order to coordinate the inspection with the examination of the subsidiary financial institution.

C. New Holding Companies—In general, a new holding company is formed after a new financial institution is formed. Within the first four months of a new HC's formation, a visit will be conducted in which the examiner will ensure that all of the appropriate written policies and procedures are in place and that HC management is aware of their new responsibilities regarding its operation consistent with the various state and federal laws, rules, and best practices. A summary letter will communicate the findings of this visit, and there will be an hourly charge. The first inspection of a HC should be conducted within its first two years of operation. The timing of the inspection will be coordinated with the examination of the subsidiary financial institution.

D. Inspections of out-of-state HCs—At the discretion of the Commissioner, OFI may examine HCs in which its subsidiary(ies) are only state bank(s). In the event that an out-of-state HC owns bank/thrift/trust company subsidiary(ies) chartered by this office, the Commissioner will consider the impact the Louisiana state-chartered institution has on the HC and the other state regulator's role in the supervision of the HC. Once the Commissioner's approval to be involved in the supervision of the HC is given, the inspections will be coordinated by the appropriate DCE with the involvement of the appropriate federal regulator and any other participating state's regulators.

E. Inspections of national bank or federal thrift HCs—LSA-R.S. 6:515(B)(2) states, in part, that "The office may examine a bank holding company having more than one bank subsidiary, one of which is a national bank whenever the commissioner knows or has reasonable cause to believe that an unsafe or unsound practice or condition exists or is likely to occur in any state bank subsidiary of such bank holding company." Similar thrift HC examination requirements are contained in LAC 10:III.4545(B)(2), LR 14:224 (April 1988). Therefore, a HC whose primary financial subsidiary is not a state-chartered institution will only be examined should the need, arise AND ONLY with the permission and direction of the Commissioner.

F. Pre-inspection program—Approximately two weeks to one month prior to the start of a full-scope HC inspection or expanded review, a pre-inspection packet will be sent to HC management. Included in this pre-inspection packet are the items needed to conduct the inspection or expanded review and questionnaire for HC management to prepare for the inspection/expanded review (Attachments 1 and 2). If the bank/thrift/trust company is a secondary financial subsidiary of a multi-institution HC, only a condensed questionnaire should be completed by the institution that is included as Attachment 3. The full questionnaire and other items needed to conduct the inspection or expanded review will be requested when the

---

POLICY NO. HC-01-2014 HOLDING COMPANY EXAMINATIONS/INSPECTIONS July 29, 2014 Page 4 of 5

examination of the primary financial subsidiary is conducted. In addition, HC management will be given the approximate time of arrival and number of examiner(s) expected to participate in the HC inspection/expanded review so that work space, as well as any special requirements, may be furnished. The Examiner-in-Charge (EIC) of the HC inspection/expanded review may arrange to pick up a portion of this information in advance so that some of the routine inspection assignments may be performed "off-site" prior to the commencement of the on-site inspection. In this way, the examiner(s) will be better prepared for a more efficient and effective inspection/expanded review and cause less of a disruption to the financial institution. On a case-by-case basis, this office along with the appropriate federal regulator may elect not to send a pre-inspection packet reserving the prerogative to perform surprise inspections when deemed appropriate.

G. Hourly assessment for HC inspections—The HC will be charged $50 per hour for every OFI examiner performing duties during the course of a full-scope HC examination whether conducted independently or jointly with the appropriate federal regulator. A full-scope inspection may also result in a separate report. Off-site preparation will be included in total inspection time; however, time spent for travel, training, reviewing the report, and any exit meeting to discuss the findings of the inspection will not be included in inspection time, as this is included in the $50 per hour charge.

There will not be a charge for the expanded affiliate review conducted as part of the bank/thrift examination.

H. Assigning a rating—The EIC will assign a HC rating in accordance with the Bank Holding Company Rating System definitions. The main components of the rating system represent Risk management (R), Financial condition (F); and potential Impact (I) of the HC and nondepository subsidiaries of the subsidiary depository institution(s). A fourth component, Depository institution (D), will generally mirror the overall assessment of the subsidiary depository institution(s). Thus, the primary component and composite ratings are displayed as RFI/C(D). A simplified version of the rating system that requires only the assignment of the risk management component rating and composite rating (R/C) will be applied to noncomplex HCs with assets below $1 billion. The definitions of the numeric composite ratings are included as Attachment 4.

I. Meeting with HC management—The findings of the HC inspection or expanded review and ratings assigned will be presented at the exit or board meeting for the primary financial subsidiary whenever possible. If the boards/management of the HC and the bank/thrift/trust company are different AND management requests that the information for the HC NOT be included in the bank/thrift/trust company examination report, all pertinent information concerning the HC will be reported in a separate transmittal letter to the board of the HC and discussed separately with HC management.

---

POLICY NO. HC-01-2014 HOLDING COMPANY EXAMINATIONS/INSPECTIONS July 29, 2014 Page 5 of 5

J. Separate copy of bank/thrift/trust company examination report will be sent to the HC—To ensure that the HC board is officially notified of the results of the subsidiary institution's examination findings, a separate copy of the bank/thrift/trust company examination report will be sent to the HC's address even though the management or the address are the same as the bank/thrift/trust company. The copy of the report submitted to the HC will include a separate Signature of Directors page for HC directors to acknowledge receipt and review of the report.

K. Off-site monitoring of HCs—The off-site monitoring of HCs will be done as part of the financial institution's off-site monitoring. BHCPRs are available online quarterly at http://www.ffiec.gov/nicpubweb/nicweb/SearchForm.aspx for HCs with total assets of $500 million or more. Any declining trends or significant deficiencies discovered during the off-site monitoring of HCs, including sharp or steady increases in the debt level, will be researched further until a satisfactory resolution is reached. The resolution may include a phone call to the HC's management.

Any deviations from this policy require the prior approval of the Commissioner.

[Signature] John Ducrest Commissioner of Financial Institutions

7/29/14 Date

Attachments:

1. List of Items to be Requested for Review of Holding Company
2. Holding Company Questionnaire
3. Limited Scope Questionnaire (for secondary financial subsidiary of a multi-bank/thrift/trust company HC)
4. Holding Company Rating System

SES/KLM

---

Attachment 1 July 29, 2014 Page 1

ITEMS NEEDED FOR REVIEW OF HOLDING COMPANY

1. Parent-company-only comparative financial statements as of the most recent quarter-end and the most recent year-end.
2. Nonbank subsidiaries' financial statements for most recent quarter-end and most recent year-end.
3. Copies of the last two federal tax returns.
4. Only provide copies of written policies that have been amended since OFI's last review or inspection or any new policies approved by the Board of Directors since OFI's last review or inspection. [General list of policies included in Item #3 of questionnaire attached.]
5. Copies of any "key man" or "split-dollar" life insurance policies held/owned by the holding company.
6. Access to or copies of holding company Board minutes.
7. Holding company stockholder list.
8. Holding company checkbook or check registers.
9. Holding company checking account statements since last OFI review or inspection.
10. Copies of any of the following reports filed with the Federal Reserve System since the last OFI review or inspection. (does not apply to trust companies)

FR Y-4 Notification for Prior Approval to Engage Directly or Indirectly in Certain Nonbanking Activities

FR Y-6 Annual Report of Bank Holding Companies

This report is filed by all top-tier bank holding companies and consists of the requirement that top-tier bank holding companies not registered with the Securities and Exchange Commission (SEC) submit a copy of its an annual report to shareholders if one is created. The FR Y-6 also requires the submission of an organizational chart and includes information on the identity, percentage ownership, and business interests of principal shareholders, directors, and executive officers.

FR Y-8 The Bank Holding Company Report of Insured Depository Institutions' Section 23A Transactions with Affiliates.

This report collects information on transactions between an insured depository institution and its affiliates that are subject to section 23A of the Federal Reserve Act. The FR Y-8 comprises a cover page, a declaration page, and a fourteen-item report form page.

FR Y-9C Consolidated Financial Statements for Bank Holding Companies

This report collects basic financial data from a domestic bank holding company (BHC) on a consolidated basis in the form of a balance sheet, an income statement, and detailed supporting schedules, including a schedule of off balance-sheet items.

FR Y-9ES Financial Statements for Employee Stock Ownership Plan Bank Holding Companies

FR Y-9LP Parent Company Only Financial Statements for Large Bank Holding Companies

This report collects basic financial data from a domestic bank holding company (BHC) on a consolidated, parent-only basis in the form of a balance sheet, an income statement, and supporting schedules relating to investments, cash flow, and certain memoranda items.

FR Y-9SP Parent Company Only Financial Statements for Small Bank Holding Companies

---

Attachment 1 July 29, 2014 Page 2

FR Y-9SP Parent Company Only Financial Statements for Small Bank Holding Companies

This report collects basic financial data from small domestic one-bank holding companies on a consolidated, parent-only basis in the form of a balance sheet, an income statement, and a schedule for certain memoranda items.

FR Y-10 Report of Changes in Organizational Structure

This report provides data on organizational structural changes for the reportable companies listed in the Respondent Panel section below. There are six schedules: the Banking Schedule; the Nonbanking Schedule; the Merger Schedule; the 4(k) Schedule; the Branch, Agency, and Representative Office Schedule; and the Foreign Branches of U.S. Banking Organizations Schedule.

FR Y-11/11S Financial Statements of U.S. Nonbank Subsidiaries of U.S. Bank Holding Companies

These reports collect selected financial information for individual U.S. nonbank subsidiaries of domestic bank holding companies (BHCs). The FR Y-11 consists of a balance sheet and income statement; information on changes in equity capital, changes in the allowance for loan and lease losses, off-balance-sheet items, and loans; and a memoranda section. The FR Y-11S collects four financial data items for less significant subsidiaries.

FR Y-12 Consolidated Bank Holding Company Report of Equity Investments in Nonfinancial Companies

This report collects information from certain domestic bank holding companies (BHCs) on their equity investments in nonfinancial companies on four schedules: Type of Investments, Type of Security, Type of Entity within the Banking Organization and Nonfinancial Investment Transactions During the Reporting Period.

---

Attachment 2 July 29, 2014 Page 1

HOLDING COMPANY QUESTIONNAIRE

BOARD AND SENIOR MANAGEMENT OVERSIGHT

1. Explain any differences in the membership of the boards of the bank, thrift, or trust company and the holding company. If different, do you have an objection to the results of the holding company inspection being included in the bank/thrift/trust company examination report?

2. Identify any activities or transactions with or on behalf of subsidiaries and affiliates. Indicate whether they are reported to the holding company Board of Directors.

3. Please provide, if applicable, the date the board of directors of the holding company last reviewed each item. Please indicate if item is not applicable.

Budget – Audit Policy – Tax Allocation Policy – Dividend Policy – Fidelity Insurance Program – Cash Flow Statement –

4. Since the last review or inspection, has the holding company engaged in any new activity, formed a subsidiary, dissolved a subsidiary, acquired an equity interest in another company, or increased its ownership of another company? If yes, please identify the affected business entities and the types of businesses involved.

5. Has the holding company or any of its nonbank/thrift/trust company subsidiaries been named as a defendant in a lawsuit?

6. Does the holding company have any dual employees? If yes, please identify those employees.

7. Is the holding company a party to any employment contracts, incentive programs, severance packages, split-dollar life insurance policies, or retirement programs for directors and officers and are these agreements reviewed annually by the holding company Board of Directors? If yes, please identify the employees involved and the amount of any unfunded pension liability.

---

Attachment 2 July 29, 2014 Page 2

HOLDING COMPANY QUESTIONNAIRE

8. Are the financial statements of service providers and vendors which provide critical services or products to the holding company reviewed annually by the holding company directorate?

9. Exclusive of employment contracts, does the holding company have any contracts or agreements with directors, officers, or their related interests for products or services? If yes, please identify.

10. Does the holding company have any outstanding commitments to OFI or the Federal Reserve Bank? If yes, please describe.

11. Has there been a change in management or the board of directors since the last OFI review or inspection? Please identify the changes.

FINANCIAL

12. Has the holding company conducted a transaction with any party for the acquisition, sale, exchange or transfer of real estate, or entered in to a lease or rental agreement pertaining to real estate or any other property, since the last review or inspection? If yes, please describe.

13. Has the holding company incurred any additional debt since the last review or inspection such as overdrafts at a bank/thrift/trust company subsidiary, subordinated debt, trust preferred securities, issued a guarantee, or otherwise endorsed debt on its own behalf or on the behalf of others? If yes, please a copy of the agreements and related details.

14. Is the holding company controlled by a voting trust or a member of a voting trust? If yes, please provide a copy of the agreement.

15. Has the holding company issued additional stock, stock options, or stock warrants since the last review or inspection? If so, please provide details.

16. Does the holding company have a formal stock buy back or redemption plan?

17. Has the holding company distributed or received any non-cash dividends (property dividends or stock dividends) since the last review or inspection?

---

Attachment 2 July 29, 2014 Page 3

HOLDING COMPANY QUESTIONNAIRE

18. Does the holding company charge its bank/thrift/trust company subsidiaries management or service fees?

COMPLIANCE

19. Has a change of control occurred since the last review or inspection and, if so, has the change of control been approved by the Federal Reserve Bank? [NOTE: Trust companies should only respond to whether there has been a change of control.]

20. Have there been any changes to the holding company's articles of incorporation or bylaws since the last review or inspection? If yes, please describe.

21. Are any of the holding company's subsidiaries non-Louisiana corporations, companies, or partnerships? If yes, please identify only those formed since the last review or inspection.

22. Since the last review or inspection, has the holding company filed with the Federal Reserve Bank an application to begin operating as a Financial Holding Company? [Not applicable to trust companies holding company]

23. If the holding company is not publicly traded, do the directors and executive officers of the parent company report any loans they have at any institution, which are secured by holding company stock, to the Board of Directors at least annually?

I hereby certify that the following statements are true and correct to the best of my knowledge and belief.

Officer's Name and Title	Institution's Name and Location
Officer's Signature	Date Signed

This is an official document. Any false information contained in it may be grounds for prosecution and may be punishable by fine or imprisonment.

---

Attachment 3 July 29, 2014 Page 1

HOLDING COMPANY QUESTIONNAIRE – for any secondary financial subsidiary of a multi-bank/thrift/trust company holding company

BOARD AND SENIOR MANAGEMENT OVERSIGHT

1. Explain any differences in the membership of the boards of the bank, thrift, or trust company and the holding company. If different, do you have an objection to the results of the holding company inspection being included in the bank/thrift/trust company examination report?

2. Does the holding company have any dual employees with this bank/thrift/trust company subsidiary? If yes, please identify those employees.

3. Exclusive of employment contracts, does the holding company have any contracts or agreements with directors, officers, or their related interests for products or services? If yes, please identify.

FINANCIAL

4. Has the holding company distributed or received any non-cash dividends (property dividends or stock dividends) since the last review or inspection?

5. Does the holding company charge its bank/thrift/trust company subsidiaries management or service fees?

I hereby certify that the following statements are true and correct to the best of my knowledge and belief.

Officer's Name and Title	Institution's Name and Location
Officer's Signature	Date Signed

This is an official document. Any false information contained in it may be grounds for prosecution and may be punishable by fine or imprisonment.

---

Attachment 4 July 29, 2014 Page 1

HOLDING COMPANY RATING SYSTEM

Section 4070.0 On December 1, 2004, the Board of Governors approved for System-wide implementation a revised bank holding company (BHC) rating system to more closely align the supervisory rating system for BHCs, including financial holding companies, with the Federal Reserve's current supervisory practices.² The revised rating system became effective January 1, 2005, and is to be used for all inspections commencing after that date.

Each BHC is assigned a composite rating “C” based on an evaluation and rating of its managerial and financial condition and an assessment of future potential risk to its subsidiary depository institution(s). The main components of the rating system represent Risk management (R); Financial condition (F); and potential Impact (I) of the parent company and nondepository subsidiaries (collectively nondepository entities) on the subsidiary depository institution(s). While all BHCs are required to act as sources of strength to their subsidiary depository institutions, pursuant to the Board's rules and policies, the impact rating (I) focuses on downside risk—that is, on the likelihood of significant negative Impact on the subsidiary depository institutions. A fourth component rating, Depository institution (D), will generally mirror the primary regulator's assessment of the subsidiary depository institution(s). Thus, the primary component and composite ratings are displayed: RFI/C(D).

To provide a consistent framework for assessing risk management, the R component is supported by four subcomponents that reflect the effectiveness of the banking organization's risk management and controls. The subcomponents are board and senior management oversight; policies, procedures, and limits; risk monitoring and MIS; and internal controls. The F component is similarly supported by four subcomponents reflecting an assessment of the quality of the banking organization's capital, asset quality, earnings, and liquidity. A simplified version of the rating system that requires only the assignment of the risk-management component rating and composite rating will be applied to noncomplex BHCs with assets below $1 billion.

Composite, component, and subcomponent ratings are assigned based on a 1 to 5 numeric scale. A 1 indicates the highest rating, strongest performance and practices, and least degree of supervisory concern; a 5 indicates the lowest rating, weakest performance, and highest degree of supervisory concern.

The Federal Reserve recognizes the interrelationship between the risk-management and financial-performance components of the revised rating system, an interrelationship that is inherent in all supervisory rating systems. Accordingly, examiners are expected to consider that a risk management factor may have a bearing on the assessment of a financial subcomponent or component rating and vice versa. In general, the risk-management component and subcomponents should be viewed as the more forward-looking aspect of the rating system, and the financial-condition component and subcomponents should be viewed as the current aspect of the rating system. For example, a BHC's ability to monitor and manage market risk (or sensitivity to market risk) should be evaluated together with the organization's ability to monitor and manage all risks under the R component of the rating system. However, poor market-risk management may also be reflected in the F component if it impacts earnings or capital. (See SR-04-18 and its attachment.)

All of the BHC numeric ratings, including the composite, component, and subcomponent ratings, should be presented in the report of inspection, in accordance with the Federal Reserve's supervisory practices. The management of each BHC under inspection should be made aware of the fact that this rating is furnished solely for its confidential use and under no circumstances should the BHC or any of its directors, officers, or employees disclose or make public any of the ratings.

4070.0.1 THE BANK HOLDING COMPANY RFI/C(D) RATING SYSTEM The bank holding company (BHC) rating system provides an assessment of certain risk management and financial-condition factors that are common to all BHCs, as well as an assessment of the potential impact of the parent BHC and its nondepository subsidiaries (collectively nondepository entities) on the BHC's subsidiary depository institutions. Under this system, the Federal Reserve endeavors to ensure that all BHCs, including financial holding companies (FHCs), are evaluated in a comprehensive and uniform manner, and that supervisory attention is appropriately focused on the BHCs that exhibit financial and operational weaknesses or adverse trends. The rating system serves as a useful vehicle for identifying problem or deteriorating BHCs, as well as for categorizing BHCs with deficiencies in particular

¹ The Federal Reserve System's previous BHC rating system was the BOPEC rating system. The components of the rating represented the Bank, Other nonbank subsidiaries, Parent company, Earnings, and Capital. ² A simplified version of the rating system that includes only the R and C components will be applied to noncomplex bank holding companies with assets at or below $1 billion.

---

Attachment 4 July 29, 2014 Page 2

HOLDING COMPANY RATING SYSTEM

areas. Further, the rating system assists the Federal Reserve in following safety-and-soundness trends and in assessing the aggregate strength and soundness of the financial industry.

Each BHC² is assigned a composite rating “C” based on an overall evaluation and rating of its managerial and financial condition and an assessment of future potential risk to its subsidiary depository institution(s). The main components of the rating system represent Risk management (R); Financial condition (F); and potential Impact (I) of the nondepository entities on the subsidiary depository institutions. While the Federal Reserve expects all BHCs to act as a source of strength to their subsidiary depository institutions, the Impact (I) rating focuses on downside risk—that is, on the likelihood of significant negative impact by the nondepository entities on the subsidiary depository institution(s). A fourth rating, Depository institution(s) (D), will generally mirror the primary regulator's assessment of the subsidiary depository institution(s). Thus, the primary component and composite ratings are displayed: RFI/C(D).

To provide a consistent framework for assessing risk management, the R component is supported by four subcomponents that reflect the effectiveness of the banking organization's risk management and controls. The subcomponents are board and senior management oversight; policies, procedures, and limits; risk monitoring and MIS; and internal controls. The F component is also supported by four subcomponents reflecting an assessment of the quality of the consolidated banking organization's capital, asset quality, earnings, and liquidity.

Composite, component, and subcomponent ratings are assigned based on a 1 to 5 numeric scale. A 1 numeric rating indicates the highest rating, strongest performance and practices, and least degree of supervisory concern, whereas a 5 numeric rating indicates the lowest rating, weakest performance, and the highest degree of supervisory concern.

The following three sections contain detailed descriptions of the composite, component, and subcomponent ratings; implementation guidance by BHC type; and definitions of the ratings.

4070.0.2 DESCRIPTION OF THE RATING-SYSTEM ELEMENTS 4070.0.2.1 The Composite (C) Rating “C” is the overall composite assessment of the BHC as reflected by consolidated risk management, consolidated financial strength, and the potential impact of the nondepository entities on the subsidiary depository institutions. The composite rating encompasses both a forward looking and static assessment of the consolidated organization, as well as an assessment of the relationship between the depository and nondepository entities. Consistent with current Federal Reserve practice, the C rating is not derived as a simple numeric average of the R, F, and I components; rather, it reflects examiner judgment with respect to the relative importance of each component to the safe and sound operation of the BHC.

4070.0.2.2 The Risk-Management (R) Component “R” represents an evaluation of the ability of the BHC's board of directors and senior management, as appropriate for their respective positions, to identify, measure, monitor, and control risk.

The R rating underscores the importance of the control environment, taking into consideration the complexity of the organization and the risk inherent in its activities. The R rating is supported by four subcomponents that are each assigned a separate rating. The four subcomponents are as follows: (1) board and senior management oversight; (2) policies, procedures, and limits; (3) risk monitoring and MIS; and (4) internal controls. The subcomponents are evaluated in the context of the risks undertaken by and inherent in a banking organization and the overall level of complexity of the firm's operations. They provide the Federal Reserve System with a consistent framework for evaluating risk management and the control environment. Moreover, the subcomponents provide a clear structure and basis for discussion of the R rating with BHC management, reflect the principles of SR-95-51, are familiar to examiners, and parallel the existing risk-assessment process. SR-95-51 contains a detailed description of the four risk-management subcomponents.

4070.0.2.2.1 Risk-Management Subcomponents 4070.0.2.2.1.1 Board and Senior Management Oversight This subcomponent evaluates the adequacy and effectiveness of board and senior management's understanding and management of risk inherent in the BHC's activities, as well as the general capabilities of management. It also includes consideration of management's ability to understand, and control the risks undertaken by the institution, to hire competent staff, and to respond to changes in the institution's risk profile or innovations in the banking sector.

---

Attachment 4 July 29, 2014 Page 3

HOLDING COMPANY RATING SYSTEM

4070.0.2.2.1.2 Policies, Procedures, and Limits This subcomponent evaluates the adequacy of a BHC's policies, procedures, and limits given the risks inherent in the activities of the consolidated BHC and the organization's stated goals and objectives. This analysis will include consideration of the adequacy of the institution's accounting and risk-disclosure policies and procedures.

4070.0.2.2.1.3 Risk Monitoring and Management Information Systems This subcomponent assesses the adequacy of a BHC's risk measurement and monitoring, and the adequacy of its management reports and information systems. This analysis will include a review of the assumptions, data, and procedures used to measure risk and the consistency of these tools with the level of complexity of the organization's activities.

4070.0.2.2.1.4 Internal Controls This subcomponent evaluates the adequacy of a BHC's internal controls and internal audit procedures, including the accuracy of financial reporting and disclosure and the strength and influence of the internal audit team within the organization. This analysis will also include a review of the independence of control areas from management and the consistency of the scope coverage of the internal audit team with the complexity of the organization.

4070.0.2.3 The Financial-Condition (F) Component “F” represents an evaluation of the consolidated organization's financial strength. The F rating focuses on the ability of the BHC's resources to support the level of risk associated with its activities. The F rating is supported by four subcomponents: capital (C), asset quality (A), earnings (E), and liquidity (L). The CAEL subcomponents can be evaluated along individual business lines, product lines, or on a legal-entity basis, depending on what is most appropriate given the structure of the organization. The assessment of the CAEL components should use benchmarks and metrics appropriate to the business activity being evaluated. Consistent with current supervisory practices, examination staff should continue to review relevant market indicators, such as external debt ratings, credit spreads, debt and equity prices, and qualitative rating-agency assessments as a source of information complementary to examination findings.

4070.0.2.3.1 Financial-Condition Subcomponents (CAEL) 4070.0.2.3.1.1 Capital Adequacy “C” reflects the adequacy of an organization's consolidated capital position, from a regulatory capital perspective and an economic capital perspective, as appropriate to the BHC.³ The evaluation of capital adequacy should consider the risk inherent in an organization's activities and the ability of capital to absorb unanticipated losses, to provide a base for growth, and to support the level and composition of the parent company and subsidiaries' debt.

4070.0.2.3.1.2 Asset Quality “A” reflects the quality of an organization's consolidated assets. The evaluation should include, as appropriate, both on-balance-sheet and off-balance-sheet exposures and the level of criticized and nonperforming assets. Forward looking indicators of asset quality, such as the adequacy of underwriting standards, the level of concentration risk, the adequacy of credit administration policies and procedures, and the adequacy of MIS for credit risk, may also form the Federal Reserve's view of asset quality.

4070.0.2.3.1.3 Earnings “E” reflects the quality of consolidated earnings. The evaluation considers the level, trend, and sources of earnings, as well as the ability of earnings to augment capital as necessary to provide ongoing support for a BHC's activities.

4070.0.2.3.1.4 Liquidity “L” reflects the consolidated organization's ability to attract and maintain the sources of funds necessary to support its operations and meet its obligations. The funding conditions for each of the material legal entities in the holding company structure should be evaluated to determine if any weaknesses exist that could affect the funding profile of the consolidated organization.

³ The regulatory minimum capital ratios for BHCs are 8 percent for total risk-based capital, 4 percent for tier 1 riskbased capital, 3 percent for tier 1 leverage for HCs rated strong, and 4 percent for tier 1 leverage for all other HCs. See 12 C.F.R. 225, appendices A and D.

---

Attachment 4 July 29, 2014 Page 4

HOLDING COMPANY RATING SYSTEM

4070.0.2.4 The Impact (I) Component Like the other components and subcomponents, the I component is rated on a five-point numerical scale. However, the descriptive definitions of the numerical ratings for I are different than those of the other components and subcomponents. The I ratings are defined as follows:

1—low likelihood of significant negative impact 2—limited likelihood of significant negative impact 3—moderate likelihood of significant negative impact 4—considerable likelihood of significant negative impact 5—high likelihood of significant negative impact

The I component is an assessment of the potential impact of the nondepository entities on the subsidiary depository institution(s). The I assessment will evaluate both the risk management practices and financial condition of the nondepository entities—an analysis that will borrow heavily from the analysis conducted for the R and F components. Consistent with current practices, nondepository entities will be evaluated using benchmarks and analysis appropriate for those businesses. In addition, for functionally regulated nondepository subsidiaries, examination staff will continue to rely, to the extent possible, on the work of those functional regulators to assess the risk management practices and financial condition of those entities. In rating the I component, examination staff is required to evaluate the degree to which current or potential issues within the nondepository entities present a threat to the safety and soundness of the subsidiary depository institution(s). In this regard, the I component will give a clearer indication of the degree of risk posed by the nondepository entities to the federal safety net than does the current rating system.

The I component focuses on the aggregate impact of the nondepository entities on the subsidiary depository institution(s). In this regard, the I rating does not include individual subcomponent ratings for the parent company and nondepository subsidiaries. An I rating is assigned always for each BHC; however, as is currently the case, nonmaterial nondepository subsidiaries⁴ may be excluded from the I analysis at the examiner's discretion. Any risk-management and financial issues at the nondepository entities that potentially impact the safety and soundness of the subsidiary depository institution(s) should be identified in the written comments under the I rating. This approach is consistent with the Federal Reserve's objective not to extend bank like supervision to nondepository entities.

The analysis of the parent company for the purpose of assigning an I rating should emphasize weaknesses that could directly impact the risk-management or financial condition of the subsidiary depository institution(s). Similarly, the analysis of the nondepository subsidiaries for the purpose of assigning an I rating should emphasize weaknesses that could negatively impact the parent company's relationship with its subsidiary depository institution(s) and weaknesses that could have a direct impact on the risk-management practices or financial condition of the subsidiary depository institution(s). The analysis under the I component should consider existing as well as potential issues and risks that may impact the subsidiary depository institution(s) now or in the future. Particular attention should be paid to the following risk management and financial factors in assigning the I rating:

4070.0.2.4.1 Risk-Management Factors

• Strategic considerations. The potential risks posed to the subsidiary depository institution(s) by the nondepository entities' strategic plans for growth in existing activities and expansion into new products and services.
• Operational considerations. The spillover impact on the subsidiary depository institution(s) from actual losses, a poor control environment, or an operational loss history in the nondepository entities.
• Legal and reputational considerations. The spillover effect on the subsidiary depository institution(s) of complaints and litigation that name one or more of the nondepository entities as defendants, or involve violations of laws or regulations, especially pertaining to intercompany transactions where the subsidiary depository institution(s) is involved.
• Concentration considerations. The potential risks posed to the subsidiary depository institution(s) by concentrations within the nondepository entities in business lines, geographic areas, industries, customers, or other factors.

4070.0.2.4.2 Financial Factors

• Capital distribution. The distribution and transferability of capital across the legal entities.
• Intra-group exposures. The extent to which intra-group exposures, including servicing agreements, have the potential to undermine the condition of subsidiary depository institution(s).

⁴ As a general rule, nondepository subsidiaries should be included in the I analysis whenever their assets exceed 5 percent of the BHC's consolidated capital or $10 million, whichever is lower.

---

Attachment 4 July 29, 2014 Page 5

HOLDING COMPANY RATING SYSTEM

• Parent company cash flow and leverage. The extent to which the parent company is dependent on dividend payments, from both the nondepository subsidiaries and the subsidiary depository institution(s), to service debt and cover fixed charges. Also, the effect that these upstreamed cash flows have had, or can be expected to have, on the financial condition of the BHC's nondepository subsidiaries and subsidiary depository institution(s).

4070.0.2.5 The Depository Institutions (D) Component The (D) component will reflect generally the composite CAMELS rating assigned by the subsidiary institution's primary supervisor. In a multibank BHC, the (D) rating will reflect a weighted average of the CAMELS composite ratings of the individual subsidiary depository institutions, weighted by both asset size and the relative importance of each depository institution within the holding company structure. In this regard, the CAMELS composite rating for a subsidiary depository institution that dominates the corporate culture may figure more prominently in the assignment of the (D) rating than would be dictated by asset size, particularly when problems exist within that depository institution.

The (D) component conveys important supervisory information, reflecting the primary supervisor's assessment of the legal entity. The (D) component stands outside of the composite rating, although significant risk-management and financial-condition considerations at the depository institution level are incorporated in the consolidated R and F ratings, which are then factored into the C rating.

Consistent with current practice, if, in the process of analyzing the financial condition and risk management programs of the consolidated organization, a major difference of opinion regarding the safety and soundness of the subsidiary depository institution(s) emerges between the Federal Reserve and the depository institution's primary regulator, then the (D) rating should reflect the Federal Reserve's evaluation.

To highlight the presence of one or more problem depository institution(s) in a multibank BHC whose depository institution component, based on weighted averages, might not otherwise reveal their presence (i.e., depository institution ratings of 1, 2, or 3), a problem modifier, P, would be attached to the depository institution rating (e.g., 1P, 2P, or 3P). Thus, 2P would indicate that, while on balance the depository subsidiaries are rated Satisfactory, there exists a problem depository institution (composite 4 or 5) among the subsidiary depository institutions. The problem identifier is unnecessary when the depository institution component is rated 4 or 5.

4070.0.3 IMPLEMENTATION OF THE BHC RATING SYSTEM BY BHC TYPE The Federal Reserve's BHC rating system aligns the rating system with current Federal Reserve supervisory practices.⁵ The rating system requires analysis and support for BHCs of all sizes.⁶ As such, the level of analysis and support will vary based upon whether a BHC has been determined to be “complex” or “noncomplex.”⁷ In addition, the resources dedicated to the inspection of each BHC will continue to be determined by the risk posed by the subsidiary depository institution(s) to the federal safety net and the risk posed by the BHC to the subsidiary depository institution(s).

4070.0.3.1 Noncomplex BHCs with Assets of $1 Billion or Less (Shell Holding Companies) Rating: R and C Consistent with SR-02-1, examination staff will assign only an R and a C rating for all companies in the shell BHC program (noncomplex BHCs with assets under $1 billion). The R rating is the M rating from the subsidiary depository institution's CAMELS rating. To provide consistent rating terminology across BHCs of all sizes, the terminology is changed to R from the former M. The C rating is the subsidiary depository institution's composite CAMELS rating.

⁵ As described in the FR Manual, SR-95-51, SR-97-24, SR-99-15, and SR-02-1. ⁶ The determination of whether a holding company is “complex” or “noncomplex” is made at least annually on a case-by-case basis taking into account and weighing a number of considerations, such as the size and structure of the holding company; the extent of intercompany transactions between depository institution subsidiaries and the holding company or nondepository subsidiaries of the holding company; the nature and scale of any nondepository activities, including whether the activities are subject to review by another regulator and the extent to which the holding company is conducting Gramm-Leach-Bliley-authorized activities (e.g., insurance, securities, merchant banking); whether risk-management processes for the holding company are consolidated; and whether the holding company has material debt outstanding to the public. Size is a less important determinant of complexity than many of the factors noted above, but generally companies of significant size (e.g., assets of $10 billion on balance sheet or managed) would be considered complex, irrespective of the other considerations. ⁷ The federal safety net includes the federal deposit insurance fund, the payments system, and the Federal Reserve's discount window.

---

Attachment 4 July 29, 2014 Page 6

HOLDING COMPANY RATING SYSTEM

4070.0.3.2 Noncomplex BHCs with Assets Greater Than $1 Billion 4070.0.3.2.1 One-Bank Holding Companies Rating: RFI/C(D) For all noncomplex one-bank holding companies with assets of greater than $1 billion, examination staff will assign all component and subcomponent ratings; however, examination staff should continue to rely heavily on information and analysis contained in the primary regulator's report of examination for the subsidiary depository institution to assign the R and F ratings. If examination staff have reviewed the primary regulator's examination report and are comfortable with the analysis and conclusions contained in that report, then the BHC ratings should be supported with concise language that the conclusions are based on the analysis of the primary regulator. No additional analysis will be required.

In cases where the analysis and conclusions of the primary regulator are insufficient to assign the ratings, the primary regulator should be contacted to ascertain whether additional analysis and support may be available. Further, if discussions with the primary regulator do not provide sufficient information to assign the ratings, discussions with BHC management may be warranted to provide adequate information to assign the ratings. In most cases, additional information or support obtained through these steps will be sufficient to permit the assignment of the R and F ratings. To the extent that additional analysis is deemed necessary, the level of analysis and resources spent on this assessment should be in line with the level of risk the subsidiary depository institution poses to the federal safety net. In addition, any activities that involve information gathering with respect to the subsidiary depository institution should be coordinated with and, if possible, conducted by, the primary regulator of that institution.

Examination staff are required to make an independent assessment in order to assign the I rating, which provides an evaluation of the impact of the BHC on the subsidiary depository institution. Analysis for the I rating in noncomplex one-bank holding companies should place particular emphasis on issues related to parent company cash flow and compliance with sections 23A and 23B of the Federal Reserve Act and the Board's Regulation W.

4070.0.3.2.2 Multibank Holding Companies Rating: RFI/C(D) For all noncomplex BHCs with assets of greater than $1 billion and more than one subsidiary depository institution, examination staff will assign all component and subcomponent ratings of the new system. Examiners should rely, to the extent possible, on the work conducted by the primary regulators of the subsidiary depository institutions to assign the R and F ratings. However, any risk-management or other important functions conducted by the nondepository entities of the BHC, or conducted across legal entity lines, should be subject to review by OFI Federal Reserve examination staff. These reviews should be conducted in coordination with the primary regulator(s). The assessment for the I rating requires an independent assessment by OFI Federal Reserve examination staff.

4070.0.3.3 Complex BHCs Rating: RFI/C(D) For complex BHCs, examination staff will assign all component and subcomponent ratings of the new system. The ratings analysis should be based on the primary and functional regulators' assessment of the subsidiary entities, as well as on the examiners' assessment of the consolidated organization as determined through off-site review and the BHC inspection process. The resources needed for the inspection and the level of support needed for developing a full rating will depend on the complexity of the organization, including structure and activities (see footnote 5), and should be commensurate with the level of risk posed by the subsidiary depository institution(s) to the federal safety net and the level of risk posed by the BHC to the subsidiary depository institution(s).

4070.0.3.4 Nontraditional BHCs Rating: RFI/C(D) Examination staff are required to assign the full rating system for nontraditional BHCs. Nontraditional BHCs include BHCs in which most or all nondepository entities are regulated by a functional regulator and in which the subsidiary depository institution(s) are small in relation to the nondepository entities. The rating system is not intended to introduce significant additional work in the rating process for these organizations. As discussed above, the level of analysis conducted and resources needed to inspect the BHC and to assign the consolidated R and F ratings should be commensurate with the level of risk posed by the subsidiary depository institution(s) to the federal safety net and the level of risk posed by the BHC to the subsidiary depository institution(s). The report of examination by, and other information obtained from, the functional and primary bank regulators should provide the basis for the consolidated R and F ratings. On-site work, to the extent it involves areas that are the primary responsibility of the functional or primary bank regulator, should be coordinated with and, if possible, conducted by, those regulators. Examination staff

---

Attachment 4 July 29, 2014 Page 7

HOLDING COMPANY RATING SYSTEM

should concentrate their independent analysis for the R and F ratings around activities and risk management conducted by the parent company and non-functionally regulated nondepository subsidiaries, as well as around activities and risk management functions that are related to the subsidiary depository institution(s), for example, audit functions for the depository institution(s) and compliance with sections 23A and 23B and the Board's Regulation W. Examination staff are required to make an independent assessment of the impact of the nondepository entities on the subsidiary depository institution(s) in order to assign the I rating.

4070.0.4 RATING DEFINITIONS FOR THE RFI/C(D) RATING SYSTEM All component and subcomponent ratings are rated on a five-point numeric scale. With the exception of the I component, ratings will be assigned in ascending order of supervisory concern as follows: 1—Strong 2—Satisfactory 3—Fair 4—Marginal 5—Unsatisfactory

A description of the I component ratings is in the I section (see section 4070.0.4.4). As is current Federal Reserve practice, the component ratings are not derived as a simple numeric average of the subcomponent ratings; rather, weight afforded to each subcomponent in the overall component rating will depend on the severity of the condition of that subcomponent and the relative importance of that subcomponent to the consolidated organization. Similarly, some components may be given more weight than others in determining the composite rating, depending on the situation of the BHC. Assignment of a composite rating may incorporate any factor that bears significantly on the overall condition and soundness of the BHC, although generally the composite rating bears a close relationship to the component ratings assigned.

4070.0.4.1 Composite Rating Rating 1 (Strong). BHCs in this group are sound in almost every respect; any negative findings are basically of a minor nature and can be handled in a routine manner. Risk-management practices and financial condition provide resistance to external economic and financial disturbances. Cash flow is more than adequate to service debt and other fixed obligations, and the nondepository entities pose little risk to the subsidiary depository institution(s).

Rating 2 (Satisfactory). BHCs in this group are fundamentally sound but may have modest weaknesses in risk-management practices or financial condition. The weaknesses could develop into conditions of greater concern but are believed correctable in the normal course of business. As such, the supervisory response is limited. Cash flow is adequate to service obligations, and the nondepository entities are unlikely to have a significant negative impact on the subsidiary depository institution(s).

Rating 3 (Fair). BHCs in this group exhibit a combination of weaknesses in risk-management practices and financial condition that range from fair to moderately severe. These companies are less resistant to the onset of adverse business conditions and would likely deteriorate if concerted action is not effective in correcting the areas of weakness. Consequently, these companies are vulnerable and require more-than-normal supervisory attention and financial surveillance. However, the risk-management and financial capacity of the company, including the potential negative impact of the nondepository entities on the subsidiary depository institution(s), pose only a remote threat to its continued viability.

Rating 4 (Marginal). BHCs in this group have significant risk-management and financial weaknesses, which may pose a heightened risk of significant negative impact on the subsidiary depository institution(s). The holding company's cash-flow needs may be being met only by upstreaming imprudent dividends and/or fees from its subsidiaries. Unless prompt action is taken to correct these conditions, the organization's future viability could be impaired. These companies require close supervisory attention and substantially increased financial surveillance.

Rating 5 (Unsatisfactory). The magnitude and character of the risk-management and financial weaknesses of BHCs in this category, and concerns about the nondepository entities negatively impacting the subsidiary depository institution(s), could lead to insolvency without urgent aid from shareholders or other sources. The imminent inability to prevent liquidity and/or capital depletion places the BHC's continued viability in serious doubt. These companies require immediate corrective action and constant supervisory attention.

---

Attachment 4 July 29, 2014 Page 8

HOLDING COMPANY RATING SYSTEM

4070.0.4.2 Risk-Management Component Rating 1 (Strong). A rating of 1 indicates that management effectively identifies and controls all major types of risk posed by the BHC's activities. Management is fully prepared to address risks emanating from new products and changing market conditions. The board and management are forward-looking and active participants in managing risk. Management ensures that appropriate policies and limits exist and are understood, reviewed, and approved by the board. Policies and limits are supported by risk monitoring procedures, reports, and MIS that provide management and the board with the information and analysis that is necessary to make timely and appropriate decisions in response to changing conditions. Risk-management practices and the organization's infrastructure are flexible and highly responsive to changing industry practices and current regulatory guidance. Staff has sufficient experience, expertise, and depth to manage the risks assumed by the institution.

Internal controls and audit procedures are sufficiently comprehensive and appropriate to the size and activities of the institution. There are few noted exceptions to the institution's established policies and procedures, and none is material. Management effectively and accurately monitors the condition of the institution consistent with the standards of safety and soundness, and in accordance with internal and supervisory policies and risk-management processes are fully effective in identifying, monitoring, and controlling the risks to the institution.

Rating 2 (Satisfactory). A rating of 2 indicates that the institution's management of risk is largely effective, but lacking in some modest degree. Management demonstrates a responsiveness and ability to cope successfully with existing and foreseeable risks that may arise in carrying out the institution's business plan. Although the institution may have some minor risk management weaknesses, these problems have been recognized and are in the process of being resolved. Overall, board and senior management oversight, policies and limits, risk-monitoring procedures, reports, and MIS are considered satisfactory and effective in maintaining a safe and sound institution. Risks are controlled in a manner that does not require more-than-normal supervisory attention.

The BHC's risk-management practices and infrastructure are satisfactory and generally are adjusted appropriately in response to changing industry practices and current regulatory guidance. Staff experience, expertise, and depth are generally appropriate to manage the risks assumed by the institution.

Internal controls may display modest weaknesses or deficiencies, but they are correctable in the normal course of business. The examiner may have recommendations for improvement, but the weaknesses noted should not have a significant effect on the safety and soundness of the institution.

Rating 3 (Fair). A rating of 3 signifies that risk-management practices are lacking in some important ways and, therefore, are a cause for more-than-normal supervisory attention. One or more of the four elements of sound risk management⁸ (active board and senior management oversight; adequate policies, procedures, and limits; adequate risk-management monitoring and MIS; comprehensive internal controls) are considered less than acceptable, and has precluded the institution from fully addressing one or more significant risks to its operations. Certain risk-management practices are in need of improvement to ensure that management and the board are able to identify, monitor, and control all significant risks to the institution. Also, the risk-management structure may need to be improved in areas of significant business activity, or staff expertise may not be commensurate with the scope and complexity of business activities. In addition, management's response to changing industry practices and regulatory guidance may need to improve.

The internal control system may be lacking in some important aspects, particularly as indicated by continued control exceptions or by a failure to adhere to written policies and procedures. The risk-management weaknesses could have adverse effects on the safety and soundness of the institution if corrective action is not taken by management.

Rating 4 (Marginal). A rating of 4 represents deficient risk-management practices that fail to identify, monitor, and control significant risk exposures in many material respects. Generally, such a situation reflects a lack of adequate guidance and supervision by management and the board. One or more of the four elements of sound risk management are deficient and requires immediate and concerted corrective action by the board and management.

⁸ See the Federal Reserve System handbook Framework for Risk-Focused Supervision of Large Complex Institutions, August 1997, and SR-95-51, “Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies.”

---

Attachment 4 July 29, 2014 Page 9

HOLDING COMPANY RATING SYSTEM

The institution may have serious identified weaknesses, such as an inadequate separation of duties, that require substantial improvement in internal control or accounting procedures, or improved adherence to supervisory standards or requirements. The risk-management deficiencies warrant a high degree of supervisory attention because, unless properly addressed, they could seriously affect the safety and soundness of the institution.

Rating 5 (Unsatisfactory). A rating of 5 indicates a critical absence of effective risk management practices with respect to the identification, monitoring, or control over significant risk exposures. One or more of the four elements of sound risk management are considered wholly deficient, and management and the board have not demonstrated the capability to address these deficiencies.

Internal controls are critically weak and, as such, could seriously jeopardize the continued viability of the institution. If not already evident, there is an immediate concern as to the reliability of accounting records and regulatory reports and the potential for losses if corrective measures are not taken immediately. Deficiencies in the institution's risk-management procedures and internal controls require immediate and close supervisory attention.

4070.0.4.2.1 Risk-Management Subcomponents 4070.0.4.2.1.1 Board and Senior Management Oversight Rating 1 (Strong). An assessment of Strong signifies that the board and senior management are forward-looking, fully understand the types of risk inherent in the BHC's activities, and actively participate in managing those risks. The board has approved overall business strategies and significant policies, and ensures that senior management is fully capable of managing the activities that the BHC conducts. Consistent with the standards of safety and soundness, oversight of risk-management practices is strong and the organization's overall business strategy is effective.

Senior management ensures that risk management practices are rapidly adjusted in accordance with enhancements to industry practices and regulatory guidance, and exposure limits are adjusted as necessary to reflect the institution's changing risk profile. Policies, limits, and tracking reports are appropriate, understood, and regularly reviewed.

Management provides effective supervision of the day-to-day activities of all officers and employees, including the supervision of the senior officers and the heads of business lines. It hires staff that possess experience and expertise consistent with the scope and complexity of the organization's business activities. There is a sufficient depth of staff to ensure sound operations. Management ensures compliance with laws and regulations and that employees have the integrity, ethical values, and competence consistent with a prudent management philosophy and operating style.

Management responds appropriately to changes in the marketplace. It identifies all risks associated with new activities or products before they are launched and ensures that the appropriate infrastructure and internal controls are established.

Rating 2 (Satisfactory). An assessment of Satisfactory indicates that board and senior management have an adequate understanding of the organization's risk profile and provide largely effective oversight of risk-management practices. In this regard, the board has approved all major business strategies and significant policies and ensures that senior management is capable of managing the activities that the BHC conducts. Oversight of risk-management practices is satisfactory, and the organization's overall business strategy is generally sound.

Senior management generally adjusts risk management practices appropriately in accordance with enhancements to industry practices and regulatory guidance, and adjusts exposure limits as necessary to reflect the institution's changing risk profile, although these practices may be lacking in some modest degree. Policies, limits, and tracking reports are generally appropriate, understood, and regularly reviewed, and the new-product approval process adequately identifies the associated risks and necessary controls.

Senior management's day-to-day supervision of management and staff at all levels is generally effective. The level of staffing, and its experience, expertise, and depth, is sufficient to operate the business lines in a safe and sound manner. Minor weaknesses may exist in the staffing, infrastructure, and risk-management processes for individual business lines or products, but these weaknesses have been identified by management, are correctable in the normal course of business, and are in the process of being addressed. Weaknesses noted should not have a significant effect on the safety and soundness of the institution.

Rating 3 (Fair). An assessment of Fair signifies that board and senior management oversight is lacking in some important way and, therefore, is a cause for more-than-normal supervisory attention. The weaknesses may involve a

---

Attachment 4 July 29, 2014 Page 10

HOLDING COMPANY RATING SYSTEM

broad range of activities or be material to a major business line or activity. Weaknesses in one or more aspect of board and senior management oversight have precluded the institution from fully addressing one or more significant risks to the institution. The deficiencies may include a lack of knowledge with respect to the organization's risk profile, insufficient oversight of risk management practices, ineffective policies or limits, inadequate or under-utilized management reporting, an inability to respond to industry enhancements and changes in regulatory guidance, or a failure to execute appropriate business strategies. Staffing may not be adequate or staff may not possess the experience and expertise needed for the scope and complexity of the organization's business activities. The day-to-day supervision of officer and staff activities, including the management of senior officers or heads of business lines, may be lacking. Certain risk-management practices are in need of improvement to ensure that management and the board are able to identify, monitor, and control all significant risks to the institution.

Weaknesses noted could have adverse effects on the safety and soundness of the institution if corrective action is not taken by management.

Rating 4 (Marginal). An assessment of Marginal represents deficient oversight practices that reflect a lack of adequate guidance and supervision by management and the board. A number of significant risks to the institution have not been adequately addressed, and the board and senior management function warrants a high degree of supervisory attention. Multiple board and senior management weaknesses are in need of immediate improvement. They may include a significant lack of knowledge with respect to the organization's risk profile, largely insufficient oversight of risk-management practices, ineffective policies or limits, inadequate or considerably under-utilized management reporting, an inability to respond to industry enhancements and changes in regulatory guidance, or a failure to execute appropriate business strategies. Staffing may not be adequate or possess the experience and expertise needed for the scope and complexity of the organization's business activities, and the day-to-day supervision of officer and staff activities, including the management of senior officers or heads of business lines, may be considerably lacking. These conditions warrant a high degree of supervisory attention because, unless properly addressed, they could seriously affect the safety and soundness of the institution.

Rating 5 (Unsatisfactory). An assessment of Unsatisfactory indicates a critical absence of effective board and senior management oversight practices. Problems may include a severe lack of knowledge with respect to the organization's risk profile, insufficient oversight of risk management practices, wholly ineffective policies or limits, critically inadequate or underutilized management reporting, a complete inability to respond to industry enhancements and changes in regulatory guidance, or failure to execute appropriate business strategies. Staffing may be inadequate, inexpert, and/or inadequately supervised. The deficiencies require immediate and close supervisory attention, as management and the board have not demonstrated the capability to address them. Weaknesses could seriously jeopardize the continued viability of the institution.

4070.0.4.2.1.2 Policies, Procedures, and Limits Rating 1 (Strong). An assessment of Strong indicates that the policies, procedures, and limits provide for effective identification, measurement, monitoring, and control of the risks posed by all significant activities, including lending, investing, trading, trust, and fiduciary activities. Policies, procedures, and limits are consistent with the institution's goals and objectives and its overall financial strength. The policies clearly delineate accountability and lines of authority across the institution's activities. The policies also provide for the review of new activities to ensure that the infrastructure necessary to identify, monitor, and control the associated risks is in place before the activities are initiated.

Rating 2 (Satisfactory). An assessment of Satisfactory indicates that the policies, procedures, and limits cover all major business areas, are thorough and substantially up-to-date, and provide a clear delineation of accountability and lines of authority across the institution's activities. Policies, procedures, and limits are generally consistent with the institution's goals and objectives and its overall financial strength. Also, the policies provide for adequate due diligence before engaging in new activities or products. Any deficiencies or gaps that have been identified are minor in nature and in the process of being addressed. Weaknesses should not have a significant effect on the safety and soundness of the institution.

Rating 3 (Fair). An assessment of Fair signifies that deficiencies exist in policies, procedures, and limits that require more-than-normal supervisory attention. The deficiencies may involve a broad range of activities or be material to a major business line or activity. The deficiencies may include policies, procedures, or limits (or the lack thereof) that do not adequately identify, measure, monitor, or control the risks posed by significant activities; are not consistent with the experience of staff, the organization's strategic goals and objectives, or the financial strength of the institution; or do not clearly delineate accountability or lines of authority. Also, the policies may not provide for adequate due diligence

---

Attachment 4 July 29, 2014 Page 11

HOLDING COMPANY RATING SYSTEM

before engaging in new activities or products. Weaknesses noted could have adverse effects on the safety and soundness of the institution unless corrective action is taken by management.

Rating 4 (Marginal). An assessment of Marginal indicates deficient policies, procedures, and limits that do not address a number of significant risks to the institution. Multiple practices are in need of immediate improvement, which may include policies, procedures, or limits (or the lack thereof) that ineffectively identify, measure, monitor, or control the risks posed by significant activities; are not commensurate with the experience of staff, the institution's strategic goals and objectives, or the financial strength of the institution; or do not delineate accountability or lines of authority. Moreover, policies may be considerably lacking with regard to providing for effective due diligence before engaging in new activities or products. These conditions warrant a high degree of supervisory attention because, unless properly addressed, they could seriously affect the safety and soundness of the institution.

Rating 5 (Unsatisfactory). An assessment of Unsatisfactory indicates a critical absence of effective policies, procedures, and limits. Policies, procedures, or limits (or the lack thereof) are largely or entirely ineffective with regard to identifying, measuring, monitoring, or controlling the risks posed by significant activities; are completely inconsistent with the experience of staff, the organization's strategic goals and objectives, or the financial strength of the institution; or do not delineate accountability or lines of authority. Also, policies may be completely lacking with regard to providing for effective due diligence before engaging in new activities or products. Critical weaknesses could seriously jeopardize the continued viability of the institution and require immediate and close supervisory attention.

4070.0.4.2.1.3 Risk Monitoring and Management Information Systems Rating 1 (Strong). An assessment of Strong indicates that risk-monitoring practices and MIS reports address all material risks. Thekey assumptions, data sources, and procedures used in measuring and monitoring risk are appropriate, thoroughly documented, and frequently tested for reliability. Reports and other forms of communication are consistent with activities; are structured to monitor exposures and compliance with established limits, goals, or objectives; and compare actual versus expected performance when appropriate. Management and board reports are accurate and timely and contain sufficient information to identify adverse trends and to thoroughly evaluate the level of risk faced by the institution.

Rating 2 (Satisfactory). An assessment of Satisfactory indicates that risk-monitoring practices and MIS reports cover major risks and business areas, although they may be lacking in some modest degree. In general, the reports contain valid assumptions that are periodically tested for accuracy and reliability and are adequately documented and distributed to the appropriate decision makers. Reports and other forms of communication generally are consistent with activities; are structured to monitor exposures and compliance with established limits, goals, or objectives; and compare actual versus expected performance when appropriate. Management and board reports are generally accurate and timely, and broadly identify adverse trends and the level of risk faced by the institution. Any weaknesses or deficiencies that have been identified are in the process of being addressed.

Rating 3 (Fair). An assessment of Fair signifies that weaknesses exist in the institution's risk monitoring practices or MIS reports that require more-than-normal supervisory attention. The weaknesses may involve a broad range of activities or be material to a major business line or activity. The weaknesses may contribute to ineffective risk identification or monitoring through inappropriate assumptions, incorrect data, poor documentation, or the lack of timely testing. In addition, MIS reports may not be distributed to the appropriate decision makers, adequately monitor significant risks, or properly identify adverse trends and the level of risk faced by the institution. Weaknesses noted could have adverse effects on the safety and soundness of the institution if corrective action is not taken by management.

Rating 4 (Marginal). An assessment of Marginal represents deficient risk-monitoring practices or MIS reports that, unless properly addressed, could seriously affect the safety and soundness of the institution. A number of significant risks to the institution are not adequately monitored or reported. Ineffective risk identification may result from notably inappropriate assumptions, incorrect data, poor documentation, or the lack