The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.
Federal Reserve System Docket No. OP-1207 Bank Holding Company Rating System AGENCY: Board of Governors of the Federal Reserve System. ACTION: Notice. SUMMARY: The Federal Reserve has revised its bank holding company (BHC) rating system to better reflect and communicate its supervisory priorities and practices. The revised BHC rating system emphasizes risk management; implements a comprehensive and adaptable framework for analyzing and rating financial factors; and provides a framework for assessing and rating the potential impact of the nondepository entities of a holding company on the subsidiary depository institution(s). DATES: The revised rating system will be applied to all BHC inspections beginning on or after January 1, 2005, as well as to inspections opened in 2004 and closed in 2005, at the discretion of the Reserve Bank. FOR FURTHER INFORMATION CONTACT: Deborah Bailey, Associate Director, (202-452-2634), Barbara Bouchard, Deputy Associate Director, (202-452-3072), Molly Mahar, Senior Supervisory Financial Analyst, (202-452-2568), or Anna Lee Hewko, Supervisory Financial Analyst, (202-530-6260). For users of Telecommunications Device for the Deaf (“TDD”) only, contact (202) 263-4869. SUPPLEMENTARY INFORMATION: Background On July 23, 2004, the Federal Reserve published a notice in the Federal Register (69 FR 43996) requesting comment on proposed revisions to the BHC rating system. The BHC rating system is an internal rating system used by the Federal Reserve as a management information and supervisory tool that defines the condition of all BHCs, including financial holding companies (FHCs), in a systematic way. First and foremost, a BHC’s rating provides a summary evaluation of the BHC’s condition for use by the supervisory community. Second, the BHC rating forms the basis of supervisory responses and actions. Third, the BHC rating provides the basis for supervisors’ discussion of the firm’s condition with BHC management. Fourth, the BHC rating determines whether the BHC is entitled to expedited applications processing and to certain regulatory exemptions. The former BHC rating system, implemented in 1979 and commonly referred to as the BOPEC rating system, focused on the financial condition of discrete legal entities, consolidated capital, and consolidated earnings. It also included composite financial 1 condition and management ratings. Since that time, a number of changes have occurred in the financial services industry, prompting a shift in supervisory policies and procedures away from historical analyses of financial condition, toward more forward looking assessments of risk management and financial factors. In order to address this shift, the Federal Reserve introduced a risk management rating for all bank holding companies in the mid-1990s. Although this adjustment proved an effective tool for assessing risk management, it was not the central focus of the rating system. Moreover, as the banking industry has continued to evolve over the past decade, the focus of the Federal Reserve’s examination program for bank holding companies has increasingly centered on a comprehensive review of financial risk and the adequacy of risk management. As a result, in order to more fully align the rating process for BHCs with current supervisory practices, the Federal Reserve is revising the BHC rating system to emphasize risk management; introduce a comprehensive and adaptable framework for analyzing and rating financial factors; and provide a framework for assessing and rating the potential impact of the nondepository entities of a holding company on the subsidiary depository institution(s). Summary of the Revised Rating System Each BHC is assigned a composite rating (C) based on an evaluation and rating of its managerial and financial condition and an assessment of future potential risk to its subsidiary depository institution(s). The main components of the rating system represent: Risk Management (R); Financial Condition (F); and potential Impact (I) of the parent company and nondepository subsidiaries (collectively nondepository entities) on the subsidiary depository institutions. While the Federal Reserve expects all bank holding companies to act as a source of strength to their subsidiary depository institutions, the Impact rating focuses on downside risk--that is, on the likelihood of significant negative impact by the nondepository entities on the subsidiary depository institution. A fourth component rating, Depository Institution (D), will generally mirror the primary regulator’s assessment of the subsidiary depository institutions. Thus, the primary component and composite ratings are displayed: R F I / C (D) In order to provide a consistent framework for assessing risk management, the R component is supported by four subcomponents that reflect the effectiveness of the banking organization’s risk management and controls. The subcomponents are: Board and Senior Management Oversight; Policies, Procedures, and Limits; Risk Monitoring and Management Information Systems; and Internal Controls. The F component is similarly supported by four subcomponents reflecting an assessment of the quality of the banking organization’s Capital; Asset Quality; Earnings; and Liquidity. A simplified version of the rating system that requires only the assignment of the risk management component rating and composite rating will be applied to noncomplex bank holding companies with assets at or below $1 billion. 2 Composite, component, and subcomponent ratings are assigned based on a 1 to 5 numeric scale. A 1 numeric rating indicates the highest rating, strongest performance and practices, and least degree of supervisory concern, whereas a 5 numeric rating indicates the lowest rating, weakest performance, and the highest degree of supervisory concern. The Federal Reserve recognizes the interrelationship between the risk management and financial performance components of the revised rating system, an interrelationship that is inherent in all supervisory rating systems. As such, examiners are expected to consider that a risk management factor may have a bearing on the assessment of a financial subcomponent or component rating and vice versa. In general, however, the risk management component and subcomponents should be viewed as the forwardlooking component of the rating system and the financial condition component and subcomponents should be viewed as the current component of the rating system. For example, a BHC’s ability to monitor and manage market risk (or sensitivity to market risk) should be evaluated together with the organization’s ability to monitor and manage all risks under the R component of the rating system. However, poor market risk management may also be reflected in the F component if it impacts earnings or capital. Comments Received and Changes Made The Federal Reserve received a total of 13 comments regarding the proposed revisions to the BHC rating system. The comments came from banking organizations, trade associations, several Reserve Banks and one law firm. Commenters generally supported changes to the rating system, stating that the move to a more forward-looking assessment of risk management systems and the condition of the consolidated organization is appropriate. Many commenters recommended that the rating scale for the subcomponents under the risk management rating be changed from a three point qualitative scale to a five point numeric rating scale in order to provide more granularity and consistency with the rest of the rating system. In response, the Federal Reserve has changed the rating scale for the risk management subcomponent ratings to a five point numeric rating scale. Several commenters raised concerns that the new rating system is signaling a move by the Federal Reserve to lessen its reliance on the work of primary bank regulators and other functional nonbank regulators in its supervision of BHCs. The revised BHC rating system was developed to align the BHC rating process with the Federal Reserve’s current supervisory practices in carrying out consolidated or umbrella supervision of BHCs. As such, the revised rating system and the accompanying implementation guidance is not intended to signal a shift in the Federal Reserve’s supervisory practices of coordinating with and relying to the greatest extent possible on the work of primary bank and other functional nonbank regulators. This intent is clearly stated in the final policy. Commenters also raised concerns about the ability of the Federal Reserve to apply the new rating system in a consistent manner due to the large number of subcomponent ratings in the new system and the inherent subjectivity in the rating process. As is the 3 case with all supervisory rating systems, there is some subjectivity inherent in the revised BHC rating system; however, the Federal Reserve has made and will continue to make every effort to provide appropriate examiner guidance and training around the revised BHC rating system to ensure that the system is applied in a consistent manner. In addition, the Federal Reserve notes that the subcomponents under the R rating are based on the same guidance that has been used to rate risk management since 1995 and are therefore familiar to examination staff. Examination staff also is very familiar with assigning capital, asset quality, earnings, and liquidity ratings, as these components are important elements of our existing rating systems. The Federal Reserve believes that the subcomponents will increase consistency and transparency in the rating process by providing a clearer basis for the component ratings. Commenters raised concerns about the possibility of one factor being weighted too heavily in the composite rating due to overlap between the component ratings and because the proposal stated that the composite rating may not be the numerical average of the component ratings. There is an interrelationship among the component ratings in the revised BHC rating system that is inherent in all supervisory rating systems. Federal Reserve examiners will consider that a risk management factor may have a bearing on the assessment of a financial subcomponent or component rating and vice versa, and weight that factor proportionately in the overall composite rating. Consistent with current rating practices for the BOPEC and CAMELS rating systems, some components may be given more weight than others in determining the composite rating, depending on the importance of that component in the overall condition of the BHC. In general, assignment of a composite rating may incorporate any factor that bears significantly on the overall condition and soundness of the BHC. Therefore, the composite rating is not derived by computing the arithmetic average of the component ratings. Nevertheless, the composite rating generally bears a close relationship to the component ratings assigned. Commenters also raised questions about whether the Federal Reserve intends to impose de facto capital requirements on nondepository subsidiaries, whether the language in the proposal around the use of market indicators is signaling more extensive use of these references in the rating process, and whether the Federal Reserve intends to run the BOPEC rating system in conjunction with the revised BHC rating system for some time period of time. The Federal Reserve has clarified in the final policy that, consistent with current practice, the revised BHC rating system assesses the consolidated capital adequacy of the organization and is not intended to impose de facto capital requirements on nondepository subsidiaries. In addition, the Federal Reserve has clarified and simplified the language around the use of market indicators in the revised rating system to indicate that, consistent with current practice, examination staff should use these indicators as a source of information complementary to the examination process. Finally, the Federal Reserve is implementing a quality assurance program around the new rating system during the first year of implementation that includes a mechanism to collect feedback from examination staff to address any significant implementation issues and to discuss difficult rating decisions to ensure consistent application of the revised rating system. 4 Disclosure The numeric ratings for bank holding companies under the revised BHC rating system will be disclosed to the bank holding company for its confidential use, in accordance with current disclosure practices. Under no circumstances should the bank holding company or any of its directors, officers, or employees disclose or make public any of the ratings. Implementation The revised BHC rating system becomes effective January 1, 2005, and is to be used for all BHC inspections commencing after that date. Inspections opened in 2004 and closed in 2005 may assign either the BOPEC rating or the RFI/C (D) rating. Although the timing of implementation is relatively close to the December release of the final rating system, supervision and examination staff at all twelve Reserve Banks and the Board of Governors have had and will continue to receive appropriate training in the revised rating system. Moreover, the revised rating system was developed and reviewed over a number of years with participation from a wide range of Federal Reserve System supervision and examination staff. Because the revised BHC rating system incorporates factors that have been routinely considered by examiners for years in evaluating a BHC’s condition, the revised rating system should not have a significant effect on the conduct of inspections or on the regulatory burden of supervised institutions. Text of the Bank Holding Company Rating System Bank Holding Company Rating System The bank holding company (BHC) rating system provides an assessment of certain risk management and financial condition factors that are common to all BHCs, as well as an assessment of the potential impact of the parent BHC and its nondepository subsidiaries (collectively nondepository entities) on the BHC’s subsidiary depository institutions. Under this system, the Federal Reserve endeavors to ensure that all BHCs, including financial holding companies (FHCs), are evaluated in a comprehensive and uniform manner, and that supervisory attention is appropriately focused on the BHCs that exhibit financial and operational weaknesses or adverse trends. The rating system serves as a useful vehicle for identifying problem or deteriorating BHCs, as well as for categorizing BHCs with deficiencies in particular areas. Further, the rating system assists the Federal Reserve in following safety and soundness trends and in assessing the aggregate strength and soundness of the financial industry. Each BHC1 is assigned a composite rating (C) based on an overall evaluation and rating of its managerial and financial condition and an assessment of future potential risk to its subsidiary depository institution(s). The main components of the rating system 1 A simplified version of the rating system that includes only the R and C components will be applied to noncomplex bank holding companies with assets at or below $1 billion. 5 represent: Risk Management2 (R); Financial Condition (F); and Impact (I) of the nondepository entities on the subsidiary depository institutions. While the Federal Reserve expects all bank holding companies to act as a source of strength to their subsidiary depository institutions, the Impact rating focuses on downside risk--that is, on the likelihood of significant negative impact by the nondepository entities on the subsidiary depository institution(s). A fourth rating, Depository Institution(s) (D), will generally mirror the primary regulator’s assessment of the subsidiary depository institution(s). Thus, the primary component and composite ratings are displayed: R F I / C (D) In order to provide a consistent framework for assessing risk management, the R component is supported by four subcomponents that reflect the effectiveness of the banking organization’s risk management and controls. The subcomponents are: Board and Senior Management Oversight; Policies, Procedures, and Limits; Risk Monitoring and Management Information Systems; and Internal Controls. The F component is also supported by four subcomponents reflecting an assessment of the quality of the consolidated banking organization’s Capital; Asset Quality; Earnings; and Liquidity. Composite, component, and subcomponent ratings are assigned based on a 1 to 5 numeric scale. A 1 numeric rating indicates the highest rating, strongest performance and practices, and least degree of supervisory concern, whereas a 5 numeric rating indicates the lowest rating, weakest performance, and the highest degree of supervisory concern. The following three sections contain detailed descriptions of the composite, component, and subcomponent ratings, implementation guidance by BHC type, and definitions of the ratings. I. Description of the Rating System Elements The Composite (C) Rating C is the overall composite assessment of the BHC as reflected by consolidated risk management, consolidated financial strength, and the potential impact of the nondepository entities on the subsidiary depository institutions. The composite rating encompasses both a forward-looking and static assessment of the consolidated organization, as well as an assessment of the relationship between the depository and nondepository entities. Consistent with current Federal Reserve practice, the C rating is not derived as a simple numeric average of the R, F, and I components; rather, it reflects examiner judgment with respect to the relative importance of each component to the safe and sound operation of the BHC. The Risk Management (R) Component R represents an evaluation of the ability of the BHC’s board of directors and senior management, as appropriate for their respective positions, to identify, measure, 2 This risk management rating replaces the risk management rating required for BHCs by SR 95-51. 6 monitor, and control risk. The R rating underscores the importance of the control environment, taking into consideration the complexity of the organization and the risk inherent in its activities. The R rating is supported by four subcomponents that are each assigned a separate rating. The four subcomponents are as follows: 1) Board and Senior Management Oversight; 2) Policies, Procedures and Limits; 3) Risk Monitoring and Management Information Systems; and 4) Internal Controls.3 The subcomponents are evaluated in the context of the risks undertaken by and inherent in a banking organization and the overall level of complexity of the firm’s operations. They provide the Federal Reserve System with a consistent framework for evaluating risk management and the control environment. Moreover, the subcomponents provide a clear structure and basis for discussion of the R rating with BHC management, reflect the principles of SR Letter 95-51, are familiar to examiners, and parallel the existing risk assessment process. Risk Management Subcomponents4 Board and Senior Management Oversight5 This subcomponent evaluates the adequacy and effectiveness of board and senior management’s understanding and management of risk inherent in the BHC’s activities, as well as the general capabilities of management. It also includes consideration of management’s ability to identify, understand, and control the risks undertaken by the institution, to hire competent staff, and to respond to changes in the institution’s risk profile or innovations in the banking sector. Policies, Procedures and Limits This subcomponent evaluates the adequacy of a BHC’s policies, procedures, and limits given the risks inherent in the activities of the consolidated BHC and the organization’s stated goals and objectives. This analysis will include consideration of the adequacy of the institution’s accounting and risk disclosure policies and procedures. Risk Monitoring and Management Information Systems This subcomponent assesses the adequacy of a BHC’s risk measurement and monitoring, and the adequacy of its management reports and information systems. This analysis will include a review of the assumptions, data, and procedures used to measure risk and the consistency of these tools with the level of complexity of the organization’s activities. 3 Another subcomponent assessing the adequacy of disclosures relating to risk exposures, risk assessment, and capital adequacy for BHCs using the advanced internal ratings based approach to risk-based capital may be added once the Basel II framework has been implemented in the United States. The Federal Reserve does not intend to adopt such a disclosure rating without going out for public comment. 4 SR Letter 95-51 contains a detailed description of the four risk management subcomponents. 5 The Board of Directors is considered separate from Management. 7 Internal Controls This subcomponent evaluates the adequacy of a BHC’s internal controls and internal audit procedures, including the accuracy of financial reporting and disclosure and the strength and influence, within the organization, of the internal audit team. This analysis will also include a review of the independence of control areas from management and the consistency of the scope coverage of the internal audit team with the complexity of the organization. The Financial Condition (F) Component F represents an evaluation of the consolidated organization’s financial strength. The F rating focuses on the ability of the BHC’s resources to support the level of risk associated with its activities. The F rating is supported by four subcomponents: capital (C), asset quality (A), earnings (E), and liquidity (L). The CAEL subcomponents can be evaluated along individual business lines, product lines, or on a legal entity basis, depending on what is most appropriate given the structure of the organization. The assessment of the CAEL components should utilize benchmarks and metrics appropriate to the business activity being evaluated. Consistent with current supervisory practices, examination staff should continue to review relevant market indicators, such as external debt ratings, credit spreads, debt and equity prices, and qualitative rating agency assessments as a source of information complementary to examination findings. Financial Condition Subcomponents (CAEL) Capital Adequacy C reflects the adequacy of an organization’s consolidated capital position, from a regulatory capital perspective and an economic capital perspective, as appropriate to the BHC.6 The evaluation of capital adequacy should consider the risk inherent in an organization’s activities and the ability of capital to absorb unanticipated losses, to provide a base for growth, and to support the level and composition of the parent company and subsidiaries’ debt. Asset Quality A reflects the quality of an organization’s consolidated assets. The evaluation should include, as appropriate, both on-balance sheet and off-balance sheet exposures, and the level of criticized and nonperforming assets. Forward-looking indicators of asset quality, such as the adequacy of underwriting standards, the level of concentration risk, the adequacy of credit administration policies and procedures, and the adequacy of management information systems for credit risk may also inform the Federal Reserve’s view of asset quality. 6 Of course, the regulatory minimum capital ratios for BHCs are eight percent total risk-based capital, four percent tier 1 risk-based capital, three percent tier 1 leverage for BHCs rated strong, and four percent tier 1 leverage for all other BHCs. See 12 CFR 225, Appendices A and D. 8 Earnings E reflects the quality of consolidated earnings. The evaluation considers the level, trend, and sources of earnings, as well as the ability of earnings to augment capital as necessary, to provide ongoing support for a BHC’s activities. Liquidity L reflects the consolidated organization’s ability to attract and maintain the sources of funds necessary to support its operations and meet its obligations. The funding conditions for each of the material legal entities in the holding company structure should be evaluated to determine if any weaknesses exist that could affect the funding profile of the consolidated organization. The Impact (I) Component Like the other components and subcomponents, the I component is rated on a five point numerical scale. However, the descriptive definitions of the numerical ratings for I are different than those of the other components and subcomponents. The I ratings are defined as follows: 1 – low likelihood of significant negative impact; 2 – limited likelihood of significant negative impact; 3 – moderate likelihood of significant negative impact; 4 – considerable likelihood of significant negative impact; and 5 – high likelihood of significant negative impact. The I component is an assessment of the potential impact of the nondepository entities on the subsidiary depository institution(s). The I assessment will evaluate both the risk management practices and financial condition of the nondepository entities--an analysis that will borrow heavily from the analysis conducted for the R and F components. Consistent with current practices, nondepository entities will be evaluated using benchmarks and analysis appropriate for those businesses. In addition, for functionally regulated nondepository subsidiaries, examination staff will continue to rely, to the extent possible, on the work of those functional regulators to assess the risk management practices and financial condition of those entities. In rating the I component, examination staff is required to evaluate the degree to which current or potential issues within the nondepository entities present a threat to the safety and soundness of the subsidiary depository institution(s). In this regard, the I component will give a clearer indication of the degree of risk posed by the nondepository entities to the federal safety net than does the current rating system. The I component focuses on the aggregate impact of the nondepository entities on the subsidiary depository institution(s). In this regard, the I rating does not include individual subcomponent ratings for the parent company and nondepository subsidiaries. An I rating is always assigned for each BHC; however, as is currently the case, nonmaterial nondepository subsidiaries7 may be excluded from the I analysis at examiner discretion. Any risk management and financial issues at the nondepository entities that potentially 7 As a general rule, nondepository subsidiaries should be included in the I analysis whenever their assets exceed five percent of the BHC’s consolidated capital or $10 million, whichever is lower. 9 impact the safety and soundness of the subsidiary depository institution(s) should be identified in the written comments under the I rating. This approach is consistent with the Federal Reserve’s objective not to extend bank-like supervision to nondepository entities. The analysis of the parent company for the purpose of assigning an I rating should emphasize weaknesses that could directly impact the risk management or financial condition of the subsidiary depository institution(s). Similarly, the analysis of the nondepository subsidiaries for the purpose of assigning an I rating should emphasize weaknesses that could negatively impact the parent company’s relationship with its subsidiary depository institution(s) and weaknesses that could have a direct impact on the risk management practices or financial condition of the subsidiary depository institution(s). The analysis under the I component should consider existing as well as potential issues and risks that may impact the subsidiary depository institution(s) now or in the future. Particular attention should be paid to the following risk management and financial factors in assigning the I rating: Risk Management Factors • Strategic Considerations: The potential risks posed to the subsidiary depository institution(s) by the nondepository entities’ strategic plans for growth in existing activities and expansion into new products and services; • Operational Considerations: The spillover impact on the subsidiary depository institution(s) from actual losses, a poor control environment, or an operational loss history in the nondepository entities; • Legal and Reputational Considerations: The spillover effect on the subsidiary depository institution(s) of complaints and litigation that name one or more of the nondepository entities as defendants, or violations of laws or regulations, especially pertaining to intercompany transactions where the subsidiary depository institution(s) is involved; and • Concentration Considerations: The potential risks posed to the subsidiary depository institution(s) by concentrations within the nondepository entities in business lines, geographic areas, industries, customers, or other factors. Financial Factors • Capital Distribution: The distribution and transferability of capital across the legal entities; • Intra-Group Exposures: The extent to which intra-group exposures, including servicing agreements, have the potential to undermine the condition of subsidiary depository institution(s); and, • Parent Company Cash Flow and Leverage: The extent to which the parent company is dependent on dividend payments, from both the nondepository subsidiaries and the subsidiary depository institution(s), to service debt and cover fixed charges. Also, the effect that these upstreamed cash flows have had, or can be expected to have, on the financial condition of the BHC’s nondepository subsidiaries and subsidiary depository institution(s). 10 The Depository Institutions (D) Component The (D) component will generally reflect the composite CAMELS rating assigned by the subsidiary depository institution’s primary supervisor. In a multi-bank BHC, the (D) rating will reflect a weighted average of the CAMELS composite ratings of the individual subsidiary depository institutions, weighted by both asset size and the relative importance of each depository institution within the holding company structure. In this regard, the CAMELS composite rating for a subsidiary depository institution that dominates the corporate culture may figure more prominently in the assignment of the (D) rating than would be dictated by asset size, particularly when problems exist within that depository institution. The (D) component conveys important supervisory information, reflecting the primary supervisor’s assessment of the legal entity. The (D) component stands outside of the composite rating although significant risk management and financial condition considerations at the depository institution level are incorporated in the consolidated R and F ratings, which are then factored into the C rating. Consistent with current practice, if, in the process of analyzing the financial condition and risk management programs of the consolidated organization, a major difference of opinion regarding the safety and soundness of the subsidiary depository institution(s) emerges between the Federal Reserve and the depository institution’s primary regulator, then the (D) rating should reflect the Federal Reserve’s evaluation. To highlight the presence of one or more problem depository institution(s) in a multi-bank BHC whose depository institution component, based on weighted averages, might not otherwise reveal their presence (i.e., depository institution ratings of 1, 2 or 3), a problem modifier, “P” would be attached to the depository institution rating (e.g., 1P, 2P, or 3P). Thus, 2P would indicated that, while on balance the depository subsidiaries are rated satisfactory, there exists a problem depository institution (composite 4 or 5) among the subsidiary depository institutions. The problem identifier is unnecessary when the depository institution component is rated 4 or 5. II. Implementation of the BHC Rating System by Bank Holding Company Type The Federal Reserve revised the BHC rating system to align the rating system with current Federal Reserve supervisory practices. The rating system will require analysis and support similar to that required by the former BOPEC rating system for BHCs of all sizes.8 As such, the level of analysis and support will vary based upon whether a BHC has been determined to be “complex” or “noncomplex.”9 In addition, 8 As described in the BHC inspection manual, SR 95-51, SR 97-24, SR 99-15, and SR 02-01. The determination of whether a holding company is "complex" versus "noncomplex" is made at least annually on a case-by-case basis taking into account and weighing a number of considerations, such as: the size and structure of the holding company; the extent of intercompany transactions between depository institution subsidiaries and the holding company or nondepository subsidiaries of the holding company; the nature and scale of any nondepository activities, including whether the activities are subject to review by another regulator and the extent to which the holding company is conducting Gramm-Leach-Bliley 9 11 the resources dedicated to the inspection of each BHC will continue to be determined by the risk posed by the subsidiary depository institution(s) to the federal safety net10 and the risk posed by the BHC to the subsidiary depository institution(s). Noncomplex BHCs with Assets of $1 Billion or Less (Shell Holding Companies) Rating: R and C Consistent with SR 02-1, examination staff will assign only an R and C rating for all companies in the shell BHC program (noncomplex BHCs with assets under $1 billion). The R rating is the M rating from the subsidiary depository institution’s CAMELS rating. To provide consistent rating terminology across BHCs of all sizes, the terminology is changed to R from the former M. The C rating is the subsidiary depository institution’s composite CAMELS rating. Noncomplex BHCs with Assets Greater than $1 Billion One-Bank Holding Company Rating: RFI/C (D) For all noncomplex, one-bank holding companies with assets of greater than $1 billion, examination staff will assign all component and subcomponent ratings; however, examination staff should continue to rely heavily on information and analysis contained in the primary regulator’s report of examination for the subsidiary depository institution to assign the R and F ratings. If examination staff have reviewed the primary regulator’s examination report and are comfortable with the analysis and conclusions contained in that report, then the BHC ratings should be supported with concise language that indicates that the conclusions are based on the analysis of the primary regulator. No additional analysis will be required. Please note, however, in cases where the analysis and conclusions of the primary regulator are insufficient to assign the ratings, the primary regulator should be contacted to ascertain whether additional analysis and support may be available. Further, if discussions with the primary regulator do not provide sufficient information to assign the ratings, discussions with BHC management may be warranted to obtain adequate information to assign the ratings. In most cases, additional information or support obtained through these steps will be sufficient to permit the assignment of the R and F ratings. To the extent that additional analysis is deemed necessary, the level of analysis and resources spent on this assessment should be in line with the level of risk the subsidiary depository institution poses to the federal safety net. In addition, any activities that involve information gathering with respect to the subsidiary depository institution should be coordinated with and, if possible, conducted by, the primary regulator of that institution. authorized activities (e.g., insurance, securities, merchant banking); whether risk management processes for the holding company are consolidated; and whether the holding company has material debt outstanding to the public. Size is a less important determinant of complexity than many of the factors noted above, but generally companies of significant size (e.g., assets of $10 billion on balance sheet or managed) would be considered complex, irrespective of the other considerations. 10 The federal safety net includes the federal deposit insurance fund, the payments system, and the Federal Reserve’s discount window. 12 Examination staff are required to make an independent assessment in order to assign the I rating, which provides an evaluation of the impact of the BHC on the subsidiary depository institution. Analysis for the I rating in non-complex one-bank holding companies should place particular emphasis on issues related to parent company cash flow and compliance with sections 23A and 23B of the Federal Reserve Act. Multi-Bank Holding Company Rating: RFI/C (D) For all noncomplex BHCs with assets of greater than $1 billion and more than one subsidiary depository institution, examination staff will assign all component and subcomponent ratings of the new system. Examiners should rely, to the extent possible, on the work conducted by the primary regulators of the subsidiary depository institutions to assign the R and F ratings. However, any risk management or other important functions conducted by the nondepository entities of the BHC, or conducted across legal entity lines, should be subject to review by Federal Reserve examination staff. These reviews should be conducted in coordination with the primary regulator(s). The assessment for the I rating requires an independent assessment by Federal Reserve examination staff. Complex BHCs Rating: RFI/C (D) For complex BHCs, examination staff will assign all component and subcomponent ratings of the new rating system. The ratings analysis should be based on the primary and functional regulators’ assessment of the subsidiary entities, as well as on the examiners’ assessment of the consolidated organization as determined through offsite review and the BHC inspection process, as appropriate. The resources needed for the inspection and the level of support needed for developing a full rating will depend on the complexity of the organization, including structure and activities (see footnote 7), and should be commensurate with the level of risk posed by the subsidiary depository institution(s) to the federal safety net and the level of risk posed by the BHC to the subsidiary depository institution(s). Nontraditional BHCs Rating: RFI/C (D) Examination staff are required to assign the full rating system for nontraditional BHCs. Nontraditional BHCs include BHCs in which most or all nondepository entities are regulated by a functional regulator and in which the subsidiary depository institution(s) are small in relation to the nondepository entities. The rating system is not intended to introduce significant additional work in the rating process for these organizations. As discussed above, the level of analysis conducted and resources needed to inspect the BHC and to assign the consolidated R and F ratings should be commensurate with the level of risk posed by the subsidiary depository institution(s) to the federal safety net and the level of risk posed by the BHC to the subsidiary depository institution(s). The report of examination by, and other information obtained from, the functional and primary bank regulators should provide the basis for the consolidated R 13 and F ratings. On-site work, to the extent it involves areas that are the primary responsibility of the functional or primary bank regulator, should be coordinated with and, if possible, conducted by, those regulators. Examination staff should concentrate their independent analysis for the R and F ratings around activities and risk management conducted by the parent company and non-functionally regulated nondepository subsidiaries, as well as around activities and risk management functions that are related to the subsidiary depository institution(s), for example, audit functions for the depository institution(s) and compliance with sections 23A and 23B. Examination staff are required to make an independent assessment of the impact of the nondepository entities on the subsidiary depository institution(s) in order to assign the I rating. III. Rating Definitions for the RFI/C (D) Rating System All component and subcomponent ratings are rated on a five point numeric scale. With the exception of the I component, ratings will be assigned in ascending order of supervisory concern as follows: 1 – Strong; 2 – Satisfactory; 3 – Fair; 4 – Marginal; and 5 – Unsatisfactory. A description of the I component ratings is in the I section below. As is current Federal Reserve practice, the component ratings are not derived as a simple numeric average of the subcomponent ratings; rather, weight afforded to each subcomponent in the overall component rating will depend on the severity of the condition of that subcomponent and the relative importance of that subcomponent to the consolidated organization. Similarly, some components may be given more weight than others in determining the composite rating, depending on the situation of the BHC. Assignment of a composite rating may incorporate any factor that bears significantly on the overall condition and soundness of the BHC, although generally the composite rating bears a close relationship to the component ratings assigned. Composite Rating Rating 1 (Strong). BHCs in this group are sound in almost every respect; any negative findings are basically of a minor nature and can be handled in a routine manner. Risk management practices and financial condition provide resistance to external economic and financial disturbances. Cash flow is more than adequate to service debt and other fixed obligations, and the nondepository entities pose little risk to the subsidiary depository institution(s). Rating 2 (Satisfactory). BHCs in this group are fundamentally sound but may have modest weaknesses in risk management practices or financial condition. The weaknesses could develop into conditions of greater concern but are believed correctable in the normal course of business. As such, the supervisory response is limited. Cash flow is adequate to service obligations, and the nondepository entities are unlikely to have a significant negative impact on the subsidiary depository institution(s). 14 Rating 3 (Fair). BHCs in this group exhibit a combination of weaknesses in risk management practices and financial condition that range from fair to moderately severe. These companies are less resistant to the onset of adverse business conditions and would likely deteriorate if concerted action is not effective in correcting the areas of weakness. Consequently, these companies are vulnerable and require more than normal supervisory attention and financial surveillance. However, the risk management and financial capacity of the company, including the potential negative impact of the nondepository entities on the subsidiary depository institution(s), pose only a remote threat to its continued viability. Rating 4 (Marginal). BHCs in this group have an immoderate volume of risk management and financial weaknesses, which may pose a heightened risk of significant negative impact on the subsidiary depository institution(s). The holding company’s cash flow needs may be being met only by upstreaming imprudent dividends and/or fees from its subsidiaries. Unless prompt action is taken to correct these conditions, the organization’s future viability could be impaired. These companies require close supervisory attention and substantially increased financial surveillance. Rating 5 (Unsatisfactory). The critical volume and character of the risk management and financial weaknesses of BHCs in this category, and concerns about the nondepository entities negatively impacting the subsidiary depository institution(s), could lead to insolvency without urgent aid from shareholders or other sources. The imminent inability to prevent liquidity and/or capital depletion places the BHC’s continued viability in serious doubt. These companies require immediate corrective action and constant supervisory attention. Risk Management Component Rating 1 (Strong). A rating of 1 indicates that management effectively identifies and controls all major types of risk posed by the BHC’s activities. Management is fully prepared to address risks emanating from new products and changing market conditions. The board and management are forward-looking and active participants in managing risk. Management ensures that appropriate policies and limits exist and are understood, reviewed, and approved by the board. Policies and limits are supported by risk monitoring procedures, reports, and management information systems that provide management and the board with the information and analysis that is necessary to make timely and appropriate decisions in response to changing conditions. Risk management practices and the organization’s infrastructure are flexible and highly responsive to changing industry practices and current regulatory guidance. Staff has sufficient experience, expertise and depth to manage the risks assumed by the institution. Internal controls and audit procedures are sufficiently comprehensive and appropriate to the size and activities of the institution. There are few noted exceptions to the institution's established policies and procedures, and none is material. Management effectively and accurately monitors the condition of the institution consistent with the standards of safety and soundness, and in accordance with internal and supervisory 15 policies and practices. Risk management processes are fully effective in identifying, monitoring, and controlling the risks to the institution. Rating 2 (Satisfactory). A rating of 2 indicates that the institution's management of risk is largely effective, but lacking in some modest degree. Management demonstrates a responsiveness and ability to cope successfully with existing and foreseeable risks that may arise in carrying out the institution's business plan. While the institution may have some minor risk management weaknesses, these problems have been recognized and are in the process of being resolved. Overall, board and senior management oversight, policies and limits, risk monitoring procedures, reports, and management information systems are considered satisfactory and effective in maintaining a safe and sound institution. Risks are controlled in a manner that does not require more than normal supervisory attention. The BHC’s risk management practices and infrastructure are satisfactory and generally are adjusted appropriately in response to changing industry practices and current regulatory guidance. Staff experience, expertise and depth are generally appropriate to manage the risks assumed by the institution. Internal controls may display modest weaknesses or deficiencies, but they are correctable in the normal course of business. The examiner may have recommendations for improvement, but the weaknesses noted should not have a significant effect on the safety and soundness of the institution. Rating 3 (Fair). A rating of 3 signifies that risk management practices are lacking in some important ways and, therefore, are a cause for more than normal supervisory attention. One or more of the four elements of sound risk management11 (active board and senior management oversight; adequate policies, procedures, and limits; adequate risk management monitoring and management information systems; comprehensive internal controls) is considered less than acceptable, and has precluded the institution from fully addressing one or more significant risks to its operations. Certain risk management practices are in need of improvement to ensure that management and the board are able to identify, monitor, and control all significant risks to the institution. Also, the risk management structure may need to be improved in areas of significant business activity, or staff expertise may not be commensurate with the scope and complexity of business activities. In addition, management’s response to changing industry practices and regulatory guidance may need to improve. The internal control system may be lacking in some important aspects, particularly as indicated by continued control exceptions or by a failure to adhere to written policies and procedures. The risk management weaknesses could have adverse 11 Framework for Risk-Focused Supervision of Large Complex Institutions, August 1997; SR Letter 95-51, Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies. 16 effects on the safety and soundness of the institution if corrective action is not taken by management. Rating 4 (Marginal). A rating of 4 represents deficient risk management practices that fail to identify, monitor, and control significant risk exposures in many material respects. Generally, such a situation reflects a lack of adequate guidance and supervision by management and the board. One or more of the four elements of sound risk management is deficient and requires immediate and concerted corrective action by the board and management. The institution may have serious identified weaknesses, such as an inadequate separation of duties, that require substantial improvement in internal control or accounting procedures, or improved adherence to supervisory standards or requirements. The risk management deficiencies warrant a high degree of supervisory attention because, unless properly addressed, they could seriously affect the safety and soundness of the institution. Rating 5 (Unsatisfactory). A rating of 5 indicates a critical absence of effective risk management practices with respect to the identification, monitoring, or control over significant risk exposures. One or more of the four elements of sound risk management is considered wholly deficient, and management and the board have not demonstrated the capability to address these deficiencies. Internal controls are critically weak and, as such, could seriously jeopardize the continued viability of the institution. If not already evident, there is an immediate concern as to the reliability of accounting records and regulatory reports and the potential for losses if corrective measures are not taken immediately. Deficiencies in the institution's risk management procedures and internal controls require immediate and close supervisory attention. Risk Management Subcomponents Board and Senior Management Oversight Rating 1 (Strong). An assessment of Strong signifies that the board and senior management are forward-looking, fully understand the types of risk inherent in the BHC’s activities, and actively participate in managing those risks. The board has approved overall business strategies and significant policies, and ensures that senior management is fully capable of managing the activities that the BHC conducts. Consistent with the standards of safety and soundness, oversight of risk management practices is strong and the organization’s overall business strategy is effective. Senior management ensures that risk management practices are rapidly adjusted in accordance with enhancements to industry practices and regulatory guidance, and exposure limits are adjusted as necessary to reflect the institution’s changing risk profile. Policies, limits, and tracking reports are appropriate, understood, and regularly reviewed. 17 Management provides effective supervision of the day-to-day activities of all officers and employees, including the supervision of the senior officers and the heads of business lines. It hires staff that possess experience and expertise consistent with the scope and complexity of the organization’s business activities. There is a sufficient depth of staff to ensure sound operations. Management ensures compliance with laws and regulations and that employees have the integrity, ethical values, and competence consistent with a prudent management philosophy and operating style. Management responds appropriately to changes in the marketplace. It identifies all risks associated with new activities or products before they are launched, and ensures that the appropriate infrastructure and internal controls are established. Rating 2 (Satisfactory). An assessment of Satisfactory indicates that board and senior management have an adequate understanding of the organization’s risk profile and provide largely effective oversight of risk management practices. In this regard, the board has approved all major business strategies and significant policies, and ensures that senior management is capable of managing the activities that the BHC conducts. Oversight of risk management practices is satisfactory and the organization’s overall business strategy is generally sound. Senior management generally adjusts risk management practices appropriately in accordance with enhancements to industry practices and regulatory guidance, and adjusts exposure limits as necessary to reflect the institution’s changing risk profile, although these practices may be lacking in some modest degree. Policies, limits, and tracking reports are generally appropriate, understood, and regularly reviewed, and the new product approval process adequately identifies the associated risks and necessary controls. Senior management’s day-to-day supervision of management and staff at all levels is generally effective. The level of staffing, and its experience, expertise, and depth, is sufficient to operate the business lines in a safe and sound manner. Minor weaknesses may exist in the staffing, infrastructure, and risk management processes for individual business lines or products, but these weaknesses have been identified by management, are correctable in the normal course of business, and are in the process of being addressed. Weaknesses noted should not have a significant effect on the safety and soundness of the institution. Rating 3 (Fair). An assessment of Fair signifies that board and senior management oversight is lacking in some important way and, therefore, is a cause for more than normal supervisory attention. The weaknesses may involve a broad range of activities or be material to a major business line or activity. Weaknesses in one or more aspect of board and senior management oversight have precluded the institution from fully addressing one or more significant risks to the institution. The deficiencies may include a lack of knowledge with respect to the organization’s risk profile, insufficient oversight of risk management practices, ineffective policies or limits, inadequate or under-utilized management reporting, an inability to respond to industry enhancements and changes in 18 regulatory guidance, or failure to execute appropriate business strategies. Staffing may not be adequate or staff may not possess the experience and expertise needed for the scope and complexity of the organization’s business activities. The day-to-day supervision of officer and staff activities, including the management of senior officers or heads of business lines, may be lacking. Certain risk management practices are in need of improvement to ensure that management and the board is able to identify, monitor, and control all significant risks to the institution. Weaknesses noted could have adverse effects on the safety and soundness of the institution if corrective action is not taken by management. Rating 4 (Marginal). An assessment of Marginal represents deficient oversight practices that reflect a lack of adequate guidance and supervision by management and the board. A number of significant risks to the institution have not been adequately addressed, and the board and senior management function warrants a high degree of supervisory attention. Multiple board and senior management weaknesses are in need of immediate improvement. They may include a significant lack of knowledge with respect to the organization’s risk profile, largely insufficient oversight of risk management practices, ineffective policies or limits, inadequate or considerably under-utilized management reporting, an inability to respond to industry enhancements and changes in regulatory guidance, or failure to execute appropriate business strategies. Staffing may not be adequate or possess the experience and expertise needed for the scope and complexity of the organization’s business activities, and the day-to-day supervision of officer and staff activities, including the management of senior officers or heads of business lines, may be considerably lacking. These conditions warrant a high degree of supervisory attention because, unless properly addressed, they could seriously affect the safety and soundness of the institution. Rating 5 (Unsatisfactory). An assessment of Unsatisfactory indicates a critical absence of effective board and senior management oversight practices. Problems may include a severe lack of knowledge with respect to the organization’s risk profile, insufficient oversight of risk management practices, wholly ineffective policies or limits, critically inadequate or under-utilized management reporting, a complete inability to respond to industry enhancements and changes in regulatory guidance, or failure to execute appropriate business strategies. Staffing may be inadequate, inexpert, and/or inadequately supervised. The deficiencies require immediate and close supervisory attention, as management and the board have not demonstrated the capability to address them. Weaknesses could seriously jeopardize the continued viability of the institution. Policies, Procedures and Limits Rating 1 (Strong). An assessment of Strong indicates that the policies, procedures, and limits provide for effective identification, measurement, monitoring, and control of the risks posed by all significant activities, including lending, investing, trading, trust, and fiduciary activities. Policies, procedures, and limits are consistent with the institution’s goals and objectives and its overall financial strength. The policies clearly delineate accountability and lines of authority across the institution’s activities. The policies also provide for the review of new activities to ensure that the infrastructure necessary to 19 identify, monitor, and control the associated risks is in place before the activities are initiated. Rating 2 (Satisfactory). An assessment of Satisfactory indicates that the policies, procedures and limits cover all major business areas, are thorough and substantially upto-date, and provide a clear delineation of accountability and lines of authority across the institution’s activities. Policies, procedures, and limits are generally consistent with the institution’s goals and objectives and its overall financial strength. Also, the policies provide for adequate due diligence before engaging in new activities or products. Any deficiencies or gaps that have been identified are minor in nature and in the process of being addressed. Weaknesses should not have a significant effect on the safety and soundness of the institution. Rating 3 (Fair). An assessment of Fair signifies that deficiencies exist in policies, procedures, and limits that require more than normal supervisory attention. The deficiencies may involve a broad range of activities or be material to a major business line or activity. The deficiencies may include policies, procedures, or limits (or the lack thereof) that do not adequately identify, measure, monitor, or control the risks posed by significant activities; are not consistent with the experience of staff, the organization’s strategic goals and objectives, or the financial strength of the institution; or do not clearly delineate accountability or lines of authority. Also, the policies may not provide for adequate due diligence before engaging in new activities or products. Weaknesses noted could have adverse effects on the safety and soundness of the institution unless corrective action is taken by management. Rating 4 (Marginal). An assessment of Marginal indicates deficient policies, procedures, and limits that do not address a number of significant risks to the institution. Multiple practices are in need of immediate improvement, which may include policies, procedures, or limits (or the lack thereof) that ineffectively identify, measure, monitor, or control the risks posed by significant activities; are not commensurate with the experience of staff, the institution’s strategic goals and objectives, or the financial strength of the institution; or do not delineate accountability or lines of authority. Moreover, policies may be considerably lacking with regards to providing for effective due diligence before engaging in new activities or products. These conditions warrant a high degree of supervisory attention because, unless properly addressed, they could seriously affect the safety and soundness of the institution. Rating 5 (Unsatisfactory). An assessment of Unsatisfactory indicates a critical absence of effective policies, procedures, and limits. Policies, procedures, or limits (or the lack thereof) are largely or entirely ineffective with regard to identifying, measuring, monitoring, or controlling the risks posed by significant activities; are completely inconsistent with the experience of staff, the organization’s strategic goals and objectives, or the financial strength of the institution; or do not delineate accountability or lines of authority. Also, policies may be completely lacking with regard to providing for effective due diligence before engaging in new activities or products. Critical 20 weaknesses could seriously jeopardize the continued viability of the institution and require immediate and close supervisory attention. Risk Monitoring and MIS Rating 1 (Strong). An assessment of Strong indicates that risk monitoring practices and MIS reports address all material risks. The key assumptions, data sources, and procedures used in measuring and monitoring risk are appropriate, thoroughly documented, and frequently tested for reliability. Reports and other forms of communication are consistent with activities, are structured to monitor exposures and compliance with established limits, goals, or objectives, and compare actual versus expected performance when appropriate. Management and board reports are accurate and timely and contain sufficient information to identify adverse trends and to thoroughly evaluate the level of risk faced by the institution. Rating 2 (Satisfactory). An assessment of Satisfactory indicates that risk monitoring practices and MIS reports cover major risks and business areas, although they may be lacking in some modest degree. In general, the reports contain valid assumptions that are periodically tested for accuracy and reliability and are adequately documented and distributed to the appropriate decision-makers. Reports and other forms of communication generally are consistent with activities; are structured to monitor exposures and compliance with established limits, goals, or objectives; and compare actual versus expected performance when appropriate. Management and board reports are generally accurate and timely, and broadly identify adverse trends and the level of risk faced by the institution. Any weaknesses or deficiencies that have been identified are in the process of being addressed. Rating 3 (Fair). An assessment of Fair signifies that weaknesses exist in the institution’s risk monitoring practices or MIS reports that require more than normal supervisory attention. The weaknesses may involve a broad range of activities or be material to a major business line or activity. They may contribute to ineffective risk identification or monitoring through inappropriate assumptions, incorrect data, poor documentation, or the lack of timely testing. In addition, MIS reports may not be distributed to the appropriate decision-makers, adequately monitor significant risks, or properly identify adverse trends and the level of risk faced by the institution. Weaknesses noted could have adverse effects on the safety and soundness of the institution if corrective action is not taken by management. Rating 4 (Marginal). An assessment of Marginal represents deficient risk monitoring practices or MIS reports that, unless properly addressed, could seriously affect the safety and soundness of the institution. A number of significant risks to the institution are not adequately monitored or reported. Ineffective risk identification may result from notably inappropriate assumptions, incorrect data, poor documentation, or the lack of timely testing. In addition, MIS reports may not be distributed to the appropriate decisionmakers, may inadequately monitor significant risks, or fail to identify adverse trends and the level of risk faced by the institution. The risk monitoring and MIS deficiencies 21 warrant a high degree of supervisory attention because, unless properly addressed, they could seriously affect the safety and soundness of the institution. Rating 5 (Unsatisfactory). An assessment of Unsatisfactory indicates a critical absence of risk monitoring and MIS. They are wholly deficient due to inappropriate assumptions, incorrect data, poor documentation, or the lack of timely testing. Moreover, MIS reports may not be distributed to the appropriate decision-makers, fail to monitor significant risks, or fail to identify adverse trends and the level of risk faced by the institution. These critical weaknesses require immediate and close supervisory attention, as they could seriously jeopardize the continued viability of the institution. Internal Controls Rating 1 (Strong). An assessment of Strong indicates that the system of internal controls is robust for the type and level of risks posed by the nature and scope of the organization’s activities. The organizational structure establishes clear lines of authority and responsibility for monitoring adherence to policies, procedures, and limits, and wherever applicable, exceptions are noted and promptly investigated. Reporting lines provide clear independence of the control areas from the business lines and separation of duties throughout the organization. Robust procedures exist for ensuring compliance with applicable laws and regulations, including consumer laws and regulations. Financial, operational, and regulatory reports are reliable, accurate, and timely. Internal audit or other control review practices provide for independence and objectivity. Internal controls and information systems are thoroughly tested and reviewed; the coverage, procedures, findings, and responses to audits and review tests are well documented; identified material weaknesses are given thorough and timely high level attention; and management’s actions to address material weaknesses are objectively reviewed and verified. The board or its audit committee regularly reviews the effectiveness of internal audits and other control review activities. Rating 2 (Satisfactory). An assessment of Satisfactory indicates that the system of internal controls adequately covers major risks and business areas, with some modest weaknesses. In general, the control functions are independent from the business lines, and there is appropriate separation of duties. The control system supports accuracy in record-keeping practices and reporting systems, is adequately documented, and verifies compliance with laws and regulations, including consumer laws and regulations. Internal controls and information systems are adequately tested and reviewed, and the coverage, procedures, findings, and responses to audits and review tests are documented. Identified material weaknesses are given appropriate attention and management’s actions to address material weaknesses are objectively reviewed and verified. The board or its audit committee reviews the effectiveness of internal audits and other control review activities. Any weaknesses or deficiencies that have been identified are modest in nature and in the process of being addressed. Rating 3 (Fair). An assessment of Fair signifies that weaknesses exist in the system of internal controls that require more than normal supervisory attention. The weaknesses may involve a broad range of activities or be material to a major business line or activity. 22 The weaknesses may include insufficient oversight of internal controls and audit by the board or its audit committee; unclear or conflicting lines of authority and responsibility; a lack of independence between control areas and business activities; or ineffective separation of duties. The internal control system may produce inadequate or untimely risk coverage and verification, including monitoring compliance with both safety and soundness and consumer laws and regulations; inaccurate records or financial, operational, or regulatory reporting; a lack of documentation for work performed; or a lack of timeliness in management review and correction of identified weaknesses. Weaknesses noted could have adverse effects on the safety and soundness of the institution if corrective action is not taken by management. Rating 4 (Marginal). An assessment of Marginal represents a deficient internal control system that does not adequately address a number of significant risks to the institution. The deficiencies may include neglect of internal controls and audit by the board or its audit committee; conflicting lines of authority and responsibility; a lack of independence between control areas and business activities; or no separation of duties in critical areas. The internal control system may produce inadequate, untimely, or nonexistent risk coverage and verification in certain areas, including monitoring compliance with both safety and soundness and consumer laws and regulations; inaccurate records or financial, operational, or regulatory reporting; a lack of documentation for work performed; or infrequent management review and correction of identified weaknesses. The internal control deficiencies warrant a high degree of supervisory attention because, unless properly addressed, they could seriously affect the safety and soundness of the institution. Rating 5 (Unsatisfactory). An assessment of Unsatisfactory indicates a critical absence of an internal control system. There may be no oversight by the board or its audit committee; conflicting lines of authority and responsibility; no distinction between control areas and business activities; or no separation of duties. The internal control system may produce totally inadequate or untimely risk coverage and verification, including monitoring compliance with both safety and soundness and consumer laws and regulations; completely inaccurate records or regulatory reporting; a severe lack of documentation for work performed; or no management review and correction of identified weaknesses. Such deficiencies require immediate and close supervisory attention, as they could seriously jeopardize the continued viability of the institution. Financial Condition Component Rating 1 (Strong). A rating of 1 indicates that the consolidated BHC is financially sound in almost every respect; any negative findings are basically of a minor nature and can be handled in a routine manner. The capital adequacy, asset quality, earnings, and liquidity of the consolidated BHC are more than adequate to protect the company from reasonably foreseeable external economic and financial disturbances. The company generates more than sufficient cash flow to service its debt and fixed obligations with no harm to subsidiaries of the organization. Rating 2 (Satisfactory). A rating of 2 indicates that the consolidated BHC is fundamentally financially sound, but may have modest weaknesses correctable in the 23 normal course of business. The capital adequacy, asset quality, earnings and liquidity of the consolidated BHC are adequate to protect the company from external economic and financial disturbances. The company also generates sufficient cash flow to service its obligations; however, areas of weakness could develop into areas of greater concern. To the extent minor adjustments are handled in the normal course of business, the supervisory response is limited. Rating 3 (Fair). A rating of 3 indicates that the consolidated BHC exhibits a combination of weaknesses ranging from fair to moderately severe. The company has less than adequate financial strength stemming from one or more of the following: modest capital deficiencies, substandard asset quality, weak earnings, or liquidity problems. As a result, the BHC and its subsidiaries are less resistant to adverse business conditions. The financial condition of the BHC will likely deteriorate if concerted action is not taken to correct areas of weakness. The company’s cash flow is sufficient to meet immediate obligations, but may not remain adequate if action is not taken to correct weaknesses. Consequently, the BHC is vulnerable and requires more than normal supervision. Overall financial strength and capacity are still such as to pose only a remote threat to the viability of the company. Rating 4 (Marginal). A rating of 4 indicates that the consolidated BHC has either inadequate capital, an immoderate volume of problem assets, very weak earnings, serious liquidity issues, or a combination of factors that are less than satisfactory. An additional weakness may be that the BHC’s cash flow needs are met only by upstreaming imprudent dividends and/or fees from subsidiaries. Unless prompt action is taken to correct these conditions, they could impair future viability. BHCs in this category require close supervisory attention and increased financial surveillance. Rating 5 (Unsatisfactory). A rating of 5 indicates that the volume and character of financial weaknesses of the BHC are so critical as to require urgent aid from shareholders or other sources to prevent insolvency. The imminent inability of such a company to service its fixed obligations and/or prevent capital depletion due to severe operating losses places its viability in serious doubt. Such companies require immediate corrective action and constant supervisory attention. The Financial Condition Subcomponents The financial condition subcomponents can be evaluated along business lines, product lines, or legal entity lines--depending on which type of review is most appropriate for the holding company structure. Capital Adequacy Rating 1 (Strong). A rating of 1 indicates that the consolidated BHC maintains more than adequate capital to support the volume and risk characteristics of all parent and subsidiary business lines and products; provide a sufficient cushion to absorb unanticipated losses arising from the parent and subsidiary activities; and support the level and composition of parent and subsidiary borrowing. In addition, a company assigned a rating of 1 has more than sufficient capital to provide a base for the growth of 24 risk assets and the entry into capital markets as the need arises for the parent company and subsidiaries. Rating 2 (Satisfactory). A rating of 2 indicates that the consolidated BHC maintains adequate capital to support the volume and risk characteristics of all parent and subsidiary business lines and products; provide a sufficient cushion to absorb unanticipated losses arising from the parent and subsidiary activities; and support the level and composition of parent and subsidiary borrowing. In addition, a company assigned a rating of 2 has sufficient capital to provide a base for the growth of risk assets and the entry into capital markets as the need arises for the parent company and subsidiaries. Rating 3 (Fair). A rating of 3 indicates that the consolidated BHC may not maintain sufficient capital to ensure support for the volume and risk characteristics of all parent and subsidiary business lines and products; the unanticipated losses arising from the parent and subsidiary activities; or the level and composition of parent and subsidiary borrowing. In addition, a company assigned a rating of 3 may not maintain a sufficient capital position to provide a base for the growth of risk assets and the entry into capital markets as the need arises for the parent company and subsidiaries. The capital position of the consolidated BHC could quickly become inadequate in the event of asset deterioration or other negative factors and therefore requires more than normal supervisory attention. Rating 4 (Marginal). A rating of 4 indicates that the capital level of the consolidated BHC is significantly below the amount needed to ensure support for the volume and risk characteristics of all parent and subsidiary business lines and products; the unanticipated losses arising from the parent and subsidiary activities; and the level and composition of parent and subsidiary borrowing. In addition, a company assigned a rating of 4 does not maintain a sufficient capital position to provide a base for the growth of risk assets and the entry into capital markets as the need arises for the parent company and subsidiaries. If left unchecked, the consolidated capital position of the company might evolve into weaknesses or conditions that could threaten the viability of the institution. The capital position of the consolidated BHC requires immediate supervisory attention. Rating 5 (Unsatisfactory). A rating of 5 indicates that the level of capital of the consolidated BHC is critically deficient and in need of immediate corrective action. The consolidated capital position threatens the viability of the institution and requires constant supervisory attention. Asset Quality Rating 1 (Strong). A rating of 1 indicates that the BHC maintains strong asset quality across all parts of the organization, with a very low level of criticized and nonperforming assets. Credit risk across the organization is commensurate with management’s abilities and modest in relation to credit risk management practices. 25 Rating 2 (Satisfactory). A rating of 2 indicates that the BHC maintains satisfactory asset quality across all parts of the organization, with a manageable level of criticized and nonperforming assets. Any identified weaknesses in asset quality are correctable in the normal course of business. Credit risk across the organization is commensurate with management’s abilities and generally modest in relation to credit risk management practices. Rating 3 (Fair). A rating of 3 indicates that the asset quality across all or a material part of the consolidated BHC is less than satisfactory. The BHC may be facing a decrease in the overall quality of assets currently maintained on and off balance sheet. The BHC may also be experiencing an increase in credit risk exposure that has not been met with an appropriate improvement in risk management practices. BHCs assigned a rating of 3 require more than normal supervisory attention. Rating 4 (Marginal). A rating of 4 indicates that the BHC’s asset quality is deficient. The level of problem assets and/or unmitigated credit risk subjects the holding company to potential losses that, if left unchecked, may threaten its viability. BHCs assigned a rating of 4 require immediate supervisory attention. Rating 5 (Unsatisfactory). A rating of 5 indicates that the BHC’s asset quality is critically deficient and presents an imminent threat to the institution's viability. BHCs assigned a rating of 5 require immediate remedial action and constant supervisory attention. Earnings Rating 1 (Strong). A rating of 1 indicates that the quantity and quality of the BHC’s consolidated earnings over time are more than sufficient to make full provision for the absorption of losses and/or accretion of capital when due consideration is given to asset quality and BHC growth. Generally, BHCs with a 1 rating have earnings well above peergroup averages. Rating 2 (Satisfactory). A rating of 2 indicates that the quantity and quality of the BHC’s consolidated earnings over time are generally adequate to make provision for the absorption of losses and/or accretion of capital when due consideration is given to asset quality and BHC growth. Generally, BHCs with a 2 earnings rating have earnings that are in line with or slightly above peer-group averages. Rating 3 (Fair). A rating of 3 indicates that the BHC’s consolidated earnings are not fully adequate to make provisions for the absorption of losses and the accretion of capital in relation to company growth. The consolidated earnings of companies rated 3 may be further clouded by static or inconsistent earnings trends, chronically insufficient earnings, or less than satisfactory asset quality. BHCs with a 3 rating for earnings generally have earnings below peer-group averages. Such BHCs require more than normal supervisory attention. 26 Rating 4 (Marginal). A rating of 4 indicates that the BHC’s consolidated earnings, while generally positive, are clearly not sufficient to make full provision for losses and the necessary accretion of capital. BHCs with earnings rated 4 may be characterized by erratic fluctuations in net income, poor earnings (and the likelihood of the development of a further downward trend), intermittent losses, chronically depressed earnings, or a substantial drop from the previous year. The earnings of such companies are generally substantially below peer-group averages. Such BHCs require immediate supervisory attention. Rating 5 (Unsatisfactory). A rating of 5 indicates that the BHC is experiencing losses or a level of earnings that is worse than that described for the 4 rating. Such losses, if not reversed, represent a distinct threat to the BHC’s solvency through erosion of capital. Such BHCs require immediate and constant supervisory attention. Liquidity Rating 1 (Strong). A rating of 1 indicates that the BHC maintains strong liquidity levels and well developed funds management practices. The parent company and subsidiaries have reliable access to sufficient sources of funds on favorable terms to meet present and anticipated liquidity needs. Rating 2 (Satisfactory). A rating of 2 indicates that the BHC maintains satisfactory liquidity levels and funds management practices. The parent company and subsidiaries have access to sufficient sources of funds on acceptable terms to meet present and anticipated liquidity needs. Modest weaknesses in funds management practices may be evident, but those weaknesses are correctable in the normal course of business. Rating 3 (Fair). A rating of 3 indicates that the BHC’s liquidity levels or funds management practices are in need of improvement. BHCs rated 3 may lack ready access to funds on reasonable terms or may evidence significant weaknesses in funds management practices at the parent company or subsidiary levels. However, these deficiencies are considered correctable in the normal course of business. Such BHCs require more than normal supervisory attention. Rating 4 (Marginal). A rating of 4 indicates that the BHC’s liquidity levels or funds management practices are deficient. Institutions rated 4 may not have or be able to obtain a sufficient volume of funds on reasonable terms to meet liquidity needs at the parent company or subsidiary levels and require immediate supervisory attention. Rating 5 (Unsatisfactory). A rating of 5 indicates that the BHC’s liquidity levels or funds management practices are critically deficient and may threaten the continued viability of the institution. Institutions rated 5 require constant supervisory attention and immediate external financial assistance to meet maturing obligations or other liquidity needs. Impact Component 27 The I component rating reflects the aggregate potential impact of the nondepository entities on the subsidiary depository institution(s). It is rated on a five point numerical scale. Ratings will be assigned in ascending order of supervisory concern as follows: 1 – low likelihood of significant negative impact; 2 – limited likelihood of significant negative impact; 3 – moderate likelihood of significant negative impact; 4 – considerable likelihood of significant negative impact; and 5 – high likelihood of significant negative impact. Rating 1 (Low Likelihood of Significant Negative Impact). A rating of 1 indicates that the nondepository entities of the BHC are highly unlikely to have a significant negative impact on the subsidiary depository institution(s) due to the sound financial condition of the nondepository entities, the strong risk management practices within the nondepository entities, or the corporate structure of the BHC. The BHC maintains an appropriate capital allocation across the organization commensurate with associated risks. Intra-group exposures, including servicing agreements, are very unlikely to undermine the financial condition of the subsidiary depository institution(s). Parent company cash flow is sufficient and not dependent on excessive dividend payments from subsidiaries. The potential risks posed to the subsidiary depository institution(s) by strategic plans, the control environment, risk concentrations, or legal or reputational issues within or facing the nondepository entities are minor in nature and can be addressed in the normal course of business. Rating 2 (Limited Likelihood of Significant Negative Impact). A rating of 2 indicates a limited likelihood that the nondepository entities of the BHC will have a significant negative impact on the subsidiary depository institution(s) due to the adequate financial condition of the nondepository entities, the satisfactory risk management practices within the parent nondepository entities, or the corporate structure of the BHC. The BHC maintains adequate capital allocation across the organization commensurate with associated risks. Intra-group exposures, including servicing agreements, are unlikely to undermine the financial condition of the subsidiary depository institution(s). Parent company cash flow is satisfactory and generally does not require excessive dividend payments from subsidiaries. The potential risks posed to the subsidiary depository institution(s) by strategic plans, the control environment, risk concentrations, or legal or reputational issues within the nondepository entities are modest and can be addressed in the normal course of business. Rating 3 (Moderate Likelihood of Significant Negative Impact). A rating of 3 indicates a moderate likelihood that the aggregate impact of the nondepository entities of the BHC on the subsidiary depository institution(s) will have a significant negative impact on the subsidiary depository institution(s) due to weaknesses in the financial condition and/or risk management practices of the nondepository entities. The BHC may have only marginally sufficient allocation of capital across the organization to support risks. Intragroup exposures, including servicing agreements, may have the potential to undermine the financial condition of the subsidiary depository institution(s). Parent company cash flow may at times require excessive dividend payments from subsidiaries. Strategic 28 growth plans, weaknesses in the control environment, risk concentrations or legal or reputational issues within the nondepository entities may pose significant risks to the subsidiary depository institution(s). A BHC assigned a 3 impact rating requires more than normal supervisory attention, as there could be adverse effects on the safety and soundness of the subsidiary depository institution(s) if corrective action is not taken by management. Rating 4 (Considerable Likelihood of Significant Negative Impact). A rating of 4 indicates that there is a considerable likelihood that the nondepository entities of the BHC will have a significant negative impact on the subsidiary depository institution(s) due to weaknesses in the financial condition and/or risk management practices of the nondepository entities. A 4-rated BHC may have insufficient capital within the nondepository entities to support their risks and activities. Intra-group exposures, including servicing agreements, may also have the immediate potential to undermine the financial condition of the subsidiary depository institution(s). Parent company cash flow may be dependent on excessive dividend payments from subsidiaries. Strategic growth plans, weaknesses in the control environment, risk concentrations or legal or reputational issues within the nondepository entities may pose considerable risks to the subsidiary depository institution(s). A BHC assigned a 4 impact rating requires immediate remedial action and close supervisory attention because the nondepository entities could seriously affect the safety and soundness of the subsidiary depository institution(s). Rating 5 (High Likelihood of Significant Negative Impact). A rating of 5 indicates a high likelihood that the aggregate impact of the nondepository entities of the BHC on the subsidiary depository institution(s) is or will become significantly negative due to substantial weaknesses in the financial condition and/or risk management practices of the nondepository entities. Strategic growth plans, a deficient control environment, risk concentrations or legal or reputational issues within the nondepository entities may pose critical risks to the subsidiary depository institution(s). The parent company also may be unable to meet its obligations without excessive support from the subsidiary depository institution(s). The BHC requires immediate and close supervisory attention, as the nondepository entities seriously jeopardize the continued viability of the subsidiary depository institution(s). (D) (Depository Institutions) Component The (D) component identifies the overall condition of the subsidiary depository institution(s) of the BHC. For BHCs with only one subsidiary depository institution, the (D) component rating generally will mirror the CAMELS composite rating for that depository institution. To arrive at a (D) component rating for BHCs with multiple subsidiary depository institutions, the CAMELS composite ratings for each of the depository institutions should be weighted, giving consideration to asset size and the relative importance of each depository institution within the overall structure of the organization. In general, it is expected that the resulting (D) component rating will reflect the lead depository institution’s CAMELS composite rating. 29 If in the process of analyzing the financial condition and risk management programs of the consolidated organization, a major difference of opinion regarding the safety and soundness of the subsidiary depository institution(s) emerges between the Federal Reserve and the depository institution’s primary regulator, then the (D) rating should reflect the Federal Reserve’s evaluation. By order of the Board of Governors of the Federal Reserve System, December 1, 2004. Jennifer J. Johnson (signed) Jennifer J. Johnson Secretary of the Board 30