Arkansas State Bank Department Examination Policies (updated August 29, 2006) * Capital Adequacy (98-1) * Classification Guidelines for Repossessions and Credit Card Debt (02-2) * Correct Accounting Treatment for State Bank Department Assessments (93-4) * Debt Cancellation Contracts (92-3) * Disclosure of Bank Holding Company Component Ratings (05-1) * Disclosure of CAMELS Component Ratings (97-2) * Disclosure of Consumer Compliance Ratings (04-1) * Disclosure of Trust Component Ratings (02-1) * Financing Municipalities, Counties and School Districts (01-1) * Investment in Student Loan Marketing Association (SALLIEMAE) Preferred Stock (91-3) * Investments in Bank Premises (06-1) * Investments in Bank Premises and Payment of Dividends (99-3) * Loan Repayment Plans Approved through Bankruptcy Court (91-1) * Mortgage Banking Activities (95-1) * Other Real Estate Owned (01-2) * Retail Sales of Non Deposit Investment Products (95-2) * State and Local Government Leases (93-2) * Treatment of Certificates of Equity and Capital Based Certificates Issued by Agricultural and/or Marketing Cooperatives (92-4) * Treatment of Mortgage Loan Pools and Mortgage Servicing Rights Acquired from the RTC (91-2) * Uniform Rating System for Information Technology (99-2) 91-1- Loan Repayment Plans Approved through Bankruptcy Court Loan payment plans approved by the bankruptcy court frequently do not conform to the original loan payment plan contracted at the beginning of the loan. Many times the court approved payment plan calls for a more lengthy maturity, reduced interest or reduced principal for the loan. Questions have arisen concerning the calculation of past due status for these loans and the correct categorization of these loans for Examination Report and Report of Income and Condition purposes. Chapter 1 POLICY Loans which have been accorded new payment plans by a bankruptcy court will be deemed to have received a new contractual payment plan and the past due status will be evaluated based upon the new plan. Loans performing according to the court-approved plan will not be considered past due even though the loans are not performing according to the original payment plan. Loan which become delinquent under the court approved plan will be included in the appropriate past due category according to established guidelines. However, loans which have a court-approved payment plan may be considered restructured debt. Restructured Loans are loans whose terms have been modified, because of a deterioration in the financial position of the borrower, to provide for a reduction of either interest or principal. Once an obligation has been restructured because of such credit problems, it continues to be considered restructured until paid in full or until time as the terms are substantially equivalent to terms on which loans with comparable risks are being made. 91-2 – Treatment of Mortgage Loan Pools and Mortgage Servicing Rights Acquired from the RTC The Resolution Trust Corporation (RTC) packages 1 to 4-family residential mortgage loans into pools for sale to various financial institutions and other entities. Questions have arisen concerning the accounting for the loan pools depends upon whether they are to be held for resale or for long-term investment. POLICY before the mortgage loan pool can be classified as a long-term investment, the intent and ability of the bank to hold the loans to maturity or for an extended period must be established. A corporate resolution may be used to document management's intent to hold the pool of loans for an extended period of time or until maturity. Mortgage loan pools acquired from the RTC for long-term investment are to be booked at cost and carried on the bank's balance sheet in the loan category. The subsidiary loan trial may carry the loans on an individual basis or carry a control amount for the block of loans purchased. A premium or discount may be associated with the purchase of this type of asset and must be amortized or accreted over the life of the loans. A premium exists when a bank purchases the pool of loans at a price in excess of the principle of the loans within the pool. The difference between the purchase price and balance represents the premium which the bank is required to amortize. Amortization may be calculated on an individual loan basis or may be calculated on the entire pool utilizing a weighted average life method. (The remaining life of each loan is determined and totaled. The total life is then divided by the number of loans within the pool.) A discount exists when a bank purchases a pool of loans at a price below the principle balance of the loans within the pool The difference between the proposed balance and purchase price presents the discount which the bank is required to accrete. Accretion may be calculated on the individual loans or may be calculated on the entire pool utilizing the weighted average life method previously described. Mortgage loan pools acquired for sale are booked at the lower of cost or principle balance of the loans within the pool. Discounts resulting from the purchase of a loan pool that are held for sale shall not be realized as income until the loans are actually sold. A gain or loss on he sale is the difference between the sale price and the net carrying amount of the pool. This gain or loss will be reported as noninterest income and will not affect the yield on the pool of loans for the carrying period. Certain costs incurred in block purchases of mortgage loans can be associated with future servicing income and capitalized and amortized over the estimated average term of the mortgage loans. Appropriately capitalized costs can be added to the book value of the loans, and the lower of cost or principle balance has been determined. Loans are sometimes warehoused for s short period of time and sold under a repurchase agreement (repo). If the loans are not repurchased in accordance with the repo agreement, the lending institution may exercise ownership of the pool of loans. The seller may pay an agreed-upon rate of interest for the use of funds provided by the lending institution. Repos are accounted for as a borrowing and no sale is recorded. When the interest paid on the short-term warehouse loans is less than interest received on the asset, a positive spread is created for the repo seller. However sometimes interest rates reverse, and short-term rates exceed long-term rates. This results in a negative spread in interest rates for the repo seller which must be charged to current operations as they are incurred. Mortgage loans pools held for resale should be segregated on the balance sheet. Disclosure must be made of the method used to determine the lower of cost or market value of the loan pools. Capitalization of servicing rights must be disclosed as follows: (a) amount capitalized; (b) method of amortization used; and (c) amount of amortization. The bank's loan policy is to address the following information for the purchase of mortgage loan pools from the RTC: inclusion of mortgage loan pools on the list of loans suitable for investment; the maturity desired for these type of loans; documentation requirements; assignment of responsibility for oversight of the pool; and guidelines for accounting, assignment of risk rating, and sale of individual loans from the pool or the entire pool. The reserve for loan losses is to be increased according to the risk assigned to this pool of loans. ACCOUNTING FOR SERVICING RIGHTS Part of the mortgage loan pool's purchase price may be the right to receive future servicing income. The amount directly attributable to servicing rights shall be deferred with certain limitations. The first limitation is that the amount deferred shall not be more than the difference between the market value (excluding servicing rights) of the loans at the date of purchase and the total purchase must be in accordance with FASB-65 (lower of cost or market). The following conditions must be met: a. Prior to date of purchase, commitments from investors to purchase the mortgage loans must be obtained, or the commitments must be obtained no later than 30 days after the date of purchase. The commitment must provide for the seller to continue servicing the mortgage loans. b. If the sales price to the permanent investor exceeds the market value of the loans at date of purchase, the difference must be applied to reduce any amount deferred for mortgage servicing rights. c. No other costs relating to the purchase of the loans can be deferred. NOTE: If the above conditions are not met, the cost of the right to receive future servicing income is usually included as part of the cost of the mortgage loans for the purpose of determining lower of cost or market. The second limitation is that the amount allocated to the right to receive future servicing income cannot exceed the present value of the estimated future net servicing income. Future net servicing income is the difference between the estimated future servicing revenue and the estimated future servicing costs. probable late charges can be included in future revenues. Servicing costs may be determined on an incremental cost basis. 91-3 – Investment in Student Loan Marketing Association (SALLIEMAE) Preferred Stock Questions have arisen whether state banks may invest in preferred stock of the Student Loan Marketing Association (SALLIEMAE). State Banks are authorized to purchase common stock in this program pursuant to department regulation. POLICY Preferred stock in the Student Marketing Association (SALLIEMAE) will be considered an eligible investment for a state bank for purposes of qualifying to offer guaranteed student loans through its program. 92-3 – Debt Cancellation Contracts An increasing number of state chartered banks are offering debt cancellation contracts as an alternative to the sale of credit life insurance. Debt Cancellation Contracts provide for losses arising from cancellation of outstanding loans upon the death of borrowers. These contracts contain an element of risk which may impact the safe and sound operation of a bank. Activity in this area should be examined to determine the degree of risk and to insure that proper guidelines have been implemented to provide for safe and sound operations. The United States Court of Appeals for the Eight Circuit ruled on June 25, 1990, in First National Bank of Eastern Arkansas. A National Banking Association, vs. Ron Taylor, Commissioner of the Insurance Department for the State of Arkansas, that national banks can sell "Debt cancellation contracts". On November 13, 1990, the Supreme Court declined to hear the case, thus affirming the 8th Circuit's decision. State chartered banks are authorized to provide for losses arising from the cancellation of outstanding loans upon the death of borrowers by means of a Resolution of the State Banking Board dated July 17, 1984. POLICY State chartered banks engaging in the activity of issuing debt cancellation contracts must consider the following: - The bank's Board of Directors shall have considered the risks inherent in such activity and determined by resolution that the issuance of debt cancellation contracts is an approved product to be provided to certain loan customers of the bank; - The Board of Directors shall designate the bank's officers eligible to offer the contracts; - A loan limit shall be established for which the debt cancellation contracts may be sold (it would appear that debt cancellation contracts should only be offered for personal and consumer type loans); - The bank shall establish a reasonable reserve based on a five year average of mortality losses experienced with past credit life insurance underwriters or other such method deemed acceptable by the State Bank Commissioner; - The reserves shall be evaluated at least quarterly for adequacy and records supporting the justification for the reserve balance shall be maintained for examiner inspection; and - The sale of a debt cancellation contract cannot be a condition to the approval of a loan application and should be offered along with similar products that may be available from other sources. In the event that the debt cancellation contract is negotiated with the provision that a rebate will be made to the customer if the note is paid in full prior to maturity, the fee income shall be periodically recognized in proportion to the bank's performance under the contract. The bank's performance under the contract is the coverage of the risk associated with each contract. Thus, for those contracts in which the coverage is provided evenly during the term of the contract period, the income should be recognized evenly during the term of the contract. In the event the amount of coverage of the contract declines during the term of the contract, the fee should be recognized in proportion to the coverage during the term of the contract. In the event that the debt cancellation contract is negotiated without a provision for rebate of a portion of the fee as a result of early payoff of the loan, all fees generated from the sale of the debt cancellation contracts shall be posted to non-interest income. Increases in the required reserve established to absorb losses shall be made by provision expense and posted to non-interest expense. Both the unearned portion of the feel and the reserve set aside for possible losses are to be recognized as liabilities on the bank's books. Disclosure of the costs of debt cancellation contracts are subject to Section 226.4 of Regulation z - Truth in Lending. This disclosure is required for any charge payable directly or indirectly by the consumer and imposed directly or indirectly by the creditor as an incident to or condition of the extension of credit. Potential liability also exists for the bank customer due to liability to a third party who may become a beneficiary due to inheritance and the impact of inheritance taxes. The bank is encouraged to disclose this fact to customers who may wish to seek tax advise on this issue. The unreserved portion of the outstanding balances of loans in excess of the reserve balance are not to be considered contingent liabilities and, as such, debt cancellation contracts will have no effect upon risk based capital calculations. EXAMINATION POLICY The evaluation of the practices employed by a bank and bank management in the sale of debt cancellation contracts is to inspect for safety and soundness. The product should be offered so as to minimize risk and limit liability. In the event that minimum safeguards are not employed, management and the board of directors are to be cited for violating prudent banking practices and, in instances where risk is more than ordinary, cease and desist orders will be issued. Agriculture and/or marketing cooperatives frequently issue certificates of equity and capital based certificates to farmers who market their crops through the cooperative. These certificates represent the farmer's ownership in the cooperative and are a "deferred payment" or a "receivable" to the farmer as a portion of payment which the cooperative withholds from the cash amount it pays the farmer for the value of his crop. The traditional method of payment for such certificates has been full payment of face value at the end of the ten to twelve years. However, any determination of payment is made by the Board of Directors of the cooperative. These certificates have no maturity, have not established market, and are highly illiquid. 92-4 - Treatment of Certificates of Equity and Capital Based Certificates Issued by Agricultural and/or Marketing Cooperatives Agriculture and/or marketing cooperatives frequently issue certificates of equity and capital based certificates to farmers who market their crops through the cooperative. These certificates represent the farmer's ownership in the cooperative and are a "deferred payment" or a "receivable" to the farmer as a portion of payments which the cooperative withholds from the cash amount it pays the farmer for the value of his crop. The traditional method of payment for such certificates has been full payment of face value at the end of the ten to twelve years. However, any determination of payment is made by the Board of Directors of the cooperative. These certificates have no maturity, have no established market, and are highly illiquid. POLICY State chartered banks that receive certificates of equity and/or capital based certificates through default of the loan customer will be permitted to retain certificates of equity and/or capital based certificates on their books at a fair market value. Market value must be established by reasonable banking practices acceptable to the Bank Commissioner. This valuation must be fully documented and maintained by the bank. It is the opinion of the Bank Commissioner that the legislative intent of A.C.A. Sec. 23-32-703(c) addressing the holding period for "goods or chattels" coming into a bank's possession as collateral security for loans or any ordinary collection of debts extends to all assets not specifically excluded by statute. (See A.C.A. 23-32-709 and A.C.A. Sec 23-32-303(2)(b)(iii)) Accordingly, these certificates of equity and/or capital based certificates may not be reckoned as a bank asset for a period longer than twelve months. Under no circumstances may a bank purchase as an investment a certificate of equity and/or capital based certificate. 93-2 – State and Local Government Leases Act 508 of 1991, the so-called Local Government Lease Act provided a method for structuring a multi-year lease arrangement that local governments could use to obtain capital improvements, equipment, facilities, goods, etc. Certain provisions of the Act provided for payment of interest by the local government. (See Examination Policy 91-4) An Arkansas Supreme Court decision, Mason Brown v. City of Stuttgart, Arkansas and First Continental Financial Corporation, Case No. 92-849 (February 22, 1993) may have invalidated Act 508 of 1991. The case held that a multi-year lease arrangement that provided for the payment of "interest" by the municipality was a violation of the Arkansas State Constitution, Article 16, Section 1, which prohibits a city from entering into an obligation with interest bearing indebtedness. The court cited several other provisions for invalidating the lease in this case, such as a great penalty for default, and the fact that there was no way to terminate the lease except if an appropriation was not made for it each year. While the court did not reach the question of the constitutionality of Act 508 of 1992, it did invalidate the lease in this case. POLICY Leases between a lender and state and local governments should be scrutinized for evidence of an interest bearing obligation as well as whether there are major penalties for default from the lease agreement. Such leases, if discovered, should be accorded a special mention classification and the bank should be requested to confer with bank counsel to determine if a new arrangement should be negotiated due to the above cited Supreme Court decision. 93-4 – Correct Accounting Treatment for State Bank Department Assessments Assessments for state chartered banks in Arkansas are due semi-annually based upon total assets shown in the bank's Report of Condition for the periods ending June 30 and December 31 of each year. These assessments are based upon the last six months of operation of the institution and, as such, are paid in arrears. The correct accounting treatment for this activity would be to accrue this expense with an offsetting liability entry over the six-month period in which the assessments apply and then pay the assessment when billed. It is incorrect to book payment of Bank Department assessments as a prepaid asset and amortize this expense over the six-month period following payment. Assessments booked in this manner should be accorded a loss classification and promptly charged off. 95-1 – Mortgage Banking Activities MORTGAGE BANKING OVERVIEW Mortgage banking activities include loan origination, loan production, mortgage servicing, secondary marketing, and other areas such as mortgage banking management, accounting, and reporting. The areas evaluated during an examination should be determined on a case-by-case basis depending upon the size of a particular company and the business activities in which it engages. Loan origination is the retail operation in which loans are made directly to the public. The loans are processed, underwritten, and closed. These mortgages become part of the "mortgages held for resale" account where they will remain for the two to three month period necessary to complete the recording of the loan documents and to find a permanent investor to purchase the loans. The mortgage banker obtains purchase commitments from permanent investors and submits completed loan documentation packages to the investors for their approvals in satisfaction of the commitments. The mortgage banker maintains a relationship with a variety of permanent investors to whom the originated mortgages are sold. Loan production is the function in which the mortgage company acts as a wholesaler and purchases loans in bulk or individually from other mortgage bankers, brokers, and bankers. These loans are purchased with the intent to pool the loans and resell in the secondary market. The mortgage company may then pool loans and sell to private or public investors with servicing rights retained or released. Generally servicing is retained in order to generate an ongoing income stream. During the production process, loans may be warehoused. Loans are retained in an inventory either pending commitment to a pool or to speculate on interest rates. Mortgage servicing is performing the required duties of a mortgage seller such as collecting and remitting payments, managing the tax and insurance escrow accounts, inspecting the properties when required, pursuing delinquent borrowers, foreclosing on the mortgages when necessary, and providing accounting support. Servicing may be done by the lender or by a company acting for the lender. Due to economies of scale, the servicing portfolio must be sizable for the company to be profitable. MORTGAGE COMPANY MANAGEMENT Evaluation of management will entail a review of the organizational structure, board supervision, management oversight, management and board reporting, and the adequacy of management control systems. The organizational structure should be reviewed to determine, on a legal entity basis, the relationship between the mortgage banking company, the bank holding company, and any other bank or nonbank subsidiaries. Supervisory oversight is generally provided through the mortgage banking company's board, which may consist of mortgage banking company executives, bank holding company executives, and outside representatives. The examiner should determine whether a separate board exists, its membership and qualifications. Minutes should be reviewed to determine whether directors are fulfilling their fiduciary responsibilities. Directors' duties include: 1) selecting and retaining a competent executive management team; 2) establishing, with management, the company's short and long-term objectives, and adopting operating policies to achieve those objectives in a safe and sound manner; 3) monitoring operations to ensure they are controlled adequately and are in compliance with laws and policies; 4) overseeing the mortgage banking company's business performance; and 5) ensuring that the company meets the community's residential mortgage credit needs. Board reports should include default rates, new loans, liquidity levels, capital needs, policy exceptions, past dues, geographic concentrations, departmental profit and loss statements, and foreclosure rates. Management should be evaluated in terms of technical competence, leadership skills, administrative capabilities, and knowledge of relevant State and Federal laws and regulations. Without adequate management oversight, excessive errors can occur, fraud or violations of law may go undetected, and financial information may be reported incorrectly. Management should also be evaluated on its ability to plan effectively. Effective planning entails the annual approval of an operating budget and the development of a long-term business plan which helps management anticipate changes in the internal and external environment and respond to changing circumstances. Without appropriate planning, the company can only react to external events and market forces. Compensation of management should also be examined. Compensation based on volume of production may increase risk, conflicts of interest, and an absence of independence. Management controls consist of internal audit, external audit, quality control, insurance coverage, fraud detection procedures and related employee training programs. The internal audit function is responsible for detecting irregularities, determining compliance with applicable laws and regulations, and appraising the soundness and adequacy of accounting, operating and administrative control systems. The auditor must be independent and should report directly to the board or a designated committee. Small financial institutions may rely solely on their external auditor to perform these functions. Examiners should review the most recent external audit report and note any significant concerns or weaknesses in the company's internal control structure. Management's response to the audit should also be reviewed. Quality Control services can be provided internally by an independent party or externally. In a small organization there may be little separation between the person underwriting the loan and the individual reviewing it. Quality Control reviews are necessary to test the quality of loans produced and serviced for investors. Investors such as GNMA, FHLMC, and FNMA issue very specific guidelines that must be met with respect to the scope and frequency of such reviews. At a minimum, these investors require that the servicer/seller sample at least ten percent of all closed loans each month for accuracy, completeness, and adherence to agency underwriting standards. The Quality Control person basically re-underwrites the loan, verifies deposits and employment, recomputes the APR, interest rate, loan to value, debt to equity and so forth. The Quality Control function should serve as an early warning system which alerts management to situations which may jeopardize the financial strength, image, or origination and sale capacity of the company. Quality Control should not substitute work performed by the internal audit and loan review functions. Insurance programs should be reviewed to determine whether coverage adequately protects the company and its affiliate against exposure to undue financial risk. The board should review and approve insurance policies at least annually. A letter should also be obtained from the mortgage company's attorney to determine if any pending litigation could cause losses to the bank and or the mortgage company. MORTGAGE RELATED AGENCIES Loans are categorized as either government or conventional loans. Government loans generally carry a below-market interest rate and are either insured by the Federal Housing Administration (FHA) or guaranteed by the Veterans Administration (VA). To be insured or guaranteed, a loan must meet agency standards regarding the size, interest rate, and terms. The lender must obtain a certificate of insurance or guarantee in order to qualify a loan for inclusion in a security. Loans which are not FHA-insured or VA-guaranteed are referred to as conventional loans. Conventional loans are generally originated for larger loan amounts and can be offered with a fixed or variable interest rate. These loans typically require higher down payments and bear market interest rates. Lenders often require borrowers to obtain mortgage insurance coverage in high-ratio loans (generally, any loan with a loan-to-value ratio above 80 percent). In the primary market, private mortgage insurance (PMI) insurers provide coverage for the top 20 to 25 percent of a mortgage loan. There are three major organizations involved with the facilitation of mortgage loans in both the primary and secondary mortgage markets: Federal National Mortgage Association (FNMA), Government National Mortgage Association (Ginnie Mae or GNMA), and Federal Home Loan Mortgage Corporation (FHLMC or Freddie Mac). The extent of credit risk depends upon the secondary market program under which the loan is originated. GNMA pass-through securities, which are issued by the lender, are backed by pools of FHA-insured or VA-guaranteed mortgages and are fully-guaranteed by the U.S. Government. Pass-through securities provide for monthly installments of interest at the stated certificate rate plus scheduled principal amortization on specific dates, despite the delinquency status of the underlying loans, as well as any prepayments and additional principal reduction. The issuer collects the mortgage payments and after retaining servicing fees, remits monthly payments to the certificate holders. This agency is under general policy direction of HUD. FNMA operates a secondary market facility for FHA, VA, and conventional loan products which provides a degree of liquidity to holders of mortgage investments. FNMA will purchase FHA approved mortgages from qualified sellers through an auction format, using competitive and noncompetitive bidding procedures, and through convertible standby purchase commitments. These FNMA purchases enable originators to adjust their mortgage inventory levels periodically and maintain their origination capabilities. FNMA will also sell mortgages to qualified buyers which allows the purchasers to meet investor commitments by making up mortgage inventory shortages. The FNMA purchases and sales of the loans are dependent upon market conditions. FNMA guarantees the monthly pass-through of interest, the scheduled amortization of principal, and the ultimate repayment of principal. Participation certificates are not backed by the full faith and credit of the U.S. Government. FNMA is regulated by HUD. Similar to FNMA, FHLMC is also a private corporation which purchases conventional loans from lenders and sells mortgage-participation certificates which are similar to GNMA pass-through securities. Participation certificates represent an ownership interest in pools of conventional loans. FHLMC guarantees the monthly pass-through of interest, the scheduled amortization of principal, and the repayment of principal. The certificates are not backed by the full faith and credit of the U.S. Government. Conventional loans are classified as either conforming or nonconforming. Conforming loans must comply with FNMA and/or FHLMC size limitations, underwriting and documentation guidelines. Conforming mortgages may be sold to FNMA or FHLMC on either a recourse or nonrecourse basis. Nonconforming loans that do not meet FNMA or FHLMC guidelines may be sold in the secondary market under a private label structure. Nonconforming loans are often "nontraditional" products such as loans with teaser rates, limited documentation, graduated payment schedules, and "jumbo" loans which exceed maximum agency size requirements. LOAN ORIGINATION Loan origination entails five principal steps: 1) application; 2) processing; 3) underwriting; 4) closing and funding; and 5) post closing. Each of these functions should be independent of one another and separately supervised to ensure the quality of the loans produced. Loan originators must be knowledgeable of bank policy, procedures, laws, rules, and regulations. This is a highly regulated industry and noncompliance in any of these areas may disqualify a loan from sale in the secondary market. Loan origination begins with the completion of a loan application. The applicant authorizes the lender to verify their employment, credit history, bank deposits, and other information which evidences repayment capacity. The loan processing area is responsible for gathering all documents which verify the financial condition of the borrower and the collateral. Processing activities should be controlled through standardized procedures, checklists, and systems. The underwriting unit approves or disapproves applications based on underwriting criteria established by FHA, VA, FNMA, FHLMC, private mortgage insurers, and institutional investors. Once a loan is approved by the underwriter, a commitment letter is sent to the applicant which states the interest rate and terms of the loan. At the loan closing, the legal title to the property passes from seller to buyer and the mortgage banker establishes a first lien on the property to secure the loan. After closing, a post-closing review is performed to ensure that documents were properly executed and underwriting instructions were followed. The post-closing review also identifies any trailing or missing documents which must be tracked and obtained to meet investors' pool certification requirements. Certain risks are evident in the origination process. Operational inefficiencies can result in high staff turnover, an inability to meet investor documentation requirements, an increasing number of pools which lack final certification, or an unusually high production cost structure. Credit risk and operational inefficiencies may also create liquidity problems and additional interest rate risk if the company is unable to sell its loans in the secondary market. Other risks include product risk, borrower fallout risk, and reverse price risk. Product risk occurs when the product offered or made is not desired on the current secondary markets. If it can be sold, it is often at a steep discount. Borrower fallout risk is the risk that the loan will not close due to an action or inaction of the borrower. Reverse price risk occurs when a commitment is made to sell the loan to an investor at a certain rate prior to committing to the borrower. In the interim, a decrease in rates requires that the loan be delivered at an unexpected discount. Prior to or at closing, the mortgage banker has an option whether to retain the loan in their own inventory (warehouse); pool loans and sell them to one of the federal agencies, a private investor, or choose to securitize the loans themselves; sell the loan individually; or sell it as part of a loan participation. The size and scale of the mortgage banking entity, liquidity, funding limits, and the product itself influence which decision is made. 00-1 - WAREHOUSING The term pipeline is typically used to describe mortgages that are in the process of being originated, while warehouse refers to the inventory of mortgages that have been closed and are awaiting sale in the secondary market. Making a distinction between the pipeline and the warehouse is important because the risks of mortgages that are already closed differ from those that have not, and might not, close. Once a mortgage is closed and the final documents are received, a mortgage leaves the pipeline and enters the warehouse, where it is either held for sale and marketed to investors, or shipped to a prearranged buyer. The amount of non-committed inventory is often restricted by mortgage company policy. Loans maintained in the warehouse with an intent to resell should be marked to market at least quarterly. After write-downs, write-ups to market values in subsequent periods are recorded, but total recorded market value may not exceed cost. The marking to market is often insignificant for loan pools committed to be delivered within a short period of time. The most adversely affected loans will be those held for a longer period of time with unusual features. While mortgages are being held in the warehouse, but before a contract has been signed agreeing to their sale price and terms, the mortgage company bears an enormous risk of the mortgages going down in value as a result of changes in overall interest rates or merely changes in the secondary mortgage market. It is critically important that a mortgage banking operation's interest rate risk is controlled, especially if the company's average pipeline and warehouse volume is significant relative to its capital. Since a mortgage company typically obtains working capital from the sale of mortgage loans, warehoused loans can impair the sources of funds for new loans. Mortgages held for resale are frequently funded by a "warehouse mortgage" line of credit. This is a collateralized line of credit from a bank which is supported by a pledge of the mortgages in the resale inventory. The warehouse line operates as a revolving line of credit, with additional advances to the company for new mortgages to be placed in "warehouse" and repayments from the proceeds of sales to investors. Warehouse lines are a prime source of liquidity for the mortgage banker operating in the residential mortgage market. Refer to Arkansas State Bank Department Rules and Regulations, Section 5, Page 4 for additional information. The primary risks in the area of warehousing are interest rate risk, market risk, and product risk. Interest rate risk occurs from holding a product, and it represents the difference between the rate paid for the loan versus the rate it can be sold at on the market. Market risk is the risk that either the market pricing will change or the market perception changes. Product risk is the risk that the product is undesirable to investors. LOAN PRODUCTION Wholesale production channels, where contact with the borrower is made by another party, take several forms. Whole loans can be purchased either individually or using bulk commitments. Bulk commitments either require the correspondent to deliver a set amount of loans (mandatory), or deliver all registered loans that close (best effort or optional). Loans are purchased in this manner to increase volume and to expedite the securitization process. Since this entails buying loans from outside sources, certain key factors should be considered and established by mortgage company policy: 1) guidelines for due diligence reviews; 2) definitions of loan products to purchase; 3) amount of loans desired; and 4) authority for purchase approval/commitment letter. The integrity and the independence of the introducing broker should be determined to ensure the purchases are made at arms length. If the mortgage company determines that it wants to proceed with a due diligence review of the loans, individuals are assigned internally or hired externally to perform the review on behalf of the mortgage company. Either way due diligence policies and procedures should be established by the mortgage company. These procedures should define scope, sample size, and specific review guidelines. If an external review team is used, a contract should be written which defines both parties responsibilities and compensation. For purchasers of correspondent production, credit risk increases to the extent that the lender relies on other parties to correctly process and underwrite the loan. Contracts with correspondents should include representations and warranties from the correspondent that loans delivered meet the underwriting requirements of the agency or investor program for which the loan was originated. Risks in this area include: 1) sampling risk; 2) pricing risk; 3) delivery risk; and 4) interest rate risk. Sampling risk is the risk of obtaining a biased sample which does not reflect the overall condition of the portfolio to be purchased. Pricing risk is the risk of offering too much for the loans purchased. Delivery risk is the risk that the loans purchased won't be delivered upon the commitment date or will not conform with the commitment requirements. Interest rate risk is the risk that the rate paid was too much based on the time frame for delivery and what the market will tolerate. SECONDARY MORTGAGE MARKETING The marketing department is typically responsible for the development of mortgage products, determination of products to be offered, as well as the establishment of daily mortgage prices. The marketing department which is also referred to as Secondary Marketing, is also responsible for the sale of mortgage loans to investors. The marketing department acts as an intermediary between the borrower and the investor. In a small mortgage company, the president, an executive officer, or a combination of individuals may be responsible for the marketing function. Marketing activities are generally supervised by a marketing committee, which may consist of the Chief Executive Officer, Chief Operating Officer, Chief Financial Officer, and the executive officers responsible for marketing, production, and servicing/loan administration. The committee is responsible for the formulation of marketing policies, departmental operating procedures, pricing strategies, and parameters governing the use of various mortgage-related products and strategies used to hedge the interest rate risk associated with certain mortgage loans. Bank policy should establish reasonable guidelines for the amount of loans that can be retained in the mortgage pipeline, liquidity levels, levels of uncommitted inventory, number of pools in process (including dollar amounts), approval authority, types of pools and securities in process, pair off procedures and guidelines or restrictions on hedging the current position. Identified risks in this area are: 1) interest rate risk; 2) product risk; 3) investor/counterparty performance risk; 4) fallout risk; and 5) delivery risk. Interest rate risk is the risk arising from timing differences which occur from the point of application to the point of sale to an investor. Product risk is the risk that there is no market for that particular type of loan. Investor/counterparty risk can be reduced by establishing dealer limits to limit the maximum amount of trades outstanding with each firm and monitoring the financial capacity of the brokers and dealers. The company should also ensure that when a loan is sold to an investor the payments for each loan are received in a timely manner. If loans are sold with recourse, management reports should identify and track potential recourse obligations. Fallout risk is the risk the borrower may not qualify for the loan, may walk away from the loan or a contingent event occurs preventing the mortgage loan from closing. Delivery risk is the risk that the commitment to deliver by the mortgage company is unable to be met. Mortgage pricing decisions are critical because price is the major determinant in the volume of mortgages originated. A neutral price structure sets mortgage prices that are equivalent to the expected price for which the mortgages will be sold to investors, plus a normal servicing spread of 25 to 50 basis points. Daily adjustments are usually made to prices to reflect market changes for future settlement of mortgage-backed securities (MBS). Due to regional or local competition, mortgage banking companies often find it necessary to deviate from a purely neutral pricing strategy to maintain volume in certain markets. However, large deviations from market price in either a lower, or even upward, direction can have adverse consequences. Price cutting could place operational strains on the production and servicing areas. Premium pricing can position the company as a lender of last resort with adverse credit quality implications. The marketing department attempts to minimize price risk by matching origination pricing with the price they expect to receive from investors. Risk exists that the proportion of loans in the rate-committed pipeline that are expected to close will change with a given change in interest rates. Conservative management, who do not want to take a great deal of interest rate risk, may obtain a forward commitment once they have a certain percentage of the pool/security complete. Speculative management may utilize numerous hedging tools and assume a greater degree of interest rate risk. Mortgage companies use hedging strategies to protect the inventory of closed loans and the rate-committed pipeline against adverse interest rate movements. In order to control exposure to rate movements, management must estimate the percentage of the rate-committed pipeline that is expected to close in the current economic environment. Other products used to hedge inventory loans and the rate-committed pipeline include loans with an adjustable rate feature or other specialized characteristics. LOAN SERVICING/ADMINISTRATION In the loan administration or servicing function, the mortgage company is acting as an agent for the investors whose loans are being serviced. While the quality of the serviced assets is not a primary concern of the examiner, the quality of the operations and its impact on the company's earnings are matters of concern. A poor quality portfolio may be very costly to service; therefore, management should recognize the importance of a proper due diligence review prior to purchasing servicing rights. The examiner should be alert to servicing costs that exceed income. The examiner should also review the amortization of mortgage servicing rights to determine whether the amortization period exceeds the average life of the serviced mortgage loan portfolio. Servicing rights, when properly managed, provide a stable source of earnings. Long-term profitability is achieved through efficient processing, cost containment and the attainment of economies of scale. Mortgage banking companies that originate and sell residential real estate loans in the secondary market often retain the right to service those loans for the investor for a fee. Each investors' servicing funds should be maintained in separate accounts. The servicer's specific responsibilities with regard to each investor are specified in a formal written servicing agreement. The servicer collects the monthly payments from mortgagors, collects and maintains escrow accounts, pays the mortgagors' real estate taxes and insurance premiums, and remits principal and interest payments to the ultimate investors. The servicer also maintains records for the mortgagor, collects late payments on delinquent accounts, inspects property, initiates and conducts foreclosures, and submits regular reports to investors. Additionally, most servicing departments are responsible for customer complaints, retaining complaint logs, channelling complaints and ensuring proper follow-up. Investor reporting and customer complaint records must be complete and accurate. Servicing agreements establish minimum conditions for the servicer such as its fiduciary responsibilities, audit requirements and fees. Real and contingent liabilities arise out of the contract. Most investors, including the federally-sponsored agencies, hold servicers responsible for full compliance with investor requirements. Investors may require a loan to be purchased or request reimbursement for losses that occur as a result of servicing errors, omissions or improper documentation. The agreements should be reviewed to determine that no additional liabilities, real or contingent, are imposed upon the company beyond its responsibilities as a servicing agent. Mortgage servicing revenues are derived from five sources. The primary source is the servicing fee. Because this fee is usually expressed as a fixed percentage of the outstanding mortgage loan principal balance, servicing fee revenues decline over time as the loan balance amortizes. The second source of servicing income arises from the interest that can be earned by the servicer from the escrow balance that the borrower often maintains with the servicer. The third source of revenue is the float earned on the monthly loan payment. The opportunity for float arises because of the delay permitted between the time the servicer receives the payment and the time the payment must be remitted to the investor. Ancillary income, such as a late fee charged to the borrower if the monthly payment is not made on time, is another source of revenue. Finally, the servicer might generate fee income by selling mailing lists to third parties. Many companies have established aggressive growth targets for their servicing portfolios. The usual source of growth in the servicing portfolio is the company's own origination activity. However, it is not uncommon for a company to supplement this growth with bulk or individual purchases of loans or purchased servicing rights from other companies. Portfolio size is reduced through normal runoff, prepayments, and sales of either loans or servicing rights only. Subservicers can be used to perform the tax services, insurance, etc. The mortgage company continues to be responsible for these activities and errors that may occur. The company's method of evaluating and monitoring the financial condition of its subservicers should also be reviewed. Subservicing agreements should be evaluated in terms of the subservicer's responsibilities, reporting requirements, performance, and fees. CAPITALIZED SERVICING ASSETS The right to service mortgages are generally acquired in four ways: (1) the origination of mortgages by the mortgage company that are kept in the portfolio which is called portfolio servicing; (2) the origination of mortgages that are sold with servicing retained which is called retained servicing or originated mortgage servicing rights (OMSR); (3) the purchase of servicing rights from third parties called purchased mortgage servicing rights (PMSR); or (4) as a by-product in a purchase of mortgages and their servicing (servicing released purchase) where a definitive plan for the sale of the mortgages with the servicing rights retained exists at the time the mortgages are acquired, also called purchased mortgage servicing rights (PMSR). Capitalized servicing assets consist of purchased mortgage servicing rights (PMSR) and excess servicing fee receivables (ESFR). PMSRs are acquired assets which represent the right to service loans owned by investors in exchange for a share of the future cash flows generated by the underlying loans. The purchase price represents the buyer's estimate of the present value of the future servicing fees net of servicing costs. The right to service mortgage loans for investors is an intangible asset which may be acquired separately, in a purchase of mortgage loans, or in a business combination. Statement of Financial Accounting Standards SFAS No. 65, "Accounting for Certain Mortgage Banking Activities, is the relevant accounting guidance for mortgage banking activities. Under SFAS 65, a mortgage banking company shall capitalize the cost of acquiring the right to service a loan as a separate asset if: 1) the loan qualifies as a purchase transaction, and 2) a definitive plan for the sale of that loan exists when the loan is acquired. A definitive plan for sale exists if: a) the mortgage banking company has either obtained, prior to purchase, commitments from permanent investors to purchase the mortgage loans or related mortgage-backed securities, or obtains such a commitment within a reasonable period (i.e. 30 days), and b) the plan includes estimates of the purchase price and selling price. The initial amount capitalized cannot exceed the lesser of 1) the purchase price of the loan, including any transfer fees paid, in excess of the market value of the loans without servicing rights at the purchase date or 2) the present value of net future servicing income discounted at an appropriate long-term interest rate. Management should be able to substantiate the rate used. The capitalized amount shall be amortized in proportion to, and over the period of, estimated net servicing income. PMSRs are highly subject to interest rate and prepayment rate risk since the amount of future cash flows is dependent upon the outstanding balances of the underlying mortgage loans. Unanticipated changes in interest rate, prepayment speed, or other valuation assumptions may impair the carrying value of PMSRs and require accelerated amortization or a write-down. The recoverability of the unamortized balance should be evaluated periodically, and amortization and/or the value of the asset should be adjusted accordingly. To the extent impairment is not recognized, PMSR values may be inflated. As a result, assets, earnings, and capital may be overstated. Regulatory guidance requires that PMSR values be evaluated at least quarterly. Evaluation models may be developed in-house or purchased from an outside vendor. Excess servicing fee receivables are recorded when the mortgage company's fee for servicing mortgages sold exceeds the normal servicing fee for a comparable pool of mortgages. The asset to be recorded represents the present value of the expected future excess fee income. The company should first estimate the amount of excess cash flows that it expects to receive from servicing the loans. The estimated cash flow stream must consider expected prepayments of the underlying mortgages. Next the estimated cash flow stream should be discounted to determine its present value. The discount rate should be an appropriate long-term interest rate that reflects the risks of the assets. Once the amount of the excess servicing fee receivable is determined, it is recorded as an asset. ESFR should be reevaluated at least quarterly to determine the impact of unanticipated prepayments of the underlying cash flows. According to EITF 86-38, the ESFR must be written down to the present value of the estimated remaining future excess service fee revenues. The discount rate used to compute the present value of the estimate future servicing fee income should be the same rate as that used to initially record the asset. Unlike PMSRs, which require that an actual service be performed, ESFRs merely represent the purchase of the right to receive the underlying cash flows. ESFRs are considered tangible assets. OMSRs represent the future net servicing income which is associated with loans that are originated through a mortgage banking company's own production network. Currently OMSR are not recognized on the balance sheet as an asset distinct from the mortgage. SFAS No. 65 also prohibits the recognition of a mortgage servicing asset representing the normal servicing fee when a mortgage company originates a mortgage loan and then sells it to a third party with the servicing rights retained by the seller; only the excess servicing fee, if any, may be recorded as an asset. In a press release dated June 21, 1995, an FFIEC Task Force announced recommendations regarding the appropriate regulatory reporting treatment for mortgage servicing rights (MSRs) by banks. The need for this guidance is a result of FASB's issuance of Statement No. 122 "Accounting for Mortgage Servicing Rights," in May 1995. The FFIEC recommended Federal regulators adopt interim capital rules to clarify the regulatory capital treatment for MSRs. Prior to the adoption of Statement No. 122, only PMSRs but not OMSRs could be capitalized as balance sheet assets. Once an institution adopts Statement No. 122, it generally must capitalize OMSRs on a prospective basis. In addition, Statement No. 122 requires all capitalized MSRs (both originated and purchased) to be evaluated for impairment based on their fair values. For purposes of the bank Reports of Condition and Income, all insured banks must adopt Statement No. 122 for fiscal years beginning after December 15, 1995. For institutions with a calendar year fiscal year that do not elect early option, the March 31, 1996, Call Report will be the first report to be completed in accordance with Statement No. 122. As an interim measure, banks should continue to report PMSRs in Call Report Schedule RC-M, item 6.a, "Mortgage Servicing Rights, " and on the balance sheet in Schedule RC, item 10, "Intangible Assets." OMSRs that are capitalized as balance sheet assets in accordance with Statement No. 122 should be reported in these same Call Report items. The FFIEC's Task Force also recommends that the agencies issue interim capital rules that would apply the same regulatory capital provisions to OMSRs that presently apply to PMSRs. Under the recommended interim approach, capitalized MSRs (both purchased and originated) would be subject to a quarterly valuation requirement and a restriction limiting the amount of MSRs that may be recognized for Tier 1 capital purposes to the lesser of 90 percent of fair value or 100 percent of book value (net of any valuation allowance). In addition, the aggregate amount of PMSRs, OMSRs, and purchased credit card relationship intangibles that may be recognized for regulatory capital purposes would be limited to no more than 50 percent of Tier 1 (core) capital. The quarterly valuations of the fair value of OMSRs would be based on the same regulatory guidance the agencies have issued with respect to determining the fair value of PMSRs. FINANCIAL ANALYSIS The analysis of the financial condition of a mortgage company should incorporate a review of primary balance sheet and income statement levels and trends, contingent off-balance sheet liabilities such as the servicing portfolio, asset quality, earnings performance, funding sources and liquidity needs, and capital adequacy. Financial statements should be reviewed to detect assets, liabilities, income or expense items which are either large relative to the company's operations or may post undue financial risk for other reasons. Any unusual trends, which appear inconsistent with the mortgage banking company's normal operation, the current economic and interest rate environment, and the company's growth plans, should be investigated. The asset side of the balance sheet will consist of items such as cash; marketable securities; mortgage loans available-for-sale; purchased mortgage servicing rights; excess servicing fee receivables; mortgage loans held-to-maturity; reserves for loan and other credit-related losses; other real estate; premises and equipment; and other miscellaneous assets. The examiner should determine whether the accounting treatment for securities and loans is consistent with SFAS No. 115, "Accounting for Certain Investments in Debt and Equity Securities." Under SFAS No. 115, any debt or equity security that has a readily determinable fair value should be classified as either trading, available-for-sale, or held-to-maturity. Loans held for investment may include loans that: 1) do not meet secondary market guidelines and are therefore unsalable; 2) loans that were repurchased from an investor due to poor documentation and/or improper servicing; and 3) loans put back to the mortgage company under recourse agreements. The liability side of the balance sheet may include: repurchase agreements, commercial paper, revolving warehouse lines of credit, long-term debt instruments, intercompany payables, and equity capital. Asset quality is evidenced by underwriting standards, borrower performance, and the degree of protection which is afforded by collateral. Credit risk is reduced for an originator when insurance and guarantees are provided by federally-sponsored agencies. However, the originator remains responsible for the quality of loans sold to investors for at least the first 90 days, and any loans sold under recourse arrangements. As a servicer, the company can also be held liable if it does not initiate collection and foreclosure actions in strict accordance with investor servicing agreements. In addition, certain interest losses and expenses relating to collections, foreclosure, and ORE are not fully reimbursable and should be anticipated. The primary indicators of portfolio problems are: declines in the turnover rate of the "resale" account (the industry turnover has generally averaged about four times a year but does vary with market conditions); consistent losses in the sales of the mortgages; increases in the "investment" category; and write-downs of the value of the "investment" account. It is a general industry practice to price the "resale" inventory at the lower of cost or market each reporting quarter for balance sheet purposes. One of the principal measures of portfolio quality is the delinquency rate. Delinquencies in the report should be presented by portfolio category and spread by the periods past due, such as 15-30 days, 31-90 days, 91-180 days, and 181 days and over. The delinquency status of loans available-for-sale, loans-held-to maturity, and loans serviced for investors should be monitored. Management information systems should also include an internal loan grading system which is consistent with guidelines used by the bank, the parent company, and regulatory agencies. Information to be tracked includes the borrower's ability to meet its payment obligations, collection and foreclosure actions initiated by the servicer, and repurchase requests initiated by a permanent investor or other third party. Appraisal practices should be verified to ensure consistency with state and federal laws and regulations. Mortgage banking companies that are subsidiaries of either state-member banks, state non-member banks, or bank holding companies are subject to the same appraisal standards and requirements as their parent companies. Management should establish and maintain adequate reserves to cover all identified loss exposure. Policies and procedures should clearly state the purpose of each reserve. The level of each reserve account should be evaluated at least quarterly, documented, and replenished as necessary. Earnings performance should be assessed in terms of the level, composition and trend of net income. The earnings analysis should take into consideration internal factors such as the company business orientation and management's growth plans. The examiner should consider the company's ability to generate positive earnings consistently over time, and the proportionate share of consolidated earnings (or losses) which are a result of this business activity. Management's ability to satisfy the company's liquidity needs and plan for contingencies without placing undue strain on affiliate bank resources or reliance on the parent bank holding company are crucial. Liquidity needs depend upon the size of the mortgage company's warehouse and the nature and extent of other longer-term assets. Liquidity can quickly erode if investor perceptions of a company's credit standing change. The ability to fund mortgage operations under economic duress and access to alternate liquidity sources become key considerations. Funding instruments may include repurchase agreements, commercial paper, revolving warehouse lines of credit and/or long-term debt. Financial flexibility, which is the ability to obtain the cash required to make payments as needed, should also be evaluated. Cash should be able to be obtained from 1) business operations; 2) liquid assets already held by the company; and 3) deriving funds from external sources via lines of credit, bank borrowing or the money and capital markets through the issuance of debt or equity securities. Capital must be adequate to absorb potential operating losses, provide for liquidity needs and expected growth, and meet minimum requirements set by third party creditors and investors. At a minimum, a mortgage banking company must meet the nominal capital levels required by investors such as FNMA ($250,000). Companies that have excessive off-balance sheet risk or high growth expectations may require additional capital. Capital levels should be monitored and reported to the company's board of directors regularly to mitigate the risk of inadequate or eroding capital. The examiner should evaluate capital adequacy, the amount of dividends which are upstreamed to the bank or parent company, and the extent to which the parent company can be relied upon to augment the ongoing capital needs of its bank and nonbank subsidiaries. In some instances, the bank or parent company may operate on the premise that the mortgage banking company requires little capital of its own as long as the bank or parent company remains adequately capitalized. The bank or parent company must be prepared to support its subsidiaries should the financial need arise. There are no state/federal guidelines requiring specific capital levels for a mortgage banking company. OVERVIEW Critical material can be reviewed at the bank or parent company level to help determine whether or not to go on-site. Some of the determinants of this decision should include: relative size; current earnings performance; overall contribution to the corporation's condition; asset quality as indicated by nonaccrual and delinquency reports; and the condition of the company at a prior examination. From the information provided, it might be determined that the company is operating properly and is in sound condition. Conversely, a deteriorating condition might be detected which would require a more in depth review. Mortgage subsidiaries in unsatisfactory condition should be inspected each time the bank or parent company is inspected. All significant mortgage banking subsidiaries should be fully inspected at least once every three years POLICY REQUIREMENTS 00-1 - Strategic Planning Management should develop a strategic plan for the mortgage company or incorporate a long-term business plan for mortgage banking activities into the bank's and/or bank holding company's strategic plan. Characteristics of long-term business plan include: * Identifying strengths and weaknesses * Growth targets * Other strategic initiatives over a one-to-three year time horizon Goals and objectives should be specific, measurable, understandable, and communicated throughout the organization. To help achieve the goals established, progress must be monitored. The board should review and approve the plan annually. Mortgage Banking Policy A well written mortgage banking policy will, at a minimum, address the following: A. the mortgage banking activities the bank or mortgage company will be involved, including loan production, pipeline and warehouse administration, secondary market transactions, servicing operations, and management of mortgage servicing rights (MSR) and excess servicing fees receivable (ESFR); B. documentation standards for all aspects of mortgage banking activities, including substantiating the initial book values of MSR and ESFR assigned to each pool of loans, as well as the results of periodic reviews of each asset's book and fair-market value; C. systems that track and collect required loan documents; D. impairment analyses, including using the discount rate applied when each MSR and ESFR asset was originally booked and employing realistic prepayment estimates E. quality control reviews; F. interest rate risk and liquidity levels; G. guidelines for due diligence reviews, definitions of loan products to purchase, amount of loans desired, and authority for purchase/commitment letter; H. guidelines for amount of loans that can be retained in the pipeline, levels of uncommitted inventory, number and dollar amount of pools in process, and approval authority; I. board review of mortgage banking activity reports including default rates, new loans, liquidity levels, capital needs, past dues, geographic concentrations, departmental profit and loss statements, and foreclosure rates. SUGGESTED MORTGAGE COMPANY REVIEW AREAS MANAGEMENT AND BOARD SUPERVISION 1. Review minutes from board and committee meetings to determine whether directors are fulfilling their fiduciary and supervisory responsibilities. Determine if management is providing sufficient information to the board. 2. Determine if any officer is paid based on volume/commissions. 3. Determine if the mortgage company's goals and objectives are incorporated into a long-term business plan. Determine whether objectives, goals, and growth targets are reasonable. 4. Evaluate the mortgage banking operations policy manual. Ensure that the policy addresses such items as: mortgage company's objectives, scope of operations, description of the lines of approval for transactions, and reporting requirements. 5. Determine the frequency and scope of internal and external audits. Determine if the audit program adequately addresses: loan origination, mortgage servicing, secondary mortgage marketing, internal controls, and management information systems. 6. Review audit reports and management responses to reports prepared by internal and external auditors, FNMA, GNMA, and HUD. 7. Determine if auditor's exceptions are brought to the attention of the bank's or bank holding company's board and the mortgage company's board. 8. Review the Quality Control plan to determine reasonableness and ensure compliance with investor requirements. 9. Determine whether Quality Control results are relayed to executive management, and whether follow-up procedures are adequate to ensure corrective action . 10. Review board minutes to ascertain the date the board last reviewed and approved the insurance program. 11. Review all current and pending litigation of a material nature and determine whether adequate reserves are maintained to cover anticipated financial exposure. 12. Evaluate staffing requirements and knowledge and skills of executive officers. 13. Evaluate adequacy of management information systems (internal and external). 00-1 - LOAN ORIGINATION 1. Determine the types of mortgage products offered and the company's target markets. Evaluate portfolio trends for over reliance on one product type and undue concentrations in one geographic area. 2. Determine whether the level of nonconforming or unsalable loans originated present undue risk and whether the quality and delinquency trends for such loans are adequately monitored. 3. Ensure that all mortgage production offices conform to uniform policies for underwriting, pricing, and product type. 4. Determine if limits are set for uncommitted inventory for the mortgage operation. Ascertain if a funding limit is set for the loan origination. How is it monitored for liquidity? 5. Evaluate procedures, checklists and systems for closing loans. Are all required documents obtained from the borrower before funds are disbursed? If not, evaluate appropriateness of suspense items. 6. Review Quality Control reports to determine if underwriting concerns are identified. 7. Determine if the bank monitors fall-out risk for borrower withdrawals and underwriting concerns. 8. Determine who makes the decision for loans to be warehoused. Is there a dollar limit for loans committed to be resold in pools or for loans held in uncommitted inventory? Is there a limit on the length of time it can be carried in inventory? 00-1 - LOAN PRODUCTION 1. Determine if the mortgage operations purchase loans on a wholesale basis. Are purchases primarily new origination, seasoned loans or both? 2. Determine how the mortgage company is informed that loans are for sale. 3. Determine if there are policies and procedures for Due Diligence Reviews. Do contracts specify scope, sampling, loan products, compensation, etc.? 4. Does the loan policy limit purchases by loan type? geographic area? product features (ie ARMs)? 00-1 - SECONDARY MARKETING 1. Review minutes from recent committee meetings to determine the nature and scope of responsibilities, the frequency of meetings, and the degree to which oversight over marketing activities is provided. 2. Determine whether loans or securities are sold with recourse. If so, are recourse obligations monitored? Are recourse losses analyzed by investor and product type? Are reserves held for recourse loans? Are reserves adequate? 3. Are all mortgage products originated by the mortgage company intended to be salable in the secondary market? How is actual salability monitored? 4. Are mortgage loans that are not salable generated specifically for the permanent investment portfolio of either the mortgage banking company or its bank affiliates. Related intercompany purchase and sale agreements should be reviewed for compliance with Sections 23A and 23 B of the Federal Reserve Act. 5. What methods do management use to predict the volume of applications that are expected to "fall out" of the mortgage pipeline. Is methodology well documented? 6. Determine if any hedging products are used to hedge interest rate risk associated with inventory loans and rate-locked loan applications in the pipeline? Review the marketing policy to determine hedging products and strategies. 7. Review information provided to executive management and the board to determine whether hedging practices are adequately supervised. 8. Review list of approved brokers and dealers. Have appropriate dealer limits been established and limits adhered to? Are exceptions monitored? 9. Does management monitor the financial capacity of brokers and dealers? 00-1 - LOAN SERVICING AND ADMINISTRATION 1. Determine if a periodic review of services provided by each subservicer is conducted. The financial condition of each subservicer should be evaluated at least annually. 2. Has a contingent operating plan been established should subservicers and vendors be unable to perform their contractual obligations? 3. Are periodic quality control reviews performed on the subservicer? If not, does the subservicer have their own quality control review? 4. Does a disaster recovery plan exist to cover all servicing functions performed in house? Verify that backup systems exist should primary systems fail. 5. Review the list of investors for which servicing is performed. Discuss the nature of any recourse or repurchase provisions and nonreimbursable collection and/or foreclosure expenses. 6. Determine if an annual analysis of escrow accounts is performed. How are underages and overages handled? 7. Review procedures for collecting late payments. At what point do collection efforts start once an account becomes delinquent? (i.e. 20 day requirements for some investors) 8. Review loan delinquency reports by product type and originator. 9. Determine the number and volume of delinquent loans that were purchased from the servicing portfolio (buyouts and buybacks). Assess the impact of repurchases on profitability. 10. Review the system for logging, tracking, and responding to customer complaints. Has the volume of complaints grown? Are complaints addressed promptly, with any problems resolved in a timely manner? Review mortgage complaint log and files and determine if complaints are concentrated in one area. 00-1 - FINANCIAL ANALYSIS 1. Review the mortgage company's financial statements over the previous three year period. Discuss significant balance sheet and income statement categories with management. 2. Are financial trends consistent with the economic environment, interest rate movements, and management's intended growth strategy? 3. Obtain a copy of the loans past due 30, 60, and 90 days by loan type. 4. Obtain a list of loans in the process of foreclosure and bankruptcy. Review with management. 5. Reconcile all other real estate owned by the mortgage banking company to the general ledger. Compare current appraisals to carrying value for potential write-downs. 6. Review the reserve account for accuracy and adequacy. 7. Determine the mortgage banking company's liquidity needs based upon a review of the size of its warehouse and the nature and extent of other longer-term assets. 8. Are sources of liquidity adequate under current conditions and economic duress? 9. Does the company have the ability to obtain the cash required to make payments as needed? Easy access to lines of credit? 10. Review asset/liability management practices to determine whether funding maturities closely approximate the maturities of underlying assets or whether a funding mismatch exists. 11. Are capital levels adequate to absorb potential operating losses, provide for liquidity needs and expected growth, and meet minimum requirements set by investors whose loans are serviced and other external parties? 12. Does management adequately monitor and report capital levels to the board of directors? 13. Is the parent company prepared to support its subsidiaries should the financial need arise? Are cash dividends paid by the mortgage subsidiary to the parent company reasonable? 14. Evaluate the overall financial condition of the mortgage company, considering its asset quality, earnings, liquidity, and capital adequacy. APPENDIX A: ACCOUNTING LITERATURE Banks must conform to Regulatory Accounting Principles. Bank holding companies and their direct subsidiaries must conform to Generally Accepted Accounting Principles (GAAP). The following is a list of GAAP governing the mortgage banking industry which are in the form of accounting standards and interpretations. FASB Statement No. 122, "Accounting for Mortgage Servicing Rights." SFAS No. 65, "Accounting for Certain Mortgage Banking Activities." SFAS No. 80, "Accounting for Futures Transactions." SFAS No. 91, "Accounting for Nonrefundable Fees and Costs Associated with Originating or Acquiring Loans and Initial Direct Costs of Leases." SFAS No. 115, "Accounting for Certain Investments in Debt and Equity Securities." Emerging Issues Task Force (EITF) Issue No. 85-13, "Sale of Mortgage Service Rights on Mortgages Owned by Others." EITF Issue No. 86-38, "Implications of Mortgage Prepayments on Amortization of Servicing Rights." EITF Issue No. 86-39, "Gains from the sale of Mortgage Loans with Servicing Rights Retained." EITF Issue No. 88-11, "Allocation of Recorded Investment When a Loan or Part of a Loan is Sold." EITF Issue No. 89-5, "Sale of Mortgage Loan Servicing Rights." EITF Issue No. 92-10, "Loan Acquisitions Involving Table Funding Arrangements." Technical Bulletin No. 87-3, "Accounting for Mortgage Servicing Fees and Rights." APPENDIX B: REGULATORY GUIDANCE State and Federal issuances which may be useful in reviewing mortgage banking activities: 23-32-701 A.C.A. - Powers of Banks FDIC Transactions Between Member State Banks and Their Affiliates FFIEC Mortgage Servicing Rights 2010.0.1 Policy Statement on the Responsibility of Bank Holding Companies to Act as Sources of Strength to Their Subsidiary Banks 2020.0 - .7 Intercompany Transactions 2050.0 Extensions of Credit to BHC Officials 2060.0 - .6 Management Information Systems 2065.2 Determining an Adequate Level for the Allowance for Loan and Lease Losses 2080.0 - .3 BHC Funding Practices 2130.0 Futures, Forward, and Option Contracts 2150.0 Repurchase Transactions 2190.0 Asset Securitization 2190.0.5 "Interagency Supervisory Policy Statement on Securities Activities" 3070.0 Section 4 (c) (8) - Mortgage Banking 3080.0 Section 4 (c) (8) - Servicing Loans 4000 Financial Analysis 4070 BHC Rating System 95-2 – Retail Sales of Non Deposit Investment Products I. Introduction The sale of nondeposit investment products, which is defined for this policy to include equity securities, bonds, mutual funds, and annuities, by Arkansas state chartered banks, has increased over the last few years. To provide guidance for this type of activity, this examination policy has been issued in conjunction with the Interagency State issued February 15, 1994 by the four Federal banking regulatory agencies. A bank's compliance with these policies should be evaluated as a part of the examination process. Although the Interagency Statement does not generally apply to sales of nondeposit investment products to nonretail customers, such as sales to fiduciary accounts administered by an institution, examiners should apply the recommended examination procedures when retail customers are directed to the institution's trust department where they may purchase nondeposit investment products by simply completing a customer agreement. II. Authority to Sell NonDeposit Investment Products A Resolution addressing the sale of securities for bank customers and other are issued by the State Banking Board as of March 8, 1983. All Arkansas banks were authorized to sell fixed or variable annuities through Act 592 of 1995 which amended A.C.A. Section 23-64-203. This act allowed all banks to be licensed to sell credit life insurance as well as fixed or variable rate annuities. Individuals that sell nondeposit investment products must be registered with the National Association of Securities Dealers (NASD) and the Arkansas Securities Department. The chart below lists the require examination series an individual must pass before he/she is qualified to sell a particular type of security or nondeposit investment product in Arkansas: PRODUCT REQUIREMENTS TO SELL Mutual Funds Series 6 to 7, AND Series 63 Fixed Rate Annuities Fixed annuity license issued by Arkansas Insurance Department Variable Rate Annuities Series 6 or 7, AND Series 63 PRODUCT REQUIREMENTS TO SELL Equity Securities Series 7 or 62, AND Series 63 Government Securities Series 52 or 7, AND Series 63 Municipal Securities Series 52 or 7, AND Series 63 III. Marketing of NonDeposit Investment Products This examination policy applies to nondeposit investment products marketed through three different methods. The first marketing method is directly through the bank's employees. The second marketing method utilizes employees of a third party, which may or may not be affiliated with the bank and which sell the nondeposit investment products on the bank's premises (including sales or recommendations initiated by telephone or by mail from the bank premises). The third method involves sales of nondeposit investment products resulting from a referral of retail customers by the institution to a third party when the depository institution receives a benefit for the referral. A majority of all nondeposit investment products are sold by agents of third parties. The bank is able to offer nondeposit investment products to its customers without committing a large part of its personnel to the selling of these products or the time consuming servicing of customer accounts. Third parties include bona fide subsidiaries1 of the bank, bank affiliated broker/dealers of the bank's holding company, or unaffiliated broker/dealers. Other entities such as insurance companies may be used by banks to sell annuities and other nondeposit investment products. IV. Risks Associated with the Sale of Non-Deposit Investment Products With the possible reward of higher fee income comes the added risks associated with the marketing of any product. Three main risks are of supervisory concern. These include litigation risks, compliance risks, and performance risks. All three risks should be assessed by management and the examiner to determine if the risk of selling nondeposit investment products outweighs the rewards of the offered service. Litigation risks are usually created when a bank does not properly disclose to its customers that its nondeposit investment products: are not incurred by the FDIC; are not deposits or other obligations of the institution and are not guaranteed by the institution; and, are subject to investment risks, including possible loss of the principal invested. Other litigation risks can be caused by unethical sales techniques such as churning and switching of accounts. The National Association of Securities Dealers (NASD) Rules of Fair Practice expressly governs the sale so securities by broker/dealers and their agents. Compliance risks are created by noncompliance with all applicable laws of the Securities and Exchange Commission (SEC), NASD, and the Arkansas Securities Department, the Arkansas Insurance Department, and the bank's state and federal regulators. Noncompliance with these agencies could result in enforcement actions, fines , and suspension of the sale of nondeposit investment products by the bank. Banks choosing to sell nondeposit investment products must have a compliance monitoring system to ensure compliance with all applicable laws. 1Compliance with 12 CFR 337.4 is required for state nonmember banks conducting securities activities through affiliates or subsidiaries. Performance risks are created when customers become dissatisfied with the performance of their investments. These unhappy customers may withdraw deposits they had with the bank and establish banking relationships with competing institutions. Other performance risks arise when the expense associated with the sale of nondeposit investment products exceeds the income the products generate. Additionally, the sale of non-deposit investment products exposes the bank to additional embezzlement schemes and improprieties. Auditing procedures of a bank choosing to sell nondeposit investment products must be able to identify these additional risks. V. Examination Procedures of Banks Selling Non-Deposit Investment products 1. Determine the bank's marketing method of Nondeposit Investment Products. For affiliated organizations selling nondeposit investment products, check the Officer's Questionnaire. The Arkansas State Bank Department is granted authority to examine affiliates of any state chartered bank through A.C.A. Section 23-32-1104. Direct inquiries to management may be needed if the bank uses its own employees or a subsidiary, uses an unaffiliated vendor on it premises, or refers its customers to a third party vendor and receives a referral fee. Refer to Retail Sale of Nondeposit Investment Products Examination Procedures Work Papers for additional information. 2. Check with the Department to determine that the broker/dealer firm the subject bank is using has not has "past disciplinary actions" issued by the NASD or the Arkansas Securities Department. The NASD/Arkansas Securities Department has regulatory/examination authority for all broker/dealers and their agents operating in Arkansas. The NASD has agreed to cooperate with the four federal banking agencies in the supervision of banks which sell nondeposit investment products. 3. Complete the Retail Sale of Nondeposit Investment Products Examination Procedures Work Papers. Keep in examination workpapers for future reference. 4. Assess the following factors to be included in the Management comment of the Report of Examination: technical competence regarding nondeposit investment products; compliance with all governing regulations; compliance with internal policies; compliance with the Federal Regulator's Interagency Statement; and contingency risks associated with the sale of nondeposit investment products. ARKANSAS STATE BANK DEPARTMENT RETAIL SALE OF NONDEPOSIT INVESTMENT PRODUCTS EXAMINATION PROCEDURES--WORK PAPERS Bank Name: Charter number: Date: Examiner Assigned: State chartered banks are permitted to engage in sales of nondeposit investment products, provided the Board of Directors has ensured the bank has adequate expertise on hand, and appropriate policies and procedures in place to conduct these activities in a safe and sound manner. If management permits the sale of nondeposit investment products without addressing the aforementioned issues, the bank may be subjected to substantial risks including potential liability to provide restitution to improperly advised customers and possible loss of customer confidence through association with high-risk products. If the examination procedure does not apply, mark as N.A. REGISTRATION REQUIREMENTS Review extent and nature of activity to determine whether the nondeposit Investment activity is conducted through a subsidiary of the bank, an affiliate of the bank, or an unaffiliated third party. Under Arkansas Law, banks are directly exempt from registration requirements as broker/dealers with the Arkansas Securities Department. Accordingly, if the bank has chosen to directly sell nondeposit investment products, it can do so through a wholly owned subsidiary, or an affiliate company owned by the bank's holding company. Any employees of a wholly-owned bank subsidiary or affiliate organization selling nondeposit investment products must be registered with the NASD and the Arkansas Securities Department. Most state chartered banks provide nondeposit investment products services by referring customers to unaffiliated third parties; therefore, no registration is needed for the bank's employees making the referrals. Examiners should refer irregular noncomplying, or questionable activity to the EIC, who will coordinate inquiries with the Bank Department, and/or Arkansas Securities Department. If the activity is conducted through a third party provider selling at the bank's offices, determine whether the third party provider is registered with the Arkansas Securities Department. List the in state officer or partner acting as supervisor of the broker/dealer firm which conducts the customers' nondeposit investment trades. Name/Title If the activity is conducted by an employee of the bank's subsidiary or an affiliate of the bank, verify the employee's registration with the Arkansas Securities Department. If nondeposit investment products are sold in any of the bank's branches, check for proper licensing of the agents selling the products. DISCLOSURE AND SUITABILITY Determine whether adequate verbal and written disclosures are made regarding the risk of the product. Review all marketing material, including sample oral sales dialogues, brochures, lobby displays, and advertising (newspaper, radio, television) copy to determine that the following are conspicuously disclosed: Not insured by the FDIC. Not an obligation of the bank. Not guaranteed by the bank. Investment risk, including the possible loss of principal. Determine whether sales information adequately discloses the associated costs: Is the product subject to any early withdrawal penalties, surrender charge penalties, or deferred sales charges? is the effect of commissions and fees on yields disclosed in a complete and understandable manner? Determine whether the product is adequately distinguished from bank products. If the bank as joint advertising with the nondeposit investment products seller, does the advertising clearly segregate information? Do account statements sent to nondeposit investment purchasers reference the bank in any way? Do nondeposit products have names that are different and not easily confused with deposit products? Determine whether sales activity is adequately segregated from deposit-taking and other banking functions: If the product is sold by a bank employee, determine whether the employee moves to a separate location within he bank to make the transaction. determine that no uninsured products are sold from the same desk, window, or lobby area where insured deposits are transacted. If the bank's premises are limited, determine that extra emphasis is made in disclosing the products uninsured status. Determine the employees who accept retail deposits (tellers) are prohibited from giving investment advice and from selling retail nondeposit investment products. Determine whether bank employees with customer contact have signed an acknowledgment limiting their sales activity to bank products, if applicable. Determine that any dual employee (if applicable) adequately disclose that they work for both the bank and the broker/dealer. Determine whether the bank provides any information on its customers (i.e. maturing CDs) to third party or dual broker/dealers, without the prior written consent of the customer. Review the prospectus of products offered for sale to determine whether any apparently high-risk products are offered. For example, long-term bond funds or funds composed of nonrated investments generally carry higher risk than short-term Government or rated municipal funds. Review the variety and diversity of products offered. Does the bank offer enough products to provide a range for differing customer needs? If annuities are offered, determine that the bank is registered with the Arkansas Insurance Department and that personnel conducting the sales are registered insurance agents. Determine whether adequate procedures are employed to determine the suitability of a product for a customer prior to its sale: Do sales representatives make a reasonable inquiry into a customer's financial condition or other investments? Is inquiry made regarding the customer's comfort level for risk to their investment principal? Is inquiry made concerning the customer's investment objective, i.e., growth, income, tax deferral? Review a sample of customer files to determine. Is there adequate documentation to indicate that the customer understands that the nondeposit investment is not insured and that the nondeposit investment is not a bank product? Do customers sign a disclosure document when the nondeposit account is opened? Is appropriate documentation maintained to reflect that the salesperson had reasonable grounds to believe a recommended investment was suitable for the customer at the time of the transaction? Is this determination based on information obtained directly from the customer? Are the files updated periodically? MANAGEMENT AND OVERSIGHT ACTIVITY Evaluate the adequacy of Board-approved written policies and procedures. These should address, at a minimum: Supervision of personnel involved in nondeposit investment products. The roles of other entities selling on bank premises. The types of products the bank will sell. The manner in which customers will be informed regarding the uninsured status of investment products. The permissible uses of bank customer information; and How compliance will be monitored. Review the Board's evaluation of the products being offered in terms of risk, suitability, etc. Ensure that evaluations are performed on a periodic basis. Review management reports regularly going to the Boar d to determine whether they are adequate to supervise the activity. If the bank is affiliated with a third-party broker/dealer, determine whether the Board undertook a complete evaluation of the third party before entering into an agreement by: Determining the third party's ability to fulfill commitments evidenced by capital strength and operating results disclosed in current financial data, annual reported, credit report, etc.; Inquiring into the entity's general reputation for financial stability and fair and honest dealings with customers, including an inquiry of past or current financial institution customers of the entity; Questioning appropriate State and Federal securities industry self-regulatory organizations (i.e. National Association of Securities Dealers), as to formal enforcement actions against the dealer or its affiliates or associated personnel; Inquiring, as appropriate, into the licensing status and background of sales representative(s) to determine experience and expertise; and Conducting periodic reviews of the entity once a relationship has been established. If the activity is conducted through a third-party broker/dealer, review the written agreement between the bank and the provider to ensure that it: Requires compliance with all applicable registration and regulatory requirements; Indicates that bank management and regulators will be verifying compliance to applicable laws and regulation; Includes provisions regarding bank oversight or activity; Provides examiner access to records of broker's activities at the bank; Details terms for compensation for bank space, equipment, and personnel used by the third-party; and Indemnifies the bank for any claims arising out of the securities brokerage service. Determine that background inquiries have been performed on sales personnel who are bank employees with previous security industry experience. The inquiry should check for any possible disciplinary history with securities regulators. Review the resumes and visit the sales personnel employed by the bank to determine whether they are qualified and adequately trained to sell all nondeposit investment products offered by the bank. Do they have a thorough product knowledge and understand customer protection requirements? Have they received adequate and ongoing training? Review the level and nature of compensation provided the employee/sales personnel for reasonability and propriety. Compensation should not operate on an incentive basis for salespersons if a more appropriate option is available. If tellers participate in a referral program, banks should not base compensation on success of sale. Review the adequacy of audit procedures and policy in the area: Determine whether written audit procedures and policy are established for nondeposit investment products. Have audit and compliance personnel been properly trained and qualified? Does the compliance function include a system to monitor customer complaints and periodically review customer accounts to prevent abusive practices? Does compliance personnel review progress in addressing identified compliance problems? Are compliance findings periodically reported to the bank's board of directors? determine whether the bank has received a written acknowledgment from its blanket bond carrier regarding direct or indirect sale of nondeposit investment products. EXAMINATION REPORT If the bank is not involved in any way in retail sales of nondeposit investment products, state as much in the confidential section of the report. If the bank is involved in any way in retail sales of nondeposit investment products, discuss activity in the Management Comment. significant activity or weaknesses should also be discussed in Overall Examination Conclusions. Comments should address the following at a minimum: Nature of activity, registration Where it is conducted Who is involved Whether products have any particular risk characteristics Disclosure adequacy Documentation of suitability Quality of management and board oversight. REFERENCES The following sources of information may be used for further guidance: Interagency Statement on retail Sales of Nondeposit Investment Products, 2-15-94 12 CFR 337.4 "securities Activities of Subsidiaries of Insured Nonmember Banks: Bank transactions with Affiliated Securities Companies" OCC Bulletin 94-13 "Examination Procedures for Retail Nondeposit Investment sales", 2-24-94 Boar of Governors of the Federal Reserve System "Examination Procedures for Retail Sales Of Nondeposit Investment Products", 5-31-94 FDIC Transmittal 94-067 "Examination Procedures for Banks Involved with the Sale of Nondeposit Investment Products", 4-28-94 DOB Numbered Memo 88-06 "Unsuitable Investment Practices", 5-20-88 Chapter 42 of the Arkansas Code of 1987 Annotated 97-2 – Disclosure of CAMELS Component Rating Background The Uniform Interagency Bank Rating System (the CAMEL Rating System) was developed by the Federal Financial Institutions Examination Council (FFIEC) and has been utilized by the Arkansas State Bank Department for several years. On March 1, 1993, the Arkansas State Bank Department made a decision to advise Boards of Directors of state chartered banks of the entire CAMEL rating assigned pursuant to an examination by this agency. By disclosing all component ratings, it is felt that bank directors are more fully informed of the bank's condition, as indicated by the assigned component ratings, and therefore better equipped to address all financial and operational deficiencies. Effective July 1, 1997 the updated rating system now referred to as the CAMELS rating system will be utilized by the Arkansas State Bank Department. This rating system is also used by federal bank regulatory agencies. Each bank's Board of Directors are advised of the assigned rating in the examination report, and the rating will not be a matter of public information. The rating disclosed in the examination report is that assigned by the Examiner in Charge and approved by supervisory personnel and the Bank Commissioner as a result of an independent examination by the Arkansas State Bank Department or as a result of a joint or concurrent examination in which the Arkansas State Bank Department participated. While the CAMELS rating assigned by the Arkansas State Bank Department may be the same as that assigned by the respective federal agency, some differences in component and composite ratings may exist. It is important to note that the overall uniform bank rating is not an arithmetic mean of the six component ratings, but the composite rating should be consistent with the individual performance ratings. Overview of the Rating System The rating system is based upon a careful evaluation of six critical dimensions of a bank's operations that reflect in a comprehensive fashion an institution's financial condition, managerial performance, compliance with banking regulations and statutes and overall operating soundness. The specific dimensions that are to be evaluated are the following: Capital Adequacy Asset Quality Management Earnings Liquidity Sensitivity To Market Risk Each of these dimensions is to be rated on a scale of 1 thru 5 in descending order of performance quality. Thus, 1 represents the highest and 5 the lowest (and most critically deficient) level of operating performance. Each bank is accorded a summary or composite rating that is predicated upon the evaluations of the specific performance dimensions. The composite rating is also based upon a scale of 1 thru 5 in ascending order of supervisory concern. In arriving at a composite rating, each financial dimension must be weighed and due consideration given to the interrelationships among the various aspects of a bank's operations. The delineation of specific performance dimensions does not preclude consideration of other factors that, in the judgment of the examiner or reviewer, are deemed relevant to accurately reflect the overall condition and soundness of a particular bank. However, the assessment of the specific performance dimensions represents the essential foundation upon which the composite rating is based. Composite Rating The five composite ratings are defined and distinguished as follows: Composite 1 Financial institutions in this group are sound in every respect and generally have components rated 1 or 2. Any weaknesses are minor and can be handled in a routine manner by the board of directors and management. These financial institutions are the most capable of withstanding the vagaries of business conditions and are resistant to outside influences such as economic instability in their trade area. These financial institutions are in substantial compliance with laws and regulations. As a result, these financial institutions exhibit the strongest performance and risk management practices relative to the institution's size, complexity, and risk profile, and give no cause for supervisory concern. Composite 2 Financial institutions in this group are fundamentally sound. For a financial institution to receive this rating, generally no component rating should be more severe than 3. Only moderate weaknesses are present and are well within the board of directors' and management's capabilities and willingness to correct. These financial institutions are stable and are capable of withstanding business fluctuations. These financial institutions are in substantial compliance with laws and regulations. Overall risk management practices are satisfactory relative to the institution's size, complexity, and risk profile. There are no material supervisory concerns and, as a result, the supervisory response is informal and limited. Composite 3 Financial institutions in this group exhibit some degree of supervisory concern in one or more of the component areas. These financial institutions exhibit a combination of weaknesses that may range from moderate to severe; however, the magnitude of the deficiencies generally will not cause a component to be rated more severely than 4. Management may lack the ability or willingness to effectively address weaknesses within appropriate time frames. Financial institutions in this group generally are less capable of withstanding business fluctuations and are more vulnerable to outside influences than those institutions rated a composite 1 or 2. Additionally, these financial institutions may be in significant noncompliance with laws and regulations. Risk management practices may be less than satisfactory relative to the institution's size, complexity, and risk profile. These financial institutions require more than normal supervision, which may include formal or informal enforcement actions. Failure appears unlikely, however, given the overall strength and financial capacity of these institutions. Composite 4 Financial institutions in this group generally exhibit unsafe and unsound practices or conditions. There are serious financial or managerial deficiencies that result in unsatisfactory performance. The problems range from severe to critically deficient. The weaknesses and problems are not being satisfactorily addressed or resolved by the board of directors and management. Financial institutions in this group generally are not capable of withstanding business fluctuations. There may be significant noncompliance with laws and regulations. Risk management practices are generally unacceptable relative to the institution's size, complexity, and risk profile. Close supervisory attention is required, which means, in most cases, formal enforcement action is necessary to address the problems. Institutions in this group pose a risk to the deposit insurance fund. Failure is a distinct possibility if the problems and weaknesses are not satisfactorily addressed and resolved. Composite 5 Financial institutions in this group exhibit extremely unsafe and unsound practices or conditions; exhibit a critically deficient performance; often contain inadequate risk management practices relative to the institution's size, complexity, and risk profile; and are of the greatest supervisory concern. The volume and severity of problems are beyond management's ability or willingness to control or correct. Immediate outside financial or other assistance is needed in order for the financial institution to be viable. Ongoing supervisory attention is necessary. Institutions in this group pose a significant risk to the deposit insurance fund and failure is highly probable. Performance Evaluation As already noted, the six key performance dimensions -- capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk -- are to be evaluated on a scale of one to five. The following is a description of the gradations to be utilized in the assignment of performance ratings: Rating No. 1 - indicates strong performance. It is the highest rating and is indicative of performance that is significantly higher than average. Rating No. 2 - reflects satisfactory performance. It reflects performance that is average or above; it includes performance that adequately provides for the safe and sound operation of the bank. Rating No. 3 - represents performance that is flawed to some degree; as such, it is considered fair. It is neither satisfactory nor marginal but is characterized by performance of below average quality. Rating No. 4 - represents marginal performance which is significantly below average. If left unchecked, such performance might evolve into weaknesses or conditions that could threaten the viability of the institution. Rating No. 5 - is considered unsatisfactory (poor). It is the lowest rating and is indicative of performance that is critically deficient and in need of immediate remedial attention. Such performance by itself, or in combination with other weaknesses, could threaten the viability of the institution. Capital Adequacy A financial institution is expected to maintain capital commensurate with the nature and extent of risks to the institution and the ability of management to identify, measure, monitor, and control these risks. The capital adequacy of an institution is rated (1 thru 5) based upon, but not limited to, an assessment of the following evaluation factors: (a) The level and quality of capital and the overall financial condition of the institution. (b) The ability of management to address emerging needs for additional capital. (c) The nature, trend, and volume of problem assets, and the adequacy of allowances for loan and lease losses and other valuation reserves. (d) Balance sheet composition, including the nature and amount of intangible assets, market risk, concentration risk, and risks associated with nontraditional activities. (e) Risk exposure represented by off-balance sheet activities. (f) The quality and strength of earnings, and the reasonableness of dividends. (g) Prospects and plans for growth, as well as past experience in managing growth. (h) Access to capital markets and other sources of capital, including support provided by a parent holding company. Ratings Capital Adequacy rated 1 indicates a strong capital level relative to the institution's risk profile. A 2 rating indicates a satisfactory capital level relative to the financial institution's risk profile. A rating of 3 indicates a less than satisfactory level of capital that does not fully support the institution's risk profile. The rating indicates a need for improvement, even if the institution's capital level exceeds minimum regulatory and statutory requirements. A 4 rating indicates a deficient level of capital. In light of the institution's risk profile, viability of the institution may be threatened. Assistance from shareholders or other external sources of financial support may be required. Capital adequacy rated 5 indicates a critically deficient level of capital such that the institution's viability is threatened. Immediate assistance from shareholders or other external sources of financial support is required. Asset Quality The asset quality rating reflects the quantity of existing and potential credit risk associated with the loan and investment portfolios, other real estate owned, and other assets, as well as off-balance sheet transactions. The ability of management to identify, measure, monitor, and control credit risk is also reflected here. The asset quality of an institution is rated (1 thru 5) based upon, but not limited to, an assessment of the following evaluation factors: (a) The adequacy of underwriting standards, soundness of credit administration practices, and appropriateness of risk identification practices. (b) The level, distribution, severity, and trend of problem, classified, nonaccrual, restructured, delinquent, and nonperforming assets for both on- and off-balance sheet transactions. (c) The adequacy of the allowance for loan and lease losses and other asset valuation reserves. (d) The credit risk arising from or reduced by off-balance sheet transactions, such as unfunded commitments, credit derivatives, commercial and standby letters of credit, and lines of credit. (e) The diversification and quality of the loan and investment portfolios. (f) The extent of securities underwriting activities and exposure to counterparties in trading activities. (g) The existence of asset concentrations. (h) The adequacy of loan and investment policies, procedures, and practices. (i) The ability of management to properly administer its assets, including the timely identification and collection of problem assets. (j) The adequacy of internal controls and management information systems. (k) The volume and nature of credit documentation exceptions. Ratings Asset quality rated 1 indicates strong asset quality and credit administration practices. Identified weaknesses are minor in nature and risk exposure is modest in relation to capital protection and management's abilities. Asset quality in such institutions is of minimal supervisory concern. A rating of 2 indicates satisfactory asset quality and credit administration practices. The level and severity of classifications and other weaknesses warrant a limited level of supervisory attention. Risk exposure is commensurate with capital protection and management's abilities. A 3 rating is assigned when asset quality or credit administration practices are less than satisfactory. Trends may be stable or indicate deterioration in asset quality or an increase in risk exposure. The level and severity of classified assets, other weaknesses, and risks require an elevated level of supervisory concern. There is generally a need to improve credit administration and risk management practices. An asset quality rating of 4 is assigned to financial institutions with deficient asset quality or credit administration practices. The levels of risk and problem assets are significant, inadequately controlled, and subject the financial institution to potential losses that, if left unchecked, may threaten its viability. A rating of 5 represents critically deficient asset quality or credit administration practices that present an imminent threat to the institution's viability. Management The capability of the board of directors and management, in their respective roles, to identify, measure, monitor, and control the risks of an institution's activities and to ensure a financial institution's safe, sound, and efficient operation in compliance with applicable laws and regulations is reflected in this rating. The capability and performance of management and the board of directors is rated (1 thru 5) based upon, but not limited to, an assessment of the following: (a) The level and quality of oversight and support of all institution activities by the board of directors and management. (b) The ability of the board of directors and management, in their respective roles, to plan for, and respond to, risks that may arise from changing business conditions or the initiation of new activities or products. (c) The adequacy of, and conformance with, appropriate internal policies and controls addressing the operations and risks of significant activities. (d) The accuracy, timeliness, and effectiveness of management information and risk monitoring systems appropriate for the institution's size, complexity, and risk profile. (e) The adequacy of audits and internal controls to: promote effective operations and reliable financial and regulatory reporting; safeguard assets; and ensure compliance with laws, regulations, and internal policies. (f) Compliance with laws and regulations and responsiveness to recommendations from auditors and supervisory authorities. (g) Management depth and succession and the extent that the board of directors and management is affected by, or susceptible to, dominant influence or concentration of authority. (h) Reasonableness of compensation policies and avoidance of self-dealing. (i) Demonstrated willingness to serve the legitimate banking needs of the community. (j) The overall performance of the institution and its risk profile. Ratings A 1 rating indicates strong performance by management and the board of directors and strong risk management practices relative to the institution's size, complexity, and risk profile. All significant risks are consistently and effectively identified, measured, monitored, and controlled. Management and the board have demonstrated the ability to promptly and successfully address existing and potential problems and risks. A rating of 2 indicates satisfactory management and board performance and risk management practices relative to the institution's size, complexity, and risk profile. Minor weaknesses may exist, but are not material to the safety and soundness of the institution and are being addressed. In general, significant risks and problems are effectively identified, measured, monitored, and controlled. The 3 rating indicates management and board performance that need improvement or risk management practices that are less than satisfactory given the nature of the institution's activities. The capabilities of management or the board of directors may be insufficient for the type, size, or condition of the institution. Problems and significant risks may be inadequately identified, measured, monitored, or controlled. A 4 rating indicates deficient management and board performance or risk management practices that are inadequate considering the nature of an institution's activities. The level of problems and risk exposure is excessive. Problems and significant risks are inadequately identified, measured, monitored, or controlled and require immediate action by the board and management to preserve the soundness of the institution. Replacing or strengthening management or the board may be necessary. A rating of 5 indicates critically deficient management and board performance or risk management practices. Management and the board of directors have not demonstrated the ability to correct problems and implement appropriate risk management practices. Problems and significant risks are inadequately identified, measured, monitored, or controlled and now threaten the continued viability of the institution. Replacing or strengthening management or the board of directors is necessary. Earnings This rating reflects not only the quantity and trend of earnings, but also factors that may affect the sustainability or quality of earnings. The quantity as well as the quality of earnings can be affected by excessive or inadequately managed credit risk that may result in loan losses and require additions to the allowance for loan and lease losses, or by high levels of market risk that may unduly expose an institution's earnings to volatility in interest rates. The rating (1 thru 5) of an institution’s earnings is based upon, but not limited to, an assessment of the following evaluation factors: (a) The level of earnings, including trends and stability. (b) The ability to provide for adequate capital through retained earnings. (c) The quality and sources of earnings. (d) The level of expenses in relation to operations. (e) The adequacy of the budgeting systems, forecasting processes, and management information systems in general. (f) The adequacy of provisions to maintain the allowance for loan and lease losses and other valuation allowance accounts. (g) The earnings exposure to market risk such as interest rate, foreign exchange, and price risks. Ratings Earnings rated 1 indicates earnings that are strong. Earnings are more than sufficient to support operations and maintain adequate capital and allowance levels after consideration is given to asset quality, growth, and other factors affecting the quality, quantity, and trend of earnings. A 2 rating indicates earnings that are satisfactory. Earnings are sufficient to support operations and maintain adequate capital and allowance levels after consideration is given to asset quality, growth, and other factors affecting the quality, quantity, and trend of earnings. Earnings that are relatively static, or even experiencing a slight decline, may receive a 2 rating provided the institution's level of earnings is adequate in view of the assessment factors listed above. A rating of 3 indicates earnings that need to be improved. Earnings may not fully support operations and provide for the accretion of capital and allowance levels in relation to the institution's overall condition, growth, and other factors affecting the quality, quantity, and trend of earnings. The 4 rating indicates earnings that are deficient. Earnings are insufficient to support operations and maintain appropriate capital and allowance levels. Institutions so rated may be characterized by erratic fluctuations in net income or net interest margin, the development of significant negative trends, nominal or unsustainable earnings, intermittent losses, or a substantive drop in earnings from the previous years. A 5 rating indicates earnings that are critically deficient. A financial institution with earnings rated 5 is experiencing losses that represent a distinct threat to its viability through the erosion of capital. Liquidity In evaluating the adequacy of a financial institution's liquidity position, consideration should be given to the current level and prospective sources of liquidity compared to funding needs, as well as to the adequacy of funds management practices relative to the institution's size, complexity, and risk profile. Liquidity is rated (1 thru 5) based upon, but not limited to, an assessment of the following evaluation factors: (a) The adequacy of liquidity sources compared to present and future needs and the ability of the institution to meet liquidity needs without adversely affecting its operations or condition. (b) The availability of assets readily convertible to cash without undue loss. (c) Access to money markets and other sources of funding. (d) The level of diversification of funding sources, both on- and off-balance sheet. (e) The degree of reliance on short-term, volatile sources of funds, including borrowings and brokered deposits, to fund longer term assets. (f) The trend and stability of deposits. (g) The ability to securitize and sell certain pools of assets. (h) The capability of management to properly identify, measure, monitor, and control the institution's liquidity position, including the effectiveness of funds management strategies, liquidity policies, management information systems, and contingency funding plans. Ratings A liquidity rating of 1 indicates strong liquidity levels and well-developed funds management practices. The institution has reliable access to sufficient sources of funds on favorable terms to meet present and anticipated liquidity needs. A rating of 2 indicates satisfactory liquidity levels and funds management practices. The institution has access to sufficient sources of funds on acceptable terms to meet present and anticipated liquidity needs. Modest weaknesses may be evident in funds management practices. A 3 rating indicates liquidity levels or funds management practices in need of improvement. Institutions rated 3 may lack ready access to funds on reasonable terms or may evidence significant weaknesses in funds management practices. A rating of 4 indicates deficient liquidity levels or inadequate funds management practices. Institutions rated 4 may not have or be able to obtain a sufficient volume of funds on reasonable terms to meet liquidity needs. The 5 rating indicates liquidity levels or funds management practices so critically deficient that the continued viability of the institution is threatened. Institutions rated 5 require immediate external financial assistance to meet maturing obligations or other liquidity needs. Sensitivity to Market Risk Sensitivity to market risk is rated with respect to the degree to which changes in interest rates, foreign exchange rates, commodity prices, or equity prices can adversely affect a financial institution's earnings or economic capital. Market risk is rated (1 thru 5) based upon, but not limited to, an assessment of the following evaluation factors: (a) The sensitivity of the financial institution's earnings or the economic value of its capital to adverse changes in interest rates, foreign exchanges rates, commodity prices, or equity prices. (b) The ability of management to identify, measure, monitor, and control exposure to market risk given the institution's size, complexity, and risk profile. (c) The nature and complexity of interest rate risk exposure arising from nontrading positions. (d) Where appropriate, the nature and complexity of market risk exposure arising from trading and foreign operations. Ratings A sensitivity to market risk rating of 1 indicates that market risk sensitivity is well controlled and that there is minimal potential that the earnings performance or capital position will be adversely affected. Risk management practices are strong for the size, sophistication, and market risk accepted by the institution. The level of earnings and capital provide substantial support for the degree of market risk taken by the institution. A rating of 2 indicates that market risk sensitivity is adequately controlled and that there is only moderate potential that the earnings performance or capital position will be adversely affected. Risk management practices are satisfactory for the size, sophistication, and market risk accepted by the institution. The level of earnings and capital provide adequate support for the degree of market risk taken by the institution. A 3 rating indicates that control of market risk sensitivity needs improvement or that there is significant potential that the earnings performance or capital position will be adversely affected. Risk management practices need to be improved given the size, sophistication, and level of market risk accepted by the institution. The level of earnings and capital may not adequately support the degree of market risk taken by the institution. The 4 rating indicates that control of market risk sensitivity is unacceptable or that there is high potential that the earnings performance or capital position will be adversely affected. Risk management practices are deficient for the size, sophistication, and level of market risk accepted by the institution. The level of earnings and capital provide inadequate support for the degree of market risk taken by the institution. A rating of 5 indicates that control of market risk sensitivity is unacceptable or that the level of market risk taken by the institution is an imminent threat to its viability. Risk management practices are wholly inadequate for the size, sophistication, and level of market risk accepted by the institution. Examination Report Disclosure For examination purposes, the following disclosure should be made on Page 1 of the report: COMPONENT RATING Under the Uniform Interagency Bank Rating System, your institution has been rated as follows: Capital Adequacy - X Asset Quality - X Management - X Earnings - X Liquidity - X Sensitivity to Market Risk - X COMPOSITE RATING Additionally, component ratings will be disclosed on the appropriate core page of the report. This disclosure will be a simple statement disclosing the rating preceding any comments traditionally made on those pages. Example: "Asset Quality is assigned a rating of two." 98 - 1 – Capital Adequacy Capital is the cushion that enables banks to sustain losses due to economic declines and unanticipated financial setbacks. It is the buffer between unreserved losses and the interest of depositors and creditors. As the ownership interest of shareholders, capital instills discipline and motivates bank managers to exercise prudence in the acceptance and management of risk. Adequate capital promotes public confidence and enables banks to more safely support and stimulate economic growth through the ability to attract deposits at reasonable rates and lend money to qualified borrowers. The federal bank regulatory agencies have adopted uniform risk based capital guidelines and have agreed on a minimum leverage ratio. The primary objectives of risk based capital are to: 1) make regulatory capital requirements more sensitive to differing risk profiles among banks; 2) factor off-balance sheet risk exposure into the assessment of capital adequacy; 3) minimize disincentives to hold more liquid, low risk assets; and 4) achieve greater consistency in the evaluation of bank capital adequacy world-wide. POLICY The Arkansas State Bank Department hereby adopts the capital adequacy guidelines established by the Federal Deposit Insurance Corporation and Federal Reserve System for state-chartered banks. These guidelines establish a minimum capital level for: (1) Total risk-based capital ratio; (2) Tier 1 risk-based capital ratio; and (3) The leverage ratio. Specific capital levels and “capital adequacy categories” are identified below. Minimum capital levels are applicable to well managed banks with strong risk management practices in place, and assigned a composite 1 or 2 CAMELS rating by regulatory agencies. Banks not meeting this criteria will be required to maintain higher capital ratios. The Bank Commissioner retains the authority to require higher capital levels based on the condition of the bank and the performance of management and directors. CAPITAL CATEGORIES AND MINIMUM CAPITAL LEVELS A well capitalized bank: (i) Has a total risk-based capital ratio of 10.0 percent or greater; and (ii) Has a Tier 1 risk-based capital ratio of 6.0 percent or greater; and (iii) Has a leverage ratio of 5.0 percent or greater; and (iv) Is not subject to any written agreement, order, capital directive, or prompt corrective action directive issued by regulatory agencies to meet and maintain a specific capital level. An adequately capitalized bank; (i) Has a total risk-based capital ratio of 8.0 percent or greater; and (ii) Has a Tier 1 risk-based capital ratio of 4.0 percent or greater; and (iii) Has: (A) A leverage ratio of 4.0 percent or greater; or (B) A leverage ratio of 3.0 percent or greater if the bank is rated composite 1 under the CAMELS rating system in the most recent examination of the bank and is not experiencing or anticipating significant growth; and (iv) Does not meet the definition of a well-capitalized bank. An undercapitalized bank: (i) Has a total risk-based capital ratio that is less than 8.0 percent; or (ii) Has a Tier 1 risk-based capital ratio that is less than 4.0 percent or (iii) Has: (A) A leverage ratio that is less than 4.0 percent; or (B) A leverage ratio that is less than 3.0 percent if the bank is rated composite 1 under the CAMELS rating system in the most recent examination of the bank and is not experiencing or anticipating significant growth. A significantly undercapitalized bank: (i) Has a total risk-based capital ratio that is less than 6.0 percent; or (ii) Has a Tier 1 risk-based capital ratio that is less than 3.0 percent; or (iii) Has a leverage ratio that is less than 3.0 percent. A critically undercapitalized bank has a ratio of tangible equity to total assets that is equal to or less than 2.0 percent. CAPITAL COMPONENTS Tier 1 or core capital consists of the following: common stock, surplus, noncumulative perpetual preferred stock, undivided profits and capital reserves, minority interest in consolidated subsidiaries, qualifying portions of mortgage servicing assets (generally limited to: 1) 50% of the bank's equity capital exclusive of serving rights; 2) 90% of the original price of the servicing rights; or 3) 90% of the fair market value of those servicing rights), and qualifying portions of purchased credit card relationships, less ineligible intangible assets, identified losses and ineligible gains or losses on available-for-sale securities. Tier 2 or supplemental capital consists of the following: allowance for loan and leases losses (up to a maximum of 1.25 percent of risk-weighted assets), cumulative perpetual preferred stock, subordinated debt with original maturities greater than five (5) years, limited life preferred stock with original maturities greater than five (5) years, long-term preferred stock with a maturity greater than 20 years, mandatory convertible debt, and other capital instruments in compliance with federal regulations. The maximum amount of tier two capital that may be recognized for risk-based capital purposes is limited to 100 percent of tier one capital. The allowable volume of subordinated debt and limited life preferred stock that may be recognized as part of tier two capital is limited to 50 percent of tier one capital. POLICY CHANGES Specifics identified in capital categories, minimum capital levels, and capital components will change in order to remain consistent with modifications adopted by the Federal Deposit Insurance Corporation and the Federal Reserve System. 99-2 – Uniform Rating System for Information Technology Introduction The quality, reliability, and integrity of a financial institution or service provider's information technology (IT) affect all aspects of its performance. An assessment of the technology risk management framework is necessary whether or not the institution or a third-party service provider manages these operations. The Uniform Rating System for Information Technology (URSIT) is an internal rating system used by federal and state regulators to uniformly assess financial institution and service provider risks introduced by IT. It also allows the regulators to identify those insured institutions and service providers whose information technology risk exposure or performance requires special supervisory attention. The rating system includes component and composite rating descriptions and the explicit identification of risks and assessment factors that examiners consider in assigning component ratings. Additionally, information technology can affect the risks associated with financial institutions. The effect on credit, operational, market, reputation, strategic, liquidity, interest rate, and compliance risks should be considered for each IT rating component. The primary purpose of the rating system is to identify those entities whose condition or performance of information technology functions requires special supervisory attention. This rating system assists examiners in making an assessment of risk and compiling examination findings. However, the rating system does not drive the scope of an examination. Examiners should use the rating system to help evaluate the entity's overall risk exposure and risk management performance, and determine the degree of supervisory attention believed necessary to ensure that weaknesses are addressed and that risk is properly managed. Overview The URSIT is based on a risk evaluation of four critical components: Audit, Management, Development and Acquisition, and Support and Delivery (AMDS). These components are used to assess the overall performance of IT within an organization. Examiners evaluate the functions identified within each component to assess the institution's ability to identify, measure, monitor and control information technology risks. Each organization examined for IT is assigned a summary or composite rating based on the overall results of the evaluation. The IT composite rating and each component rating are based on a scale of "1" through "5" in ascending order of supervisory concern; "1" representing the highest rating and least degree of concern, and "5" representing the lowest rating and highest degree of concern. The first step in developing an IT composite rating for an organization is the assignment of a performance rating to the individual AMDS components. The evaluation of each of these components, their interrelationships, and relative importance is the basis for the composite rating. The composite rating is derived by making a qualitative summarization of all of the AMDS components. A direct relationship exists between the composite rating and the individual AMDS component performance ratings. However, the composite rating is not an arithmetic average of the individual components. An arithmetic approach does not reflect the actual condition of IT when using a risk- focused approach. A poor rating in one component may heavily influence the overall composite rating for an institution. For example, if the audit function is viewed as inadequate, the overall integrity of the IT systems is not readily verifiable. Thus, a composite rating of less than satisfactory ("3"-"5") would normally be appropriate. A principal purpose of the composite rating is to identify those financial institutions and service providers that pose an inordinate amount of information technology risk and merit special supervisory attention. Thus, individual risk exposures that more explicitly affect the viability of the organization and/or its customers should be given more weight in the composite rating. The FFIEC recognizes that management practices, particularly as they relate to risk management, vary considerably among financial institutions and service bureaus depending on their size and sophistication, the nature and complexity of their business activities and their risk profile. Accordingly, the FFIEC also recognizes that for less complex information systems environments, detailed or highly formalized systems and controls are not required to receive the higher composite and component ratings. The following two sections contain the URSIT composite rating definitions, the assessment factors, and definitions for the four component ratings. These assessment factors and definitions outline various IT functions and controls that may be evaluated as part of the examination. Composite Ratings 3 Composite 1 Financial institutions and service providers rated composite "1" exhibit strong performance in every respect and generally have components rated 1 or 2. Weaknesses in IT are minor in nature and are easily corrected during the normal course of business. Risk management processes provide a comprehensive program to identify and monitor risk relative to the size, complexity and risk profile of the entity. Strategic plans are well defined and fully integrated throughout the organization. This allows management to quickly adapt to changing market, business and technology needs of the entity. Management identifies weaknesses promptly and takes appropriate corrective action to resolve audit and regulatory concerns. The financial condition of the service provider is strong and overall performance shows no cause for supervisory concern. 3 The descriptive examples in the numeric composite rating definitions are intended to provide guidance to examiners as they evaluate the overall condition of Information Technology. Examiners must use professional judgement when making this assessment and assigning the numeric rating. Composite 2 Financial institutions and service providers rated composite "2" exhibit safe and sound performance but may demonstrate modest weaknesses in operating performance, monitoring, management processes or system development. Generally, senior management corrects weaknesses in the normal course of business. Risk management processes adequately identify and monitor risk relative to the size, complexity and risk profile of the entity. Strategic plans are defined but may require clarification, better coordination or improved communication throughout the organization. As a result, management anticipates, but responds less quickly to changes in market, business, and technological needs of the entity. Management normally identifies weaknesses and takes appropriate corrective action. However, greater reliance is placed on audit and regulatory intervention to identify and resolve concerns. The financial condition of the service provider is acceptable and while internal control weaknesses may exist, there are no significant supervisory concerns. As a result, supervisory action is informal and limited. Composite 3 Financial institutions and service providers rated composite "3" exhibit some degree of supervisory concern due to a combination of weaknesses that may range from moderate to severe. If weaknesses persist, further deterioration in the condition and performance of the institution or service provider is likely. Risk management processes may not effectively identify risks and may not be appropriate for the size, complexity, or risk profile of the entity. Strategic plans are vaguely defined and may not provide adequate direction for IT initiatives. As a result, management often has difficulty responding to changes in business, market, and technological needs of the entity. Self-assessment practices are weak and are generally reactive to audit and regulatory exceptions. Repeat concerns may exist, indicating that management may lack the ability or willingness to resolve concerns. The financial condition of the service provider may be weak and/or negative trends may be evident. While financial or operational failure is unlikely, increased supervision is necessary. Formal or informal supervisory action may be necessary to secure corrective action. Composite 4 Financial institutions and service providers rated composite "4" operate in an unsafe and unsound environment that may impair the future viability of the entity. Operating weaknesses are indicative of serious managerial deficiencies. Risk management processes inadequately identify and monitor risk, and practices are not appropriate given the size, complexity, and risk profile of the entity. Strategic plans are poorly defined and not coordinated or communicated throughout the organization. As a result, management and the board are not committed to, or may be incapable of ensuring that technological needs are met. Management does not perform self-assessments and demonstrates an inability or unwillingness to correct audit and regulatory concerns. The financial condition of the service provider is severely impaired and/or deteriorating. Failure of the financial institution or service provider may be likely unless IT problems are remedied. Close supervisory attention is necessary and, in most cases, formal enforcement action is warranted. Composite 5 Financial institutions and service providers rated composite "5" exhibit critically deficient operating performance and are in need of immediate remedial action. Operational problems and serious weaknesses may exist throughout the organization. Risk management processes are severely deficient and provide management little or no perception of risk relative to the size, complexity, and risk profile of the entity. Strategic plans do not exist or are ineffective, and management and the board provide little or no direction for IT initiatives. As a result, management is unaware of, or inattentive to technological needs of the entity. Management is unwilling or incapable of correcting audit and regulatory concerns. The financial condition of the service provider is poor and failure is highly probable due to poor operating performance or financial instability. Ongoing supervisory attention is necessary. Component Ratings 4 Audit Financial institutions and service providers are expected to provide independent assessments of their exposure to risks and the quality of internal controls associated with the acquisition, implementation and use of information technology.5 Audit practices should address the IT risk exposures throughout the institution and its service provider(s) in the areas of user and data center operations, client/server architecture, local and wide area networks, telecommunications, information security, electronic data interchange, systems development, and contingency planning. This rating should reflect the adequacy of the organization's overall IT audit program, including the internal and external auditor's abilities to detect and report significant risks to management and the board of directors on a timely basis. It should also reflect the internal and external auditor's capability to promote a safe, sound, and effective operation. 4 The descriptive examples in the numeric component rating definitions are intended to provide guidance to examiners as they evaluate the individual components. Examiners must use professional judgement when assessing a component area and assigning a numeric rating value as it is likely that examiners will encounter conditions that correspond to descriptive examples in two or more numeric rating value definitions. 5 Financial institutions that outsource their data processing operations should obtain copies of internal audit reports, SAS 70 reviews, and/or regulatory examination reports of their service providers. The performance of audit is rated based upon an assessment of factors such as: The level of independence maintained by audit and the quality of the oversight and support provided by the board of directors and management. The adequacy of audit's risk analysis methodology used to prioritize the allocation of audit resources and to formulate the audit schedule. The scope, frequency, accuracy, and timeliness of internal and external audit reports. The extent of audit participation in application development, acquisition, and testing, to ensure the effectiveness of internal controls and audit trails. The adequacy of the overall audit plan in providing appropriate coverage of IT risks. The auditor's adherence to codes of ethics and professional audit standards. The qualifications of the auditor, staff succession, and continued development through training. The existence of timely and formal follow-up and reporting on management's resolution of identified problems or weaknesses. The quality and effectiveness of internal and external audit activity as it relates to IT controls. Ratings 1. A rating of "1" indicates strong audit performance. Audit independently identifies and reports weaknesses and risks to the board of directors or its audit committee in a thorough and timely manner. Outstanding audit issues are monitored until resolved. Risk analysis ensures that audit plans address all significant IT operations, procurement, and development activities with appropriate scope and frequency. Audit work is performed in accordance with professional auditing standards and report content is timely, constructive, accurate, and complete. Because audit is strong, examiners may place substantial reliance on audit results. 2. A rating of "2" indicates satisfactory audit performance. Audit independently identifies and reports weaknesses and risks to the board of directors or audit committee, but reports may be less timely. Significant outstanding audit issues are monitored until resolved. Risk analysis ensures that audit plans address all significant IT operations, procurement, and development activities; however, minor concerns may be noted with the scope or frequency. Audit work is performed in accordance with professional auditing standards; however, minor or infrequent problems may arise with the timeliness, completeness and accuracy of reports. Because audit is satisfactory, examiners may rely on audit results but because minor concerns exist, examiners may need to expand verification procedures in certain situations. 3. A rating of "3" indicates less than satisfactory audit performance. Audit identifies and reports weaknesses and risks; however, independence may be compromised and reports presented to the board or audit committee may be less than satisfactory in content and timeliness. Outstanding audit issues may not be adequately monitored. Risk analysis is less than satisfactory. As a result, the audit plan may not provide sufficient audit scope or frequency for IT operations, procurement, and development activities. Audit work is generally performed in accordance with professional auditing standards; however, occasional problems may be noted with the timeliness, completeness and/ or accuracy of reports. Because audit is less than satisfactory, examiners must use caution if they rely on the audit results. 4. A rating of "4" indicates deficient audit performance. Audit may identify weaknesses and risks but it may not independently report to the board or audit committee and report content may be inadequate. Outstanding audit issues may not be adequately monitored and resolved. Risk analysis is deficient. As a result, the audit plan does not provide adequate audit scope or frequency for IT operations, procurement, and development activities. Audit work is often inconsistent with professional auditing standards and the timeliness, accuracy, and completeness of reports is unacceptable. Because audit is deficient, examiners cannot rely on audit results. 5. A rating of "5" indicates critically deficient audit performance. If an audit function exists, it lacks sufficient independence and, as a result, does not identify and report weaknesses or risks to the board or audit committee. Outstanding audit issues are not tracked and no follow-up is performed to monitor their resolution. Risk analysis is critically deficient. As a result, the audit plan is ineffective and provides inappropriate audit scope and frequency for IT operations, procurement and development activities. Audit work is not performed in accordance with professional auditing standards and major deficiencies are noted regarding the timeliness, accuracy, and completeness of audit reports. Because audit is critically deficient examiners cannot rely on audit results. Management This rating reflects the abilities of the board and management as they apply to all aspects of IT acquisition, development, and operations. Management practices may need to address some or all of the following IT-related risks: strategic planning, quality assurance, project management, risk assessment, infrastructure and architecture, end-user computing, contract administration of third party service providers, organization and human resources, regulatory and legal compliance. Generally, directors need not be actively involved in day- to-day operations; however, they must provide clear guidance regarding acceptable risk exposure levels and ensure that appropriate policies, procedures, and practices have been established. Sound management practices are demonstrated through active oversight by the board of directors and management, competent personnel, sound IT plans, adequate policies and standards, an effective control environment, and risk monitoring. This rating should reflect the board's and management's ability as it applies to all aspects of IT operations. The performance of management and the quality of risk management are rated based upon an assessment of factors such as: The level and quality of oversight and support of the IT activities by the board of directors and management. The ability of management to plan for and initiate new activities or products in response to information needs and to address risks that may arise from changing business conditions. The ability of management to provide information reports necessary for informed planning and decision making in an effective and efficient manner. The adequacy of, and conformance with, internal policies and controls addressing the IT operations and risks of significant business activities. The effectiveness of risk monitoring systems. The timeliness of corrective action for reported and known problems. The level of awareness of and compliance with laws and regulations. The level of planning for management succession. The ability of management to monitor the services delivered and to measure the organization's progress toward identified goals in an effective and efficient manner. The adequacy of contracts and management's ability to monitor relationships with third-party servicers. The adequacy of strategic planning and risk management practices to identify, measure, monitor, and control risks, including management's ability to perform self-assessments. The ability of management to identify, measure, monitor, and control risks and to address emerging information technology needs and solutions. In addition to the above, factors such as the following are included in the assessment of management at service providers: The financial condition and ongoing viability of the entity. The impact of external and internal trends and other factors on the ability of the entity to support continued servicing of client financial institutions. The propriety of contractual terms and plans. Ratings 1. A rating of "1" indicates strong performance by management and the board. Effective risk management practices are in place to guide IT activities, and risks are consistently and effectively identified, measured, controlled, and monitored. Management immediately resolves audit and regulatory concerns to ensure sound operations. Written technology plans, policies and procedures, and standards are thorough and properly reflect the complexity of the IT environment. They have been formally adopted, communicated, and enforced throughout the organization. IT systems provide accurate, timely reports to management. These reports serve as the basis of major decisions and as an effective performance-monitoring tool. Outsourcing arrangements are based on comprehensive planning; routine management supervision sustains an appropriate level of control over vendor contracts, performance, and services provided. Management and the board have demonstrated the ability to promptly and successfully address existing IT problems and potential risks. 2. A rating of "2" indicates satisfactory performance by management and the board. Adequate risk management practices are in place and guide IT activities. Significant IT risks are identified, measured, monitored, and controlled; however, risk management processes may be less structured or inconsistently applied and modest weaknesses exist. Management routinely resolves audit and regulatory concerns to ensure effective and sound operations, however, corrective actions may not always be implemented in a timely manner. Technology plans, policies and procedures, and standards are adequate and are formally adopted. However, minor weaknesses may exist in management's ability to communicate and enforce them throughout the organization. IT systems provide quality reports to management which serve as a basis for major decisions and a tool for performance planning and monitoring. Isolated or temporary problems with timeliness, accuracy or consistency of reports may exist. Outsourcing arrangements are adequately planned and controlled by management, and provide for a general understanding of vendor contracts, performance standards and services provided. Management and the board have demonstrated the ability to address existing IT problems and risks successfully. 3. A rating of "3" indicates less than satisfactory performance by management and the board. Risk management practices may be weak and offer limited guidance for IT activities. Most IT risks are generally identified; however, processes to measure and monitor risk may be flawed. As a result, management's ability to control risk is less than satisfactory. Regulatory and audit concerns may be addressed, but time frames are often excessive and the corrective action taken may be inappropriate. Management may be unwilling or incapable of addressing deficiencies. Technology plans, policies and procedures, and standards exist, but may be incomplete. They may not be formally adopted, effectively communicated, or enforced throughout the organization. IT systems provide requested reports to management, but periodic problems with accuracy, consistency and timeliness lessen the reliability and usefulness of reports and may adversely affect decision making and performance monitoring. Outsourcing arrangements may be entered into without thorough planning. Management may provide only cursory supervision that limits their understanding of vendor contracts, performance standards, and services provided. Management and the board may not be capable of addressing existing IT problems and risks, evidenced by untimely corrective actions for outstanding IT problems. 4. A rating of "4" indicates deficient performance by management and the board. Risk management practices are inadequate and do not provide sufficient guidance for IT activities. Critical IT risk are not properly identified, and processes to measure and monitor risks are deficient. As a result, management may not be aware of and is unable to control risks. Management may be unwilling and/or incapable of addressing audit and regulatory deficiencies in an effective and timely manner. Technology plans, policies and procedures, and standards are inadequate, have not been formally adopted, or effectively communicated throughout the organization, and management does not effectively enforce them. IT systems do not routinely provide management with accurate, consistent, and reliable reports, thus contributing to ineffective performance monitoring and/or flawed decision making. Outsourcing arrangements may be entered into without planning or analysis, and management may provide little or no supervision of vendor contracts, performance standards, or services provided. Management and the board are unable to address existing IT problems and risks, as evidenced by ineffective actions and longstanding IT weaknesses. Strengthening of management and its processes is necessary. The financial condition of the service provider may threaten its viability. 5. A rating of "5" indicates critically deficient performance by management and the board. Risk management practices are severely flawed and provide inadequate guidance for IT activities. Critical IT risks are not identified, and processes to measure and monitor risks do not exist, or are not effective. Management's inability to control risk may threaten the continued viability of the institution or service provider. Management is unable and/or unwilling to correct audit and regulatory identified deficiencies and immediate action by the board is required to preserve the viability of the institution or service provider. If they exist, technology plans, policies and procedures, and standards are critically deficient. Because of systemic problems, IT systems do not produce management reports which are accurate, timely, or relevant. Outsourcing arrangements may have been entered into without management planning or analysis, resulting in significant losses to the financial institution or ineffective vendor services. The financial condition of the service provider presents an imminent threat to its viability. Development and Acquisition This rating reflects an organization's ability to identify, acquire, install, and maintain appropriate information technology solutions. Management practices may need to address all or parts of the business process for implementing any kind of change to the hardware or software used. These business processes include an institution's or service provider's purchase of hardware or software, development and programming performed by the institution or service provider, purchase of services from independent vendors or affiliated data centers, or a combination of these activities. The business process is defined as all phases taken to implement a change including researching alternatives available, choosing an appropriate option for the organization as a whole, and converting to the new system, or integrating the new system with existing systems. This rating reflects the adequacy of the institution's systems development methodology and related risk management practices for acquisition and deployment of information technology. This rating also reflects the boards and management's ability to enhance and replace information technology prudently in a controlled environment. The performance of systems development and acquisition and related risk management practice is rated based upon an assessment of factors such as: The level and quality of oversight and support of systems development and acquisition activities by senior management and the board of directors. The adequacy of the organizational and management structures to establish accountability and responsibility for IT systems and technology initiatives. The volume, nature, and extent of risk exposure to the financial institution in the area of systems development and acquisition. The adequacy of the institution's Systems Development Life Cycle (SDLC) and programming standards. The quality of project management programs and practices which are followed by developers, operators, executive management/owners, independent vendors or affiliated servicers, and end-users. The independence of the quality assurance function and the adequacy of controls over program changes. The quality and thoroughness of system documentation. The integrity and security of the network, system, and application software. The development of information technology solutions that meet the needs of end users. The extent of end user involvement in the system development process. In addition to the above, factors such as the following are included in the assessment of development and acquisition at service providers: The quality of software releases and documentation. The adequacy of training provided to clients. Ratings 1. A rating of "1" indicates strong systems development, acquisition, implementation, and change management performance. Management and the board routinely demonstrate successfully the ability to identify and implement appropriate IT solutions while effectively managing risk. Project management techniques and the SDLC are fully effective and supported by written policies, procedures and project controls that consistently result in timely and efficient project completion. An independent quality assurance function provides strong controls over testing and program change management. Technology solutions consistently meet end user needs. No significant weaknesses or problems exist. 2. A rating of "2" indicates satisfactory systems development, acquisition, implementation, and change management performance. Management and the board frequently demonstrate the ability to identify and implement appropriate IT solutions while managing risk. Project management and the SDLC are generally effective; however, weaknesses may exist that result in minor project delays or cost overruns. An independent quality assurance function provides adequate supervision of testing and program change management, but minor weaknesses may exist. Technology solutions meet end user needs. However, minor enhancements may be necessary to meet original user expectations. Weaknesses may exist; however, they are not significant and they are easily corrected in the normal course of business. 3. A rating of "3" indicates less than satisfactory systems development, acquisition, implementation, and change management performance. Management and the board may often be unsuccessful in identifying and implementing appropriate IT solutions; therefore, unwarranted risk exposure may exist. Project management techniques and the SDLC are weak and may result in frequent project delays, backlogs or significant cost overruns. The quality assurance function may not be independent of the programming function which may adversely impact the integrity of testing and program change management. Technology solutions generally meet end user needs, but often require an inordinate level of change after implementation. Because of weaknesses, significant problems may arise that could result in disruption to operations or significant losses. 4. A rating of "4" indicates deficient systems development, acquisition, implementation and change management performance. Management and the board may be unable to identify and implement appropriate IT solutions and do not effectively mange risk. Project management techniques and the SDLC are ineffective and may result in severe project delays and cost overruns. The quality assurance function is not fully effective and may not provide independent or comprehensive review of testing controls or program change management. Technology solutions may not meet the critical needs of the organization. Problems and significant risks exist that require immediate action by the board and management to preserve the soundness of the institution. 5. A rating of "5" indicates critically deficient systems development, acquisition, implementation, and change management performance. Management and the board appear to be incapable of identifying, and implementing appropriate information technology solutions. If they exist, project management techniques and the SDLC are critically deficient and provide little or no direction for development of systems or technology projects. The quality assurance function is severely deficient or not present and unidentified problems in testing and program change management have caused significant IT risks. Technology solutions do not meet the needs of the organization. Serious problems and significant risks exist which raise concern for the financial institution's or service providers' ongoing viability. Support and Delivery This rating reflects an organization's ability to provide technology services in a secure environment. It reflects not only the condition of IT operations but also factors such as reliability, security, and integrity, which may affect the quality of the information delivery system. The factors include customer support and training, and the ability to manage problems and incidents, operations, system performance, capacity planning, and facility and data management. Risk management practices should promote effective, safe and sound IT operations that ensure the continuity of operations and the reliability and availability of data. The scope of this component rating includes operational risks throughout the organization and service providers. The rating of IT support and delivery is based on a review and assessment of requirements such as: The ability to provide a level of service that meets the requirements of the business. The adequacy of security policies, procedures, and practices in all units and at all levels of the financial institution and service providers. The adequacy of data controls over preparation, input, processing, and output. The adequacy of corporate contingency planning and business resumption for data centers, networks, service providers and business units. The quality of processes or programs that monitor capacity and performance. The adequacy of controls and the ability to monitor controls at service providers. The quality of assistance provided to users, including the ability to handle problems. The adequacy of operating policies, procedures, and manuals. The quality of physical and logical security, including the privacy of data. The adequacy of firewall architectures and the security of connections with public networks. In addition to the above, factors such as the following are included in the assessment of support and delivery at service providers: The adequacy of customer service provided to clients. The ability of the entity to provide and maintain service level performance that meets the requirements of the client. 1. A rating of "1" indicates strong IT support and delivery performance. The organization provides technology services that are reliable and consistent. Service levels adhere to well-defined service level agreements and routinely meet or exceed business requirements. A comprehensive corporate contingency and business resumption plan is in place. Annual contingency plan testing and updating is performed; and, critical systems and applications are recovered within acceptable time frames. A formal written data security policy and awareness program is communicated and enforced throughout the organization. The logical and physical security for all IT platforms is closely monitored and security incidents and weaknesses are identified and quickly corrected. Relationships with third-party service providers are closely monitored. IT operations are highly reliable, and risk exposure is successfully identified and controlled. 2. A rating of "2" indicates satisfactory IT support and delivery performance. The organization provides technology services that are generally reliable and consistent, however, minor discrepancies in service levels may occur. Service performance adheres to service agreements and meets business requirements. A corporate contingency and business resumption plan is in place, but minor enhancements may be necessary. Annual plan testing and updating is performed and minor problems may occur when recovering systems or applications. A written data security policy is in place but may require improvement to ensure its adequacy. The policy is generally enforced and communicated throughout the organization, e.g. via a security awareness program. The logical and physical security for critical IT platforms is satisfactory. Systems are monitored, and security incidents and weaknesses are identified and resolved within reasonable time frames. Relationships with third-party service providers are monitored. Critical IT operations are reliable and risk exposure is reasonably identified and controlled. 3. A rating of "3" indicates that the performance of IT support and delivery is less than satisfactory and needs improvement. The organization provides technology services that may not be reliable or consistent. As a result, service levels periodically do not adhere to service level agreements or meet business requirements. A corporate contingency and business resumption plan is in place but may not be considered comprehensive. The plan is periodically tested; however, the recovery of critical systems and applications is frequently unsuccessful. A data security policy exists; however, it may not be strictly enforced or communicated throughout the organization. The logical and physical security for critical IT platforms is less than satisfactory. Systems are monitored; however, security incidents and weaknesses may not be resolved in a timely manner. Relationships with third-party service providers may not be adequately monitored. IT operations are not acceptable and unwarranted risk exposures exist. If not corrected, weaknesses could cause performance degradation or disruption to operations. 4. A rating of "4" indicates deficient IT support and delivery performance. The organization provides technology services that are unreliable and inconsistent. Service level agreements are poorly defined and service performance usually fails to meet business requirements. A corporate contingency and business resumption plan may exist, but its content is critically deficient. If contingency testing is performed, management is typically unable to recover critical systems and applications. A data security policy may not exist. As a result, serious supervisory concerns over security and the integrity of data exist. The logical and physical security for critical IT platforms is deficient. Systems may be monitored, but security incidents and weaknesses are not successfully identified or resolved. Relationships with third-party service providers are not monitored. IT operations are not reliable and significant risk exposure exists. Degradation in performance is evident and frequent disruption in operations has occurred. 5. A rating of "5" indicates critically deficient IT support and delivery performance. The organization provides technology services that are not reliable or consistent. Service level agreements do not exist and service performance does not meet business requirements. A corporate contingency and business resumption plan does not exist. Contingency testing is not performed and management has not demonstrated the ability to recover critical systems and applications. A data security policy does not exist, and a serious threat to the organization's security and data integrity exists. The logical and physical security for critical IT platforms is inadequate, and management does not monitor systems for security incidents and weaknesses. Relationships with third-party service providers are not monitored, and the viability of a service provider may be in jeopardy. IT operations are severely deficient, and the seriousness of weaknesses could cause failure of the financial institution or service provider if not addressed. 99-3 – Investments in Bank Premises and Payment of Dividends Occasionally, the State Bank Department learns that a state chartered bank has violated Section 23-47-103 of the Arkansas Banking Code of 1997, and Section 48-203.1 of the Rules and Regulations by investing in bank premises or paying excessive dividends without obtaining the prior approval of the Bank Commissioner. Inasmuch as the referenced statute and regulation require prior approval, the prior approval contemplated by the regulations obviously cannot be given. POLICY In the future, such cases should not be submitted to the Bank Commissioner except by mention in the Report of Examination. There is no need for the bank to write the Commissioner requesting "retroactive" approval. Violation of these sections should be contained in the Report of Examination, of course, and this will ensure that the violations are brought to the attention of the bank's board of directors. In the majority of cases, the Bank Commissioner will advise the bank by letter that he will not "object" to the expenditure or dividend payment. This has the effect of notifying the bank that the Commissioner is aware of the violation but does not intend to take disciplinary action. This letter will also caution the bank against future violations. If the financial condition of the bank has been adversely affected to a serious extent by the investment or dividend payment, the case should, of course, be reported directly to the Bank Commissioner for appropriate action. 01-1 – Financing Municipalities, Counties and School Districts Background Amendment 78 of the Arkansas Constitution was passed by voters in November 2000 and became effective January 1, 2001. This amendment permits cities and counties to form redevelopment districts for the purpose of financing capital improvements for redevelopment projects in the district. Bonds may be issued to finance these projects. Amendment 78 also permits municipalities and counties to incur short-term financing obligations maturing over a period not to exceed five (5) years. Municipalities and counties can enter into such obligations for the purpose of acquiring, constructing, installing or renting real property or tangible personal property having an expected useful life of more than one (1) year. These obligations can be in the form of loans, leases or bonds. The Bank Commissioner sets a maximum rate of interest that can be charged on these obligations. The rate is set quarterly. School Districts Generally a school district is restrained from issuing obligations that cannot be paid out of the revenues of the school year in which the obligation is incurred. There are exceptions to this which include: purchase of school leases, certain insurance policies, certain equipment, school sites, repair of facilities, energy conservation measures, settlement of litigation, and employment of professional appraisers for ad valorem tax purposes. Obligations incurred to finance these exceptions may be in the form of post-dated warrants, lease purchase agreements or installment contracts which must be paid within eight (8) years of the date of issuance. The school fiscal year begins July 1. It is recommended that in financial dealings between banks, cities, counties and school districts the bank consult its attorney. 01-2 – Other Real Estate I. OTHER REAL ESTATE OWNED (OREO) DEFINED OREO generally consists of all real estate, other than bank premises, owned or controlled by the bank and its consolidated subsidiaries. OREO may also include certain receivables resulting from sales of OREO. State banks may acquire OREO by any of the following methods: 1) Real estate acquired in any manner for debts previously contracted (foreclosure, by deed in lieu of foreclosure) even if the bank has not yet received title to the property, but maintains possession of the property. 2) Real estate collateral which the bank controls "In-Substance" (accounting OREO but not legal OREO). Loans reclassified as OREO should be recorded at the fair value of the collateral less the cost to sell. Any write-down required at the time of an in-substance foreclosure should be recorded as a charge to the bank's allowance for loan and lease losses. Subsequent write-downs should be charged to current period earnings as a noninterest expense. In-Substance Criteria: The debtor has little or no equity in the collateral, considering the current fair market value of the collateral; and Proceeds for repayment of the loan can be expected to come only from the operation or sale of the collateral; and The debtor has either: Formally or effectively abandoned control of the collateral to the bank, or Retained control of the collateral but, because of the current financial condition of the debtor, or the economic prospects for the debtor and/or collateral in the foreseeable future, it is doubtful that the debtor will be able to rebuild equity in the collateral or otherwise repay the loan in the foreseeable future. Pursuant to provisions of The Financial Accounting Standards Board (FASB) Statement No. 114, "Accounting by Creditors for Impairment of a Loan," collateral dependent real estate loans that meet the above criteria should only be reported as OREO if the lender has taken possession of the collateral. If foreclosure is probable, identified losses must be recognized based on the fair value of the collateral, but such loans do not have to be reported as OREO. Accounting OREO that no longer meets the criteria for in-substance foreclosure can be reclassified as a loan. The loan must be recorded at the carrying value of the in-substance foreclosure. It cannot be written back up to reverse previous write-offs or to reverse payments applied to the recorded balance while it was considered in-substance foreclosed. 3) Real estate formerly but no longer used for banking purposes and real estate originally acquired for future expansion but no longer intended to be used for that purpose. For future expansion property not utilized within one year of acquisition date, banks must submit to the Bank Commissioner a written plan, approved by the board of directors, detailing how and when the property will be utilized for banking purposes. Future expansion property not utilized within one year of acquisition date will be considered OREO if a written plan has not been submitted to and approved by the Bank Commissioner. 4) Real estate sold under contract and accounted for under the deposit method of accounting in accordance with FASB Statement No. 66, "Accounting for Sales of Real Estate." The deposit method is used when a sale has not been consummated and/or when recovery of the carrying value of the property is not reasonably assured. If another method in accordance with FASB 66 is used to account for the sale, the resulting receivable should be reported as a loan. The inappropriate use of the deposit method may cause a bank to report higher amounts of OREO causing nonperforming assets to be overstated. 5) Real estate acquired, directly or indirectly, by the bank or a consolidated subsidiary and held for development, resale, or other investment purposes. Banks must maintain a written plan, approved by the board of directors and the Bank Commissioner, which outlines the purpose and strategy for such investments. Federal regulations require the prior approval of federal regulators for certain types of real estate investments. 6) Real estate acquisition, development, or construction arrangements that are accounted for as direct investments in real estate. II. APPLICABLE LAWS, REGULATIONS AND REGULATORY REQUIREMENTS REGARDING HOLDING AND VALUING OTHER REAL ESTATE OWNED The Arkansas Banking Code of 1997, Section 23-47-508, specifies a state bank's authority to hold OREO. State banks must also comply with requirements contained in the instructions for Reports of Condition and Income issued by the Federal Financial Institutions Examination Council (FFIEC). FFIEC instructions refer to several accounting principles regarding accounting for OREO: FASB Statement No. 15, "Accounting by Debtors and Creditors for Troubled Debt Restructurings"; FASB Statement No. 121, "Accounting for the Impairment of Long-Lived Assets and for Long-Lived Assets to be Disposed Of"; FASB Statement No. 66, "Accounting for Sales of Real Estate". Pursuant to provisions of the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA), state chartered banks may not acquire or retain, directly or indirectly, equity investments of a type, or in an amount, that is not permissible for a national bank. Banks desiring to pursue restricted investments must obtain prior approval from the FDIC. Additional information regarding activities and investments of state banks can be found in Part 362 of FDIC Rules and Regulations. State banks may not hold real estate acquired for the collection of debts previously contracted for more than five years. If not disposed of within five years, it shall be charged off as an asset unless the Bank Commissioner extends the time for its disposition. Pursuant to FFIEC requirements and Generally Accepted Accounting Principles (GAAP), when property becomes OREO, it must be recorded at fair value less the cost to sell. A market valuation or qualifying appraisal should be prepared to substantiate fair value of the property. A current appraisal prepared by an independent, qualified appraiser must be obtained when the recorded value of the loan/asset exceeds $250,000. An appropriate market valuation must be performed when the recorded amount of the loan/asset is at or below $250,000. If a valid appraisal or valuation has been performed within the last twelve months, no new appraisal or valuation will be required when property is transferred to OREO, unless significant deterioration has occurred in the local market. For OREO acquired as direct investments by banks and their consolidated subsidiaries, a written plan must be maintained. The plan must be approved by the board of directors and the Bank Commissioner, and state the purpose and strategy for such investments. OREO held for investment should be evaluated for quality and yield as are other bank investments (i.e. loans and securities). A bank's direct investment in real estate, directly or via a subsidiary, is limited to 150 percent of its capital base. Real estate acquired for future expansion should normally be utilized within one year of its date of acquisition. For future expansion property not utilized within one year, banks must submit a board approved plan to the Bank Commissioner detailing its plans for utilizing the property. Future expansion property not utilized within five years of its date of acquisition must be transferred to OREO at fair value less the cost to sell, and disposed of within five years of the date of transfer. III. INFORMATION REQUIRED TO EVALUATE THE STATUS AND PROSPECTS FOR OTHER REAL ESTATE OWNED Each parcel of OREO must be evaluated on its own merits. Adequate documentation must be maintained on all types of OREO in order that management and regulators can produce a thorough and accurate assessment of its status, value and probable disposition. Relevant information to review in ascertaining the quality of OREO includes: 1) Determine the reason the property was acquired and the bank's intentions as to its disposition; 2) Analyze the carrying value in relation to appraised value, the asking price, offers received, and sales prices of properties recently sold; 3) Ascertain the reason(s) the property has not been sold and review the bank's efforts to dispose of each parcel (the bank should maintain a record of inquiries and offers made by potential buyers); 4) Review other pertinent factors including the bank's title, other liens, tax status, insurance, occupancy, rental income, validity of capitalized expenses, and other expenses associated with carrying OREO; 5) Determine if the bank has assessed its potential liability regarding environmental hazards; 6) Evaluate bank management's ability and track record in liquidating assets acquired for debts previously contracted; 7) Determine whether additional improvements (repairs, renovations) are necessary to successfully market the property; and 8) Determine that OREO acquired for investment purposes is in compliance with federal regulations restricting activities and investments of state banks. IV. ADDITIONAL INVESTMENTS, ADVANCES AND EXPENSES FOR OTHER REAL ESTATE OWNED For legal OREO (the bank has acquired title to the property), additional investments and/or expenses are permitted to complete unfinished projects and to make necessary improvements to enable the bank to recover its total investment or dispose of the property. Such expenses may be capitalized (added to the book value of OREO) if the bank maintains documentation that the expenses result in a more salable property AND are recoverable. Expenses for general maintenance repairs may not be capitalized. A bank may also expend additional funds on acquired property to operate an establishment whose value depends substantially on uninterrupted operation. For accounting OREO (in-substance foreclosures), additional advances and/or expenses (including the purchase of prior liens) are considered disbursements of loan proceeds to the borrower and are subject to the legal lending limit. Although the accounting treatment reflects foreclosure, the bank still has a secured loan to its borrower for legal purposes. V. GUIDELINES FOR CLASSIFYING OTHER REAL ESTATE OWNED AND REAL ESTATE SALES CONTRACTS OREO is frequently a nonearning bank asset. Each parcel of OREO, whether held by the bank or a real estate subsidiary, is to be reviewed and classified on its own merits. Pursuant to a thorough review of documentation previously discussed (refer to the heading, "Information Required to Evaluate Status and Prospects"), examiners should consider the following: 1) Present and future income, less appropriate expenses, generated by the property (a yield comparable to loans for similar investment purposes is considered a reasonable rate of return); 2) The source and quality of the appraisal/valuation; 3) Local economic conditions; 4) The manner in which the bank intends to dispose of the property; 5) Compliance with applicable laws and regulations; and 6) An offer and acceptance must be written and include earnest money to not be considered for adverse classification. OREO not subject to adverse classification must generate a reasonable rate of return after expenses, have a book value not greater than the current fair market value, and contain no evidence of additional losses Substandard classifications are indicative of OREO that generates little or no return, and no additional losses are anticipated. OREO classified Doubtful and/or Loss have book values that exceed current fair market value and/or contain additional losses that are identifiable. Real estate sales contracts generally result when the purchaser's down payment is inadequate and title to the property remains vested in the name of the bank. Sales contracts may allow banks to dispose of nonearning assets, to the extent that interest is received, and be relieved of expenses for taxes, insurance, repairs and similar charges. Sales contracts may prove to be unfavorable if payments are no greater than potential rental income and the contract provides for extended terms. Information to consider when determining classification of sales contracts includes: 1) Does the contract represent a bona fide sale; 2) The rate of return (yields should be comparable to loans for similar investment purposes); 3) The present equity of the purchaser; 4) The financial capacity of the purchaser; 5) Compliance with applicable accounting requirements regarding recognition of gains on the sale of OREO and discounting for financing at interest rates below current market rates; 6) The payment history of the purchaser pursuant to the terms of the contract; and 7) The bank's track record in utilizing sales contracts to dispose of OREO. 02-1 – Disclosure of Trust Component Ratings Background The Uniform Interagency Trust Rating System (UITRS) was developed by the Federal Financial Institutions Examination Council (FFIEC) and has been utilized by the Arkansas State Bank Department for several years. On April 1, 1996, the Arkansas State Bank Department made a decision to advise Boards of Directors of state chartered banks of the entire UITRS rating assigned pursuant to an examination by this agency. By disclosing all component ratings, it is felt that bank directors are more fully informed of the condition of the bank’s trust department, as indicated by the assigned component ratings, and therefore better equipped to address all fiduciary and operational deficiencies. On January 1, 1999 the Arkansas State Bank Department started utilizing an updated rating system. This rating system is also used by federal bank regulatory agencies. Each bank's Board of Directors are advised of the assigned rating in the examination report, and the rating will not be a matter of public information. The rating disclosed in the examination report is that assigned by the Examiner in Charge and approved by supervisory personnel and the Bank Commissioner as a result of an independent examination by the Arkansas State Bank Department or as a result of a joint or concurrent examination in which the Arkansas State Bank Department participated. While the UITRS rating assigned by the Arkansas State Bank Department may be the same as that assigned by the respective federal agency, some differences in component and composite ratings may exist. It is important to note that the overall uniform bank rating is not an arithmetic mean of the five component ratings, but the composite rating should be consistent with the individual performance ratings. Overview of the Rating System Under the UITRS, the fiduciary activities of financial institutions are assigned a composite rating based on an evaluation and rating of five critical components of an institutions fiduciary activities. The specific dimensions that are to be evaluated are the following: Management Operations, Internal Controls and Auditing Earnings Compliance Asset Management Each of these dimensions is to be rated on a scale of 1 through 5 in descending order of performance quality. Thus, 1 represents the highest indicating the strongest performance and risk management practices and 5 indicating weak performance and risk management practices (and most critically deficient) and the lowest level of operating performance. Each trust department is accorded a composite rating that is predicated upon the evaluations of the specific performance dimensions. The composite or overall rating is assigned predicated upon the ratings assigned to the critical areas. This rating signifies the general condition of the department, and should be consistent with the criteria and evaluating factors defined in the UITRS. The composite rating is also based upon a scale of 1 through 5 in ascending order of supervisory concern. In arriving at a composite rating, each financial dimension must be weighed and due consideration given to the interrelationships among the various aspects of a bank’s trust department operations. The delineation of specific performance dimensions does not preclude consideration of other factors that, in the judgment of the examiner or reviewer, are deemed relevant to accurately reflect the overall condition and soundness of a particular bank’s trust department. However, the assessment of the specific performance dimensions represents the essential foundation upon which the composite rating is based. Composite Rating Composite ratings are based on a careful evaluation of how an institution conducts its fiduciary activities. The review encompasses the capability of management, the soundness of policies and practices, the quality of service rendered to the public, and the effect of fiduciary activities upon the soundness of the institution. Effective September 16, 2002, the five composite ratings of the overall condition of a trust department are defined and distinguished as follows: Composite 1 Trust Departments in this group administer fiduciary activities in accordance with sound fiduciary principles. Any weaknesses are minor and can be handled in a routine manner by management. The institution is in substantial compliance with fiduciary laws and regulations. Risk management practices are strong relative to the size and complexity of the institution's fiduciary activities. Composite 2 Trusts Departments so rated are fundamentally sound. Only moderate weaknesses are present and are well within management's capabilities and willingness to correct. Fiduciary activities are conducted in substantial compliance with laws and regulations. Overall risk management practices are satisfactory relative to the institution's size and complexity. There are no material supervisory concerns. Composite 3 Trust Departments in this group exhibit some degree of supervisory concern in one or more of the component rating areas. A combination of weaknesses exists that may range from moderate to severe. Management may lack the ability or willingness to effectively address weaknesses within appropriate time frames. Additionally, fiduciary activities may reveal some significant noncompliance with laws and regulations. Risk management practices may be less than satisfactory relative to the institution's size, complexity, and risk profile. While problems of relative significance may exist, they are not of such importance as to pose a threat to the trust beneficiaries generally, or to the soundness of the institution. The institution's fiduciary activities require more than normal supervision and may include formal or informal enforcement actions. Composite 4 Trust Departments so rated generally exhibit unsafe and unsound practices or conditions in their fiduciary activities, resulting in unsatisfactory performance. The problems range from severe to critically deficient and may be centered around inexperienced or inattentive management, weak or dangerous operating practices, or an accumulation of unsatisfactory features of lesser importance. The weaknesses and problems are not being satisfactorily addressed or resolved by the board of directors and management. There may be significant noncompliance with laws and regulations. Risk management practices are generally unacceptable relative to the size, complexity, and risk profile of fiduciary activities. These problems pose a threat to the account beneficiaries generally and, if left unchecked, could evolve into conditions that could cause significant losses to the institution and ultimately undermine the public confidence in the institution. Close supervisory attention is required, which means, in most cases, formal enforcement action is necessary to address the problems. Composite 5 Trust Departments in this group conduct fiduciary activities in an extremely unsafe and unsound manner. Administration of fiduciary activities is critically deficient in numerous major respects, with problems resulting from incompetent or neglectful administration, flagrant and/or repeated disregard for laws and regulations, or a willful departure from sound fiduciary principles and practices. The volume and severity of problems are beyond management's ability or willingness to control or correct. Such conditions evidence a flagrant disregard for the interests of the beneficiaries and may pose a serious threat to the soundness of the institution. Continuous close supervisory attention is warranted and may include termination of the institution's fiduciary activities. Performance Evaluation As already noted, the five key performance dimensions – Management, Operations, Internal Controls and Auditing, Earnings, Compliance and Asset Management -- are to be evaluated on a scale of one to five. The following is a description of the gradations to be utilized in the assignment of performance ratings: Rating No. 1 - indicates strong performance. It is the highest rating and is indicative of performance that is significantly higher than average. Rating No. 2 - reflects satisfactory performance. It reflects performance that is average or above; it includes performance that adequately provides for the operation of the trust department without loss to the fiduciary account holders. Rating No. 3 - represents performance that is marginally adequate and is flawed to some degree; as such is considered fair. It is neither satisfactory nor marginal but is characterized by performance that allows for faithful discharge of fiduciary obligations. Rating No. 4 - represents marginal performance which is significantly below average. If left unchecked, such performance might evolve into weaknesses or conditions that could threaten the account beneficiaries and the viability of the institution. Rating No. 5 - is considered unsatisfactory (poor). It is the lowest rating and is indicative of performance that is critically deficient in numerous major respects and in need of immediate remedial attention. Such performance by itself, or in combination with other weaknesses, could threaten the interest of the trust beneficiaries and the viability of the institution. Management This rating reflects the capability of the board of directors and management, in their respective roles, to identify, measure, monitor and control the risks of an institution's fiduciary activities. It also reflects their ability to ensure that the institution's fiduciary activities are conducted in a safe and sound manner, and in compliance with applicable laws and regulations. The management rating (1 through 5) is based upon an assessment of the capability and performance of management and the board of directors, including, but not limited to, the following evaluation factors: (a) The level and quality of oversight and support of fiduciary activities by the board of directors and management, including committee structure and adequate documentation of committee actions; (b) The ability of the board of directors and management, in their respective roles, to plan for, and respond to, risks that may arise from changing business conditions or the introduction of new activities or products; (c) The adequacy of, and conformance with, appropriate internal policies, practices and controls addressing the operations and risks of significant fiduciary activities; (d) The accuracy, timeliness, and effectiveness of management information and risk monitoring systems appropriate for the institution's size, complexity, and fiduciary risk profile; (e) The overall level of compliance with laws, regulations, and sound fiduciary principles; (f) Responsiveness to recommendations from auditors and regulatory authorities; (g) Strategic planning for fiduciary products and services; (h) The level of experience and competence of fiduciary management and staff, including issues relating to turnover and succession planning; (i) The adequacy of insurance coverage; (j) The availability of competent legal counsel, and the extent and nature of pending litigation associated with fiduciary activities, and its potential impact on earnings, capital, and the institution's reputation; and (k) The process for identifying and responding to fiduciary customer complaints. Ratings A 1 rating indicates strong performance by management and the board of directors and strong risk management practices relative to the size, complexity and risk profile of the institution's fiduciary activities. A 2 rating indicates satisfactory management and board performance and risk management practices relative to the size, complexity and risk profile of the institution's fiduciary activities. A rating of 3 indicates management and board performance that needs improvement or risk management practices that are less than satisfactory given the nature of the institution's fiduciary activities. The 4 rating indicates deficient management and board performance or risk management practices that are inadequate considering the size, complexity, and risk profile of the institution's fiduciary activities. A rating of 5 indicates critically deficient management and board performance or risk management practices. Management and the board of directors have not demonstrated the ability to correct problems and implement appropriate risk management practices. Operations, Internal Controls & Auditing This rating reflects the adequacy of the institution's fiduciary operating systems and internal controls in relation to the volume and character of business conducted. Audit coverage must assure the integrity of the financial records, the sufficiency of internal controls, and the adequacy of the compliance process. The institution's fiduciary operating systems, internal controls, and audit function subject it primarily to transaction and compliance risk. The operations, internal controls and auditing rating (1 through 5) is based upon, but not limited to, an assessment of the following evaluation factors: Operations and Internal Controls, including the adequacy of: (a) Staff, facilities and operating systems; (b) Records, accounting and data processing systems (including controls over systems access and such accounting procedures as aging, investigation and disposition of items in suspense accounts); (c) Trading functions and securities lending activities; (d) Vault controls and securities movement; (e) Segregation of duties; (f) Controls over disbursements (checks or electronic) and unissued securities; (g) Controls over income processing activities; (h) Reconciliation processes (depository, cash, vault, sub-custodians, suspense accounts, etc.); (i) Disaster and/or business recovery programs; (j) Hold-mail procedures and controls over returned mail; and, (k) Investigation and proper escheatment of funds in dormant accounts. Auditing including the adequacy of: (a) The independence, frequency, quality and scope of the internal and external fiduciary audit function relative to the volume, character and risk profile of the institution's fiduciary activities; (b) The volume and/or severity of internal control and audit exceptions and the extent to which these issues are tracked and resolved; and (c) The experience and competence of the audit staff. Ratings A rating of 1 indicates that operations, internal controls, and auditing are strong in relation to the volume and character of the institution's fiduciary activities. A rating of 2 indicates that operations, internal controls and auditing are satisfactory in relation to the volume and character of the institution's fiduciary activities. A 3 rating indicates that operations, internal controls or auditing need improvement in relation to the volume and character of the institution's fiduciary activities. A rating of 4 indicates deficient operations, internal controls or audits. One or more of these areas are inadequate or the level of problems and risk exposure is excessive in relation to the volume and character of the institution's fiduciary activities. The 5 rating indicates critically deficient operations, internal controls or audits. Operating practices, with or without audits, pose a serious threat to the safety of assets of fiduciary accounts. Earnings This rating reflects the profitability of an institution's fiduciary activities and its effect on the financial condition of the institution. The use and adequacy of budgets and earnings projections by functions, product lines and clients are reviewed and evaluated. Risk exposure that may lead to negative earnings is also evaluated. An evaluation of earnings is required for all institutions with fiduciary activities. An assignment of an earnings rating, however, is required only for institutions that, at the time of the examination, have total trust assets of more than $100 million, or are a non-deposit trust company. For institutions where the assignment of an Earnings rating is not required by the UITRS, the supervisory agency has the option to assign an earnings rating using an alternate set of ratings. The evaluation of earnings is based upon, but not limited to, an assessment of the following factors: (a) The profitability of fiduciary activities in relation to the size and scope of those activities and to the overall business of the institution. (b) The overall importance to the institution of offering fiduciary services to its customers and local community. (c) The effectiveness of the institution's procedures for monitoring fiduciary activity income and expense relative to the size and scope of these activities and their relative importance to the institution, including the frequency and scope of profitability reviews and planning by the institution's board of directors or a committee thereof. For those institutions for which a rating (1 through 5) of earnings is mandatory, additional factors should include the following: (a) The level and consistency of profitability, or the lack thereof, generated by the institution's fiduciary activities in relation to the volume and character of the institution's business. (b) Dependence upon non-recurring fees and commissions, such as fees for court accounts. (c) The effects of charge-offs or compromise actions. (d) Unusual features regarding the composition of business and fee schedules. (e) Accounting practices that contain practices such as (1) unusual methods of allocating direct and indirect expenses and overhead, or (2) unusual methods of allocating fiduciary income and expense where two or more fiduciary institutions within the same holding company family share fiduciary services and/or processing functions. (f) The extent of management's use of budgets, projections and other cost analysis procedures. (g) Methods used for directors' approval of financial budgets and/or projections. (h) Management's attitude toward growth and new business development. (i) New business development efforts, including types of business solicited, market potential, advertising, competition, relationships with local organizations, and an evaluation by management of risk potential inherent in new business areas. Ratings A rating of 1 indicates strong earnings. The institution consistently earns a rate of return on its fiduciary activities that is commensurate with the risk of those activities. A rating of 2 indicates satisfactory earnings. Although the earnings record may exhibit some weaknesses, earnings performance does not pose a risk to the overall institution nor to its ability to meet its fiduciary obligations. A rating of 3 indicates less than satisfactory earnings. Earnings are not commensurate with the risk associated with the fiduciary activities undertaken. A rating of 4 indicates earnings that are seriously deficient. Fiduciary activities have a significant adverse effect on the overall income of the institution and its ability to generate adequate capital to support the continued operation of its fiduciary activities. A rating of 5 indicates critically deficient earnings. In general, an institution with this rating is experiencing losses from fiduciary activities that have a significant negative impact on the overall institution, representing a distinct threat to its viability through the erosion of its capital. Alternate Rating of Earnings Alternate ratings (1 through 5) are assigned based on the level of implementation of four minimum standards by the board of directors and management. These standards are: (a) Standard No. 1--The institution has reasonable methods for measuring income and expense commensurate with the volume and nature of the fiduciary services offered. (b) Standard No. 2--The level of profitability is reported to the board of directors, or a committee thereof, at least annually. (c) Standard No. 3--The board of directors periodically determines that the continued offering of fiduciary services provides an essential service to the institution's customers or to the local community. (d) Standard No. 4--The board of directors, or a committee thereof, reviews the justification for the institution to continue to offer fiduciary services even if the institution does not earn sufficient income to cover the expenses of providing those services. Ratings A rating of 1 may be assigned where an institution has implemented all four minimum standards. If fiduciary earnings are lacking, management views this as a cost of doing business as a full service institution and believes that the negative effects of not offering fiduciary services are more significant than the expense of administrating those services. A rating of 2 may be assigned where an institution has implemented, at a minimum, at least three of the four standards. This rating may be assigned if the institution is not generating positive earnings or where formal earnings information may not be available. A rating of 3 may be assigned if the institution has implemented at least two of the four standards. While management may have attempted to identify and quantify other revenue to be earned by offering fiduciary services, it has decided that these services should be offered as a service to customers, even if they cannot be operated profitably. A rating of 4 may be assigned if the institution has implemented only one of the four standards. Management has undertaken little or no effort to identify or quantify the collateral advantages, if any, to the institution from offering fiduciary services. A rating of 5 may be assigned if the institution has implemented none of the standards. Compliance This rating reflects an institution's overall compliance with applicable laws, regulations, accepted standards of fiduciary conduct, governing account instruments, duties associated with account administration, and internally established policies and procedures. This component specifically incorporates an assessment of a fiduciary's duty of undivided loyalty and compliance with applicable laws, regulations, and accepted standards of fiduciary conduct related to self-dealing and other conflicts of interest. The compliance rating (1 through 5) is based upon, but not limited to, an assessment of the following evaluation factors: (a) Compliance with applicable federal and state statutes and regulations, including, but not limited to, federal and state fiduciary laws, the Employee Retirement Income Security Act of 1974, federal and state securities laws, state investment standards, state principal and income acts, and state probate codes; (b) Compliance with the terms of governing instruments; (c) The adequacy of overall policies, practices, and procedures governing compliance, considering the size, complexity, and risk profile of the institution's fiduciary activities; (d) The adequacy of policies and procedures addressing account administration; (e) The adequacy of policies and procedures addressing conflicts of interest, including those designed to prevent the improper use of “material inside information”; (f) The effectiveness of systems and controls in place to identify actual and potential conflicts of interest; (g) The adequacy of securities trading policies and practices relating to the allocation of brokerage business, the payment of services with “soft dollars” and the combining, crossing, and timing of trades; (h) The extent and permissibility of transactions with related parties, including, but not limited to, the volume of related commercial and fiduciary relationships and holdings of corporations in which directors, officers, or employees of the institution may be interested; (i) The decision making process used to accept, review, and terminate accounts; and, (j) The decision making process related to account administration duties, including cash balances, overdrafts, and discretionary distributions. Ratings A 1 rating indicates strong compliance policies, procedures and practices. Policies and procedures covering conflicts of interest and account administration are appropriate in relation to the size and complexity of the institution's fiduciary activities. A 2 rating indicates fundamentally sound compliance policies, procedures and practices in relation to the size and complexity of the institution's fiduciary activities. A rating of 3 indicates compliance practices that are less than satisfactory in relation to the size and complexity of the institution's fiduciary activities. A 4 rating indicates an institution with deficient compliance practices in relation to the size and complexity of its fiduciary activities. Account administration is notably deficient. A rating of 5 indicates critically deficient compliance practices. Account administration is critically deficient or incompetent and there is a flagrant disregard for the terms of the governing instruments and interests of account beneficiaries. Asset Management This rating reflects the risks associated with managing the assets (including cash) of others. Prudent portfolio management is based on an assessment of the needs and objectives of each account or portfolio. An evaluation of asset management should consider the adequacy of processes related to the investment of all discretionary accounts and portfolios, including collective investment funds, proprietary mutual funds, and investment advisory arrangements. The asset management rating (1 through 5) is based upon, but not limited to, an assessment of the following evaluation factors: (a) The adequacy of overall policies, practices and procedures governing asset management, considering the size, complexity and risk profile of the institution's fiduciary activities. (b) The decision making processes used for selection, retention and preservation of discretionary assets including adequacy of documentation, committee review and approval, and a system to review and approve exceptions. (c) The use of quantitative tools to measure the various financial risks in investment accounts and portfolios. (d) The existence of policies and procedures addressing the use of derivatives or other complex investment products. (e) The adequacy of procedures related to the purchase or retention of miscellaneous assets including real estate, notes, closely held companies, limited partnerships, mineral interests, insurance and other unique assets. (f) The extent and adequacy of periodic reviews of investment performance, taking into consideration the needs and objectives of each account or portfolio. (g) The monitoring of changes in the composition of fiduciary assets for trends and related risk exposure. (h) The quality of investment research used in the decision-making process and documentation of the research. (i) The due diligence process for evaluating investment advice received from vendors and/or brokers (including approved or focus lists of securities). (j) The due diligence process for reviewing and approving brokers and/or counter parties used by the institution. Ratings A rating of 1 indicates strong asset management practices. Identified weaknesses are minor in nature. A rating of 2 indicates satisfactory asset management practices. Moderate weaknesses are present and are well within management's ability and willingness to correct. A rating of 3 indicates that asset management practices are less than satisfactory in relation to the size and complexity of the assets managed. A rating of 4 indicates deficient asset management practices in relation to the size and complexity of the assets managed. The levels of risk are significant and inadequately controlled. A rating of 5 represents critically deficient asset management practices and a flagrant disregard of fiduciary duties. These practices jeopardize the interests of account beneficiaries, subject the institution to losses, and may pose a threat to the soundness of the institution. Examination Report Disclosure For examination purposes, the following disclosure should be made on the Comments and Conclusions page of the report: COMPONENT RATING Under the Uniform Interagency Trust Rating System, your institution has been rated as follows: Management - x Operations, Internal Controls and Auditing - x Earnings - x Compliance.- x Asset Management - x COMPOSITE RATING Additionally, component ratings will be disclosed on the appropriate page of the report. This disclosure will be a simple statement disclosing the rating preceding any comments traditionally made on those pages. Example: “Asset Management is assigned a rating of two.” 02-2 – Classification Guidelines for Repossessions and Credit Card Debt Background The Bank Department has revised its classification policies regarding repossessed personal property and credit card debt. State banks should modify their internal policies and procedures, if necessary, to ensure compliance with this policy. Exceptions are permissible when extenuating circumstances exist. Policy: Credit Card Debt: Credit card debt will be adversely classified as follows: Past due 90 - 179 days, or four (4) to six (6) payments: Substandard Past due over 180 days, or seven (7) payments: Loss Repossessions: All repossessed automobiles, motorcycles, small boats, and all terrain vehicles (3/4 wheelers) will be adversely classified as follows: Held 0 - 90 days: Substandard Held over 90 days: Loss For repossessed assets not identified above (i.e. agriculture equipment, large boats, logging equipment, etc) banks must comply with the following statute from the Arkansas Banking Code. Examiner discretion will determine appropriate classifications for other types of personal property (i.e. fixtures, retail inventory, etc). All repossessed assets must be recorded at the lower of the remaining loan amount or fair value of the assets received. 23-47-507. Power to hold and sell collateral A state bank may hold and sell all kinds of property that may come into its possession as collateral security for loans or any ordinary collection of debts, in the manner provided by law. Any personal property coming into its possession in this manner and which is not otherwise authorized for state banks to own as an asset shall be disposed of as soon as possible and after twelve (12) months from the date of acquisition shall cease to be considered as a part of its assets. 04-1 – Disclosure of Consumer Compliance Ratings – SUPERSEDES 96-2 – Disclosure of Consumer Compliance Component Ratings Background The Arkansas State Bank Department has revised its approach to examining institutions for compliance with consumer protection laws and regulations. Under the new approach, Arkansas State Bank Department compliance examinations will combine the risk-based examination process it now employs with an in-depth evaluation of an institution’s compliance management system, resulting in a top-down, risk-focused approach to examinations. This new approach for examinations became effective June 30, 2003. Each bank’s Board of Directors will be advised of the assigned rating in the examination report. The compliance rating will not be a matter of public information. The rating disclosed in the examination report is that assigned by the Examiner in Charge and approved by supervisory personnel and the Bank Commissioner as a result of an independent examination by the Arkansas State Bank Department or as a result of a joint or concurrent examination in which the Arkansas State Bank Department participated. Compliance Rating System The Arkansas State Bank Department follows the Uniform Interagency Consumer Compliance Rating System approved by the Federal Financial Institutions Examination Council in 1980. The text of the rating system is contained in this section. In assigning ratings under this system, it is important to recognize that all the attributes in each rating category will not necessarily apply to each institution. Further, the rating system does not automatically place an institution in a certain category. The rating categories represent institutional profiles that are used to distinguish between varying levels of supervisory concern. Consistent with the overall examination approach, examiners are expected to use reasoned judgment to reach sensible, supportable conclusions about an institution’s performance based on the totality of the examination findings. The examiner should choose the category whose description best reflects the institution’s overall compliance position. For example, the categories for institutions rated “1” or “2” indicate the presence of a written compliance program. This means that institutions that fall in the “1” or “2” categories typically have written compliance programs. This does not mean that the absence of a written compliance program, in and of itself, automatically places an institution in the “3” category. However, the examiner would certainly want to encourage, but not require, an institution that has a good compliance program to commit it to writing. Conversely, an institution is not precluded from being assigned a “3” rating even if it has a written compliance program. The rating system also profiles institutions with Truth in Lending Act restitution at the “3” level. In most cases, the “3” rating is probably appropriate, especially when one considers and assesses the factors that contributed to the problem. However, if all other aspects of the institution’s compliance performance are satisfactory, and management completed or initiated restitution to borrowers during the examination, or promised to take appropriate corrective action in a timely manner, a satisfactory rating could be assigned. It must be justified and supported, and explained in the confidential section of the report. Similarly, a pattern or practice of discrimination is a noted attribute of the category for “4” rated and “5” rated institutions. Institutions with patterns or practices of discrimination pose exceptional levels of risk, and more often than not, a “4” or “5” rating accurately reflects that risk. Any form of discrimination is an extraordinarily significant and sensitive matter, and always requires substantially more than a normal level of supervisory attention from a regulatory agency. However, there is flexibility in the rating system to accommodate circumstances that could bear on which level of less than satisfactory performance will be assigned to the institution. These circumstances include factors such as the institution’s acknowledgement of the violation, its resolve to affirmatively address the violation and its causes, and its record of implementing comprehensive, enduring corrective measures. UNIFORM INTERAGENCY CONSUMER COMPLIANCE RATING SYSTEM Introduction The rating system provides a general framework for evaluating and integrating significant compliance factors in order to assign a consumer compliance rating to each federally regulated commercial bank, savings and loan association, mutual savings bank and credit union. The rating system does not consider or take into account an institution's record of lending performance under the CRA or its compliance with the applicable provisions of the implementing regulations since institutions are rated separately for CRA purposes. The purpose of the rating system is to reflect in a comprehensive and uniform fashion the nature and extent of an institution's compliance with consumer protection and civil rights statutes and regulations. In addition to serving as a useful tool for summarizing the compliance position of individual institutions, the rating system will also assist the public and the Congress in assessing the aggregate compliance posture of regulated financial institutions. Overview Under the uniform rating system, each financial institution is assigned a consumer compliance rating predicated upon an evaluation of the nature and extent of its present compliance with consumer protection and civil rights statutes and regulations and the adequacy of its operating systems designed to ensure compliance on a continuing basis. The rating system is based upon a scale of 1 through 5 in increasing order of supervisory concern. Thus, "1" represents the highest rating and consequently the lowest level of supervisory concern; while "5" represents the lowest, most critically deficient level of performance and therefore the highest degree of supervisory concern. Each of the five ratings is described in greater detail below. In assigning a consumer compliance rating all relevant factors must be evaluated and weighed. In general, these factors include the nature and extent of present compliance with consumer protection and civil rights statutes and regulations, the commitment of management to compliance and its ability and willingness to take the necessary steps to assure compliance, and the adequacy of operating systems, including internal procedures, controls, and audit activities designed to ensure compliance on a routine and consistent basis. The assignment of a compliance rating may incorporate other factors that impact significantly on the overall effectiveness of an institution's compliance efforts. While each type of financial institution has differences in its general business powers and constraints, all are subject to the same consumer protection and civil rights statutes and regulations covered by the rating system. Thus, there is no need to evaluate differing types of financial institutions on criteria relating to their particular industry. As a result, the assignment of a uniform consumer compliance rating will help direct uniform and consistent supervisory attention which does not depend solely upon the nature of the institution's charter or business or the identity of its primary regulator. In this manner, overall uniformity and consistency of supervision will be strengthened by the existence of common consumer compliance ratings. The primary purpose of the uniform rating system is to help identify those institutions whose compliance with consumer protection and civil rights statutes and regulations display weaknesses requiring special supervisory attention and which are cause for more than a normal degree of supervisory concern. To accomplish this objective, the rating system identifies an initial category of institutions that have compliance deficiencies that warrant more than normal supervisory concern. These institutions are not deemed to present a significant risk of financial or other harm to consumers but do require a higher than normal level of supervisory attention. Institutions in this category are generally rated "3." The rating system also identifies certain institutions whose weaknesses are so severe as to represent, in essence, a substantial or general disregard for the law. These institutions are, depending upon nature and degree of their weaknesses, rated "4" or "5." The uniform identification of institutions giving cause for more than a normal degree of supervisory concern will help ensure: * That the degree of supervisory attention and the type of supervisory response are based upon the severity and nature of the institution's problems; * That supervisory attention and action are, to the extent possible, administered uniformly and consistently, regardless of the type of institution or the identity of the regulatory agency; and * That appropriate supervisory action is taken with respect to those institutions whose compliance problems entail the greatest potential for financial or other harm to consumers. Consumer Compliance Ratings Consumer Compliance Ratings are defined and distinguished as follows: One An institution in this category is in a strong compliance position. Management is capable of and staff is sufficient for effectuating compliance. An effective compliance program, including an efficient system of internal procedures and controls, has been established. Changes in consumer statutes and regulations are promptly reflected in the institution's policies, procedures and compliance training. The institution provides adequate training for its employees. If any violations are noted they relate to relatively minor deficiencies in forms or practices that are easily corrected. There is no evidence of discriminatory acts or practices, reimbursable violations, or practices resulting in repeat violations. Violations and deficiencies are promptly corrected by management. As a result, the institution gives no cause for supervisory concern. Two An institution in this category is in a generally strong compliance position. Management is capable of administering an effective compliance program. Although a system of internal operating procedures and controls has been established to ensure compliance, violations have nonetheless occurred. These violations, however, involve technical aspects of the law or result from oversight on the part of operating personnel. Modification in the bank's compliance program and/or the establishment of additional review/audit procedures may eliminate many of the violations. Compliance training is satisfactory. There is no evidence of discriminatory acts or practices, reimbursable violations, or practices resulting in repeat violations. Three Generally, an institution in this category is in a less than satisfactory compliance position. It is a cause for supervisory concern and requires more than normal supervision to remedy deficiencies. Violations may be numerous. In addition, previously identified practices resulting in violations may remain uncorrected. Overcharges, if present, involve a few consumers and are minimal in amount. There is no evidence of discriminatory acts or practices. Although management may have the ability to effectuate compliance, increased efforts are necessary. The numerous violations discovered are an indication that management has not devoted sufficient time and attention to consumer compliance. Operating procedures and controls have not proven effective and require strengthening. This may be accomplished by, among other things, designating a compliance officer and developing and implementing a comprehensive and effective compliance program. By identifying an institution with marginal compliance early, additional supervisory measures may be employed to eliminate violations and prevent further deterioration in the institution's less-than-satisfactory compliance position. Four An institution in this category requires close supervisory attention and monitoring to promptly correct the serious compliance problems disclosed. Numerous violations are present. Overcharges, if any, affect a significant number of consumers and involve a substantial amount of money. Often practices resulting in violations and cited at previous examinations remain uncorrected. Discriminatory acts or practices may be in evidence. Clearly, management has not exerted sufficient effort to ensure compliance. Its attitude may indicate a lack of interest in administering an effective compliance program which may have contributed to the seriousness of the institution's compliance problems. Internal procedures and controls have not proven effective and are seriously deficient. Prompt action on the part of the supervisory agency may enable the institution to correct its deficiencies and improve its compliance position. Five An institution in this category is in need of the strongest supervisory attention and monitoring. It is substantially in noncompliance with the consumer statutes and regulations. Management has demonstrated its unwillingness or inability to operate within the scope of consumer statutes and regulations. Previous efforts on the part of the regulatory authority to obtain voluntary compliance have been unproductive. Discrimination, substantial overcharges, or practices resulting in serious repeat violations are present. Examination Report Disclosure For examination purposes the following disclosure should be made on Page 1 of the report: CONSUMER COMPLIANCE RATING   A Consumer Compliance Rating of "2" is assigned. 05-1 – Disclosure of Bank Holding Company Ratings – SUPERSEDES 96-3 – Disclosure of BOPEC Ratings The Arkansas State Bank Department (“ASBD”) has revised its approach to examining bank holding companies (“BHC”) to comply with revisions made by the Board of Governors of the Federal Reserve System, which will be applied to all BHC examinations beginning on or after January 1, 2005. Under the new approach, ASBD holding company examinations will incorporate increased emphasis on risk management, a more flexible and comprehensive evaluation of financial condition, and an explicit determination of the likelihood that nondepository institutions of a holding company will have a significant impact on depository subsidiaries. Each holding company’s Board of Directors will be advised of the assigned rating in the examination report. The holding company rating will not be a matter of public information. The rating disclosed in the examination report is that assigned by the Examiner in Charge and approved by supervisory personnel and the Bank Commissioner as a result of an independent examination by the Arkansas State Bank Department or as a result of a joint or concurrent examination in which the Arkansas State Bank Department participated. The BHC rating system takes into consideration certain financial, managerial, and compliance factors that are common to all BHCs. Under this system, ASBD and Federal Reserve Bank of St. Louis (“Federal Reserve”) endeavor to ensure that all BHCs are evaluated in a comprehensive and uniform manner, and that supervisory attention is appropriately focused on the BHCs exhibiting financial and operational weaknesses or adverse trends. The rating system serves as a useful vehicle for identifying problem or deteriorating BHCs, as well as for categorizing BHCs with deficiencies in particular areas. Further, the rating system assists ASBD and Federal Reserve in following safety and soundness trends and in assessing the aggregate strength and soundness of the financial industry. Each BHC is assigned a composite rating (C) based on an evaluation and rating of its managerial and financial condition and an assessment of future potential risk to its subsidiary depository institution(s). The main components of the rating system represent: Risk Management (R); Financial Condition (F); and potential Impact (I) of the parent company and nondepository subsidiaries (collectively nondepository entities) on the subsidiary depository institutions. While ASBD and the Federal Reserve expect all bank holding companies to act as a source of strength to their subsidiary depository institutions, the Impact rating focuses on downside risk--that is, on the likelihood of significant negative impact by the nondepository entities on the subsidiary depository institution. A fourth component rating, Depository Institution (D), will generally mirror the primary regulator’s assessment of the subsidiary depository institutions. Thus, the primary component and composite ratings are displayed: R F I / C (D) In order to provide a consistent framework for assessing risk management, the R component is supported by four subcomponents that reflect the effectiveness of the banking organization’s risk management and controls. The subcomponents are: Board and Senior Management Oversight; Policies, Procedures, and Limits; Risk Monitoring and Management Information Systems; and Internal Controls. The F component is similarly supported by four subcomponents reflecting an assessment of the quality of the banking organization’s Capital; Asset quality; Earnings; and Liquidity. A simplified version of the rating system that requires only the assignment of the risk management component rating and composite rating will be applied to noncomplex BHC’s with assets below $1 billion. Composite, component, and subcomponent ratings are assigned based on a 1 to 5 numerical scale. A 1 numeric rating indicates the highest rating, strongest performance and practices, and least degree of supervisory concern, whereas a 5 numeric rating indicates the lowest rating, weakest performance, and the highest degree of supervisory concern. The composite rating generally bears a close relationship to the component ratings assigned. Each component rating is based on a qualitative analysis of the factors comprising that component and its interrelationship with the other components. When assigning a composite rating, some components may be given more weight than others depending on the situation of the BHC. In general, assignment of a composite rating may incorporate any factor that bears significantly on the overall condition and soundness of the BHC. Therefore, the composite rating is not derived by computing the arithmetic average of the component ratings. Nevertheless, the composite rating generally bears a close relationship to the component ratings assigned. The following three sections contain detailed descriptions of the composite, component, and subcomponent ratings, definitions of the ratings, and implementation guidance by BHC type. I. Description of the Rating System Elements The “R” (Risk Management) Component * R represents an evaluation of the ability of the BHC’s Board of directors and senior management, as appropriate for their respective positions, to identify, measure, monitor, and control risk. The R rating underscores the importance of the control environment, taking into consideration the complexity of the organization and the risk inherent in its activities. * The R rating is supported by four subcomponents that are each assigned a separate rating. The four subcomponents are as follows: 1) Board and Senior Management Oversight; 2) Policies, Procedures and Limits; 3) Risk Monitoring and Management Information Systems; and 4) Internal Controls. The subcomponents are evaluated in the context of the risks undertaken by and inherent to a banking organization and the overall level of complexity of the firm’s operations. Risk Management Subcomponents Board and Senior Management Oversight This subcomponent evaluates the adequacy and effectiveness of Board and senior management’s understanding and management of risk inherent in the BHC’s activities, as well as the general capabilities of management. It also includes consideration of management’s ability to identify and understand the risks undertaken by the institution, to hire competent staff, and to respond to changes in the institution’s risk profile or innovations in the banking sector. Policies, Procedures and Limits This subcomponent evaluates the adequacy of a BHC’s policies, procedures, and limits given the risks inherent in the activities of the consolidated BHC and the organization’s stated goals and objectives. This analysis will include consideration of the adequacy of the institution’s accounting and risk disclosure policies and procedures. Risk Monitoring and Management Information Systems This subcomponent assesses the adequacy of a BHC’s risk measurement and monitoring, and the adequacy of its management reports and information systems. This analysis will include a review of the assumptions, data and procedures used to measure risk and the consistency of these tools with the level of complexity of the organization’s activities. Internal Controls This subcomponent evaluates the adequacy of a BHC’s internal controls and internal audit procedures, including the accuracy of financial reporting and disclosure and the strength and influence, within the organization, of the internal audit team. This analysis will also include a review of the independence of control areas from management and the consistency of the scope coverage of the internal audit team with the complexity of the organization. The “F” (Financial Condition) Component * F represents an evaluation of the consolidated organization’s financial strength. The F rating focuses on the ability of the BHC’s resources to support the level of risk associated with its activities. * The F rating is supported by four subcomponents: C (capital), A (asset quality), E (earnings), and L (liquidity). The CAEL subcomponents can be evaluated along individual business lines, product lines, or on a legal entity basis, depending on what is most appropriate given the structure of the organization. The assessment of the CAEL components will utilize benchmarks and metrics appropriate to the business activity being evaluated. Financial Condition Subcomponents (CAEL) In evaluating each of the CAEL subcomponents, examination staff will continue to review relevant market indicators, such as equity and debt prices, external debt ratings, credit spreads, and qualitative rating agency assessments as a source of information complementary to examination findings. Capital Adequacy C reflects the adequacy of an organization’s consolidated capital position, from a regulatory capital perspective and an economic capital perspective, as appropriate to the BHC (refer to 12 CFR 225, Appendices A and D for regulatory minimum capital ratios for BHCs). The evaluation of capital adequacy should consider the risk inherent in an organization’s activities and the ability of capital to absorb unanticipated losses, to provide a base for growth, and to support the level and composition of the parent company and subsidiaries’ debt. Asset Quality A reflects the quality of an organization’s consolidated assets. The evaluation should include, as appropriate, both on-balance sheet and off-balance sheet exposures, and the level of criticized and nonperforming assets. Forward-looking indicators of asset quality, such as the adequacy of underwriting standards, the level of concentration risk, the adequacy of credit administration policies and procedures, and the adequacy of management information systems for credit risk, are also evaluated. Earnings E reflects the quality of consolidated earnings. The evaluation considers the level, trend, and sources of earnings, as well as the ability of earnings to augment capital as necessary, to provide ongoing support for a BHC’s activities. Liquidity L reflects the consolidated organization’s ability to attract and maintain the sources of funds necessary to support its operations and meet its obligations. The funding conditions for each of the material legal entities in the holding company structure will be evaluated to determine if any weaknesses exist that could affect the funding profile of the consolidated organization. The “I” (Impact) Component The I component is rated on a five-point numerical scale. However, the descriptive definitions of the numerical ratings for I are different than those of the other components and subcomponents. I Ratings are defined as follows: 1 – low likelihood of significant negative impact; 2 – limited likelihood of significant negative impact; 3 – moderate likelihood of significant negative impact; 4 – considerable likelihood of significant negative impact; and 5 – high likelihood of significant negative impact. The I component is an assessment of the potential impact of the nondepository entities on the subsidiary depository institution(s). The I assessment will evaluate both the risk management practices and financial condition of the nondepository entities--an analysis that will borrow heavily from the analysis conducted for the R and F components. Consistent with current practices, nondepository entities will be evaluated using benchmarks and analysis appropriate for those businesses. In addition, for functionally regulated nondepository subsidiaries, examination staff will continue to rely, to the extent possible, on the work of those functional regulators to assess the risk management practices and financial condition of those entities. In rating the I component, examination staff is required to evaluate the degree to which current or potential issues within the nondepository entities present a threat to the safety and soundness of the subsidiary depository institution(s). In this regard, the I component will give a clearer indication of the degree of risk posed by the nondepository entity(ies) to the federal safety net than does the current rating system. The I component focuses on the aggregate impact of the nondepository entities on the subsidiary depository institution(s). In this regard, the I rating does not include individual subcomponent ratings for the parent company and nondepository subsidiaries. Any risk management and financial issues at the parent company and/or nondepository subsidiaries that potentially impact the safety and soundness of the subsidiary depository institution(s) will be identified in the written comments under the I rating. As a general rule, nondepository subsidiaries will be included in the I analysis whenever their assets exceed five percent of the BHC’s consolidated capital or $10 million, whichever is lower. The analysis of the parent company for the purpose of assigning an I rating will emphasize weaknesses that could directly impact the risk management or financial condition of the subsidiary depository institution(s). Similarly, the analysis of the nondepository subsidiaries for the purpose of assigning an I rating will emphasize weaknesses that could negatively impact the parent company’s relationship with its subsidiary depository institution(s) and weaknesses that have a direct impact on the risk management practices or financial condition of the subsidiary depository institution(s). The analysis under the I component considers existing as well as potential issues and risks that may impact the subsidiary depository institution(s) now or in the future. The following risk management and financial factors are considered in assigning the I rating: Risk Management Factors * Strategic Considerations: The potential risks posed to the subsidiary depository institution(s) by the nondepository entities’ plans for growth in existing activities and expansion into new products and services; * Operational Considerations: The spillover impact on the subsidiary depository institution(s) from actual losses, a poor control environment, or an operational loss history in the nondepository entities; * Legal and Reputational Considerations: The spillover effect on the subsidiary depository institution(s) of complaints and litigation that name one or more of the nondepository entities as defendants, or violations of laws or regulations, especially pertaining to intercompany transactions where the subsidiary depository institution(s) is involved; and, * Concentration Considerations: The potential risks posed to the subsidiary depository institution(s) by concentrations within the nondepository entities in business lines, geographic areas, industries, customers, or other factors. Financial Factors * Capital Distribution: The distribution and transferability of capital across the legal entities; * Intra-Group Exposures: The extent to which intra-group exposures, including servicing agreements, have the potential to undermine the condition of subsidiary depository institution(s); and, * Parent Company Cash Flow and Leverage: The extent to which the parent company is dependent on dividend payments, from both the nondepository subsidiaries and the subsidiary depository institution(s), to service debt and cover fixed charges. Also, the effect that these upstreamed cash flows have had, or can be expected to have, on the financial condition of the BHC’s nondepository subsidiaries and subsidiary depository institution(s). The “C” (Composite) Rating C is the overall composite assessment of the BHC as reflected by consolidated risk management, consolidated financial strength, and the potential impact of the nondepository entities on the subsidiary depository institution(s). The composite rating encompasses both a forward-looking and static assessment of the consolidated organization, as well as an assessment of the relationship between the depository and nondepository entities. The C rating is not derived as a simple numeric average of the R, F, and I components; but rather it reflects examiner judgment with respect to the relative importance of each component to the safe and sound operation of the BHC. The “(D)” (Depository Institutions) Component The (D) component will generally reflect the composite CAMELS rating assigned by the subsidiary depository institution’s primary regulator. In a multi-bank BHC, the (D) rating will reflect a weighted average of the CAMELS composite ratings of the individual subsidiary depository institutions, weighted by both asset size and the relative importance of each depository institution within the holding company structure. In this regard, the CAMELS composite rating for a subsidiary depository institution that dominates the corporate culture may figure more prominently in the assignment of the (D) rating than would be dictated by asset size, particularly when problems exist within that depository institution. To highlight the presence of one or more problem depository institution(s) in a multi-bank BHC whose depository institution component, based on weighted averages, might not otherwise reveal their presence (i.e., depository institution ratings of 1, 2 or 3), a problem modifier, “P” will be attached to the depository institution rating (e.g., 1P, 2P, or 3P). Thus, 2P would indicate that, while on balance the depository subsidiaries are rated satisfactory, there exists a problem depository institution (composite 4 or 5) among the subsidiary depository institutions. The problem identifier is unnecessary when the D component is rated 4 or 5. II. Implementation of BHC Rating System by Bank Holding Company Type Arkansas State Bank Department’s revision of the BHC rating system was driven by the need to align the rating system with current Federal Reserve supervisory practices. The rating system will require analysis and support similar to that required by the former BOPEC rating system for BHCs of all sizes. As such, the level of analysis and support will vary based upon whether a BHC has been determined to be “complex” or “noncomplex.” In addition, the resources dedicated to the examination of each BHC will continue to be determined by the risk posed by the subsidiary depository institution(s) to the federal safety net (defined as the deposit insurance fund, the payments systems, and the Federal Reserve’s discount window) and the risk posed by the BHC to the subsidiary depository institution(s). Noncomplex BHCs with Assets of $1 Billion or Less (Shell Holding Companies) Rating: R and C Consistent with SR 02-1, examination staff will assign only an R and C rating for all companies in the shell BHC program (noncomplex BHCs with assets under $1 billion). The R rating is the M rating from the subsidiary depository institution’s CAMELS rating. The C rating is the subsidiary depository institution’s composite CAMELS rating. Noncomplex BHCs with Assets Greater than $1 Billion One-Bank Holding Company Rating: RFI/C (D) For all noncomplex, one-bank holding companies with assets of greater than $1 billion, examination staff will assign all component and subcomponent ratings; however, examination staff will continue to rely heavily on information and analysis contained in the report of examination for the subsidiary depository institution to assign the R and F ratings. If examination staff have reviewed the primary regulator’s examination report and are comfortable with the analysis and conclusions contained in that report, then the BHC ratings should be supported with concise language that indicates that the conclusions are based on the analysis of the primary regulator. No additional analysis will be required. Please note, however, in cases where the analysis and conclusions of the primary regulator are insufficient to assign the ratings, the primary regulator will be contacted to ascertain whether additional analysis and support may be available. Further, if discussions with the primary regulator do not provide sufficient information to assign the ratings, discussions with BHC management may be warranted to obtain adequate information to assign the ratings. In most cases, additional information or support obtained through these steps will be sufficient to permit the assignment of the R and F ratings. To the extent that additional analysis is deemed necessary, the level of analysis and resources spent on this assessment should be in line with the level of risk the subsidiary depository institution poses to the federal safety net. In addition, any activities that involve information gathering with respect to the subsidiary depository institution should be coordinated with and, if possible, conducted by, the primary regulator of that institution. Examination staff will be required to make an independent assessment in order to assign the I rating, which provides an evaluation of the impact of the BHC on the subsidiary depository institution. Analysis for the I rating in non-complex one-bank holding companies should place particular emphasis on issues related to parent company cash flow and compliance with Sections 23A and 23B of the Federal Reserve Act, as implemented by Regulation W. Multi-Bank Holding Company Rating: RFI/C (D) For all noncomplex BHCs with assets of greater than $1 billion and having more than one subsidiary depository institution, examination staff will assign all component and subcomponent ratings of the new system. Examiners will rely, to the extent possible, on the work conducted by the primary bank regulators to assign the R and F ratings. However, any risk management or other important functions conducted by the nondepository entities of the BHC, or conducted across legal entity lines, should be subject to review by ASBD and/or Federal Reserve examination staff. These reviews should be conducted in coordination with the primary regulator(s). The assessment for the I rating will require an independent assessment by ASBD or Federal Reserve examination staff. Complex BHCs Rating: RFI/C (D) For complex BHCs, examination staff will assign all component and subcomponent ratings of the new rating system. The ratings analysis should be based on the primary and functional regulators’ assessment of the subsidiary entities, as well as on the examiners’ assessment of the consolidated organization as determined through the BHC examination process. The resources needed for the examination and the level of support needed for developing a full rating will depend upon the complexity of the organization, including structure and activities, and should be commensurate with the level of risk posed by the subsidiary depository institution(s) to the federal safety net and the level of risk posed by the BHC to the subsidiary depository institution(s). Nontraditional BHCs Rating: RFI/C (D) Examination staff will be required to assign the full rating system for nontraditional BHCs. Nontraditional BHCs include BHCs in which most or all nondepository operations are regulated by a functional regulator and in which the subsidiary depository institution(s) are small in relation to the nondepository entities. The rating system is not intended to introduce significant additional work in the rating process for these organizations. As discussed above, the level of analysis conducted and resources needed to examine the BHC and to assign the consolidated R and F ratings should be commensurate with the level of risk posed by the subsidiary depository institution(s) to the federal safety net and the level of risk posed by the BHC to the subsidiary depository institution(s). The report of examination by, and other information obtained from, the functional and primary bank regulators should provide the basis for the consolidated R and F ratings. On-site work, to the extent it involves areas that are the primary responsibility of the functional or primary bank regulator, should be coordinated with and, if possible, conducted by, those regulators. Examination staff should concentrate their independent analysis for the R and F ratings around activities and risk management conducted by the parent company and non-functionally regulated nondepository subsidiaries, as well as around activities and risk management functions that are related to the subsidiary depository institution(s), for example, audit functions for the depository institution(s) and compliance with Sections 23A and 23B of the Federal Reserve Act, as implemented by Regulation W. III. Rating Definitions for the RFI/C (D) Rating System All component and subcomponent ratings are rated on a five-point numerical scale, with the exception of the I component, ratings will be assigned in ascending order of supervisory concern as follows: 1 – Strong; 2 – Satisfactory; 3 – Fair; 4 – Marginal; and 5 – Unsatisfactory. A description of the I component ratings is in the I section below. Risk Management Component Rating 1 (Strong). A rating of 1 indicates that management effectively identifies and controls all major types of risk posed by the BHC’s activities. The board and senior management are active participants in monitoring risk. Management ensures that appropriate policies and limits are understood, reviewed, and approved by the board of directors. Policies and limits are supported by risk monitoring procedures, reports, and management information systems. The board and senior management are provided with the necessary information to make timely and appropriate decisions in response to changing conditions. Risk management practices are fully effective in identifying, monitoring, and controlling the risks to the institution. Internal controls and audit procedures are sufficiently comprehensive and appropriate to the size and activities of the institution. Internal controls and audit procedures are sufficiently comprehensive and appropriate to the size and activities of the institution. There are few noted exceptions to the institution's established policies and procedures, and none is material. Management effectively and accurately monitors the condition of the institution consistent with the standards of safety and soundness, and in accordance with internal and supervisory policies and practices. Risk management processes are fully effective in identifying, monitoring, and controlling the risks to the institution. Rating 2 (Satisfactory). A rating of 2 indicates that the institution's management of risk is largely effective, but lacking to some modest degree. Management demonstrates a responsiveness and ability to cope successfully with existing and foreseeable risks. While the institution may have some minor risk management weaknesses, problems are generally being resolved. Board and senior management oversight, policies, risk monitoring procedures, and management information systems are considered satisfactory and effective. Internal controls may display modest weaknesses, but are correctable in the normal course of business. Risks are controlled in a manner that requires only normal supervisory attention. The BHC’s risk management practices and infrastructure are satisfactory and generally are adjusted appropriately in response to changing industry practices and current regulatory guidance. Staff experience, expertise and depth are generally appropriate to manage the risks assumed by the institution. Internal controls may display modest weaknesses or deficiencies, but they are correctable in the normal course of business. The examiner may have recommendations for improvement, but the weaknesses noted should not have a significant effect on the safety and soundness of the institution. Rating 3 (Fair). A rating of 3 signifies that risk management practices are lacking to some degree and require more than normal supervisory attention. One or more of the four elements of sound risk management (board/senior management oversight; policies/procedures, risk management monitoring/management information systems; and internal controls) is considered less than acceptable. Certain risk management practices are in need of improvement to ensure that the board and senior management are able to identify, monitor, and control all significant risks to the institution. The risks associated with the noted weaknesses could have adverse effects on the safety and soundness of the institution if corrective action is not taken by management. The internal control system may be lacking in some important aspects, particularly as indicated by continued control exceptions or by a failure to adhere to written policies and procedures. The risk management weaknesses could have adverse effects on the safety and soundness of the institution if corrective action is not taken by management. Rating 4(Marginal). A rating of 4 represents risk management practices that fail to properly identify, monitor, and control risk exposure. Generally, such a situation reflects inadequate guidance and supervision by the board and senior management. One or more of the four elements of sound risk management (board/senior management oversight; policies/procedures, risk management monitoring/management information systems; and internal controls) is deficient and requires immediate corrective action. Unless properly addressed, these conditions could seriously affect the safety and soundness of the institution. The institution may have serious identified weaknesses, such as an inadequate separation of duties, that require substantial improvement in internal control or accounting procedures, or improved adherence to supervisory standards or requirements. The risk management deficiencies warrant a high degree of supervisory attention because, unless properly addressed, they could seriously affect the safety and soundness of the institution. Rating 5 (Unsatisfactory). A rating of 5 indicates a critical absence of effective risk management practices with respect to the identifying, monitoring, or controlling risk exposure. One or more of the four elements of sound risk management (board/senior management oversight; policies/procedures, risk management monitoring/management information systems; and internal controls) is considered wholly deficient. The board and senior management have not demonstrated the capability to address these deficiencies. Internal controls are critically weak and could seriously jeopardize the continued viability of the institution. Deficiencies in the institution's risk management procedures require immediate and close supervisory attention. Internal controls are critically weak and, as such, could seriously jeopardize the continued viability of the institution. I f not already evident, there is an immediate concern as to the reliability of accounting records and regulatory reports and the potential for losses if corrective measures are not taken immediately. Deficiencies in the institution's risk management procedures and internal controls require immediate and close supervisory attention. Risk Management Subcomponents Board and Senior Management Oversight Rating 1 (Strong). An assessment of Strong indicates that the board and senior management clearly understand the types of risk inherent in the BHC’s activities and actively participate in managing those risks. Consistent with the standards of safety and soundness, oversight of risk management practices is considered strong. The board has approved appropriate policies and business strategies, and ensures that management is fully capable of guiding the BHC. Management provides effective supervision of the day-to-day activities of officers and employees. There is a sufficient depth of staff to ensure sound operations and compliance with laws and regulations. Management provides effective supervision of the day-to-day activities of all officers and employees, including the supervision of the senior officers and the heads of business lines. Staff is hired that possess experience and expertise consistent with the scope and complexity of the organization’s business activities. There is a sufficient depth of staff to ensure sound operations. Management ensures compliance with laws and regulations and that employees have the integrity, ethical values, and competence consistent with a prudent management philosophy and operating style. Management responds appropriately to changes in the marketplace. It identifies all risks associated with new activities or products before they are launched, and ensures that the appropriate infrastructure and internal controls are established. Rating 2 (Satisfactory). An assessment of Satisfactory indicates that the board and senior management have an adequate understanding of the organization’s risk profile and provide generally effective risk management oversight. Risk management practices may be lacking to a modest degree; however, these practices can be adjusted in accordance with regulatory guidance. The board has approved appropriate policies and ensures that management is capable of guiding the BHC. Management’s day-to-day supervision is largely effective and the staff’s experience, expertise and depth is sufficient to operate in a safe and sound manner. Weaknesses noted are correctable in the normal course of business and should not have a significant effect on the safety and soundness of the institution. Senior management generally adjusts risk management practices appropriately in accordance with enhancements to industry practices and regulatory guidance, and adjusts exposure limits as necessary to reflect the institution’s changing risk profile, although these practices may be lacking in some modest degree. Policies, limits, and tracking reports are generally appropriate, understood, and regularly reviewed, and the new product approval process adequately identifies the associated risks and necessary controls. Senior management’s day-to-day supervision of management and staff at all levels is generally effective. The level of staffing, and its experience, expertise, and depth, is sufficient to operate the business lines in a safe and sound manner. Minor weaknesses may exist in the staffing, infrastructure, and risk management processes for individual business lines or products, but these weaknesses have been identified by management, are correctable in the normal course of business, and are in the process of being addressed. Weaknesses noted should not have a significant effect on the safety and soundness of the institution. Rating 3 (Fair). An assessment of Fair indicates that board and senior management oversight is lacking to some degree and requires more than normal supervisory attention. Weaknesses in risk management have precluded the institution from fully addressing significant risks to the institution. The deficiencies may include a lack of knowledge with respect to the organization’s risk profile, insufficient risk management practices, ineffective policies, inadequate or under-utilized management reporting, or a significant lack of regulatory compliance. The day-to-day supervision of officer activities or the depth and expertise of the staff may be lacking. Certain risk management practices are in need of improvement to ensure that management and the board is able to identify, monitor, and control all significant risks to the institution. Weaknesses noted could adversely affect the safety and soundness of the institution if corrective action is not taken by management. Rating 4 (Marginal). An assessment of Marginal indicates that the board and senior management oversight is deficient and reflects a lack of adequate guidance and supervision. A number of significant risks to the institution have not been adequately addressed. Multiple board and management weaknesses are in need of immediate improvement. Weaknesses may include inadequate knowledge with respect to the organization’s risk profile, insufficient oversight of risk management practices, ineffective policies or limits, inadequate or considerably under-utilized management reporting, or an inability to respond to regulatory guidance. Staff supervision may be lacking and officers may not possess the experience and expertise needed for the scope and complexity of the organization’s business activities. These conditions warrant a high degree of supervisory attention and could seriously affect the safety and soundness of the institution if not addressed. Rating 5 (Unsatisfactory). An assessment of Unsatisfactory indicates a critical absence of effective board and senior management oversight practices. Problems may include a severe lack of knowledge with respect to the organization’s risk profile, insufficient oversight of risk management practices, wholly ineffective policies or limits, critically inadequate or under-utilized management reporting, a complete inability to respond to industry enhancements and changes in regulatory guidance, or failure to execute appropriate business strategies. Staffing may be inadequate, inexpert, and/or inadequately supervised. The deficiencies require immediate and close supervisory attention, as management and the board have not demonstrated the capability to address them. Weaknesses could seriously jeopardize the continued viability of the institution. Policies, Procedures and Limits Rating 1 (Strong). An assessment of Strong indicates that policies, procedures, and limits provide effective identification, measurement, monitoring, and control of the risks posed by all significant activities. Practices are consistent with the institution’s goals and overall financial strength. Policies and procedures clearly delineate accountability and lines of authority across the institution’s activities. The policies also provide for the review of new activities to ensure that infrastructure is adequate to identify, monitor, and control all risks. Rating 2 (Satisfactory). An assessment of Satisfactory indicates that adequate policies, procedures and limits are in place to address all major business areas. Policies and procedures are generally consistent with the institution’s goals and objectives and its overall financial strength. Any identified deficiencies are minor in nature and correctable in the normal course of business. Weaknesses should not have a significant effect on the safety and soundness of the institution. Rating 3 (Fair). An assessment of Fair indicates that deficiencies exist in policies, procedures, and limits that require more than normal supervisory attention. Policies and procedures inadequately identify, measure, monitor, or control the risks posed by significant activities. Practices may reflect inadequate staff experience and be inconsistent with the financial strength of the organization. Weaknesses could have an adverse effect on the safety and soundness of the institution unless corrective action is taken by management. Rating 4 (Marginal). An assessment of Marginal indicates deficient policies, procedures, and limits that do not address a number of significant risks to the institution. Policies and procedures ineffectively identify, measure, monitor, or control the risks posed by significant activities. Multiple practices are in need of immediate improvement. These conditions warrant a high degree of supervisory attention and could seriously affect the safety and soundness of the institution if not addressed. Rating 5 (Unsatisfactory). An assessment of Unsatisfactory indicates a critical absence of effective policies, procedures, and limits. Practices are largely ineffective with regard to identifying, measuring, monitoring, or controlling the risks posed by significant activities. These deficiencies reflect inadequate staff experience and are inconsistent with a typical financial institution. Critical weaknesses could seriously jeopardize the continued viability of the institution and require immediate and close supervisory attention. Risk Monitoring and MIS Rating 1 (Strong). An assessment of Strong indicates that risk monitoring practices and MIS reports address all material risks. The key assumptions, data sources, and procedures used in measuring and monitoring risk are appropriate, adequately documented, and tested for reliability on an ongoing basis. Reports and other forms of communication are appropriately structured to monitor exposures and compliance with established goals. Management and Board reports are accurate and contain sufficient information to identify adverse trends and to adequately evaluate the level of risk faced by the institution. Rating 2 (Satisfactory). An assessment of Satisfactory indicates that risk monitoring practices and MIS reports cover major risks, although they may be lacking in some modest degree. In general, the reports contain valid assumptions that are periodically tested for accuracy and properly distributed to appropriate decision-makers. Reports and other forms of communication structured to monitor exposures and compliance with established goals. Identified weaknesses are in the process of being addressed. Rating 3 (Fair). An assessment of Fair signifies that weaknesses exist in the institution’s risk monitoring practices or the MIS reports that require more than normal supervisory attention. Deficiencies may contribute to ineffective risk identification or monitoring through inappropriate assumptions, incorrect data, poor documentation, or the lack of timely testing. In addition, MIS reports may not be distributed to the appropriate decision-makers, adequately monitor significant risks, or properly identify adverse trends and the level of risk faced by the institution. Weaknesses noted could have adverse effects on the safety and soundness of the institution if corrective action is not taken by management. Rating 4 (Marginal). An assessment of Marginal represents deficient risk monitoring practices or MIS reports that could seriously affect the safety and soundness of the institution. A number of significant risks to the institution are not adequately monitored or reported. Ineffective risk identification may result from notably inappropriate assumptions, incorrect data, poor documentation, or the lack of timely testing. In addition, MIS reports may not be distributed to the appropriate decision-makers, may inadequately monitor significant risks, or fail to identify adverse trends and the level of risk faced by the institution. The risk monitoring and MIS deficiencies warrant a high degree of supervisory attention and could seriously affect the safety and soundness of the institution if not addressed. Rating 5 (Unsatisfactory). An assessment of Unsatisfactory indicates a critical absence of risk monitoring and MIS. They are wholly deficient due to inappropriate assumptions, incorrect data, poor documentation, or the lack of timely testing. Moreover, MIS reports may not be distributed to the appropriate decision-makers, fail to monitor significant risks, or fail to identify adverse trends and the level of risk faced by the institution. These critical weaknesses require immediate and close supervisory attention, as they could seriously jeopardize the continued viability of the institution. Internal Controls Rating 1 (Strong). An assessment of Strong indicates that the system of internal controls is robust for the type of risks posed by the organization’s activities. The organizational structure establishes clear lines of authority and responsibility for monitoring adherence to policies, procedures, and limits. Procedures exist for ensuring separation of duties, compliance with applicable laws and regulations, and accurate financial, operational, and regulatory reports. Internal audit or other control review practices provide independence and objectivity. Information systems are thoroughly tested and reviewed. Internal control weaknesses are well documented and receive prompt managerial attention. The Board or its audit committee regularly reviews the effectiveness of internal audits and other control review activities. Rating 2 (Satisfactory). An assessment of Satisfactory indicates that the system of internal controls adequately covers major risks and business areas, although modest weaknesses are present. In general, the control functions are independent from the business lines, and there is appropriate separation of duties. The control system supports accuracy in record-keeping practices and reporting systems, is adequately documented, and verifies compliance with laws and regulations. Internal controls and information systems are adequately tested and reviewed, and the coverage, procedures, findings, and responses to audits and review tests are documented. Identified material weaknesses are given appropriate attention and management’s actions to address material weaknesses are objectively reviewed and verified. The board or its audit committee reviews the effectiveness of internal audits and other control review activities. Any weaknesses or deficiencies that have been identified are modest in nature and in the process of being addressed. Rating 3 (Fair). An assessment of Fair signifies that weaknesses exist in the system of internal controls that require more than normal supervisory attention. The weaknesses may include insufficient oversight of internal controls and audit by the board or its audit committee; unclear or conflicting lines of authority and responsibility; a lack of independence between control areas and business activities; or ineffective separation of duties. The internal control system may produce inadequate or untimely risk coverage and verification, including monitoring compliance with safety and soundness laws, inaccurate reporting and recordkeeping, or a lack of documentation for work performed. Weaknesses noted could have adverse effects on the safety and soundness of the institution if corrective action is not taken by management. Rating 4 (Marginal). An assessment of Marginal represents a deficient internal control system that does not adequately address a number of significant risks to the institution. The deficiencies may include neglect of internal controls and audit by the board or its audit committee; conflicting lines of authority and responsibility; a lack of independence between control areas and business activities; or no separation of duties in critical areas. The internal control system may produce inadequate risk coverage and verification in certain areas, including inaccurate reports and records, a lack of documentation for work performed, poor compliance monitoring for safety and soundness laws, or infrequent management review and correction of identified weaknesses. The internal control deficiencies warrant a high degree of supervisory attention and could seriously affect the safety and soundness of the institution if not addressed. Rating 5 (Unsatisfactory). An assessment of Unsatisfactory indicates a critical absence of an internal control system. There may be no oversight by the board or its audit committee; conflicting lines of authority and responsibility; no distinction between control areas and business activities; or no separation of duties. The internal control system may produce totally inadequate or untimely risk coverage and verification, including monitoring compliance with safety and soundness; completely inaccurate records or regulatory reporting; a severe lack of documentation for work performed; or no management review and correction of identified weaknesses. Such deficiencies require immediate and close supervisory attention, as they could seriously jeopardize the continued viability of the institution. Financial Condition Component Rating 1 (Strong). A rating of 1 indicates that the consolidated BHC is financially sound in almost every respect. Any negative findings are basically of a minor nature and can be handled in a routine manner. The capital adequacy, asset quality, earnings, and liquidity of the consolidated BHC are more than adequate to protect the company from reasonably foreseeable external economic and financial disturbances. The company generates more than sufficient cash flow to service its debt and fixed obligations with no harm to subsidiaries of the organization. Rating 2 (Satisfactory). A rating of 2 indicates that the consolidated BHC is fundamentally financially sound, but may have modest weaknesses correctable in the normal course of business. The capital adequacy, asset quality, earnings and liquidity of the consolidated BHC are adequate to protect the company from external economic and financial disturbances. The company also generates sufficient cash flow to service its obligations; however, areas of weakness could develop into areas of greater concern. To the extent minor adjustments are handled in the normal course of business, the supervisory response is limited. Rating 3 (Fair). A rating of 3 indicates that the consolidated BHC exhibits a combination of weaknesses ranging from fair to moderately severe. The company has less than adequate financial strength stemming from one or more of the following: modest capital deficiencies, substandard asset quality, weak earnings, or liquidity problems. As a result, the BHC and its subsidiaries are less resistant to adverse business conditions. The financial condition of the BHC will likely deteriorate if concerted action is not taken to correct areas of weakness. The company’s cash flow is sufficient to meet immediate obligations, but may not remain adequate if action is not taken to correct weaknesses. Consequently, the BHC is vulnerable and requires more than normal supervision. Overall financial strength and capacity are still such as to pose only a remote threat to the viability of the company. Rating 4 (Marginal). A rating of 4 indicates that the consolidated BHC has either inadequate capital, an immoderate volume of problem assets, very weak earnings, serious liquidity issues, or a combination of factors that are less than satisfactory. An additional weakness may be that the BHC’s cash flow needs are met only by upstreaming imprudent dividends and/or fees from subsidiaries. Unless prompt action is taken to correct these conditions, they could impair future viability. BHCs in this category require close supervisory attention and increased financial surveillance. Rating 5 (Unsatisfactory). A rating of 5 indicates that the volume and character of financial weaknesses of the BHC are so critical as to require urgent aid from shareholders or other sources to prevent insolvency. The imminent inability of such a company to service its fixed obligations and/or prevent capital depletion due to severe operating losses places its viability in serious doubt. Such companies require immediate corrective action and constant supervisory attention. Financial Condition Subcomponents The financial condition subcomponents can be evaluated along business lines, product lines, or legal entity lines--depending on which type of review is most appropriate for the holding company structure. Capital Adequacy Rating 1 (Strong). A rating of 1 indicates that the consolidated BHC maintains more than adequate capital to: 1) support the volume and risk characteristics of all parent and subsidiary business lines and products; 2) provide a sufficient cushion to absorb unanticipated losses arising from the parent company and subsidiary activities; and 3) support the level and composition of corporate and subsidiary borrowing. In addition, a company assigned a rating of 1 has more than sufficient capital to provide a base for the growth of risk assets and the entry into capital markets as the need arises for the parent company and subsidiaries. Rating 2 (Satisfactory). A rating of 2 indicates that the consolidated BHC maintains adequate capital to: 1) support the volume and risk characteristics of all parent and subsidiary business lines and products; 2) provide a sufficient cushion to absorb unanticipated losses arising from holding company and subsidiary activities; and 3) support the level and composition of corporate and subsidiary borrowing. In addition, a company assigned a rating of 2 has sufficient capital to provide a base for the growth of risk assets and the entry into capital markets as the need arises for the parent company and subsidiaries. Rating 3 (Fair). A rating of 3 indicates that the consolidated BHC may not maintain sufficient capital to ensure support for one or more of the following: 1) the volume and risk characteristics of all parent and subsidiary business lines and products; 2) the unanticipated losses arising from holding company and subsidiary activities; or 3) the level and composition of corporate and subsidiary borrowing. In addition, a company assigned a rating of 3 may not maintain a sufficient capital position to provide a base for the growth of risk assets and the entry into capital markets as the need arises for the parent company and subsidiaries. The capital position of the consolidated BHC could quickly become inadequate in the event of asset deterioration or other negative factors and therefore requires more than normal supervisory attention. Rating 4 (Marginal). A rating of 4 indicates that the capital level of the consolidated BHC is significantly below the amount needed to ensure support for one or more of the following: 1) the volume and risk characteristics of all parent and subsidiary business lines and products; 2) the unanticipated losses arising from holding company and subsidiary activities; and 3) the level and composition of corporate and subsidiary borrowing. In addition, a company assigned a rating of 4 does not maintain a sufficient capital position to provide a base for the growth of risk assets and the entry into capital markets as the need arises for the parent company and subsidiaries. If left unchecked, the consolidated capital position of the company might evolve into weaknesses or conditions that could threaten the viability of the institution. The capital position of the consolidated BHC requires immediate supervisory attention. Rating 5 (Unsatisfactory). A rating of 5 indicates that the level of capital of the consolidated BHC is critically deficient and in need of immediate corrective action. The consolidated capital position threatens the viability of the institution and requires constant supervisory attention. Asset Quality Rating 1 (Strong). A rating of 1 indicates that the BHC maintains strong asset quality across all parts of the organization, with a very low level of criticized and nonperforming assets. Credit risk across the organization is commensurate with management’s abilities and modest in relation to credit risk management practices. Rating 2 (Satisfactory). A rating of 2 indicates that the BHC maintains satisfactory asset quality across all parts of the organization, with a manageable level of criticized and nonperforming assets. Any identified weaknesses in asset quality are correctable in the normal course of business. Credit risk across the organization is commensurate with management’s abilities and generally modest in relation to credit risk management practices. Rating 3 (Fair). A rating of 3 indicates that the asset quality across all or a material part of the consolidated BHC is less than satisfactory. The BHC may be facing a decrease in the overall quality of assets currently maintained on and off balance sheet. The BHC may also be experiencing an increase in credit risk exposure that has not been met with an appropriate improvement in risk management practices. BHCs assigned a rating of 3 require more than normal supervisory attention. Rating 4 (Marginal). A rating of 4 indicates that the BHC’s asset quality is deficient. The level of problem assets and/or unmitigated credit risk subjects the holding company to potential losses that, if left unchecked, may threaten its viability. BHCs assigned a rating of 4 require immediate supervisory attention. Rating 5 (Unsatisfactory). A rating of 5 indicates that the BHC’s asset quality is critically deficient and presents an imminent threat to the institution's viability. BHCs assigned a rating of 5 require immediate remedial action and constant supervisory attention. Earnings Rating 1 (Strong). A rating of 1 indicates that the quantity and quality of the BHC’s consolidated earnings over time are more than sufficient to make full provision for the absorption of losses and accretion of capital when due consideration is given to asset quality and BHC growth. Generally, BHCs with a 1 rating have earnings well above peer-group averages. Rating 2 (Satisfactory). A rating of 2 indicates that the quantity and quality of the BHC’s consolidated earnings over time are generally adequate to make provision for the absorption of losses and accretion of capital when due consideration is given to asset quality and BHC growth. Generally, BHCs with a 2 earnings rating have earnings that are in line with or slightly above peer-group averages. Rating 3 (Fair). A rating of 3 indicates that the BHC’s consolidated earnings are not fully adequate to make provisions for the absorption of losses and the accretion of capital in relation to company growth. The consolidated earnings of companies rated 3 may be further clouded by static or inconsistent earnings trends, chronically insufficient earnings, or less than satisfactory asset quality. BHCs with a 3 rating for earnings generally have earnings below peer-group averages. Such BHCs require more than normal supervisory attention. Rating 4 (Marginal). A rating of 4 indicates that the BHC’s consolidated earnings, while generally positive, are clearly not sufficient to make full provision for losses and the necessary accretion of capital. BHCs with earnings rated 4 may be characterized by erratic fluctuations in net income, poor earnings (and the likelihood of the development of a further downward trend), intermittent losses, chronically depressed earnings, or a substantial drop from the previous year. The earnings of such companies are generally substantially below peer-group averages. Such BHCs require immediate supervisory attention. Rating 5 (Unsatisfactory). A rating of 5 indicates that the BHC is experiencing losses or reflecting a level of earnings that is worse than that described for the 4 rating. Such losses, if not reversed, represent a distinct threat to the BHC’s solvency through erosion of capital. Such BHCs require immediate and constant supervisory attention. Liquidity Rating 1 (Strong). A rating of 1 indicates that the BHC maintains strong liquidity levels and well developed funds management practices. The parent company and subsidiaries have reliable access to sufficient sources of funds on favorable terms to meet present and anticipated liquidity needs. Rating 2 (Satisfactory). A rating of 2 indicates that the BHC maintains satisfactory liquidity levels and funds management practices. The parent company and subsidiaries have access to sufficient sources of funds on acceptable terms to meet present and anticipated liquidity needs. Modest weaknesses in funds management practices may be evident, but those weaknesses are correctable in the normal course of business. Rating 3 (Fair). A rating of 3 indicates that the BHC’s liquidity levels or funds management practices are in need of improvement. BHCs rated 3 may lack ready access to funds on reasonable terms or may evidence significant weaknesses in funds management practices at the parent company and/or subsidiary levels. However, these deficiencies are considered correctable in the normal course of business. Such BHCs require more than normal supervisory attention. Rating 4 (Marginal). A rating of 4 indicates that the BHC’s liquidity levels or funds management practices are deficient. Institutions rated 4 may not have or be able to obtain a sufficient volume of funds on reasonable terms to meet liquidity needs at the parent company and/or subsidiary levels and require immediate supervisory attention. Rating 5 (Unsatisfactory). A rating of 5 indicates that the BHC’s liquidity levels or funds management practices are critically deficient and may threaten the continued viability of the institution. Institutions rated 5 require constant supervisory attention and immediate external financial assistance to meet maturing obligations or other liquidity needs.. Impact Component The I component rating reflects the aggregate potential impact of the nondepository entities on the subsidiary depository institution(s). The I component is rated on a five-point numerical scale. Ratings will be assigned in ascending order of supervisory concern as follows: 1 – low likelihood of significant negative impact; 2 – limited likelihood of significant negative impact; 3 – moderate likelihood of significant negative impact; 4 – considerable likelihood of significant negative impact; and 5 – high likelihood of significant negative impact. Rating 1 (Low Likelihood of Significant Negative Impact). A rating of 1 indicates that the nondepository entities of the BHC are highly unlikely to have a significant negative impact on the subsidiary depository institution(s) due to the sound financial condition of the nondepository entities, the strong risk management practices within the nondepository entities, or the corporate structure of the BHC. The BHC maintains an appropriate capital allocation across the organization commensurate with associated risks. Intra-group exposures, including servicing agreements, are very unlikely to undermine the financial condition of the subsidiary depository institution(s). Parent company cash flow is sufficient and not dependent on excessive dividend payments from subsidiaries. The potential risks posed to the subsidiary depository institution(s) by strategic plans, the control environment, risk concentrations, or legal or reputational issues within or facing the nondepository entities are minor in nature and can be addressed in the normal course of business. Rating 2 (Limited Likelihood of Significant Negative Impact). A rating of 2 indicates a limited likelihood that the nondepository entities of the BHC will have a significant negative impact on the subsidiary depository institution(s) due to the adequate financial condition of the nondepository entities, the satisfactory risk management practices within the parent nondepository entities, or the corporate structure of the BHC. The BHC maintains adequate capital allocation across the organization commensurate with associated risks. Intra-group exposures, including servicing agreements, are unlikely to undermine the financial condition of the subsidiary depository institution(s). Parent company cash flow is satisfactory and generally does not require excessive dividend payments from subsidiaries. The potential risks posed to the subsidiary depository institution(s) by strategic plans, the control environment, risk concentrations, or legal or reputational issues within the nondepository entities are modest and can be addressed in the normal course of business. Rating 3 (Moderate Likelihood of Significant Negative Impact). A rating of 3 indicates a moderate likelihood that the aggregate impact of the nondepository entities of the BHC on the subsidiary depository institution(s) will have a significant negative impact on the subsidiary depository institution(s) due to weaknesses in the financial condition and/or risk management practices of the nondepository entities. The BHC may have only marginally sufficient allocation of capital across the organization to support risks. Intragroup exposures, including servicing agreements, may have the potential to undermine the financial condition of the subsidiary depository institution(s). Parent company cash flow may at times require excessive dividend payments from subsidiaries. Strategic growth plans, weaknesses in the control environment, risk concentrations or legal or reputational issues within the nondepository entities may pose significant risks to the subsidiary depository institution(s). A BHC assigned a 3 impact rating requires more than normal supervisory attention, as there could be adverse effects on the safety and soundness of the subsidiary depository institution(s) if corrective action is not taken by management. Rating 4 (Considerable Likelihood of Significant Negative Impact). A rating of 4 indicates that there is a considerable likelihood that the nondepository entities of the BHC will have a significant negative impact on the subsidiary depository institution(s) due to weaknesses in the financial condition and/or risk management practices of the nondepository entities. A 4-rated BHC may have insufficient capital within the nondepository entities to support their risks and activities. Intra-group exposures, including servicing agreements, may also have the immediate potential to undermine the financial condition of the subsidiary depository institution(s). Parent company cash flow may be dependent on excessive dividend payments from subsidiaries. Strategic growth plans, weaknesses in the control environment, risk concentrations or legal or reputational issues within the nondepository entities may pose considerable risks to the subsidiary depository institution(s). A BHC assigned a 4 impact rating requires immediate remedial action and close supervisory attention because the nondepository entities could seriously affect the safety and soundness of the subsidiary depository institution(s). Rating 5 (High Likelihood of Significant Negative Impact). A rating of 5 indicates a high likelihood that the aggregate impact of the nondepository entities of the BHC on the subsidiary depository institution(s) is or will become significantly negative due to substantial weaknesses in the financial condition and/or risk management practices of the nondepository entities. Strategic growth plans, a deficient control environment, risk concentrations or legal or reputational issues within the nondepository entities may pose critical risks to the subsidiary depository institution(s). The parent company also may be unable to meet its obligations without excessive support from the subsidiary depository institution(s). The BHC requires immediate and close supervisory attention, as the nondepository entities seriously jeopardize the continued viability of the subsidiary depository institution(s). Composite Rating Rating 1 (Strong). BHCs in this group are sound in almost every respect; any negative findings are basically of a minor nature and can be handled in a routine manner. Risk management practices and financial condition provide resistance to external economic and financial disturbances. Cash flow is more than adequate to service debt and other fixed obligations, and the nondepository entities pose little risk to the subsidiary depository institution(s). Rating 2 (Satisfactory). BHCs in this group are fundamentally sound but may have modest weaknesses in risk management practices or financial condition. The weaknesses could develop into conditions of greater concern but are believed correctable in the normal course of business. As such, the supervisory response is limited. Cash flow is adequate to service obligations, and the nondepository entities are unlikely to have a significant negative impact on the subsidiary depository institution(s). Rating 3 (Fair). BHCs in this group exhibit a combination of weaknesses in risk management practices and financial condition that range from fair to moderately severe. These companies are less resistant to the onset of adverse business conditions and would likely deteriorate if concerted action is not effective in correcting the areas of weakness. Consequently, these companies are vulnerable and require more than normal supervisory attention and financial surveillance. However, the risk management and financial capacity of the company, including the potential negative impact of the nondepository entities on the subsidiary depository institution(s), pose only a remote threat to its continued viability. Rating 4 (Marginal). BHCs in this group have an immoderate volume of risk management and financial weaknesses, which may pose a heightened risk of significant negative impact on the subsidiary depository institution(s). The holding company’s cash flow needs may be being met only by upstreaming imprudent dividends and/or fees from its subsidiaries. Unless prompt action is taken to correct these conditions, the organization’s future viability could be impaired. These companies require close supervisory attention and substantially increased financial surveillance. Rating 5 (Unsatisfactory). The critical volume and character of the risk management and financial weaknesses of BHCs in this category, and concerns about the nondepository entities negatively impacting the subsidiary depository institution(s), could lead to insolvency without urgent aid from shareholders or other sources. The imminent inability to prevent liquidity and/or capital depletion places the BHC’s continued viability in serious doubt. These companies require immediate corrective action and constant supervisory attention. Depository Institutions Component The (D) component identifies the overall condition of the subsidiary depository institution(s) of the BHC. For BHCs with only one subsidiary depository institution, the (D) component rating will mirror the CAMELS composite rating for that depository institution. To arrive at a (D) component rating for BHCs with multiple subsidiary depository institutions, the CAMELS composite ratings for each of the depository institutions should be weighted, giving consideration to asset size and the relative importance of each depository institution within the overall structure of the organization. In general, it is expected that the resulting (D) component rating will reflect the lead depository institution’s CAMELS composite rating. 06-1 – Investments in Bank Premises Purpose This policy has been established in order to provide Arkansas state chartered banks with additional information regarding investments in bank premises and to provide guidance for the submission of the request to the Bank Commissioner. Regulation: Pursuant to the Arkansas Banking Code §23-47-103, “(a) A state bank or subsidiary trust company, acting with the prior approval of the Bank Commissioner, may acquire bank premises to be used, occupied, or owned by it. (b)(1) Any state bank acting with the prior approval of the commissioner may cause the title to its bank premises, now owned or at any time hereafter acquired by the bank to be held by a subsidiary corporation which shall be wholly owned by the bank. (2) A state bank having such a subsidiary may rent the bank premises or any portion thereof from the subsidiary or acquire the title to the premises by purchase from the subsidiary or through its liquidation under such terms and conditions as may be approved by the commissioner. (c) A state bank may with the prior approval of the commissioner invest in bank premises or in the stock, bonds, debentures, or other obligations of the subsidiary owning the bank premises, or make loans to, or upon the security of the stock of the subsidiary, if the aggregate of all such investments or loans, together with the amount of any indebtedness incurred by the subsidiary, will not exceed one hundred fifty percent (150%) of the capital base of such state bank.” Bank premises are defined as follows: “includes the state bank's or subsidiary trust company's main office site, all branch and other lawful office sites, the main office building and all other branch and other lawful office buildings, any or all of which may have additional space for occupancy by tenants, and any parking areas or parking structures that constitute adjuncts to any of the state bank or subsidiary trust company property;” Prior approval is required if an Arkansas state chartered bank desires to make an investment in premises through one of the following: The purchase of real estate for future expansion purposes or any other purpose. The construction or acquisition of a building or other structure (including a mobile facility) to be utilized by the bank for banking purposes. However, the construction or acquisition of a temporary or permanent facility to be utilized as a full service branch will require a branch application and the premises request would be addressed in the application. A remodel or renovation of an existing banking facility, if the costs associated with the remodel or renovations exceed a minimal sum. The Bank Commissioner considers a minimal sum to be $50,000 or less. The bank must submit to the Bank Commissioner, a written request that, at a minimum, addresses the following information: In the case of land, identify the property to be acquired and provide the location and legal description. The amount of the proposed expenditure. The purpose of the proposed expenditure. Discuss details concerning any involvement, directly or indirectly, by an insider (executive officers, directors, or shareholders who directly or indirectly control five (5) percent or more of any class of outstanding voting stock) of the bank or bank holding company (if applicable) or their immediate family or related interests. Provide the following information regarding any financial arrangements relating to fees, the acquisition of property, leasing of property, and construction contracts: a. Name of individual or related interest and relationship to Applicant; and a. Information to reflect that terms and conditions are not more favorable, for seller/lessor, than would be available in a comparable transaction with an unrelated party (information should include the fair market value or appraised value of any property, building, fixtures, equipment, etc., to be acquired and comparative sales information). The appraisal or evaluation, whichever is required, submitted must be prepared by an independent party. a. A copy of the Board minutes approving the transaction that reflects the bank insider’s abstention from the discussion and voting. Provide the current balance of the bank’s fixed asset account as of the previous month-end. Provide the current outstanding costs associated with any additional projects approved by the Commissioner and in process of completion. All of the information submitted with the request will be retained by the Bank Department. The Commissioner will review the proposed request and respond with a written decision. The Commissioner’s decision will be rendered in a reasonable amount of time. The aforementioned procedures do not include all possible scenarios regarding investment in premises and fixed assets. If a bank is uncertain as to any necessary approval regarding investments in fixed assets, contact the Bank Department for clarification.