Idaho Department of Finance Notice on CAMELS Rating System Update

C.L. “BUTCH” OTTER Governor GAVIN M. GEE Director TO: Idaho State-Chartered Credit Unions FROM: Gavin M. Gee, Director Idaho Department of Finance SUBJECT: Sensitivity to Market Risk or Interest Rate Risk DATE: June 10, 2016 The purpose of this letter is to notify you of an upcoming change in the manner in which the Idaho Department of Finance (Department) will assign ratings to Idaho state-chartered credit unions at examinations. Specifically, the Department will assess “Sensitivity to Market Risk” within its own component rating (“S”) rather than as a factor within the “Liquidity and Asset￾Liability Management” or “L” component rating. As a result, the ratings system acronym will change from CAMEL to CAMELS. The Federal Financial Institutions Examination Council (FFIEC) defines Sensitivity to Market Risk as the degree to which changes in interest rates, foreign exchange rates, commodity prices, or equity prices can adversely affect a financial institution’s earnings or economic capital. For most Idaho state-chartered credit unions, the analysis is centered on interest rate risk. This change will go into effect for all examinations commencing after October 1, 2016. In conjunction with this “S” component implementation, the “L” rating will be modified to reflect only liquidity factors. See Appendix A to this document for the definitions of CAMELS that will be used by the Department. The addition of the “S” rating to the Uniform Financial Institutions Rating System (UFIRS), also known as CAMEL, was approved by the FFIEC on December 9, 1996, with the revised UFIRS taking effect on January 1, 1997. At that time, the “S” rating was adopted by all Federal supervisory agencies that comprise the FFIEC with the exception of the NCUA. Department examiners have rated the “L” and “S” components individually since 1997 when examining banks and this approach has served both the banks and regulators well over this period. The Department believes the implementation of the distinct “S” rating is prudent at this time for Idaho state-chartered credit unions. The historically low-yield environment continues to encourage greater risk-taking across the financial system. On a national level, reduced net interest margins (NIMs) have led some financial institutions to “reach for yield” by increasing the holdings of longer-duration assets, or by engaging in other forms of increased risk-taking in order to maintain earnings. While duration extension may augment near-term earnings, it could significantly increase losses in the event of a sudden yield curve steepening or a large rise in interest rates. Specifically, rising interest rates may adversely impact an institution’s earnings, net worth, net economic value, and the market value of its liabilities. Changes in interest rates

Idaho State-Chartered Credit Unions June 10, 2016 Page 2 can also influence interest-sensitive income and expenses, such as investment income, loan income and share dividends, thereby also affecting earnings. This discussion has led to the determination that a separate and distinct “S” rating is needed in order to effectively capture and articulate the sensitivity to market risk of Idaho state-chartered credit unions. To date, at least ten other states have made the same decision to implement the “S” rating for credit union examinations, while the NCUA has indicated a desire to implement the “S” rating by year-end 2018. The Department will continue to use the same examination procedures for examining liquidity and interest rate risks. However, by adding the “S” component and using the CAMELS rating, we will provide better information to credit unions to clearly delineate our analysis between liquidity risk and interest rate risks. While the “S” rating will now be separately reported, supervisory expectations for the management of market risk remain unchanged. The ability of management to identify, measure, monitor, and control exposure to market risk should be commensurate with the credit union’s size, complexity, and risk profile. Evaluation of this component will be based on the degree to which interest rate risk exposure can affect the credit union’s earnings and capital, and the effectiveness of the credit union’s interest rate risk management system, given its particular situation. The separation of the “S” component does not imply a requirement to develop enhanced management systems where market risk is already appropriately identified, measured, monitored, and controlled. Please see Appendix B to this document for answers to frequently asked questions. If you have additional questions or concerns, or wish to discuss this matter, please contact our office.

Sincerely, /S/ Gavin M. Gee Gavin M. Gee Director of Finance cc: Idaho Credit Union League National Credit Union Administration American Share Insurance National Association of State Credit Union Supervisors This is an agency guidance document within the meaning of Idaho Code §67-5250(2) and does not have the force and effect of law. It is prepared for the benefit of regulated credit unions and is an agency interpretation of law for the benefit of regulated credit unions so that they will know the proper procedure to be followed.

Idaho State-Chartered Credit Unions June 10, 2016 Page 3 APPENDIX A The CAMELS rating system is based upon an evaluation of six critical elements of a credit union's operations: Capital Adequacy, Asset Quality, Management, Earnings, Liquidity and Sensitivity to Market Risk. CAMELS is designed to take into account and reflect all significant financial, operational, and management factors examiners assess in their evaluation of a credit union's performance and risk profile. Examiners rate credit unions based on their assessment of the individual credit union rather than against peer averages. Peer averages do not necessarily reflect credit unions are operated in a safe and sound manner. The CAMELS ratings should reflect the condition of the credit union regardless of peer performance. Examiners are expected to use their professional judgment and consider both qualitative and quantitative factors when analyzing a credit union's performance. Since numbers are often lagging indicators of a credit union's condition, the examiner must also conduct a qualitative analysis of current and projected operations when assigning CAMELS ratings. Part of the examiner’s qualitative analysis includes an assessment of the credit union’s risk management program. In Risk Focused Examinations (RFEs), examiners assess the amount and direction of risk exposure in seven categories: Credit, Interest Rate, Liquidity, Transaction, Compliance, Reputation, and Strategic (seven risk categories) and determine how the nature and extent of these risks affect one or more CAMELS components. Although the CAMELS composite rating should normally bear a close relationship to the component ratings, the examiner does not derive the composite rating solely by computing an arithmetic average of the component ratings. Examiners consider the interrelationships between CAMELS components when assigning the overall rating. Some of the evaluation factors are reiterated under one or more of the components to reinforce the interrelationships between components. The following two sections contain the component and composite ratings. CAMELS COMPOSITE RATINGS Rating 1 - Credit unions in this group are sound in every respect and generally have components rated 1 and 2. Any weaknesses are minor and can be handled in a routine manner by the board of directors and management. These credit unions are the most capable of withstanding unpredictable business conditions and are resistant to outside influences such as economic instability in their trade area. These credit unions are in substantial compliance with laws and regulations. As a result, they exhibit sound performance and risk management practices relative to the credit union’s size, complexity, and risk profile, and give no cause for supervisory concern. Rating 2 – Credit unions in this group are fundamentally sound. For a credit union to receive this rating, generally no component rating should be more severe than a 3. Only moderate weaknesses are present and are well within the board of directors’ and management’s capabilities and willingness to correct. These credit unions are stable and are capable of withstanding

Idaho State-Chartered Credit Unions June 10, 2016 Page 4 business fluctuations. These credit unions are in substantial compliance with laws and regulations. Overall risk management practices are satisfactory relative to the credit union’s size, complexity, and risk profile. There are no material supervisory concerns and, as a result, the supervisory response is informal and limited. Rating 3 - Credit unions in this group exhibit some degree of supervisory concern in one or more of the component areas. These credit unions exhibit a combination of weaknesses that may range from moderate to severe; however, the magnitude of the deficiencies generally will not cause a component to be rated more severely than 4. Management may lack the ability or willingness to effectively address weaknesses within appropriate time frames. Credit unions in this group generally are less capable of withstanding business fluctuations and are more vulnerable to outside influences than those rated a composite 1 or 2. Additionally, these credit unions may be in significant noncompliance with laws and regulations. Risk management practices may be less than satisfactory relative to the credit union’s size, complexity, and risk profile. These credit unions require more than normal supervision which may include enforcement actions. Failure appears unlikely, however, given overall strength and financial capacity of these credit unions. Rating 4 - Credit unions in this group generally exhibit unsafe and unsound practices or conditions. There are serious financial or managerial deficiencies that result in unsatisfactory performance. The problems range from severe to critically deficient. The weaknesses and problems are not being satisfactorily addressed or resolved by the board of directors and management. Credit unions in this group generally are not capable of withstanding business fluctuations. There may be significant noncompliance with laws and regulations. Risk management practices are generally unacceptable relative to the credit union’s size, complexity, and risk profile. Close supervisory attention is required, which means, in most cases, enforcement action is necessary to address the problems. Credit unions in the group pose a risk to the National Credit Union Share Insurance Fund (NCUSIF). Failure is a distinct possibility if the problems and weaknesses are not satisfactorily addressed and resolved. Rating 5 – Credit unions in this group exhibit extremely unsafe and unsound practices and conditions; exhibit a critically deficient performance; often contain inadequate risk management practices relative to the credit union’s size, complexity, and risk profile; and are of the greatest supervisory concern. The volume and severity of problems are beyond management's ability or willingness to control or correct. Immediate outside financial or other assistance is needed in order for the credit union to be viable. Ongoing supervisory attention is necessary. Credit unions in this group pose a significant risk to the NCUSIF and failure is highly probable.

Idaho State-Chartered Credit Unions June 10, 2016 Page 5 CAMELS COMPONENT RATINGS CAPITAL A credit union is expected to maintain capital commensurate with the nature and extent of risk to the institution and the ability of management to identify, measure, monitor, and control these risks. The effect of credit, market, and other risk on the credit union’s financial condition is considered when evaluating capital adequacy. The types and quantity of risk inherent in a credit union’s activities will determine the extent to which it may be necessary to maintain capital to properly reflect the potentially adverse consequences these risks may have on the institution’s capital. Regulatory capital requirements are minimum levels and separate and distinct from a credit union’s need to maintain capital commensurate with the level of risk inherent in operations. A credit union’s capital adequacy is based upon, but not limited to, an assessment of the following evaluation factors. The order of these factors does not signify a level of importance. • Capital level and quality of capital; • Overall financial condition; • The ability of management to address emerging needs for additional capital; • Compliance with risk-based net worth requirements; • Composition of capital; • Interest and dividend policies and practices; • Quality, type, liquidity, and diversification of assets, with particular reference to classified assets; • Loan and investment concentrations; • Balance sheet composition including the nature and amount of market risk, concentration risk, and risk associated with nontraditional activities; • Growth plans and past experience managing growth; • Volume and risk characteristics of new business initiatives; • Ability of management to control and monitor risk; • Earnings quality and composition; • Liquidity and sensitivity to market risk; • Extent of contingent liabilities and existence of pending litigation; • Field of membership; and • Economic environment. RATINGS A capital adequacy rating of 1 indicates sound capital relative to the credit union’s current and prospective risk profile. A rating of 2 indicates satisfactory capital relative to the credit union’s current and prospective risk profile.

Idaho State-Chartered Credit Unions June 10, 2016 Page 6 A capital adequacy rating of 3 reflects less than satisfactory capital that does not fully support the credit union’s current and prospective risk profile. The rating indicates a need for improvement. A capital adequacy rating of 4 indicates deficient capital. In light of the credit union’s current and prospective risk profile, viability of the credit union may be threatened. Financial support from outsiders may be required. A rating of 5 indicates critically deficient capital in light of the credit union’s current and prospective risk profile such that the credit union’s viability is threatened. Immediate assistance from external sources or financial support is required. ASSET QUALITY The asset quality rating reflects the quantity of existing and potential credit risk associated with the loan and investment portfolios, other real estate owned (OREO), and other assets, as well as off-balance sheet transactions. The ability of management to identify, measure, monitor, and control credit risk is also reflected here. The evaluation of asset quality should consider the adequacy of the allowance for loan and lease losses and weigh the exposure to counterparty issuer or borrower default under actual or implied contractual agreements. All other risks that may affect the value or marketability of a credit union’s assets, including but not limited to the seven risk categories, should be considered. A credit union’s asset quality is based upon, but not limited to, an assessment of the following evaluation factors. The order of these factors does not signify a level of importance. • The quality of loan underwriting, policies, procedures, and practices; • The internal controls and due diligence procedures in place to review new loan programs, high concentrations, and changes in underwriting procedures and practices of existing programs; • The level, distribution, and severity of classified assets; • The adequacy of the allowance for loan and lease losses and other asset valuation reserves; • The level and composition of nonaccrual and restructured assets; • The ability of management to properly administer its assets, including the timely identification and collection of problem assets; • The existence of significant growth trends indicating erosion or improvement in asset quality; • The existence of loan concentrations that present undue risk to the credit union; • The appropriateness of investment policies and practices; • The investment risk factors when compared to capital and earnings structure; and • The effect of fair (market) value of investments compared to book value of investments.

Idaho State-Chartered Credit Unions June 10, 2016 Page 7 RATINGS A rating of 1 indicates sound asset quality and credit administration practices. Identified weaknesses are minor in nature and risk exposure is modest in relation to capital adequacy and management’s abilities. Asset quality is of minimal supervisory concern. A rating of 2 indicates satisfactory asset quality and credit administration practices. The level and severity of classifications and other weaknesses warrant a limited level of supervisory attention. Risk exposure is commensurate with capital adequacy and management’s abilities. A rating of 3 is assigned when asset quality or credit administration practices are less than satisfactory. Trends may be stable or indicate deterioration in asset quality or an increase in risk exposure. The level and severity of classified assets, other weaknesses, and risk require an elevated level of supervisory concern. There is generally a need to improve credit administration and risk management practices. A rating of 4 is assigned to credit unions with deficient asset quality or credit administration practices. The levels of risk and problem assets are significant, inadequately controlled, and subject the credit union to potential losses that, if left unchecked, may threaten the credit union’s viability. A rating of 5 represents critically deficient asset quality or credit administration practices that present an imminent threat to the credit union’s viability. MANAGEMENT The capabilities of the board of directors and management, in their respective roles, to identify, measure, monitor, and control the risks of a credit union’s activities and to ensure a credit union’s safe, sound, and efficient operation in compliance with applicable laws and regulations is reflected in this rating. Generally, directors need not be actively involved in day-to-day operations; however, they provide clear guidance establishing acceptable risk exposure levels thru appropriate policies, procedures, and practices. Senior management is responsible for developing and implementing policies, procedures, and practices that translate the board’s goals, objectives, and risk limits into prudent operating standards. Management practices need to address the seven risk categories and other risks commensurate with the nature and scope of a credit union’s activities. Sound management practices are demonstrated by active oversight by the board of directors and management; competent personnel; adequate policies, processes, and controls taking into consideration the size and sophistication of the credit union; maintenance of an appropriate audit program and internal control environment; and effective risk monitoring and management information systems. This rating should reflect the board’s and management’s ability as it applies to all aspects of the credit union’s operations as well as other financial service activities in which the credit union is involved.

Idaho State-Chartered Credit Unions June 10, 2016 Page 8 The ability of management to respond to changing business conditions, or the initiation of new activities or products, is an important factor in evaluating a credit union’s overall risk profile and the level of supervisory attention warranted. For this reason, the management component is given special consideration when assigning the composite rating. The capability and performance of management and the board of directors is also rated based upon, but not limited to, an assessment of the following evaluation factors: CORPORATE GOVERNANCE The board of directors and management have a fiduciary responsibility to the members to maintain very high standards of professional conduct including but not limited to:

1. Appropriateness of compensation policies. Management compensation policies should be supported. The board needs to ensure performance standards are in place for senior management and an effective formal evaluation process is used and documented.
2. Avoidance of conflict of interest. Appropriate policies and procedures for avoidance of conflicts of interest and management of potential conflicts of interest should be in place.
3. Professional ethics and behavior. The board of directors and management should not use the credit union for unauthorized or inappropriate personal gain. Credit union property should not be used for anything other than authorized activities. Management should act ethically and impartially in carrying out appropriate credit union policies and procedures. STRATEGIC PLANNING Strategic planning involves a systematic process to develop a long-term vision for the credit union. The strategic plan incorporates all areas of a credit union's operations and sets broad goals enabling credit union management to make sound decisions. The strategic plan should identify risks and threats to the organization and outline methods to address them. As part of the strategic planning process, credit unions should develop a business plan for the next one or two years. The board of directors should review and approve the business plan, including a budget, in the context of its consistency with the credit union's strategic plan. The business plan is evaluated against the strategic plan to determine if the two are consistent. Examiners also assess how the plan is put into effect. The plans should be unique to and reflective of the individual credit union. Information systems and technology (IS&T) should be included as an integral part of the credit union’s strategic plan. Examiners assess the credit union’s risk analysis, policies, and oversight of this area based on the size and complexity of the credit union and the type and volume of e-

Idaho State-Chartered Credit Unions June 10, 2016 Page 9 commerce systems and services1 offered. Examiners consider the criticality of e-commerce systems and services in their assessment of the overall IS&T plan. INTERNAL CONTROLS Internal controls play a crucial role in controlling a credit union's risks. Effective internal controls provide safeguards against system malfunctions, errors in judgment, and fraud. Without proper internal controls, management will not be able to identify and track the credit union’s exposure to risk. Controls are also essential to enable management to ensure operating units are acting within the parameters established by the board of directors and senior management. The following seven aspects of internal controls deserve special attention:

1. Information Systems. It is crucial that effective controls are in place to ensure the integrity, security, and privacy of information contained on the credit union’s computer systems.
2. Segregation of Duties. The credit union should have adequate segregation of duties in every area of operation. Segregation of duties may be limited by the number of employees in smaller credit unions.
3. Audit Program. Audit functions and processes should be commensurate with the credit union’s size, sophistication, and risk. The program should be independent, reporting to the supervisory committee without conflict or interference from management. An annual audit plan is necessary to ensure risk areas are examined, and the areas of greatest risk receive priority. Reports should be issued to management for comment and action and forwarded to the board of directors with management's response. Follow-up of any unresolved issues is essential and should be covered in subsequent reports.
4. Record Keeping. The books of every credit union should be kept in accordance with well￾established accounting principles. A credit union's records and accounts should reflect its actual financial condition and accurate results of operations. Records should be current and provide an audit trail. The audit trail should include sufficient documentation to follow a transaction from its inception through to its completion. Subsidiary records should be kept in balance with general ledger control figures.
5. Protection of Physical Assets. A principal method of safeguarding assets is to limit access to authorized personnel. Protection of assets can be accomplished by developing operating policies and procedures for cash control, joint custody (dual control), teller operations, and physical security of the computer.
6. Education of Staff. Credit union staff and volunteers should be thoroughly trained in specific daily operations. A training program tailored to meet management needs should be in place 1 E-commerce services include those services a credit union provides, and member accesses, via electronic means including, but not limited to: Internet/World Wide Web services, wireless services, home banking (direct dial in) services, online bill paying services, and account transaction processing services.

Idaho State-Chartered Credit Unions June 10, 2016 Page 10 and cross-training programs for office staff should be present. Risk is controlled when the credit union is able to maintain continuity of operations and service to members. OTHER MANAGEMENT ISSUES Other key factors considered when assessing the management of a credit union follow. The order of these factors does not signify a level of importance. • Adequacy of the policies and procedures covering each area of the credit union’s operations (written, board approved, followed); • Budget performance compared against actual performance; • Effectiveness of systems that measure and monitor risk; • Risk-taking practices and methods of control to mitigate concerns; • Integration of risk management with planning and decision-making; • Responsiveness to examination and audit suggestions, recommendations, or requirements; • Compliance with laws and regulations; • Appropriateness of the products and services offered in relation to the credit union’s size and management experience; • Market penetration; • Rate structure; • Appropriateness of disaster preparedness planning for continuity of operations; and; • Succession planning for key management positions. RATINGS A rating of 1 indicates sound performance by management and the board of directors and sound risk management practices relative to the credit union’s size complexity, and risk profile. All significant risks are consistently and effectively identified, measured, monitored, and controlled. Management and the board have demonstrated the ability to promptly and successfully address existing and potential problems and risks. A rating of 2 indicates satisfactory management and board practices relative to the credit union’s size, complexity, and risk profile. In general, significant risks are effectively identified, measured, monitored, and controlled. Management and the board have demonstrated the ability to promptly and successfully address existing and potential problems and risks. Minor weaknesses may exist but are not material. A rating of 3 indicates management and board performance that needs improvement or risk management practices that are less than satisfactory given the nature of the credit union’s activities. Problems and significant risks may be inadequately identified, measured, monitored, and controlled. The capabilities of management or the board of directors may be insufficient for the type, size, or condition of the institution.

Idaho State-Chartered Credit Unions June 10, 2016 Page 11 A rating of 4 indicates deficient management and board performance or risk management practices that are inadequate considering the nature of a credit union’s activities. The level of problems and risk exposure is excessive. Problems and significant risks are inadequately identified, measured, monitored, or controlled and require immediate action by the board and management to preserve the soundness of the institution. Replacing or strengthening the board may be necessary. A rating of 5 indicates critically deficient management and board performance or risk management practices. Management and the board of directors have not demonstrated the ability to correct problems and implement appropriate risk management practices. Problems and significant risks are inadequately measured, monitored, or controlled and now threaten the continued viability of the institution. Replacing or strengthening management or the board of directors is necessary. EARNINGS This rating reflects the adequacy of current and future earnings to fund capital commensurate with the credit union’s current and prospective financial and operational risk exposure, potential changes in economic climate, and strategic plans. Earnings can be affected by excessive or inadequately managed credit risk that may result in loan losses and require additions to the allowance for loan and lease losses, or by market risk that may unduly expose a credit union’s earnings to volatility in interest rates. The quality of earnings may also be diminished by undue reliance on extraordinary gains or nonrecurring events. Future earnings may be adversely affected by an inability to forecast or control funding and operating expenses, improperly executed or ill-advised business strategies, or poorly managed or uncontrolled exposure to other risks. The rating of a credit union’s earnings is based upon, but not limited to, an assessment of the following evaluation factors. The order of these factors does not signify a level of importance. • Quality and sources of earnings; • Ability to fund capital commensurate with current and prospective risk through retained earnings; • Adequacy of valuation allowances; • Adequacy of budgeting systems, forecasting processes, and management information systems, in general; • Future earnings adequacy under a variety of economic conditions; • Quality and composition of assets; • Earnings exposure to market risk including interest rate risk; and • Material factors affecting the credit union's income producing ability such as fixed assets and other non-earning assets.

Idaho State-Chartered Credit Unions June 10, 2016 Page 12 RATINGS A rating of 1 indicates earnings that are sound. Adequate capital and allowance levels already exist after consideration is given to asset quality, growth, and risk factors. A rating of 2 indicates earnings that are satisfactory. Earnings are sufficient to reach adequate capital and allowance levels after consideration is given to asset quality, growth, and risk factors. A rating of 3 indicates earnings that need to be improved. Earnings may not fully support current and future capital and allowance funding commensurate with the credit union’s overall condition, growth, and risk factors. A rating of 4 indicates earnings that are deficient. Earnings are insufficient to support current and future capital and allowance funding commensurate with the credit union’s overall condition, growth, and risk factors. A rating of 5 indicates earnings that are critically deficient and represent a distinct threat to the credit union’s viability. Earnings do not support current and future capital and allowance funding commensurate with the credit overall condition, growth, and risk factors. LIQUIDITY In evaluating the adequacy of a financial institution's liquidity position, consideration should be given to the current level and prospective sources of liquidity compared to funding needs, as well as to the adequacy of funds management practices relative to the institution's size, complexity, and risk profile. In general, funds management practices should ensure that an institution is able to maintain a level of liquidity sufficient to meet its financial obligations in a timely manner and to fulfill the legitimate banking needs of its community. Practices should reflect the ability of the institution to manage unplanned changes in funding sources, as well as react to changes in market conditions that affect the ability to quickly liquidate assets with minimal loss. In addition, funds management practices should ensure that liquidity is not maintained at a high cost, or through undue reliance on funding sources that may not be available in times of financial stress or adverse changes in market conditions. Liquidity is rated based upon, but not limited to, an assessment of the following evaluation factors: • The adequacy of liquidity sources compared to present and future needs and the ability of the institution to meet liquidity needs without adversely affecting its operations or condition. • The availability of assets readily convertible to cash without undue loss. • Access to money markets and other sources of funding. • The level of diversification of funding sources, both on- and off-balance sheet. • The degree of reliance on short-term, volatile sources of funds, including borrowings and brokered deposits, to fund longer term assets.

Idaho State-Chartered Credit Unions June 10, 2016 Page 13 • The trend and stability of deposits. • The ability to securitize and sell certain pools of assets. • The capability of management to properly identify, measure, monitor, and control the institution's liquidity position, including the effectiveness of funds management strategies, liquidity policies, management information systems, and contingency funding plans. RATINGS A rating of 1 indicates strong liquidity levels and well-developed funds management practices. The credit union has reliable access to sufficient sources of funds on favorable terms to meet present and anticipated liquidity needs. A rating of 2 indicates satisfactory liquidity levels and funds management practices. The credit union has access to sufficient sources of funds on acceptable terms to meet present and anticipated liquidity needs. Modest weaknesses may be evident in funds management practices. A rating of 3 indicates liquidity levels or funds management practices in need of improvement. Credit unions rated 3 may lack ready access to funds on reasonable terms or may evidence significant weaknesses in funds management practices. A rating of 4 indicates deficient liquidity levels or inadequate funds management practices. Credit unions rated 4 may not have or be able to obtain a sufficient volume of funds on reasonable terms to meet liquidity needs. A rating of 5 indicates liquidity levels or funds management practices so critically deficient that the continued viability of the institution is threatened. Credit unions rated 5 require immediate external financial assistance to meet maturing obligations or other liquidity needs. SENSITIVITY TO MARKET RISK The sensitivity to market risk component reflects the degree to which changes in interest rates, foreign exchange rates, commodity prices, or equity prices can adversely affect a financial institution's earnings or economic capital. When evaluating this component, consideration should be given to: management's ability to identify, measure, monitor, and control market risk; the institution's size; the nature and complexity of its activities; and the adequacy of its capital and earnings in relation to its level of market risk exposure. For many institutions, the primary source of market risk arises from non-trading positions and their sensitivity to changes in interest rates. In some larger institutions, foreign operations can be a significant source of market risk. For some institutions, trading activities are a major source of market risk. Market risk is rated based upon, but not limited to, an assessment of the following evaluation factors:

Idaho State-Chartered Credit Unions June 10, 2016 Page 14 • The sensitivity of the financial institution's earnings or the economic value of its capital to adverse changes in interest rates, foreign exchange rates, commodity prices, or equity prices. • The ability of management to identify, measure, monitor, and control exposure to market risk given the institution's size, complexity, and risk profile. • The nature and complexity of interest rate risk exposure arising from non-trading positions. • Where appropriate, the nature and complexity of market risk exposure arising from trading and foreign operations. RATINGS A rating of 1 indicates that market risk sensitivity is well controlled and that there is minimal potential that the earnings performance or capital position will be adversely affected. Risk management practices are strong for the size, sophistication, and market risk accepted by the credit union. The level of earnings and capital provide substantial support for the degree of market risk taken by the institution. A rating of 2 indicates that market risk sensitivity is adequately controlled and that there is only moderate potential that the earnings performance or capital position will be adversely affected. Risk management practices are satisfactory for the size, sophistication, and market risk accepted by the credit union. The level of earnings and capital provide adequate support for the degree of market risk taken by the credit union. A rating of 3 indicates that control of market risk sensitivity needs improvement or that there is significant potential that the earnings performance or capital position will be adversely affected. Risk management practices need to be improved given the size, sophistication, and level of market risk accepted by the credit union. The level of earnings and capital may not adequately support the degree of market risk taken by the credit union. A rating of 4 indicates that control of market risk sensitivity is unacceptable or that there is high potential that the earnings performance or capital position will be adversely affected. Risk management practices are deficient for the size, sophistication, and level of market risk accepted by the credit union. The level of earnings and capital provide inadequate support for the degree of market risk taken by the credit union. A rating of 5 indicates that control of market risk sensitivity is unacceptable or that the level of market risk taken by the credit union is an imminent threat to its viability. Risk management practices are wholly inadequate for the size, sophistication, and level of market risk accepted by the credit union.

Idaho State-Chartered Credit Unions June 10, 2016 Page 15 APPENDIX B OFFICE OF THE COMPTROLLER OF THE CURRENCY OFFICE OF THRIFT SUPERVISION BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM FEDERAL DEPOSIT INSURANCE CORPORATION March 4, 1997 JOINT INTERAGENCY COMMON QUESTIONS AND ANSWERS ON THE REVISED UNIFORM FINANCIAL INSTITUTIONS RATING SYSTEM On March 4, 1997, the Task Force on Supervision of the Federal Financial Institutions Examination Council approved the issuance of common questions and answers about the recently revised Uniform Financial Institutions Rating System. The Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), the Federal Reserve Board (FRB), and the Federal Deposit Insurance Corporation (FDIC) collectively developed common responses to questions asked to date by bankers and examiners regarding the revised rating system. The responses were coordinated with the Conference of State Bank Supervisors. The purpose of the questions and answers is to provide additional interagency guidance and clarification regarding the revised rating system. On December 9, 1996, the Federal Financial Institutions Examination Council (FFIEC) adopted the revised Uniform Financial Institutions Rating System (UFIRS or CAMELS rating system). The UFIRS is an internal rating system used by the federal and state regulators for assessing the soundness of financial institutions on a uniform basis and for identifying those insured institutions requiring special supervisory attention. A final notice was published in the Federal Register on December 19, 1996 (61 FR67021), effective January 1, 1997. The major changes to UFIRS include an increased emphasis on the quality of risk management practices and the addition of a sixth component called "Sensitivity to Market Risk." The updated rating system also reformats and clarifies component rating descriptions and component rating definitions, revises composite rating definitions to parallel the other changes in the rating system, and highlights risks that may be considered in assigning component ratings. The attached questions and answers are being distributed to bankers and examiners to ensure consistent and uniform implementation of the revised rating system. COMMON QUESTIONS AND ANSWERS ON THE REVISED UNIFORM FINANCIAL INSTITUTIONS RATING SYSTEM

1. How will the new Sensitivity to Market Risk (S) component rating be determined?

Idaho State-Chartered Credit Unions June 10, 2016 Page 16 The rating assigned to the S component should reflect a combined assessment of both the level of market risk and the ability to manage market risk. Low market risk sensitivity alone may not be sufficient to achieve a favorable S rating. Indeed, institutions with low risk, but inadequate market risk management, may be subject to unfavorable S ratings. Conversely, institutions with moderate levels of market risk and the demonstrated ability to ensure that market risk is, and will remain, well controlled may receive favorable S component ratings. In assessing the level of market risk exposure and the risk management process in place to control it, examiners will rely on existing supervisory guidance issued by their respective agencies, including guidance issued on interest rate risk, investment, financial derivatives, and trading activities. 2. Will institutions be expected to have formal, sophisticated risk management processes in order to receive the favorable ratings for S? In line with the general thrust of the agencies' various guidance on market risk, the sophistication of an institution's risk management system is expected to be commensurate with the complexity of its holdings and activities and appropriate to its specific needs and circumstances. Institutions with relatively noncomplex holdings and activities, and whose senior managers are actively involved in the details of daily operations, may be able to rely on relatively basic and less formal risk management systems. If the procedures for managing and controlling market risks are adequate, communicated clearly, and well understood by all relevant parties, these basic processes may, when combined with low to moderate levels of exposure, be sufficient to receive a favorable rating for the S component. Organizations with more complex holdings, activities and business structures may require more elaborate and formal market risk management processes in order to receive ratings of 1 or 2 for the S component. 3. How much weight should be placed on the S component in determining the composite rating? The weight attributed to any individual component in determining the composite rating should vary depending on the degree of supervisory concern associated with the component. The composite rating does not assume a predetermined weight for each component and it does not represent an arithmetic average of assigned component ratings. As a result, for most institutions where market risk is not a significant issue, less weight should be placed on the S component in determining a composite rating than on other components. 4. How should the S rating be applied when evaluating small community banks or thrifts with limited asset/liability management processes? For most small community banks or thrifts, sensitivity to market risk will primarily reflect interest rate risk. Regardless of the size of an institution, the quality of risk management systems must be commensurate with the nature and complexity of its risk-taking activities,

Idaho State-Chartered Credit Unions June 10, 2016 Page 17 and management's ability to identify, measure, monitor and control the risk. Evaluation of this component will be based on the degree to which interest rate risk exposure can affect the institution's earnings and capital, and the effectiveness of the institution's asset/liability or interest rate risk management system, given its particular situation. 5. If the levels of market risk change between examinations, is it always necessary to change the rating assigned to the S component? The rating assigned to the S component should reflect a combined assessment of both the level of market risk and the ability to manage market risk. Accordingly, changes in either quantitative or qualitative aspects of market risk exposure or management may necessitate changes in the rating assigned to the S component. While changes in the level of market risk between examinations may in some circumstances necessitate a change in the rating assigned to the S component, this does not automatically imply a rating change. For example, an institution that accepts additional market risk between examinations, but maintains risk management processes and earnings and capital levels commensurate with the level of risk, need not have its S rating changed. 6. Does the increased emphasis on market risk management practices place new and burdensome requirements on institutions or examiners? The updated rating system incorporates examination considerations that were not explicitly noted in the prior rating system. Under the prior rating system, examiners considered market risk exposure and risk management practices when assigning component and composite ratings. Consequently, examiners are not required to perform any additional procedures, and institutions are not required to add to their management procedures or practices, solely because of the updated rating system. 7. Will the revised rating system, with the addition of the new Sensitivity to Market Risk (S) component and increased emphasis on the quality of risk management practices, result in a change in a bank's or thrift's composite rating? The revised rating system generally should not result in a change in the composite rating assigned to a particular bank or thrift simply because of the addition of the new component and the increased emphasis on risk management practices. The level of market risk has traditionally been taken into consideration when evaluating an institution's capital, earnings and liquidity. The quality of an institution's risk management practices has also traditionally been considered by examiners when assessing an institution's condition and assigning ratings, particularly in the Management component. 8. How much weight should be given to risk management practices versus the level of exposure, as measured by specific ratios, when assigning a component rating? The CAMELS rating system assesses an institution's overall condition based on both quantitative and qualitative elements. Quantitative data such as the level of classified assets

Idaho State-Chartered Credit Unions June 10, 2016 Page 18 remain an integral part of that measurement. Qualitative elements, such as the adequacy of board and senior management oversight, policies, risk management practices, and management information systems are also central to the evaluation of components. The relative importance given to the qualitative considerations for each component depends on the circumstances particular to the institution. Risk management systems should be appropriate for the nature and level of risks the institution assumes. However, unacceptable risk levels or an unsatisfactory financial condition will often outweigh other factors and result in an adverse component rating. 9. Why aren't peer data comparisons specifically mentioned in the revised rating system? May they still be used in assigning ratings? Peer data are an integral part of the evaluation process and, when available and relevant, may be used in assigning a rating. However, peer data should be used in conjunction with other pertinent evaluation factors and not relied upon in isolation when assigning a rating. 10. Agency guidelines require examiners to discuss with senior management and, when appropriate, with the board of directors the evaluation factors they considered in assigning component ratings and a composite rating. Are examiners limited to only those evaluation factors listed in the revised rating system and must each evaluation factor be addressed when assessing a component area? No. Examiners have the flexibility to consider any other evaluation factors that, in their judgment, relate to the component area under review. The evaluation factors listed under a component area are not intended to be all-inclusive, but rather a list of the more common factors considered under that component. Only those factors believed relevant to fully support the rating being assigned by the examiner need be addressed in the report and in discussions with senior management. 11. With multiple references to some items across several components, such as market risk and management's ability to identify, measure, monitor, and control risk, are we "double counting" these and other items when assigning a rating? Each component is interrelated with one or more other components. For example, the level of problem assets in an institution is a primary consideration in assigning an asset quality component rating. But it is also an item that affects the capital and earnings component ratings. The level of market risk and the quality of risk management practices are elements that also can affect several components. Examiners consider relevant factors and their interrelationship among components when assigning ratings. 12. To what extent should market risk be carved out of the earnings or capital evaluation? Should institutions with high market risk receive an adverse rating in the earnings or capital components as well as the market sensitivity component?

Idaho State-Chartered Credit Unions June 10, 2016 Page 19 Market risk is evaluated primarily under the new S component and is only one of several evaluation factors used to assess the earnings and capital components. Whether the institution's exposure to market risk results in an unfavorable rating for earnings or capital, however, is based on a careful analysis of the effect of this factor in relation to the other factors considered under these components. The capital component is evaluated based on the risk profile of an institution, including the effect of market risk, and whether the level of capital supports those risks. The earnings component evaluates the ability of earnings to support operations and maintain adequate capital after considering factors, such as market risk exposure, that affect the quantity, quality, and trend of earnings. The importance accorded to an evaluation factor should thus depend on the situation at the institution.