bank holding company rating system section 4070 · revised bank holding company (bhc) rating system...

Bank Holding Company Rating SystemSection 4070.0

WHAT’S NEW IN THIS REVISEDSECTION

Effective January 2015, footnote 5 of this sec-tion was revised to delete a reference to SR-99-15, which was superseded by SR-12-17/CA-12-14, “Consolidated Supervision Framework forLarge Financial Institutions.”

On December 1, 2004, the Board of Governorsapproved for System-wide implementation arevised bank holding company (BHC) ratingsystem to more closely align the supervisoryrating system for BHCs, including financialholding companies, with the Federal Reserve’scurrent supervisory practices.1 The revised rat-ing system became effective January 1, 2005,and is to be used for all inspections commenc-ing after that date.

Each BHC is assigned a composite rating‘‘C’’ based on an evaluation and rating of itsmanagerial and financial condition and anassessment of future potential risk to its subsidi-ary depository institution(s). The main compo-nents of the rating system represent Risk man-agement (R); Financial condition (F); andpotential Impact (I) of the parent company andnondepository subsidiaries (collectively nonde-pository entities) on the subsidiary depositoryinstitution(s). While all BHCs are required toact as sources of strength to their subsidiarydepository institutions, pursuant to the Board’srules and policies, the impact rating (I) focuseson downside risk—that is, on the likelihood ofsignificant negative Impact on the subsidiarydepository institutions. A fourth component rat-ing, Depository institution (D), will generallymirror the primary regulator’s assessment of thesubsidiary depository institution(s). Thus, theprimary component and composite ratings aredisplayed:

RFI/C(D)

To provide a consistent framework for assess-ing risk management, the R component is sup-ported by four subcomponents that reflect theeffectiveness of the banking organization’s riskmanagement and controls. The subcomponentsare board and senior management oversight;policies, procedures, and limits; risk monitoring

and MIS; and internal controls. The F compo-nent is similarly supported by four subcompo-nents reflecting an assessment of the quality ofthe banking organization’s capital, asset quality,earnings, and liquidity. A simplified version ofthe rating system that requires only the assign-ment of the risk-management component ratingand composite rating will be applied to noncom-plex BHCs with assets below $1 billion.

Composite, component, and subcomponentratings are assigned based on a 1 to 5 numericscale. A 1 indicates the highest rating, strongestperformance and practices, and least degree ofsupervisory concern; a 5 indicates the lowestrating, weakest performance, and highest degreeof supervisory concern.

The Federal Reserve recognizes the interrela-tionship between the risk-management andfinancial-performance components of the revisedrating system, an interrelationship that is inher-ent in all supervisory rating systems. Accordingly,examiners are expected to consider that a risk-management factor may have a bearing on theassessment of a financial subcomponent or com-ponent rating and vice versa. In general, how-ever, the risk-management component and sub-components should be viewed as the moreforward-looking aspect of the rating system, andthe financial-condition component and subcom-ponents should be viewed as the current aspectof the rating system. For example, a BHC’sability to monitor and manage market risk (orsensitivity to market risk) should be evaluatedtogether with the organization’s ability to moni-tor and manage all risks under the R componentof the rating system. However, poor market-riskmanagement may also be reflected in the Fcomponent if it impacts earnings or capital. (SeeSR-04-18 and its attachment.)

All of the BHC numeric ratings, including thecomposite, component, and subcomponent rat-ings, should be presented in the report of inspec-tion, in accordance with the Federal Reserve’ssupervisory practices. The management of eachBHC under inspection should be made aware ofthe fact that this rating is furnished solely for itsconfidential use and under no circumstancesshould the BHC or any of its directors, officers,or employees disclose or make public any of theratings.

1. The Federal Reserve System’s previous BHC rating

system was the BOPEC rating system. The components of the

name represented the Bank, Other nonbank subsidiaries, Par-

ent company, Earnings, and Capital.

BHC Supervision Manual January 2015

4070.0.1 THE BANK HOLDINGCOMPANY RFI/C(D) RATINGSYSTEM

The bank holding company (BHC) rating sys-tem provides an assessment of certain risk-management and financial-condition factors thatare common to all BHCs, as well as an assess-ment of the potential impact of the parent BHCand its nondepository subsidiaries (collectivelynondepository entities) on the BHC’s subsidiarydepository institutions. Under this system, theFederal Reserve endeavors to ensure that allBHCs, including financial holding companies(FHCs), are evaluated in a comprehensive anduniform manner, and that supervisory attentionis appropriately focused on the BHCs that exhibitfinancial and operational weaknesses or adversetrends. The rating system serves as a usefulvehicle for identifying problem or deterioratingBHCs, as well as for categorizing BHCs withdeficiencies in particular areas. Further, the rat-ing system assists the Federal Reserve in follow-ing safety-and-soundness trends and in assess-ing the aggregate strength and soundness of thefinancial industry.

Each BHC2 is assigned a composite rating‘‘C’’ based on an overall evaluation and ratingof its managerial and financial condition and anassessment of future potential risk to its subsidi-ary depository institution(s). The main compo-nents of the rating system represent Risk man-agement (R); Financial condition (F); andpotential Impact (I) of the nondepository entitieson the subsidiary depository institutions. Whilethe Federal Reserve expects all BHCs to act as asource of strength to their subsidiary depositoryinstitutions, the Impact (I) rating focuses ondownside risk—that is, on the likelihood ofsignificant negative impact by the nondeposi-tory entities on the subsidiary depository institu-tion(s). A fourth rating, Depository institution(s)(D), will generally mirror the primary regula-tor’s assessment of the subsidiary depositoryinstitution(s). Thus, the primary component andcomposite ratings are displayed:

RFI/C(D)

To provide a consistent framework for assess-ing risk management, the R component is sup-

ported by four subcomponents that reflect theeffectiveness of the banking organization’s riskmanagement and controls. The subcomponentsare board and senior management oversight;policies, procedures, and limits; risk monitoringand MIS; and internal controls. The F compo-nent is also supported by four subcomponentsreflecting an assessment of the quality of theconsolidated banking organization’s capital, assetquality, earnings, and liquidity.

Composite, component, and subcomponentratings are assigned based on a 1 to 5 numericscale. A 1 numeric rating indicates the highestrating, strongest performance and practices, andleast degree of supervisory concern, whereas a 5numeric rating indicates the lowest rating, weak-est performance, and the highest degree ofsupervisory concern.

The following three sections contain detaileddescriptions of the composite, component, andsubcomponent ratings; implementation guidanceby BHC type; and definitions of the ratings.

4070.0.2 DESCRIPTION OF THERATING-SYSTEM ELEMENTS

4070.0.2.1 The Composite (C) Rating

‘‘C’’ is the overall composite assessment of theBHC as reflected by consolidated risk manage-ment, consolidated financial strength, and thepotential impact of the nondepository entities onthe subsidiary depository institutions. The com-posite rating encompasses both a forward-looking and static assessment of the consoli-dated organization, as well as an assessment ofthe relationship between the depository and non-depository entities. Consistent with current Fed-eral Reserve practice, the C rating is not derivedas a simple numeric average of the R, F, and Icomponents; rather, it reflects examiner judg-ment with respect to the relative importance ofeach component to the safe and sound operationof the BHC.

4070.0.2.2 The Risk-Management (R)Component

‘‘R’’ represents an evaluation of the ability ofthe BHC’s board of directors and senior man-agement, as appropriate for their respective posi-tions, to identify, measure, monitor, and controlrisk. The R rating underscores the importance ofthe control environment, taking into consider-ation the complexity of the organization and therisk inherent in its activities.

2. A simplified version of the rating system that includes

only the R and C components will be applied to noncomplex

bank holding companies with assets at or below $1 billion.

Bank Holding Company Rating System 4070.0


The R rating is supported by four subcompo-nents that are each assigned a separate rating.The four subcomponents are as follows: (1) boardand senior management oversight; (2) policies,procedures, and limits; (3) risk monitoring andMIS; and (4) internal controls. The subcompo-nents are evaluated in the context of the risksundertaken by and inherent in a banking organi-zation and the overall level of complexity of thefirm’s operations. They provide the FederalReserve System with a consistent framework forevaluating risk management and the controlenvironment. Moreover, the subcomponents pro-vide a clear structure and basis for discussion ofthe R rating with BHC management, reflect theprinciples of SR-95-51, are familiar to examin-ers, and parallel the existing risk-assessmentprocess. SR-95-51 contains a detailed descrip-tion of the four risk-management subcomponents.

4070.0.2.2.1 Risk-ManagementSubcomponents

4070.0.2.2.1.1 Board and Senior ManagementOversight

This subcomponent evaluates the adequacy andeffectiveness of board and senior management’sunderstanding and management of risk inherentin the BHC’s activities, as well as the generalcapabilities of management. It also includesconsideration of management’s ability to iden-tify, understand, and control the risks under-taken by the institution, to hire competent staff,and to respond to changes in the institution’srisk profile or innovations in the banking sector.

4070.0.2.2.1.2 Policies, Procedures, andLimits

This subcomponent evaluates the adequacy of aBHC’s policies, procedures, and limits giventhe risks inherent in the activities of the consoli-dated BHC and the organization’s stated goalsand objectives. This analysis will include con-sideration of the adequacy of the institution’saccounting and risk-disclosure policies and pro-cedures.

4070.0.2.2.1.3 Risk Monitoring andManagement Information Systems

This subcomponent assesses the adequacy of aBHC’s risk measurement and monitoring, andthe adequacy of its management reports andinformation systems. This analysis will include

a review of the assumptions, data, and proce-dures used to measure risk and the consistencyof these tools with the level of complexity of theorganization’s activities.

4070.0.2.2.1.4 Internal Controls

This subcomponent evaluates the adequacy of aBHC’s internal controls and internal audit pro-cedures, including the accuracy of financialreporting and disclosure and the strength andinfluence of the internal audit team within theorganization. This analysis will also include areview of the independence of control areasfrom management and the consistency of thescope coverage of the internal audit team withthe complexity of the organization.

4070.0.2.3 The Financial-Condition (F)Component

‘‘F’’ represents an evaluation of the consoli-dated organization’s financial strength. The Frating focuses on the ability of the BHC’sresources to support the level of risk associatedwith its activities. The F rating is supported byfour subcomponents: capital (C), asset quality(A), earnings (E), and liquidity (L). The CAELsubcomponents can be evaluated along indi-vidual business lines, product lines, or on alegal-entity basis, depending on what is mostappropriate given the structure of the organiza-tion. The assessment of the CAEL componentsshould use benchmarks and metrics appropriateto the business activity being evaluated.

Consistent with current supervisory practices,examination staff should continue to review rel-evant market indicators, such as external debtratings, credit spreads, debt and equity prices,and qualitative rating-agency assessments as asource of information complementary to exami-nation findings.

4070.0.2.3.1 Financial-ConditionSubcomponents (CAEL)

4070.0.2.3.1.1 Capital Adequacy

‘‘C’’ reflects the adequacy of an organization’sconsolidated capital position, from a regulatorycapital perspective and an economic capital per-



spective, as appropriate to the BHC.3 The evalu-ation of capital adequacy should consider therisk inherent in an organization’s activities andthe ability of capital to absorb unanticipatedlosses, to provide a base for growth, and tosupport the level and composition of the parentcompany and subsidiaries’ debt.

4070.0.2.3.1.2 Asset Quality

‘‘A’’ reflects the quality of an organization’sconsolidated assets. The evaluation shouldinclude, as appropriate, both on-balance-sheetand off-balance-sheet exposures and the level ofcriticized and nonperforming assets. Forward-looking indicators of asset quality, such as theadequacy of underwriting standards, the level ofconcentration risk, the adequacy of credit-administration policies and procedures, and theadequacy of MIS for credit risk, may also formthe Federal Reserve’s view of asset quality.

4070.0.2.3.1.3 Earnings

‘‘E’’ reflects the quality of consolidated earn-ings. The evaluation considers the level, trend,and sources of earnings, as well as the ability ofearnings to augment capital as necessary to pro-vide ongoing support for a BHC’s activities.

4070.0.2.3.1.4 Liquidity

‘‘L’’ reflects the consolidated organization’s abil-ity to attract and maintain the sources of fundsnecessary to support its operations and meet itsobligations. The funding conditions for each ofthe material legal entities in the holding com-pany structure should be evaluated to determineif any weaknesses exist that could affect thefunding profile of the consolidated organization.

4070.0.2.4 The Impact (I) Component

Like the other components and subcomponents,the I component is rated on a five-point numeri-cal scale. However, the descriptive definitions ofthe numerical ratings for I are different than

those of the other components and subcompo-nents. The I ratings are defined as follows:

1 — low likelihood of significant negative impact2 — limited likelihood of significant negative

impact3 — moderate likelihood of significant negative

impact4 — considerable likelihood of significant nega-

tive impact5 — high likelihoodof significantnegative impact

The I component is an assessment of thepotential impact of the nondepository entities onthe subsidiary depository institution(s). The Iassessment will evaluate both the risk-management practices and financial condition ofthe nondepository entities—an analysis that willborrow heavily from the analysis conducted forthe R and F components. Consistent with cur-rent practices, nondepository entities will beevaluated using benchmarks and analysis appro-priate for those businesses. In addition, for func-tionally regulated nondepository subsidiaries,examination staff will continue to rely, to theextent possible, on the work of those functionalregulators to assess the risk management prac-tices and financial condition of those entities. Inrating the I component, examination staff isrequired to evaluate the degree to which currentor potential issues within the nondepositoryentities present a threat to the safety and sound-ness of the subsidiary depository institution(s).In this regard, the I component will give aclearer indication of the degree of risk posed bythe nondepository entities to the federal safetynet than does the current rating system.

The I component focuses on the aggregateimpact of the nondepository entities on the sub-sidiary depository institution(s). In this regard,the I rating does not include individual subcom-ponent ratings for the parent company and non-depository subsidiaries. An I rating is assignedalways for each BHC; however, as is currentlythe case, nonmaterial nondepository subsidi-aries4 may be excluded from the I analysis at theexaminer’s discretion. Any risk-managementand financial issues at the nondepository entitiesthat potentially impact the safety and soundnessof the subsidiary depository institution(s) shouldbe identified in the written comments under theI rating. This approach is consistent with theFederal Reserve’s objective not to extend bank-like supervision to nondepository entities.

3. The regulatory minimum capital ratios for BHCs are

8 percent for total risk-based capital, 4 percent for tier 1

risk-based capital, 3 percent for tier 1 leverage for BHCs rated

strong, and 4 percent for tier 1 leverage for all other BHCs.

See 12 C.F.R. 225, appendices A and D.4. As a general rule, nondepository subsidiaries should be

included in the I analysis whenever their assets exceed 5 per-

cent of the BHC’s consolidated capital or $10 million, which-

ever is lower.



The analysis of the parent company for thepurpose of assigning an I rating should empha-size weaknesses that could directly impact therisk-management or financial condition of thesubsidiary depository institution(s). Similarly,the analysis of the nondepository subsidiariesfor the purpose of assigning an I rating shouldemphasize weaknesses that could negativelyimpact the parent company’s relationship withits subsidiary depository institution(s) and weak-nesses that could have a direct impact on therisk-management practices or financial condi-tion of the subsidiary depository institution(s).The analysis under the I component should con-sider existing as well as potential issues andrisks that may impact the subsidiary depositoryinstitution(s) now or in the future. Particularattention should be paid to the following risk-management and financial factors in assigningthe I rating:

4070.0.2.4.1 Risk-Management Factors

• Strategic considerations. The potential risksposed to the subsidiary depository institu-tion(s) by the nondepository entities’ strategicplans for growth in existing activities andexpansion into new products and services.

• Operational considerations. The spilloverimpact on the subsidiary depository institu-tion(s) from actual losses, a poor control envi-ronment, or an operational loss history in thenondepository entities.

• Legal and reputational considerations. Thespillover effect on the subsidiary depositoryinstitution(s) of complaints and litigation thatname one or more of the nondepository enti-ties as defendants, or involve violations oflaws or regulations, especially pertaining tointercompany transactions where the subsidi-ary depository institution(s) is involved.

• Concentration considerations. The potentialrisks posed to the subsidiary depository insti-tution(s) by concentrations within the nonde-pository entities in business lines, geographicareas, industries, customers, or other factors.

4070.0.2.4.2 Financial Factors

• Capital distribution. The distribution and trans-ferability of capital across the legal entities.

• Intra-group exposures. The extent to whichintra-group exposures, including servicingagreements, have the potential to underminethe condition of subsidiary depositoryinstitution(s).

• Parent company cash flow and leverage. Theextent to which the parent company is depen-dent on dividend payments, from both thenondepository subsidiaries and the subsidiarydepository institution(s), to service debt andcover fixed charges. Also, the effect that theseupstreamed cash flows have had, or can beexpected to have, on the financial condition ofthe BHC’s nondepository subsidiaries andsubsidiary depository institution(s).

4070.0.2.5 The Depository Institutions(D) Component

The (D) component will reflect generally thecomposite CAMELS rating assigned by the sub-sidiary depository institution’s primary supervi-sor. In a multibank BHC, the (D) rating willreflect a weighted average of the CAMELScomposite ratings of the individual subsidiarydepository institutions, weighted by both assetsize and the relative importance of each deposi-tory institution within the holding companystructure. In this regard, the CAMELS compos-ite rating for a subsidiary depository institutionthat dominates the corporate culture may figuremore prominently in the assignment of the (D)rating than would be dictated by asset size,particularly when problems exist within thatdepository institution.

The (D) component conveys important super-visory information, reflecting the primary super-visor’s assessment of the legal entity. The (D)component stands outside of the composite rat-ing, although significant risk-management andfinancial-condition considerations at the deposi-tory institution level are incorporated in theconsolidated R and F ratings, which are thenfactored into the C rating.

Consistent with current practice, if, in theprocess of analyzing the financial condition andrisk-management programs of the consolidatedorganization, a major difference of opinionregarding the safety and soundness of the sub-sidiary depository institution(s) emerges betweenthe Federal Reserve and the depository institu-tion’s primary regulator, then the (D) ratingshould reflect the Federal Reserve’s evaluation.

To highlight the presence of one or moreproblem depository institution(s) in a multibankBHC whose depository institution component,based on weighted averages, might not other-wise reveal their presence (i.e., depository insti-tution ratings of 1, 2, or 3), a problem modifier,P, would be attached to the depository institu-



tion rating (e.g., 1P, 2P, or 3P). Thus, 2P wouldindicate that, while on balance the depositorysubsidiaries are rated Satisfactory, there exists aproblem depository institution (composite 4 or5) among the subsidiary depository institutions.The problem identifier is unnecessary when thedepository institution component is rated 4 or 5.

4070.0.3 IMPLEMENTATION OF THEBHC RATING SYSTEM BY BHC TYPE

The Federal Reserve’s BHC rating system alignsthe rating system with current Federal Reservesupervisory practices. The rating system requiresanalysis and support for BHCs of all sizes.5 Assuch, the level of analysis and support will varybased upon whether a BHC has been deter-mined to be ‘‘complex’’ or ‘‘noncomplex.’’6 Inaddition, the resources dedicated to the inspec-tion of each BHC will continue to be deter-mined by the risk posed by the subsidiary deposi-tory institution(s) to the federal safety net7 andthe risk posed by the BHC to the subsidiarydepository institution(s).

4070.0.3.1 Noncomplex BHCs withAssets of $1 Billion or Less (ShellHolding Companies)

Rating: R and C

Consistent with SR-13-21, examination staffwill assign only an R and a C rating for all

companies in the shell BHC program (noncom-plex BHCs with assets under $1 billion). The Rrating is the M rating from the subsidiary deposi-tory institution’s CAMELS rating. To provideconsistent rating terminology across BHCs ofall sizes, the terminology is changed to R fromthe former M. The C rating is the subsidiarydepository institution’s composite CAMELSrating.

4070.0.3.2 Noncomplex BHCs withAssets Greater Than $1 Billion

4070.0.3.2.1 One-Bank HoldingCompanies

Rating: RFI/C(D)

For all noncomplex one-bank holding compa-nies with assets of greater than $1 billion, exami-nation staff will assign all component and sub-component ratings; however, examination staffshould continue to rely heavily on informationand analysis contained in the primary regula-tor’s report of examination for the subsidiarydepository institution to assign the R and Fratings. If examination staff have reviewed theprimary regulator’s examination report and arecomfortable with the analysis and conclusionscontained in that report, then the BHC ratingsshould be supported with concise language thatindicates that the conclusions are based on theanalysis of the primary regulator. No additionalanalysis will be required.

In cases where the analysis and conclusionsof the primary regulator are insufficient to assignthe ratings, the primary regulator should be con-tacted to ascertain whether additional analysisand support may be available. Further, if discus-sions with the primary regulator do not providesufficient information to assign the ratings, dis-cussions with BHC management may be war-ranted to obtain adequate information to assignthe ratings. In most cases, additional informa-tion or support obtained through these steps willbe sufficient to permit the assignment of the Rand F ratings. To the extent that additionalanalysis is deemed necessary, the level of analy-sis and resources spent on this assessment shouldbe in line with the level of risk the subsidiarydepository institution poses to the federal safetynet. In addition, any activities that involve infor-mation gathering with respect to the subsidiarydepository institution should be coordinated withand, if possible, conducted by, the primary regu-lator of that institution.

Examination staff are required to make anindependent assessment in order to assign the

5. As described in this manual, SR-95-51, SR-97-24, and

SR-12-17/CA-12-14.

6. The determination of whether a holding company is

‘‘complex’’ versus ‘‘noncomplex’’ is made at least annually

on a case-by-case basis taking into account and weighing a

number of considerations, such as the size and structure of the

holding company; the extent of intercompany transactions

between depository institution subsidiaries and the holding

company or nondepository subsidiaries of the holding com-

pany; the nature and scale of any nondepository activities,

including whether the activities are subject to review by

another regulator and the extent to which the holding com-

pany is conducting Gramm-Leach-Bliley–authorized activi-

ties (e.g., insurance, securities, merchant banking); whether

risk-management processes for the holding company are con-

solidated; and whether the holding company has material debt

outstanding to the public. Size is a less important determinant

of complexity than many of the factors noted above, but

generally companies of significant size (e.g., assets of $10 bil-

lion on balance sheet or managed) would be considered

complex, irrespective of the other considerations.

7. The federal safety net includes the federal deposit insur-

ance fund, the payments system, and the Federal Reserve’s

discount window.



I rating, which provides an evaluation of theimpact of the BHC on the subsidiary depositoryinstitution. Analysis for the I rating in noncom-plex one-bank holding companies should placeparticular emphasis on issues related to parentcompany cash flow and compliance with sec-tions 23A and 23B of the Federal Reserve Actand the Board’s Regulation W.

4070.0.3.2.2 Multibank HoldingCompanies

Rating: RFI/C(D)

For all noncomplex BHCs with assets of greaterthan $1 billion and more than one subsidiarydepository institution, examination staff willassign all component and subcomponent ratingsof the new system. Examiners should rely, to theextent possible, on the work conducted by theprimary regulators of the subsidiary depositoryinstitutions to assign the R and F ratings. How-ever, any risk-management or other importantfunctions conducted by the nondepository enti-ties of the BHC, or conducted across legal-entity lines, should be subject to review byFederal Reserve examination staff. These reviewsshould be conducted in coordination with theprimary regulator(s). The assessment for the Irating requires an independent assessment byFederal Reserve examination staff.

4070.0.3.3 Complex BHCs

Rating: RFI/C(D)

For complex BHCs, examination staff will assignall component and subcomponent ratings of thenew rating system. The ratings analysis shouldbe based on the primary and functional regula-tors’ assessment of the subsidiary entities, aswell as on the examiners’ assessment of theconsolidated organization as determined throughoff-site review and the BHC inspection process,as appropriate. The resources needed for theinspection and the level of support needed fordeveloping a full rating will depend on thecomplexity of the organization, including struc-ture and activities (see footnote 5), and shouldbe commensurate with the level of risk posed bythe subsidiary depository institution(s) to thefederal safety net and the level of risk posed bythe BHC to the subsidiary depositoryinstitution(s).

4070.0.3.4 Nontraditional BHCs

Rating: RFI/C(D)

Examination staff are required to assign the full

rating system for nontraditional BHCs. Nontra-ditional BHCs include BHCs in which most orall nondepository entities are regulated by afunctional regulator and in which the subsidiarydepository institution(s) are small in relation tothe nondepository entities. The rating system isnot intended to introduce significant additionalwork in the rating process for these organiza-tions. As discussed above, the level of analysisconducted and resources needed to inspect theBHC and to assign the consolidated R and Fratings should be commensurate with the levelof risk posed by the subsidiary depository insti-tution(s) to the federal safety net and the level ofrisk posed by the BHC to the subsidiary deposi-tory institution(s). The report of examination by,and other information obtained from, the func-tional and primary bank regulators should pro-vide the basis for the consolidated R and Fratings. On-site work, to the extent it involvesareas that are the primary responsibility of thefunctional or primary bank regulator, should becoordinated with and, if possible, conducted by,those regulators. Examination staff should con-centrate their independent analysis for the R andF ratings around activities and risk managementconducted by the parent company and non–functionally regulated nondepository subsidi-aries, as well as around activities and risk-management functions that are related to thesubsidiary depository institution(s), for exam-ple, audit functions for the depository institu-tion(s) and compliance with sections 23A and23B and the Board’s Regulation W.

Examination staff are required to make anindependent assessment of the impact of thenondepository entities on the subsidiary deposi-tory institution(s) in order to assign the I rating.

4070.0.4 RATING DEFINITIONS FORTHE RFI/C(D) RATING SYSTEM

All component and subcomponent ratings arerated on a five-point numeric scale. With theexception of the I component, ratings will beassigned in ascending order of supervisory con-cern as follows:

1 — Strong2 — Satisfactory3 — Fair4 — Marginal5 — Unsatisfactory



A description of the I component ratings is inthe I section (see section 4070.0.4.4).

As is current Federal Reserve practice, thecomponent ratings are not derived as a simplenumeric average of the subcomponent ratings;rather, weight afforded to each subcomponent inthe overall component rating will depend on theseverity of the condition of that subcomponentand the relative importance of that subcompo-nent to the consolidated organization. Similarly,some components may be given more weightthan others in determining the composite rating,depending on the situation of the BHC. Assign-ment of a composite rating may incorporate anyfactor that bears significantly on the overallcondition and soundness of the BHC, althoughgenerally the composite rating bears a closerelationship to the component ratings assigned.

4070.0.4.1 Composite Rating

Rating 1 (Strong). BHCs in this group are soundin almost every respect; any negative findingsare basically of a minor nature and can behandled in a routine manner. Risk-managementpractices and financial condition provide resis-tance to external economic and financial distur-bances. Cash flow is more than adequate toservice debt and other fixed obligations, and thenondepository entities pose little risk to the sub-sidiary depository institution(s).

Rating 2 (Satisfactory). BHCs in this group arefundamentally sound but may have modest weak-nesses in risk-management practices or financialcondition. The weaknesses could develop intoconditions of greater concern but are believedcorrectable in the normal course of business. Assuch, the supervisory response is limited. Cashflow is adequate to service obligations, and thenondepository entities are unlikely to have asignificant negative impact on the subsidiarydepository institution(s).

Rating 3 (Fair). BHCs in this group exhibit acombination of weaknesses in risk-managementpractices and financial condition that range fromfair to moderately severe. These companies areless resistant to the onset of adverse businessconditions and would likely deteriorate if con-certed action is not effective in correcting theareas of weakness. Consequently, these compa-nies are vulnerable and require more-than-normal supervisory attention and financial sur-

veillance. However, the risk-management andfinancial capacity of the company, including thepotential negative impact of the nondepositoryentities on the subsidiary depository institu-tion(s), pose only a remote threat to its contin-ued viability.

Rating 4 (Marginal). BHCs in this group havesignificant risk-management and financial weak-nesses, which may pose a heightened risk ofsignificant negative impact on the subsidiarydepository institution(s). The holding co-mpany’s cash-flow needs may be being metonly by upstreaming imprudent dividends and/orfees from its subsidiaries. Unless prompt actionis taken to correct these conditions, the organi-zation’s future viability could be impaired. Thesecompanies require close supervisory attentionand substantially increased financial surveillance.

Rating 5 (Unsatisfactory). The magnitude andcharacter of the risk-management and financialweaknesses of BHCs in this category, and con-cerns about the nondepository entities nega-tively impacting the subsidiary depository insti-tution(s), could lead to insolvency without urgentaid from shareholders or other sources. Theimminent inability to prevent liquidity and/orcapital depletion places the BHC’s continuedviability in serious doubt. These companiesrequire immediate corrective action and con-stant supervisory attention.

4070.0.4.2 Risk-Management Component

Rating 1 (Strong). A rating of 1 indicates thatmanagement effectively identifies and controlsall major types of risk posed by the BHC’sactivities. Management is fully prepared toaddress risks emanating from new products andchanging market conditions. The board and man-agement are forward-looking and active partici-pants in managing risk. Management ensuresthat appropriate policies and limits exist and areunderstood, reviewed, and approved by the board.Policies and limits are supported by risk-monitoring procedures, reports, and MIS thatprovide management and the board with theinformation and analysis that is necessary tomake timely and appropriate decisions in responseto changing conditions. Risk-management prac-tices and the organization’s infrastructure areflexible and highly responsive to changing indus-try practices and current regulatory guidance.Staff has sufficient experience, expertise, anddepth to manage the risks assumed by theinstitution.



Internal controls and audit procedures are suf-ficiently comprehensive and appropriate to thesize and activities of the institution. There arefew noted exceptions to the institution’s estab-lished policies and procedures, and none ismaterial. Management effectively and accu-rately monitors the condition of the institutionconsistent with the standards of safety and sound-ness, and in accordance with internal and super-visory policies and practices. Risk-managementprocesses are fully effective in identifying, moni-toring, and controlling the risks to the institution.

Rating 2 (Satisfactory). A rating of 2 indicatesthat the institution’s management of risk islargely effective, but lacking in some modestdegree. Management demonstrates a responsive-ness and ability to cope successfully with exist-ing and foreseeable risks that may arise in carry-ing out the institution’s business plan. Althoughthe institution may have some minor risk-management weaknesses, these problems havebeen recognized and are in the process of beingresolved. Overall, board and senior managementoversight, policies and limits, risk-monitoringprocedures, reports, and MIS are consideredsatisfactory and effective in maintaining a safeand sound institution. Risks are controlled in amanner that does not require more-than-normalsupervisory attention.

The BHC’s risk-management practices andinfrastructure are satisfactory and generally areadjusted appropriately in response to changingindustry practices and current regulatory guid-ance. Staff experience, expertise, and depth aregenerally appropriate to manage the risks assumedby the institution.

Internal controls may display modest weak-nesses or deficiencies, but they are correctablein the normal course of business. The examinermay have recommendations for improvement,but the weaknesses noted should not have asignificant effect on the safety and soundness ofthe institution.

Rating 3 (Fair). A rating of 3 signifies thatrisk-management practices are lacking in someimportant ways and, therefore, are a cause formore-than-normal supervisory attention. One ormore of the four elements of sound risk manage-ment8 (active board and senior managementoversight; adequate policies, procedures, and

limits; adequate risk-management monitoringand MIS; comprehensive internal controls) areconsidered less than acceptable, and has pre-cluded the institution from fully addressing oneor more significant risks to its operations. Cer-tain risk-management practices are in need ofimprovement to ensure that management andthe board are able to identify, monitor, andcontrol all significant risks to the institution.Also, the risk-management structure may needto be improved in areas of significant businessactivity, or staff expertise may not be commen-surate with the scope and complexity of busi-ness activities. In addition, management’sresponse to changing industry practices andregulatory guidance may need to improve.

The internal control system may be lacking insome important aspects, particularly as indi-cated by continued control exceptions or by afailure to adhere to written policies and proce-dures. The risk-management weaknesses couldhave adverse effects on the safety and sound-ness of the institution if corrective action is nottaken by management.

Rating 4 (Marginal). A rating of 4 representsdeficient risk-management practices that fail toidentify, monitor, and control significant riskexposures in many material respects. Generally,such a situation reflects a lack of adequate guid-ance and supervision by management and theboard. One or more of the four elements ofsound risk management are deficient and requiresimmediate and concerted corrective action bythe board and management.

The institution may have serious identifiedweaknesses, such as an inadequate separation ofduties, that require substantial improvement ininternal control or accounting procedures, orimproved adherence to supervisory standards orrequirements. The risk-management deficien-cies warrant a high degree of supervisory atten-tion because, unless properly addressed, theycould seriously affect the safety and soundnessof the institution.

Rating 5 (Unsatisfactory). A rating of 5 indi-cates a critical absence of effective risk-management practices with respect to the identi-fication, monitoring, or control over significantrisk exposures. One or more of the four ele-ments of sound risk management are consideredwholly deficient, and management and the boardhave not demonstrated the capability to addressthese deficiencies.8. See the Federal Reserve System handbook Framework

for Risk-Focused Supervision of Large Complex Institutions,August 1997, and SR-95-51, ‘‘Rating the Adequacy of RiskManagement Processes and Internal Controls at State Mem-ber Banks and Bank Holding Companies.’’


BHC Supervision Manual July 2005

Internal controls are critically weak and, assuch, could seriously jeopardize the continuedviability of the institution. If not already evi-dent, there is an immediate concern as to thereliability of accounting records and regulatoryreports and the potential for losses if correctivemeasures are not taken immediately. Deficien-cies in the institution’s risk-management proce-dures and internal controls require immediateand close supervisory attention.

4070.0.4.2.1 Risk-ManagementSubcomponents

4070.0.4.2.1.1 Board and Senior ManagementOversight

Rating 1 (Strong). An assessment of Strongsignifies that the board and senior managementare forward-looking, fully understand the typesof risk inherent in the BHC’s activities, andactively participate in managing those risks. Theboard has approved overall business strategiesand significant policies, and ensures that seniormanagement is fully capable of managing theactivities that the BHC conducts. Consistentwith the standards of safety and soundness,oversight of risk-management practices is strongand the organization’s overall business strategyis effective.

Senior management ensures that risk-management practices are rapidly adjusted inaccordance with enhancements to industry prac-tices and regulatory guidance, and exposure lim-its are adjusted as necessary to reflect the institu-tion’s changing risk profile. Policies, limits, andtracking reports are appropriate, understood, andregularly reviewed.

Management provides effective supervisionof the day-to-day activities of all officers andemployees, including the supervision of thesenior officers and the heads of business lines. Ithires staff that possess experience and expertiseconsistent with the scope and complexity of theorganization’s business activities. There is a suf-ficient depth of staff to ensure sound operations.Management ensures compliance with laws andregulations and that employees have the integ-rity, ethical values, and competence consistentwith a prudent management philosophy andoperating style.

Management respondsappropriately tochangesin the marketplace. It identifies all risks associ-ated with new activities or products before they

are launched and ensures that the appropriateinfrastructureand internalcontrolsareestablished.

Rating 2 (Satisfactory). An assessment of Satis-factory indicates that board and senior manage-ment have an adequate understanding of theorganization’s risk profile and provide largelyeffective oversight of risk-management prac-tices. In this regard, the board has approved allmajor business strategies and significant poli-cies and ensures that senior management iscapable of managing the activities that the BHCconducts. Oversight of risk-management prac-tices is satisfactory, and the organization’s over-all business strategy is generally sound.

Senior management generally adjusts risk-management practices appropriately in accor-dance with enhancements to industry practicesand regulatory guidance, and adjusts exposurelimits as necessary to reflect the institution’schanging risk profile, although these practicesmay be lacking in some modest degree. Poli-cies, limits, and tracking reports are generallyappropriate, understood, and regularly reviewed,and the new-product approval process adequatelyidentifies the associated risks and necessarycontrols.

Senior management’s day-to-day supervisionof management and staff at all levels is gener-ally effective. The level of staffing, and its expe-rience, expertise, and depth, is sufficient to oper-ate the business lines in a safe and sound manner.Minor weaknesses may exist in the staffing,infrastructure, and risk-management processesfor individual business lines or products, butthese weaknesses have been identified by man-agement, are correctable in the normal course ofbusiness, andare in theprocessofbeingaddressed.Weaknesses noted should not have a significanteffect on the safety and soundness of theinstitution.

Rating 3 (Fair). An assessment of Fair signifiesthat board and senior management oversight islacking in some important way and, therefore, isa cause for more-than-normal supervisory atten-tion. The weaknesses may involve a broad rangeof activities or be material to a major businessline or activity. Weaknesses in one or moreaspect of board and senior management over-sight have precluded the institution from fullyaddressing one or more significant risks to theinstitution. The deficiencies may include a lackof knowledge with respect to the organization’srisk profile, insufficient oversight of risk-management practices, ineffective policies orlimits, inadequate or under-utilized manage-ment reporting, an inability to respond to indus-



try enhancements and changes in regulatoryguidance, or a failure to execute appropriatebusiness strategies. Staffing may not be adequateor staff may not possess the experience andexpertise needed for the scope and complexityof the organization’s business activities. Theday-to-day supervision of officer and staff activi-ties, including the management of senior offi-cers or heads of business lines, may be lacking.Certain risk-management practices are in needof improvement to ensure that management andthe board are able to identify, monitor, andcontrol all significant risks to the institution.Weaknesses noted could have adverse effects onthe safety and soundness of the institution ifcorrective action is not taken by management.

Rating 4 (Marginal). An assessment of Mar-ginal represents deficient oversight practices thatreflect a lack of adequate guidance and supervi-sion by management and the board. A numberof significant risks to the institution have notbeen adequately addressed, and the board andsenior management function warrants a highdegree of supervisory attention. Multiple boardand senior management weaknesses are in needof immediate improvement. They may include asignificant lack of knowledge with respect to theorganization’s risk profile, largely insufficientoversight of risk-management practices, ineffec-tive policies or limits, inadequate or consider-ably under-utilized management reporting, aninability to respond to industry enhancementsand changes in regulatory guidance, or a failureto execute appropriate business strategies. Staff-ing may not be adequate or possess the experi-ence and expertise needed for the scope andcomplexity of the organization’s business activi-ties, and the day-to-day supervision of officerand staff activities, including the managementof senior officers or heads of business lines, maybe considerably lacking. These conditions war-rant a high degree of supervisory attention be-cause, unless properly addressed, they couldseriously affect the safety and soundness of theinstitution.

Rating 5 (Unsatisfactory). An assessment ofUnsatisfactory indicates a critical absence ofeffective board and senior management over-sight practices. Problems may include a severelack of knowledge with respect to the organiza-tion’s risk profile, insufficient oversight of risk-management practices, wholly ineffective poli-cies or limits, critically inadequate or under-utilized management reporting, a completeinability to respond to industry enhancementsand changes in regulatory guidance, or failure to

execute appropriate business strategies. Staffingmay be inadequate, inexpert, and/or inad-equately supervised. The deficiencies requireimmediate and close supervisory attention, asmanagement and the board have not demon-strated the capability to address them. Weak-nesses could seriously jeopardize the continuedviability of the institution.

4070.0.4.2.1.2 Policies, Procedures, andLimits

Rating 1 (Strong). An assessment of Strongindicates that the policies, procedures, and lim-its provide for effective identification, measure-ment, monitoring, and control of the risks posedby all significant activities, including lending,investing, trading, trust, and fiduciary activities.Policies, procedures, and limits are consistentwith the institution’s goals and objectives andits overall financial strength. The policies clearlydelineate accountability and lines of authorityacross the institution’s activities. The policiesalso provide for the review of new activities toensure that the infrastructure necessary to iden-tify, monitor, and control the associated risks isin place before the activities are initiated.

Rating 2 (Satisfactory). An assessment of Satis-factory indicates that the policies, procedures,and limits cover all major business areas, arethorough and substantially up-to-date, and pro-vide a clear delineation of accountability andlines of authority across the institution’s activi-ties. Policies, procedures, and limits are gener-ally consistent with the institution’s goals andobjectives and its overall financial strength.Also, the policies provide for adequate due dili-gence before engaging in new activities or prod-ucts. Any deficiencies or gaps that have beenidentified are minor in nature and in the processof being addressed. Weaknesses should not havea significant effect on the safety and soundnessof the institution.

Rating 3 (Fair). An assessment of Fair signifiesthat deficiencies exist in policies, procedures,and limits that require more-than-normal super-visory attention. The deficiencies may involve abroad range of activities or be material to amajor business line or activity. The deficienciesmay include policies, procedures, or limits (orthe lack thereof) that do not adequately identify,measure, monitor, or control the risks posed by



significant activities; are not consistent with theexperience of staff, the organization’s strategicgoals and objectives, or the financial strength ofthe institution; or do not clearly delineate account-ability or lines of authority. Also, the policiesmay not provide for adequate due diligencebefore engaging in new activities or products.Weaknesses noted could have adverse effects onthe safety and soundness of the institution unlesscorrective action is taken by management.

Rating 4 (Marginal). An assessment of Mar-ginal indicates deficient policies, procedures,and limits that do not address a number ofsignificant risks to the institution. Multiple prac-tices are in need of immediate improvement,which may include policies, procedures, or lim-its (or the lack thereof) that ineffectively iden-tify, measure, monitor, or control the risks posedby significant activities; are not commensuratewith the experience of staff, the institution’sstrategic goals and objectives, or the financialstrength of the institution; or do not delineateaccountability or lines of authority. Moreover,policies may be considerably lacking with regardto providing for effective due diligence beforeengaging in new activities or products. Theseconditions warrant a high degree of supervisoryattention because, unless properly addressed,they could seriously affect the safety and sound-ness of the institution.

Rating 5 (Unsatisfactory). An assessment ofUnsatisfactory indicates a critical absence ofeffective policies, procedures, and limits. Poli-cies, procedures, or limits (or the lack thereof)are largely or entirely ineffective with regard toidentifying, measuring, monitoring, or control-ling the risks posed by significant activities; arecompletely inconsistent with the experience ofstaff, the organization’s strategic goals andobjectives, or the financial strength of the insti-tution; or do not delineate accountability or linesof authority. Also, policies may be completelylacking with regard to providing for effectivedue diligence before engaging in new activitiesor products. Critical weaknesses could seriouslyjeopardize the continued viability of the institu-tion and require immediate and close supervi-sory attention.

4070.0.4.2.1.3 Risk Monitoring andManagement Information Systems

Rating 1 (Strong). An assessment of Strongindicates that risk-monitoring practices and MISreports address all material risks. The key assump-tions, data sources, and procedures used in mea-suring and monitoring risk are appropriate, thor-oughly documented, and frequently tested forreliability. Reports and other forms of communi-cation are consistent with activities; are struc-tured to monitor exposures and compliance withestablished limits, goals, or objectives; and com-pare actual versus expected performance whenappropriate. Management and board reports areaccurate and timely and contain sufficient infor-mation to identify adverse trends and to thor-oughly evaluate the level of risk faced by theinstitution.

Rating 2 (Satisfactory). An assessment of Satis-factory indicates that risk-monitoring practicesand MIS reports cover major risks and businessareas, although they may be lacking in somemodest degree. In general, the reports containvalid assumptions that are periodically tested foraccuracy and reliability and are adequately docu-mented and distributed to the appropriate deci-sionmakers. Reports and other forms of commu-nication generally are consistent with activities;are structured to monitor exposures and compli-ance with established limits, goals, or objec-tives; and compare actual versus expected per-formance when appropriate. Management andboard reports are generally accurate and timely,and broadly identify adverse trends and the levelof risk faced by the institution. Any weaknessesor deficiencies that have been identified are inthe process of being addressed.

Rating 3 (Fair). An assessment of Fair signifiesthat weaknesses exist in the institution’s risk-monitoring practices or MIS reports that requiremore-than-normal supervisory attention. Theweaknesses may involve a broad range of activi-ties or be material to a major business line oractivity. They may contribute to ineffective riskidentification or monitoring through inappropri-ate assumptions, incorrect data, poor documen-tation, or the lack of timely testing. In addition,MIS reports may not be distributed to the appro-priate decisionmakers, adequately monitor sig-nificant risks, or properly identify adverse trendsand the level of risk faced by the institution.Weaknesses noted could have adverse effects onthe safety and soundness of the institution ifcorrective action is not taken by management.



Rating 4 (Marginal). An assessment of Mar-ginal represents deficient risk-monitoring prac-tices or MIS reports that, unless properlyaddressed, could seriously affect the safety andsoundness of the institution. A number of sig-nificant risks to the institution are not adequatelymonitored or reported. Ineffective risk identifi-cation may result from notably inappropriateassumptions, incorrect data, poor documenta-tion, or the lack of timely testing. In addition,MIS reports may not be distributed to the appro-priate decisionmakers, may inadequately moni-tor significant risks, or fail to identify adversetrends and the level of risk faced by the institu-tion. The risk-monitoring and MIS deficiencieswarrant a high degree of supervisory attentionbecause, unless properly addressed, they couldseriously affect the safety and soundness of theinstitution.

Rating 5 (Unsatisfactory). An assessment ofUnsatisfactory indicates a critical absence ofrisk monitoring and MIS. They are wholly defi-cient due to inappropriate assumptions, incor-rect data, poor documentation, or the lack oftimely testing. Moreover, MIS reports may notbe distributed to the appropriate decisionmak-ers, fail to monitor significant risks, or fail toidentify adverse trends and the level of riskfaced by the institution. These critical weak-nesses require immediate and close supervisoryattention, as they could seriously jeopardize thecontinued viability of the institution.

4070.0.4.2.1.4 Internal Controls

Rating 1 (Strong). An assessment of Strongindicates that the system of internal controls isrobust for the type and level of risks posed bythe nature and scope of the organization’s activi-ties. The organizational structure establishesclear lines of authority and responsibility formonitoring adherence to policies, procedures,and limits, and, wherever applicable, exceptionsare noted and promptly investigated. Reportinglines provide clear independence of the controlareas from the business lines and separation ofduties throughout the organization. Robust pro-cedures exist for ensuring compliance with appli-cable laws and regulations, including consumerlaws and regulations. Financial, operational, andregulatory reports are reliable, accurate, andtimely. Internal audit or other control reviewpractices provide for independence and objectiv-ity. Internal controls and information systemsare thoroughly tested and reviewed; the cover-age, procedures, findings, and responses to audits

and review tests are well documented; identifiedmaterial weaknesses are given thorough andtimely high-level attention; and management’sactions to address material weaknesses are objec-tively reviewed and verified. The board or itsaudit committee regularly reviews the effective-ness of internal audits and other control reviewactivities.

Rating 2 (Satisfactory). An assessment of Satis-factory indicates that the system of internal con-trols adequately covers major risks and businessareas, with some modest weaknesses. In gen-eral, the control functions are independent fromthe business lines, and there is appropriate sepa-ration of duties. The control system supportsaccuracy in recordkeeping practices and report-ing systems, is adequately documented, andverifies compliance with laws and regulations,including consumer laws and regulations. Inter-nal controls and information systems areadequately tested and reviewed, and the cover-age, procedures, findings, and responses to auditsand review tests are documented. Identified mate-rial weaknesses are given appropriate attention,and management’s actions to address materialweaknesses are objectively reviewed and veri-fied. The board or its audit committee reviewsthe effectiveness of internal audits and othercontrol review activities. Any weaknesses ordeficiencies that have been identified are modestin nature and in the process of being addressed.

Rating 3 (Fair). An assessment of Fair signifiesthat weaknesses exist in the system of internalcontrols that require more-than-normal supervi-sory attention. The weaknesses may involve abroad range of activities or be material to amajor business line or activity. The weaknessesmay include insufficient oversight of internalcontrols and audit by the board or its auditcommittee; unclear or conflicting lines of author-ity and responsibility; a lack of independencebetween control areas and business activities; orineffective separation of duties. The internalcontrol system may produce inadequate oruntimely risk coverage and verification, includ-ing monitoring compliance with both safety-and-soundness and consumer laws and regula-tions; inaccurate records or financial, operational,or regulatory reporting; a lack of documentationfor work performed; or a lack of timeliness inmanagement review and correction of identifiedweaknesses. Weaknesses noted could haveadverse effects on the safety and soundness of



the institution if corrective action is not taken bymanagement.

Rating 4 (Marginal). An assessment of Mar-ginal represents a deficient internal control sys-tem that does not adequately address a numberof significant risks to the institution. The defi-ciencies may include neglect of internal controlsand audit by the board or its audit committee,conflicting lines of authority and responsibility,a lack of independence between control areasand business activities, or no separation of dutiesin critical areas. The internal control systemmay produce inadequate, untimely, or nonexist-ent risk coverage and verification in certainareas, including monitoring compliance withboth safety-and-soundness and consumer lawsand regulations; inaccurate records or financial,operational, or regulatory reporting; a lack ofdocumentation for work performed; or infre-quent management review and correction ofidentified weaknesses. The internal control defi-ciencies warrant a high degree of supervisoryattention because, unless properly addressed,they could seriously affect the safety and sound-ness of the institution.

Rating 5 (Unsatisfactory). An assessment ofUnsatisfactory indicates a critical absence of aninternal control system. There may be no over-sight by the board or its audit committee, con-flicting lines of authority and responsibility, nodistinction between control areas and businessactivities, or no separation of duties. The inter-nal control system may produce totally inad-equate or untimely risk coverage and verifica-tion, including monitoring compliance with bothsafety-and-soundness and consumer laws andregulations; completely inaccurate records orregulatory reporting; a severe lack of documen-tation for work performed; or no managementreview and correction of identified weaknesses.Such deficiencies require immediate and closesupervisory attention, as they could seriouslyjeopardize the continued viability of theinstitution.

4070.0.4.3 Financial-ConditionComponent

Rating 1 (Strong). A rating of 1 indicates thatthe consolidated BHC is financially sound inalmost every respect; any negative findings arebasically of a minor nature and can be handled

in a routine manner. The capital adequacy, assetquality, earnings, and liquidity of the consoli-dated BHC are more than adequate to protectthe company from reasonably foreseeable exter-nal economic and financial disturbances. Thecompany generates more-than-sufficient cashflow to service its debt and fixed obligationswith no harm to subsidiaries of the organization.

Rating 2 (Satisfactory). A rating of 2 indicatesthat the consolidated BHC is fundamentallyfinancially sound, but may have modest weak-nesses correctable in the normal course of busi-ness. The capital adequacy, asset quality, earn-ings, and liquidity of the consolidated BHC areadequate to protect the company from externaleconomic and financial disturbances. The com-pany also generates sufficient cash flow to ser-vice its obligations; however, areas of weaknesscould develop into areas of greater concern. Tothe extent minor adjustments are handled in thenormal course of business, the supervisoryresponse is limited.

Rating 3 (Fair). A rating of 3 indicates that theconsolidated BHC exhibits a combination ofweaknesses ranging from fair to moderatelysevere. The company has less-than-adequatefinancial strength stemming from one or moreof the following: modest capital deficiencies,substandard asset quality, weak earnings, orliquidity problems. As a result, the BHC and itssubsidiaries are less resistant to adverse busi-ness conditions. The financial condition of theBHC will likely deteriorate if concerted actionis not taken to correct areas of weakness. Thecompany’s cash flow is sufficient to meet imme-diate obligations, but may not remain adequateif action is not taken to correct weaknesses.Consequently, the BHC is vulnerable and requiresmore-than-normal supervision. Overall financialstrength and capacity are still such as to poseonly a remote threat to the viability of thecompany.

Rating 4 (Marginal). A rating of 4 indicates thatthe consolidated BHC has either inadequatecapital, an immoderate volume of problem assets,very weak earnings, serious liquidity issues, or acombination of factors that are less than satis-factory. An additional weakness may be that theBHC’s cash flow needs are met only by upstream-ing imprudent dividends and/or fees from sub-sidiaries. Unless prompt action is taken to cor-rect these conditions, they could impair futureviability. BHCs in this category require closesupervisory attention and increased financialsurveillance.



Rating 5 (Unsatisfactory). A rating of 5 indi-cates that the volume and character of financialweaknesses of the BHC are so critical as torequire urgent aid from shareholders or othersources to prevent insolvency. The imminentinability of such a company to service its fixedobligations and/or prevent capital depletion dueto severe operating losses places its viability inserious doubt. Such companies require immedi-ate corrective action and constant supervisoryattention.

4070.0.4.3.1 The Financial-ConditionSubcomponents

The financial-condition subcomponents can beevaluated along business lines, product lines, orlegal-entity lines—depending on which type ofreview is most appropriate for the holding com-pany structure.

4070.0.4.3.1.1 Capital Adequacy

Rating 1 (Strong). A rating of 1 indicates thatthe consolidated BHC maintains more-than-adequate capital to support the volume and riskcharacteristics of all parent and subsidiary busi-ness lines and products, provide a sufficientcushion to absorb unanticipated losses arisingfrom the parent and subsidiary activities, andsupport the level and composition of parent andsubsidiary borrowing. In addition, a companyassigned a rating of 1 has more-than-sufficientcapital to provide a base for the growth of riskassets and the entry into capital markets as theneed arises for the parent company andsubsidiaries.

Rating 2 (Satisfactory). A rating of 2 indicatesthat the consolidated BHC maintains adequatecapital to support the volume and risk character-istics of all parent and subsidiary business linesand products, provide a sufficient cushion toabsorb unanticipated losses arising from the par-ent and subsidiary activities, and support thelevel and composition of parent and subsidiaryborrowing. In addition, a company assigned arating of 2 has sufficient capital to provide abase for the growth of risk assets and the entryinto capital markets as the need arises for theparent company and subsidiaries.

Rating 3 (Fair). A rating of 3 indicates that theconsolidated BHC may not maintain sufficientcapital to ensure support for the volume and riskcharacteristics of all parent and subsidiary busi-

ness lines and products, the unanticipated lossesarising from the parent and subsidiary activities,or the level and composition of parent and sub-sidiary borrowing. In addition, a companyassigned a rating of 3 may not maintain a suffi-cient capital position to provide a base for thegrowth of risk assets and the entry into capitalmarkets as the need arises for the parent com-pany and subsidiaries. The capital position ofthe consolidated BHC could quickly becomeinadequate in the event of asset deterioration orother negative factors and therefore requiresmore-than-normal supervisory attention.

Rating 4 (Marginal). A rating of 4 indicates thatthe capital level of the consolidated BHC issignificantly below the amount needed to ensuresupport for the volume and risk characteristicsof all parent and subsidiary business lines andproducts, the unanticipated losses arising fromthe parent and subsidiary activities, and the leveland composition of parent and subsidiary bor-rowing. In addition, a company assigned a rat-ing of 4 does not maintain a sufficient capitalposition to provide a base for the growth of riskassets and the entry into capital markets as theneed arises for the parent company and subsidi-aries. If left unchecked, the consolidated capitalposition of the company might evolve into weak-nesses or conditions that could threaten theviability of the institution. The capital positionof the consolidated BHC requires immediatesupervisory attention.

Rating 5 (Unsatisfactory). A rating of 5 indi-cates that the level of capital of the consolidatedBHC is critically deficient and in need of imme-diate corrective action. The consolidated capitalposition threatens the viability of the institutionand requires constant supervisory attention.

4070.0.4.3.1.2 Asset Quality

Rating 1 (Strong). A rating of 1 indicates thatthe BHC maintains strong asset quality acrossall parts of the organization, with a very lowlevel of criticized and nonperforming assets.Credit risk across the organization is commen-surate with management’s abilities and modestin relation to credit-risk management practices.

Rating 2 (Satisfactory). A rating of 2 indicatesthat the BHC maintains satisfactory asset qual-



ity across all parts of the organization, with amanageable level of criticized and nonperform-ing assets. Any identified weaknesses in assetquality are correctable in the normal course ofbusiness. Credit risk across the organization iscommensurate with management’s abilities andgenerally modest in relation to credit-risk man-agement practices.

Rating 3 (Fair). A rating of 3 indicates that theasset quality across all or a material part of theconsolidated BHC is less than satisfactory. TheBHC may be facing a decrease in the overallquality of assets currently maintained on- andoff-balance-sheet. The BHC may also be experi-encing an increase in credit-risk exposure thathas not been met with an appropriate improve-ment in risk-management practices. BHCsassigned a rating of 3 require more-than-normalsupervisory attention.

Rating 4 (Marginal). A rating of 4 indicates thatthe BHC’s asset quality is deficient. The level ofproblem assets and/or unmitigated credit risksubjects the holding company to potential lossesthat, if left unchecked, may threaten its viability.BHCs assigned a rating of 4 require immediatesupervisory attention.

Rating 5 (Unsatisfactory). A rating of 5 indi-cates that the BHC’s asset quality is criticallydeficient and presents an imminent threat to theinstitution’s viability. BHCs assigned a rating of5 require immediate remedial action and con-stant supervisory attention.

4070.0.4.3.1.3 Earnings

Rating 1 (Strong). A rating of 1 indicates thatthe quantity and quality of the BHC’s consoli-dated earnings over time are more than suffi-cient to make full provision for the absorptionof losses and/or accretion of capital when dueconsideration is given to asset quality and BHCgrowth. Generally, BHCs with a 1 rating haveearnings well above peer-group averages.

Rating 2 (Satisfactory). A rating of 2 indicatesthat the quantity and quality of the BHC’s con-solidated earnings over time are generallyadequate to make provision for the absorptionof losses and/or accretion of capital when dueconsideration is given to asset quality and BHCgrowth. Generally, BHCs with a 2 earnings rat-

ing have earnings that are in line with or slightlyabove peer-group averages.

Rating 3 (Fair). A rating of 3 indicates that theBHC’s consolidated earnings are not fullyadequate to make provisions for the absorptionof losses and the accretion of capital in relationto company growth. The consolidated earningsof companies rated 3 may be further clouded bystatic or inconsistent earnings trends, chroni-cally insufficient earnings, or less-than-satisfactory asset quality. BHCs with a 3 ratingfor earnings generally have earnings below peer-group averages. Such BHCs require more-than-normal supervisory attention.

Rating 4 (Marginal). A rating of 4 indicates thatthe BHC’s consolidated earnings, while gener-ally positive, are clearly not sufficient to makefull provision for losses and the necessary accre-tion of capital. BHCs with earnings rated 4 maybe characterized by erratic fluctuations in netincome, poor earnings (and the likelihood of thedevelopment of a further downward trend), inter-mittent losses, chronically depressed earnings,or a substantial drop from the previous year. Theearnings of such companies are generally sub-stantially below peer-group averages. Such BHCsrequire immediate supervisory attention.

Rating 5 (Unsatisfactory). A rating of 5 indi-cates that the BHC is experiencing losses or alevel of earnings that is worse than that describedfor the 4 rating. Such losses, if not reversed,represent a distinct threat to the BHC’s solvencythrough erosion of capital. Such BHCs requireimmediate and constant supervisory attention.

4070.0.4.3.1.4 Liquidity

Rating 1 (Strong). A rating of 1 indicates thatthe BHC maintains strong liquidity levels andwell-developed funds-managementpractices.Theparent company and subsidiaries have reliableaccess to sufficient sources of funds on favor-able terms to meet present and anticipated liquid-ity needs.

Rating 2 (Satisfactory). A rating of 2 indicatesthat the BHC maintains satisfactory liquiditylevels and funds-management practices. Theparent company and subsidiaries have access tosufficient sources of funds on acceptable termsto meet present and anticipated liquidity needs.Modest weaknesses in funds-management prac-tices may be evident, but those weaknesses arecorrectable in the normal course of business.



Rating 3 (Fair). A rating of 3 indicates that theBHC’s liquidity levels or funds-managementpractices are in need of improvement. BHCsrated 3 may lack ready access to funds on rea-sonable terms or may evidence significant weak-nesses in funds-management practices at theparent company or subsidiary levels. However,these deficiencies are considered correctable inthe normal course of business. Such BHCsrequire more-than-normal supervisory attention.

Rating 4 (Marginal). A rating of 4 indicates thatthe BHC’s liquidity levels or funds-managementpractices are deficient. Institutions rated 4 maynot have or be able to obtain a sufficient volumeof funds on reasonable terms to meet liquidityneeds at the parent company or subsidiary levelsand require immediate supervisory attention.

Rating 5 (Unsatisfactory). A rating of 5 indi-cates that the BHC’s liquidity levels or funds-management practices are critically deficientand may threaten the continued viability of theinstitution. Institutions rated 5 require constantsupervisory attention and immediate externalfinancial assistance to meet maturing obliga-tions or other liquidity needs.

4070.0.4.4 Impact Component

The I component rating reflects the aggregatepotential impact of the nondepository entities onthe subsidiary depository institution(s). It israted on a five-point numerical scale. Ratingswill be assigned in ascending order of supervi-sory concern as follows:

1 — low likelihood of significant negative impact2 — limited likelihood of significant negative

impact3 — moderate likelihood of significant negative

impact4 — considerable likelihood of significant nega-

tive impact5 — high likelihoodof significantnegative impact

Rating 1 (low likelihood of significant negativeimpact). A rating of 1 indicates that the nonde-pository entities of the BHC are highly unlikelyto have a significant negative impact on thesubsidiary depository institution(s) due to thesound financial condition of the nondepositoryentities, the strong risk-management practiceswithin the nondepository entities, or the corpo-rate structure of the BHC. The BHC maintainsan appropriate capital allocation across the orga-nization commensurate with associated risks.

Intra-group exposures, including servicing agree-ments, are very unlikely to undermine the finan-cial condition of the subsidiary depository insti-tution(s). Parent company cash flow is sufficientand not dependent on excessive dividend pay-ments from subsidiaries. The potential risksposed to the subsidiary depository institution(s)by strategic plans, the control environment, riskconcentrations, or legal or reputational issueswithin or facing the nondepository entities areminor in nature and can be addressed in thenormal course of business.

Rating 2 (limited likelihood of significant nega-tive impact). A rating of 2 indicates a limitedlikelihood that the nondepository entities of theBHC will have a significant negative impact onthe subsidiary depository institution(s) due tothe adequate financial condition of the nonde-pository entities, the satisfactory risk-management practices within the parent nonde-pository entities, or the corporate structure ofthe BHC. The BHC maintains adequate capitalallocation across the organization commensu-rate with associated risks. Intra-group expo-sures, including servicing agreements, are un-likely to undermine the financial condition ofthe subsidiary depository institution(s). Parentcompany cash flow is satisfactory and generallydoes not require excessive dividend paymentsfrom subsidiaries. The potential risks posed tothe subsidiary depository institution(s) by strate-gic plans, the control environment, risk concen-trations, or legal or reputational issues withinthe nondepository entities are modest and canbe addressed in the normal course of business.

Rating 3 (moderate likelihood of significantnegative impact). A rating of 3 indicates a mod-erate likelihood that the aggregate impact of thenondepository entities of the BHC on the sub-sidiary depository institution(s) will have a sig-nificant negative impact on the subsidiary deposi-tory institution(s) due to weaknesses in thefinancial condition and/or risk-management prac-tices of the nondepository entities. The BHCmay have only marginally sufficient allocationof capital across the organization to supportrisks. Intra-group exposures, including servicingagreements, may have the potential to under-mine the financial condition of the subsidiarydepository institution(s). Parent company cashflow may at times require excessive dividendpayments from subsidiaries. Strategic-growthplans, weaknesses in the control environment,



risk concentrations, or legal or reputational issueswithin the nondepository entities may pose sig-nificant risks to the subsidiary depository insti-tution(s). A BHC assigned a 3 impact ratingrequires more-than-normal supervisory atten-tion, as there could be adverse effects on thesafety and soundness of the subsidiary deposi-tory institution(s) if corrective action is nottaken by management.

Rating 4 (considerable likelihood of significantnegative impact). A rating of 4 indicates thatthere is a considerable likelihood that the nonde-pository entities of the BHC will have a signifi-cant negative impact on the subsidiary deposi-tory institution(s) due to weaknesses in thefinancial condition and/or risk-management prac-tices of the nondepository entities. A 4-ratedBHC may have insufficient capital within thenondepository entities to support their risks andactivities. Intra-group exposures, including ser-vicing agreements, may also have the immedi-ate potential to undermine the financial condi-tion of the subsidiary depository institution(s).Parent company cash flow may be dependent onexcessive dividend payments from subsidiaries.Strategic-growth plans, weaknesses in the con-trol environment, risk concentrations, or legal orreputational issues within the nondepositoryentities may pose considerable risks to the sub-sidiary depository institution(s). A BHC assigneda 4 impact rating requires immediate remedialaction and close supervisory attention becausethe nondepository entities could seriously affectthe safety and soundness of the subsidiary deposi-tory institution(s).

Rating 5 (high likelihood of significant negativeimpact). A rating of 5 indicates a high likeli-hood that the aggregate impact of the nonde-pository entities of the BHC on the subsidiarydepository institution(s) is or will become sig-nificantly negative due to substantial weak-nesses in the financial condition and/or risk-

management practices of the nondepository enti-ties. Strategic-growth plans, a deficient controlenvironment, risk concentrations, or legal orreputational issues within the nondepositoryentities may pose critical risks to the subsidiarydepository institution(s). The parent companyalso may be unable to meet its obligations with-out excessive support from the subsidiary deposi-tory institution(s). The BHC requires immediateand close supervisory attention, as the nonde-pository entities seriously jeopardize the contin-ued viability of the subsidiary depositoryinstitution(s).

4070.0.4.5 (D) Depository InstitutionsComponent

The (D) component identifies the overall condi-tion of the subsidiary depository institution(s) ofthe BHC. For BHCs with only one subsidiarydepository institution, the (D) component ratinggenerally will mirror the CAMELS compositerating for that depository institution. To arrive ata (D) component rating for BHCs with multiplesubsidiary depository institutions, the CAMELScomposite ratings for each of the depositoryinstitutions should be weighted, giving consider-ation to asset size and the relative importance ofeach depository institution within the overallstructure of the organization. In general, it isexpected that the resulting (D) component ratingwill reflect the lead depository institution’sCAMELS composite rating.

If, in the process of analyzing the financialcondition and risk-management programs of theconsolidated organization, a major difference ofopinion regarding the safety and soundness ofthe subsidiary depository institution(s) emergesbetween the Federal Reserve and the depositoryinstitution’s primary regulator, then the (D) rat-ing should reflect the Federal Reserve’sevaluation.



Rating Risk-Management Processes and Internal Controls of BHCsHaving $50 Billion or More in Total Assets Section 4070.1


Effective July 2016, this section is amended toacknowledge the issuance of SR-16-11, “Super-visory Guidance for Assessing Risk Manage-ment at Supervised Institutions with Total Con-solidated Assets Less than $50 Billion.” Withthe issuance of SR-16-11, SR-95-51 is applica-ble to only state member banks and bank hold-ing companies having $50 billion or more intotal assets.

The guidance within this section pertains toSR-95-51 and applies to the rating of risk man-agement, processes, and internal controls ofstate member banks and bank holding compa-nies that have $50 billion or more in total assets.

The Federal Reserve places significant super-visory emphasis on the importance of soundrisk-management processes and strong internalcontrols when evaluating the activities of bank-ing organizations it supervises. Properly manag-ing risks is always critical to the conduct of safeand sound banking activities, and it is evenmore important as new technologies, productinnovation, and the size and speed of financialtransactions change the nature of banking mar-kets.

A bank holding company’s failure to estab-lish a management structure that adequatelyidentifies, measures, monitors, and controls therisks involved in its various products and linesof business has long been considered unsafe andunsound conduct. Accordingly, while a bankholding company’s financial performance is animportant indicator of the adequacy of manage-ment, it is essential that examiners give signifi-cant weight to the quality of risk-managementpractices and internal controls when they evalu-ate the management and overall financial condi-tion of banking organizations.

Consistent with the greater supervisoryemphasis given to risk management in FederalReserve examination and supervisory policystatements, System examiners are to assign aformal supervisory rating to the adequacy of abank holding company’s risk-management pro-cesses, including its internal controls. This stepis a natural extension of current procedures thatincorporate an assessment of risk managementand internal controls during each on-site full-scope inspection. The specific rating of riskmanagement and internal controls should begiven significant weight when evaluating man-agement under the bank holding company

RFI/C(D) rating system. Like the other compo-nents of this system, the risk-management ratingshould be based on a five-point numerical scale.

The rating of the risk-management process isdesigned to bring together and summarize muchof the analysis of and many of the findingsabout a bank holding company’s process formanaging and controlling risks, which are animportant part of the examiner’s review of theseindividual areas. The formal rating is intendedto highlight and incorporate both the quantita-tive and qualitative aspects of an examiner’sreview of an organization’s overall process foridentifying, measuring, monitoring, and control-ling risk and to facilitate appropriate follow-upaction.

The overall profitability, asset quality, andcapital adequacy of a bank or bank holdingcompany should continue to influence the exam-iner’s assessment of management, but theseindicators can to some extent be affected, eitherfavorably or adversely, by factors outside man-agement’s control. For this reason, the specificevaluation of the risk-management process shouldbe a primary factor when rating management,especially in the case of larger banking organi-zations whose activities and structures requiremore-formal and extensive procedures.

Examiners should apply the guidance in thissection flexibly to appropriately reflect the bank-ing organization’s circumstances and the nature,scope, and complexity of its operations. Risk-management ratings should be assigned to allbank holding companies, regardless of theirsize.

In the appropriate open sections of the inspec-tion report, examiners should discuss in a clearand straightforward manner the nature andseverity of any problems or deficiencies foundand the steps required to correct them, particu-larly if the risk-management rating is less thansatisfactory. Serious lapses or deficiencies ininternal controls, including inadequate separa-tion of duties, can constitute an unsafe andunsound practice and possibly lead to signifi-cant losses or otherwise compromise the finan-cial integrity of the organization. If appropriate,the bank holding company’s directors and offi-cers should be advised that the Federal Reservewill initiate supervisory actions if its failure toseparate critical operational duties creates thepotential for serious losses or if material defi-ciencies or situations that threaten the safe and

BHC Supervision Manual July 2016Page 1

sound conduct of its activities are not adequatelyaddressed in a timely manner. Such supervisoryactions may include formal enforcement actionsagainst the bank holding company, its respon-sible officers and directors, or both; supervisoryactions would also require the immediate imple-mentation of all necessary corrective measures.(See SR-95-51, as amended by SR-04-18 andSR-16-11.)

4070.1.1 ELEMENTS OF RISKMANAGEMENT

When rating the quality of risk management atbank holding companies as part of the evalua-tion of the overall quality of management, exam-iners should place primary consideration onfindings relating to the following elements of asound risk-management system:

1. active board and senior management over-sight

2. adequate policies, procedures, and limits3. adequate risk measurement, risk monitoring,

and management information systems4. comprehensive internal controls

Examiners should recognize that the consider-ations specified in SR-04-18 and SR-95-51 areintended only to assist in the evaluation of risk-management practices. They are not a checklistof requirements for an individual organization.Moreover, while all bank holding companiesshould be able to assess the major risks of theconsolidated organization, examiners shouldexpect parent companies that centrally managethe operations and functions of their subsidiarybanks to have more-comprehensive, detailed,and developed risk-management systems thancompanies that delegate the management ofrisks to relatively autonomous bankingsubsidiaries.

4070.1.1.1 Active Board and SeniorManagement Oversight

In assessing the quality of oversight by boardsof directors and senior management, examinersshould consider whether the bank holding com-pany follows policies and practices such asthose described below:

1. The board and senior management have iden-tified and have a clear understanding and

working knowledge of the types of risksinherent in the bank holding company’sactivities, and they make appropriate effortsto remain informed about these risks as finan-cial markets, risk-management practices, andthe bank holding company’s activities evolve.

2. The board has reviewed and approved appro-priate policies to limit risks inherent in thebank holding company’s lending, investing,trading, trust, fiduciary, and other significantactivities or products.

3. The board and management are sufficientlyfamiliar with and are using adequate record-keeping and reporting systems to measureand monitor the major sources of risk to theorganization.

4. The board periodically (1) reviews andapproves risk-exposure limits to conformwith any changes in the bank holding com-pany’s strategies, (2) addresses new prod-ucts, and (3) reacts to changes in marketconditions.

5. Management ensures that its lines of busi-ness are managed and staffed by personnelwhose knowledge, experience, and expertiseare consistent with the nature and scope ofthe bank holding company’s activities.

6. Management ensures that the depth of staffresources is sufficient to operate and soundlymanage the bank holding company’s activi-ties and that its employees have the integrity,ethics, and competence that are consistentwith a prudent management philosophy andoperating style.

7. All levels of management adequately super-vise the day-to-day activities of officers andemployees, including management supervi-sion of senior officers or heads of businesslines.

8. Management is able to respond to risks thatmay arise from changes in the competitiveenvironment or from innovations in marketsin which the organization is active.

9. Before embarking on new activities or intro-ducing new products, management identifiesand reviews all risks associated with theactivity or product and ensures that the infra-structure and internal controls necessary tomanage the related risks are in place.

4070.1.1.2 Adequate Policies, Procedures,and Limits

A bank holding company’s board of directorsand senior management should tailor their risk-management policies and procedures to the typesof risks that arise from the organization’s

Rating Risk-Management Processes and Internal Controls of BHCs Having $50 Billion or More in Total Assets 4070.1


activities. The following guidelines should assistexaminers in evaluating the adequacy of a bankholding company’s policies, procedures, andlimits:

1. The bank holding company’s policies, proce-dures, and limits provide for adequate identi-fication, measurement, monitoring, and con-trol of the risks posed by its lending, investing,trading, trust, fiduciary, and other significantactivities.

2. The policies, procedures, and limits are con-sistent with management’s experience level,the organization’s stated goals and objec-tives, and its overall financial strength.

3. Policies clearly delineate accountability andlines of authority across the organization’sactivities.

4. Policies provide for the review of new activi-ties of the organization to ensure that theinfrastructures necessary to identify, monitor,and control risks associated with an activityare in place before the activity is initiated.

4070.1.1.3 Adequate Risk Monitoringand Management Information Systems

Effective risk monitoring requires banking orga-nizations to identify and measure all materialrisk exposures. Consequently, risk-monitoringactivities must be supported by information sys-tems that provide senior managers and directorswith timely reports on the financial condition,operating performance, and risk exposure of theconsolidated organization, as well as provideregular and sufficiently detailed reports for linemanagers engaged in the day-to-day manage-ment of the organization’s activities.

In assessing the adequacy of a bank holdingcompany’s measurement and monitoring of riskand the adequacy of its management reports andinformation systems, examiners should considerwhether the following conditions exist:

1. The bank holding company’s risk-monitoringpractices and reports address all of its mate-rial risks.

2. Key assumptions, data sources, and proce-dures used in measuring and monitoring riskare appropriate and adequately documentedand tested for reliability on an ongoing basis.

3. Reports and other forms of communicationare consistent with the bank holding com-pany’s activities; are structured to monitorexposures and compliance with establishedlimits, goals, or objectives; and, as appropriate,compare actual versus expected performance.

4. Reports to management or the directors areaccurate and timely and contain sufficientinformation for decision makers to identifyany adverse trends and to adequately evalu-ate the level of risk the bank holding com-pany faces.

4070.1.1.4 Adequate Internal Controls

A bank holding company’s internal control struc-ture is critical to its safe and sound functioningin general and to its risk-management system, inparticular. Establishing and maintaining aneffective system of controls, including theenforcement of official lines of authority and theappropriate separation of duties—such as trad-ing, custodial, and back-office—is one of man-agement’s more important responsibilities.

Appropriate segregation of duties is a funda-mental and essential element of a sound risk-management and internal control system. Fail-ure to implement and maintain an adequateseparation of duties can constitute an unsafe andunsound practice and possibly lead to seriouslosses or otherwise compromise the financialintegrity of the bank holding company. Seriouslapses or deficiencies in internal controls,including inadequate segregation of duties, maywarrant supervisory action, including formalenforcement action.

When properly structured, a system of inter-nal controls promotes effective operations andreliable financial and regulatory reporting; safe-guards assets; and helps to ensure compliancewith relevant laws, regulations, and bank hold-ing company policies. Ideally, internal controlsare tested by an independent internal auditorwho reports directly to either the bank holdingcompany’s board of directors or a designatedboard committee, typically the audit committee.Personnel who perform these reviews shouldgenerally be independent of the function theyare assigned to review. Given the importance ofappropriate internal controls to banking organi-zations of all sizes and risk profiles, the resultsof audits or reviews, whether conducted by aninternal auditor or other personnel, should beadequately documented, as should manage-ment’s responses to them. In addition, commu-nication channels should exist that allow nega-tive or sensitive findings to be reported directlyto the board of directors or the relevant boardcommittee.

In evaluating the adequacy of a bank holding



company’s internal controls and audit proce-dures, examiners should consider whether thefollowing conditions are met:

1. The system of internal controls is appropri-ate to the type and level of risks posed bythe nature and scope of the organization’sactivities.

2. The bank holding company’s organizationalstructure establishes clear lines of authorityand responsibility for monitoring adherenceto policies, procedures, and limits.

3. Reporting lines ensure that control areas aresufficiently independent from the businesslines, and the reporting lines adequately sepa-rate duties throughout the organization, suchas those duties relating to trading, custodial,and back-office activities.

4. Official organizational structures reflect actualoperating practices.

5. Financial, operational, and regulatory reportsare reliable, accurate, and timely. When appli-cable, exceptions are noted and promptlyinvestigated.

6. Adequate procedures exist for ensuring com-pliance with applicable laws and regulations.

7. Internal audit or other control reviewpractices ensure independence andobjectivity.

8. Internal controls and information systems areadequately tested and reviewed; the cover-age, procedures, findings, and responses toaudits and review tests are adequately docu-mented; identified material weaknesses aregiven appropriate and timely high-levelattention; andmanagement’sactions toaddressmaterial weaknesses are objectively verifiedand reviewed.

9. The audit committee or the board of directorsregularly reviews the effectiveness of inter-nal audits and other control review activities.

4070.1.2 RATING DEFINITIONS

The rating for risk management is based on ascale of one through five, in ascending order ofsupervisory concern. Examiners should assignthis rating to reflect their findings in all fourof the elements of sound risk managementdescribed above. The risk-management ratingshould be reflected in the overall “Risk-Management” rating of the bank holding com-pany and should be consistent with the follow-ing criteria:

Rating 1 (Strong). A rating of 1 indicates thatmanagement effectively identifies and controlsall major types of risk posed by the BHC’sactivities. Management is fully prepared toaddress risks emanating from new products andchanging market conditions. The board and man-agement are forward looking and active partici-pants in managing risk. Management ensuresthat appropriate policies and limits exist and areunderstood, reviewed, and approved by the board.Policies and limits are supported by risk-monitoring procedures, reports, and manage-ment information systems that provide manage-ment and the board with the information andanalysis necessary to make timely and appropri-ate decisions in response to changing condi-tions. Risk-management practices and the orga-nization’s infrastructure are flexible and highlyresponsive to changing industry practices andcurrent regulatory guidance. Staff has sufficientexperience, expertise, and depth to manage therisks assumed by the institution.

Internal controls and audit procedures are suf-ficiently comprehensive and appropriate to thesize and activities of the institution. There arefew noted exceptions to the institution’s estab-lished policies and procedures, and none ismaterial. Management effectively and accu-rately monitors the condition of the institutionconsistent with the standards of safety and sound-ness and in accordance with internal and super-visory policies and practices. Risk-managementprocesses are fully effective in identifying, moni-toring, and controlling the risks to the institution.

Rating 2 (Satisfactory). A rating of 2 indicatesthat the institution’s management of risk islargely effective but lacking in some modestdegree. Management demonstrates a responsive-ness and ability to cope successfully with exist-ing and foreseeable risks that may arise in carry-ing out the institution’s business plan. While theinstitution may have some minor risk-management weaknesses, these problems havebeen recognized and are in the process of beingresolved. Overall, board and senior managementoversight, policies and limits, risk-monitoringprocedures, reports, and management informa-tion systems are considered satisfactory andeffective in maintaining a safe and sound institu-tion. Risks are controlled in a manner that doesnot require more-than-normal supervisoryattention.

The BHC’s risk-management practices andinfrastructure are satisfactory and generally areadjusted appropriately in response to changingindustry practices and current regulatory guid-ance. Staff experience, expertise, and depth are



generally appropriate to manage the risks assumedby the institution.

Internal controls may display modest weak-nesses or deficiencies, but they are correctablein the normal course of business. The examinermay have recommendations for improvement,but the weaknesses noted should not have asignificant effect on the safety and soundness ofthe institution.

Rating 3 (Fair). A rating of 3 signifies thatrisk-management practices are lacking in someimportant ways and, therefore, are a cause formore-than-normal supervisory attention. One ormore of the four elements of sound risk manage-ment1 (active board and senior managementoversight; adequate policies, procedures, andlimits; adequate risk-management monitoringand management information systems; compre-hensive internal controls) are considered lessthan acceptable and have precluded the institu-tion from fully addressing one or more signifi-cant risks to its operations. Certain risk-management practices are in need of improvementto ensure that management and the board areable to identify, monitor, and control all signifi-cant risks to the institution. Also, the risk-management structure may need to be improvedin areas of significant business activity, or staffexpertise may not be commensurate with thescope and complexity of business activities. Inaddition, management’s response to changingindustry practices and regulatory guidance mayneed to improve.

The internal control system may be lacking insome important aspects, particularly as indi-cated by continued control exceptions or by afailure to adhere to written policies and proce-dures. The risk-management weaknesses couldhave adverse effects on the safety and sound-ness of the institution if corrective action is nottaken by management.

Rating 4 (Marginal). A rating of 4 representsdeficient risk-management practices that fail toidentify, monitor, and control significant riskexposures in many material respects. Generally,such a situation reflects a lack of adequate guid-ance and supervision by management and the

board. One or more of the four elements ofsound risk management are deficient and requireimmediate and concerted corrective action bythe board and management.

The institution may have serious identifiedweaknesses, such as an inadequate separation ofduties, that require substantial improvement ininternal control or accounting procedures or thatrequire improved adherence to supervisory stan-dards or requirements. The risk-managementdeficiencies warrant a high degree of supervi-sory attention because, unless properly addressed,they could seriously affect the safety and sound-ness of the institution.

Rating 5 (Unsatisfactory). A rating of 5 indi-cates a critical absence of effective risk-management practices with respect to the identi-fication, monitoring, or control over significantrisk exposures. One or more of the four ele-ments of sound risk management are consideredwholly deficient, and management and the boardhave not demonstrated the capability to addressthese deficiencies.

Internal controls are critically weak and, assuch, could seriously jeopardize the continuedviability of the institution. If not already evi-dent, there is an immediate concern as to thereliability of accounting records and regulatoryreports and the potential for losses if correctivemeasures are not immediately taken. Deficien-cies in the institution’s risk-management proce-dures and internal controls require immediateand close supervisory attention.

4070.1.3 REPORTING CONCLUSIONS

For bank holding companies, the separatenumerical rating for the risk-management com-ponent and the rationale for the rating assignedshould be included as the “Risk-ManagementRating: (numerical rating)” and discussed onconfidential page B, “Condition of Bank Hold-ing Company,” of the bank holding companyinspection report. Comments, conclusions, andcriticisms relating to a bank holding company’srisk-management process should be brought tothe attention of management and included onthe “Policies and Supervision” page2 of the bankholding company inspection report, as well as

1. See the Federal Reserve System handbook Framework

for Risk-Focused Supervision of Large Complex Institutions,

August 1997; SR-95-51, “Rating the Adequacy of Risk Man-

agement Processes and Internal Controls at State Member

Banks and Bank Holding Companies” (as amended by SR-04-

18, “Bank Holding Company Rating System” and SR-16-11,

“Supervisory Guidance for Assessing Risk Management at

Supervised Institutions with Total Consolidated Assets Less

than $50 Billion.”).

2. If a problem area is cited within the core section, the

respective supporting report pages (the “Policies and

Supervision” page) are to be included in the report to support

the critical comments. See section 5010.1.3.



on core page 1, “Examiner’s Comments andMatters Requiring Special Board Attention,” ifconsidered appropriate and particularly if therating is less than satisfactory.

Inspection reports and transmittal letters toboards of directors of bank holding companiesshould specifically describe the types and natureof corrective actions that bank holding compa-nies need to take to address noted risk-management and internal control deficiencies.When appropriate, bank holding companiesshould also be advised that the Federal Reservewill initiate supervisory actions if the failure toseparate critical operational duties creates thepotential for serious losses or if material defi-ciencies or situations that threaten the safe andsound conduct of a BHC’s activities are notadequately addressed in a timely manner. Suchsupervisory actions may include formal enforce-ment actions against the bank holding company(or a state member bank), its responsible officersand directors, or both; supervisory actions wouldalso require the immediate implementation ofall necessary corrective measures.



Revising Supervisory RatingsSection 4070.3

Supervisory ratings should be revised wheneverthere is strong evidence that the financial condi-tion or risk profile of an institution has signifi-cantlychanged.1 Ina risk-focusedandcontinuous-supervision environment, supervisory ratingsshould be viewed as a continuum, rather than asa point-in-time assessment of an institution’sfinancial condition.2 It is important that super-visory ratings reflect a current assessment ofan institution’s financial condition and risk pro-file. The ratings can affect risk-based depositinsurance premiums; statutory and regulatoryrequirements, including applications and theprompt-corrective-action provisions of the Fed-eral Deposit Insurance Act; supervisory reportingand inspection or examination requirements; andother factors. While supervisory ratings are mostfrequently revised as a result of on-site supervi-sory activities, other sources of information re-viewed off-site may also indicate the need for arating change.3 See SR-99-17.

When a component of one of the supervisoryrating systems is changed, the Reserve Bankmust also reaffirm or revise the other componentratings and the composite rating, based on infor-mation available at that time. The factors con-tributing to a change in the rating of a selectedcomponent can affect one or more of the othercomponents in the rating system, as well as thecomposite rating. Accordingly, if there is a com-pelling reason to change a selected componentrating, all of the other components in the super-visory rating system must be either reaffirmedor revised. As applicable for bank holding com-panies and state member banks, the risk-management subcomponent rating must also bereaffirmed or revised when a CAMELS orRFI/C(D) rating is changed.4

Any change to a component or compositerating and the rationale for that change must becommunicated in writing via a letter or report tothe board of directors of the affected institution(or to the senior U.S. management official in thecase of a U.S. branch, agency, office, or nonbanksubsidiary of a foreign bank) and to the appro-priate state and federal supervisory agencies.

1. SR-99-17 supersedes SR-92-31, which suspended thepractice of revising CAMELS ratings for state member banksbetween examinations.

2. The procedures in SR-99-17 pertain to supervisory rat-ing systems for bank holding companies (RFI/C(D)); statemember banks (CAMELS); U.S. branches and agencies offoreign banking organizations (ROCA); and Edge and agree-ment corporations, overseas subsidiaries of U.S. banks, andU.S. nonbank subsidiaries of foreign banking organizations(CAMEO).

3. For example, a significant change in financial conditionmay be evident from some combination of the following:reports of examinations conducted by other agencies, meet-ings or other communications with management of the institu-tion, published financial reports or press releases, statusreports submitted by the institution as required by an enforce-ment action, and information generated by ongoing surveil-lance activities.

4. Pursuant to the guidelines set forth in SR-04-18, theassignment of a risk-management (R) rating and a composite(C) rating is required for noncomplex shell bank holdingcompanies.


Nondisclosure of Supervisory RatingsSection 4070.5


Effective July 2008, this section was revised to

include the Federal Reserve’s statement and

clarification on its expectations regarding confi-

dentiality provisions that are contained in agree-

ments between a banking organization and its

counterparties (for example, mutual funds, hedge

funds, and other trading counterparties) or other

third parties. See section 4070.5.3. (See also

SR- 07-19 and SR-97-17.)

4070.5.1 LIMITED DISCLOSURE OFCONFIDENTIAL COMPOSITE ANDCOMPONENT RATINGS ININSPECTIONS AND EXAMINATIONS

The Federal Reserve’s long-standing policy is todiscuss fully and clearly in examination andinspection reports, and during meetings withsenior management and boards of directors,supervisory issues, problems, or concerns relat-ing to banking organizations that are under Sys-tem supervision. Beginning on December 16,1988, the Board authorized examiners to dis-close to the senior officials and boards of direc-tors of inspected bank holding companies thecomposite numeric rating assigned in an inspec-tion, as part of the inspection report process.(See SR-88-37.) Generally, the Federal Reservehas also provided senior management and direc-tors with the corresponding word descriptions(consisting of a single word or a few words) forthe numeric component ratings assigned.

Beginning on January 1, 1997, in an effort tofurther strengthen communication with super-vised banking organizations, the Federal Reservehas provided senior management and directorswith the numeric and alphabetic component rat-ings assigned under various supervisory ratingsystems.1 (See SR-96-26 and section 5010.4).This disclosure includes the alphabetic compo-

nent ratings assigned to management under thebank holding company RFI/C(D) rating system.Building on existing practice, this step is intendedto better focus management’s attention on pos-sible areas of weakness and the need for timelycorrective actions.

The disclosure of the rating and its compo-nents should be made in the ‘‘Examiner’s Com-ments and Matters Requiring Special BoardAttention’’ page of inspection reports, in thesummary reports prepared for boards of direc-tors of inspected institutions, and in meetingswith senior management and directors. In con-junction with disclosing the ratings and theircomponents, examiners or supervisory officialsshould clearly explain what they mean. Duringthe exit meeting, the examiner should discusskey overall inspection findings, including pre-liminary composite and component numeric rat-ings. Examiner-assigned ratings are subject to areview by Reserve Bank supervisory officials,and final ratings are to be included in the inspec-tion report. In disclosing composite and compo-nent ratings, the examiner-in-charge shouldremind the board of directors and managementthat the ratings assigned are part of the findingsof the inspection and are privileged and confi-dential under applicable law. If composite andcomponent ratings need to be changed betweeninspections as a result of off-site analysis, theboard of directors and management should beinformed of the change. Ratings should not bedisclosed to the bank holding company’s direc-tors and management until preliminary approvalhas been received from the appropriate seniorReserve Bank supervisory officials.

4070.5.2 INTERAGENCY ADVISORYON THE CONFIDENTIALITY OF THESUPERVISORY RATING AND OTHERNONPUBLIC SUPERVISORYINFORMATION

A February 28, 2005, interagency advisoryreminds all banking organizations of thestatutory prohibitions on the disclosure ofsupervisory ratings and other confidentialsupervisory information to third parties. Theagencies2 learned that some insurers had

1. The composite rating and the supporting componentrating are disclosed for the following rating systems:

• CAMELS (state member banks)• RFI/C(D) (bank holding companies, including financial

holding companies)• CAMEO (Edge and agreement corporations and overseas

subsidiaries of U.S. banks)• ROCA (U.S. branches and agencies of foreign banking

organizations)• Uniform Interagency Trust Rating System (UITRS)• the interagency Uniform Rating System for Information

Technology (URSIT)

2. The Board of Governors of the Federal Reserve System(FRB), the Office of the Comptroller of the Currency (OCC),


requested or required banks and other savingsassociations (financial institutions) to disclosetheir CAMELS rating during the underwritingprocess when those institutions had soughtdirectors’ and officers’ liability (D&O) cover-age.3 The agencies responded by issuing theadvisory to remind all banking organizationsthat, except in very limited circumstances, theyare prohibited by law from disclosing their bankholding company’s RFI/C(D) rating or theirfinancial institution’s CAMELS rating, or othernonpublic rating, and other supervisory informa-tion to insurers as well as other nonrelated thirdparties without permission from their appropriatefederal banking agency. (See SR-05-4, SR-04-18and its attachment, SR-96-26, and SR-88-37.)

Federal banking regulations provide that thebank holding company inspection report, whichcontains the RFI/C(D) rating, or the financialinstitution examination report, which containsits CAMELS rating, is nonpublic informationand the property of the agency issuing thereport.4 These regulations specifically providethat, except in very limited circumstances, bankholding companies, banks, and other financialinstitutions may not disclose their inspection orexamination report findings or any portion ofthe report, nor make any representations con-cerning the report or the report’s findings, with-out the prior written permission of the appropri-ate federal banking agency.5 The circumstancesfor release of nonpublic supervisory informationmay include disclosure to a parent holding com-pany, a director, an officer, an attorney, an audi-

tor, or another specified third party, as indicatedin the regulations of the appropriate federalbanking agency.6 Any person who discloses oruses nonpublic information except as expresslypermitted by one of the appropriate federalbanking agencies or as provided by the agency’sregulations may be subject to the criminal penal-ties provided in 18 U.S.C. 641.

The legal prohibition on the release of non-public supervisory information applies to allfinancial institutions supervised by the agencies,including bank and thrift holding companies,Edge corporations, and the U.S. branches oragencies of foreign banking organizations, thatreceive confidential supervisory ratings, includ-ing the RFI/C(D) rating, ROCA rating, CORErating, and CAMEO rating.7 As with theCAMELS rating, these ratings are transmitted tothe regulated institutions in inspection or exami-nation reports, which are the property of theagencies.

Financial institutions that receive requests forconfidential supervisory ratings should refer allrequesters to the following publicly availableinformation in lieu of disclosing any confiden-tial regulatory information, including theCAMELS rating. (See the National InformationCenter on the Federal Financial InstitutionsExamination Council [FFIEC] website: www.ffiec.gov.)

• for banks, an institution’s quarterly reports ofcondition (Call Reports) (see 12 U.S.C. 1817)

• for holding companies or foreign banks withU.S. operations, an institution’s quarterly andannual FR Y or H-(b)11 reports (see 12 U.S.C.1844, 3106, 3108, 601–604a, and 611–631)

the Federal Deposit Insurance Corporation (FDIC), and theOffice of Thrift Supervision (OTS).

3. As part of the bank holding company inspection pro-cess, a bank holding company RFI/C(D) confidential supervi-sory rating is assigned to each bank holding company regu-lated by the FRB. (Each BHC is assigned a Composite ratingbased on an evaluation and rating of its managerial andfinancial condition and an assessment of future potential riskto its subsidiary depository institution(s). In addition, themain component ratings are also assigned for Risk manage-ment, Financial condition, and potential Impact of the parentcompany and nondepository subsidiaries on the BHC’s sub-sidiary depository institutions.) See section 4070.0 for a com-plete description of the RFI/C(D) rating system. For financialinstitution examinations, a confidential supervisory ratingcalled a CAMELS rating is assigned to each depository insti-tution regulated by the agencies. (A CAMELS rating is basedon an evaluation of the financial institution’s Capital, Assets,Management, Earnings, Liquidity, and Sensitivity to marketrisk; the rating may range from 1 to 5, with 1 being thehighest rating.) See the appendix of the Commercial Bank

Examination Manual, section A.5020.1, for a completedescription of the CAMELS rating system.

4. See 12 C.F.R. 261.2(c)(1), 261.20(g), and 261.22(e).5. See 12 C.F.R. 261.22.

6. See 12 U.S.C. 326, and 12 C.F.R. 261.20(b) (exceptions).7. RFI/C(D), ROCA, and CAMEO ratings are assigned by

the Federal Reserve Board as a result of an examination orinspection. As of January 1, 2005, the Federal Reserve Boardadopted a new rating system, RFI/C(D) ratings, for bankholding companies that replaces the former BOPEC ratingsystem. RFI/C(D) ratings components are Risk management,Financial condition, potential Impact of the parent and nonde-pository subsidiaries on the subsidiary depository institutions,Composite, and Depository institution. For noncomplex bankholding companies with assets of $1 billion or less, onlyrisk-management and composite ratings are assigned. ROCAratings are assigned to the U.S. branches, agencies, and com-mercial lending companies of foreign banking organizations.The ROCA rating components are Risk management, Opera-tional controls, Compliance, and Asset quality. CORE ratingsare assigned to complex holding company enterprises. TheCORE rating components are Capital, Organizational struc-ture, Relationship, and Earnings. CAMEO ratings are assignedto Edge corporations and the overseas branches and subsidi-aries of U.S. banks. The CAMEO ratings components areCapital, Asset quality, Management, Earnings, and Opera-tions and internal controls.

Nondisclosure of Supervisory Ratings 4070.5


• for national banks, the annual disclosure state-ment (see 12 C.F.R. 18.3)

• for banks, an institution’s Uniform Bank Per-formance Report (UBPR), which is availableto all interested parties at www.ffiec.gov andis designed for summary and in-depth analy-sis of banks; for savings associations, the Uni-form Thrift Performance Report (UTPR) isavailable from the Office of Thrift Supervi-sion upon request

• an institution’s publicly available filings, ifany, filed with the appropriate federal bankingagency (15 U.S.C. 78(I)(i)) or with the U.S.Securities and Exchange Commission

• any reports or ratings on the institution com-piled by private companies that track the per-formance of financial institutions8

• any reports or ratings issued by private ratingservices on public debt issued by an institution

• any publicly available cease-and-desist orderor enforcement proceeding against aninstitution9

• any reports or other sources of information oninstitution performance or internal matterscreated by the institution that do not containinformation prohibited from release by law orregulation

The National Association of Insurance Commis-sioners (NAIC) was advised by the agencies thatsome insurers were inappropriately requestingor requiring disclosure of CAMELS ratings as apart of the underwriting process. The agenciesrequested NAIC’s assistance in notifying insur-ance companies that this practice should be dis-continued because of the confidential nature ofthe CAMELS rating.

4070.5.3 CONFIDENTIALITYPROVISIONS IN THIRD-PARTYAGREEMENTS

Reports of BHC inspections and their ratingsare strictly confidential and cannot be disclosed

without the approval of the Board, or in the caseof a subsidiary bank, the bank’s primary regula-tor. Under the Board’s rules regarding the avail-ability of information, Board-supervised bank-ing organizations are prohibited from disclosingconfidential supervisory informationwithoutpriorwritten permission of the Board’s GeneralCounsel.10 Confidential supervisory informationincludes information related to the supervisionor inspection of a banking organization.11 Boardstaff has taken the position that identification ofinformation requested by, or provided to, super-visory staff—including the fact that an inspec-tion has taken or will take place—is related toan inspection and falls within the definition ofconfidential supervisory information. It is con-trary to Federal Reserve regulation and policyfor agreements to contain confidentiality provi-sions that (1) restrict the banking organizationfrom providing information to Federal Reservesupervisory staff; (2) require or permit, withoutthe prior approval of the Federal Reserve, thebanking organization to disclose to a counter-party that any information will be or was pro-vided to Federal Reserve supervisory staff; or(3) require or permit, without the prior approvalof the Federal Reserve, the banking organiza-tion to inform a counterparty of a current orupcoming Federal Reserve inspection or anynonpublic Federal Reserve supervisory initia-tive or action. Banking organizations that haveentered into agreements containing such confi-dentiality provisions are subject to legal risk.(See SR- 07-19, SR-97-17, and section 1040.0.)

8. For bank rating services, see the guidance atwww.fdic.gov/bank/individual/bank/index.html.

9. Information on enforcement actions taken by the Fed-eral Reserve may be found at www.federalreserve.gov/boarddocs/enforcement/search.cfm. Information on enforce-ment actions taken by other federal agencies, such as theSecurities and Exchange Commission, the Financial CrimesEnforcement Network, and the Department of Justice, as wellas foreign authorities, may also be publicly available.

10. See 12 C.F.R. 261.20(g).11. See the definition in 12 C.F.R. 261.2(c)(1)(i).

Nondisclosure of Supervisory Ratings 4070.5


Supervisory Guidance for Assessing Risk Management atSupervised Institutions with Total Consolidated AssetsLess than $50 Billion Section 4071.0

Managing risks is fundamental to the businessof banking. Accordingly, the Federal Reserveplaces significant supervisory emphasis on aninstitution’s management of risk, including itssystem of internal controls, when evaluating theoverall effectiveness of an institution’s risk man-agement. An institution’s failure to establish amanagement structure that adequately identifies,measures, monitors, and controls the risks of itsactivities has long been considered unsafe-and-unsound conduct. Principles of sound manage-ment should apply to the entire spectrum ofrisks facing an institution including, but notlimited to, credit, market, liquidity, operational,compliance, and legal risk:

• Credit risk arises from the potential that aborrower or counterparty will fail to performon an obligation.

• Market risk is the risk to a financial institu-tion’s condition resulting from adverse move-ments in market rates or prices, including, butnot limited to, interest rates, foreign exchangerates, commodity prices, or equity prices.

• Liquidity risk is the potential that a financialinstitution will be unable to meet its obliga-tions as they come due because of an inabilityto liquidate assets or obtain adequate funding(referred to as “funding liquidity risk”) or thatit cannot easily unwind or offset specific expo-sures without significantly lowering marketprices because of inadequate market depth ormarket disruptions (referred to as “marketliquidity risk”).

• Operational risk is the risk resulting frominadequate or failed internal processes, people,and systems or from external events.1

• Compliance risk is the risk of regulatory sanc-tions, fines, penalties or losses resulting fromfailure to comply with laws, rules, regula-tions, or other supervisory requirements appli-cable to a financial institution.

• Legal risk is the potential that actions againstthe institution that result in unenforceablecontracts, lawsuits, legal sanctions, or adversejudgments can disrupt or otherwise negativelyaffect the operations or condition of a finan-cial institution.

The risk-management expectations outlined inthis guidance are applicable to all supervisedinstitutions with total consolidated assets lessthan $50 billion, including state member banks,bank holding companies, savings and loan hold-ing companies, and foreign banking organiza-tions with combined total U.S. assets of lessthan $50 billion. This guidance also applies toinsurance and commercial savings and loanholding companies with total consolidated assetsless than $50 billion by providing core risk-management guidance. Reserve Bank staff mayfurther consult with Board staff on appropriatelytailoring this guidance for these institutions.

These risks and the activities associated withthem are addressed in greater detail in the Fed-eral Reserve’s supervision manuals and otherguidance documents.2 In practice, an institu-tion’s business activities present various combi-nations, concentrations, and interrelationshipsof these risks depending on the nature and scopeof the particular activity. The following discus-sion provides guidelines for the supervisoryassessment of the overall effectiveness of aninstitution’s risk management and its formal orinformal systems for identifying, measuring,monitoring, and controlling these risks. Refer toSR-16-11 and its attachment.

4071.0.1 ELEMENTS OF RISKMANAGEMENT

When evaluating the risk management at aninstitution as part of the evaluation of the over-all effectiveness of management, examinersshould place primary consideration on findingsrelating to the following elements of a soundrisk-management system:

• board3 and senior management oversight• policies, procedures, and limits

1. This definition conforms to the Basel Committee on

Banking Supervision’s “Principles for the Sound Manage-

ment of Operational Risk,” June 2011, Bank for International

Settlements.

2. Refer to the Federal Reserve’s Commercial Bank Exami-

nation Manual, this Bank Holding Company Supervision

Manual, Examination Manual for U.S. Branches and Agencies

of Foreign Banking Organizations, and relevant FFIEC Exami-

nation Manuals.

3. For the purpose of this guidance, for foreign banking

organizations, “board of directors” refers to the equivalent

governing body of the U.S. operations of the FBO.


• risk monitoring and management informationsystems

• internal controls

Each of these elements is described furtherbelow, along with a list of considerations rel-evant to assessing each element. Examinersshould recognize that the considerations speci-fied in these guidelines are intended only toassist in the evaluation of risk-management prac-tices and are not a checklist of requirements foreach institution.

An institution’s risk-management processesare expected to evolve in sophistication, com-mensurate with the institution’s asset growth,complexity, and risk. At a larger or more com-plex organization, the institution should havemore sophisticated risk-management processesthat address the full range of risks regardless ofwhere the activity is conducted in the organiza-tion. Moreover, while a holding company shouldbe able to assess the major risks of the consoli-dated organization, examiners should expect aparent company that centrally manages the op-erations and functions of its subsidiary banks tohave more comprehensive, detailed, and devel-oped risk-management systems than a parentcompany that delegates the management of risksto relatively autonomous subsidiaries.4

For a small community banking organization(CBO) engaged solely in traditional bankingactivities and whose senior management is ac-tively involved in the details of day-to-dayoperations, relatively basic risk-management sys-tems may be adequate. In accordance with theInteragency Guidelines Establishing Standardsfor Safety and Soundness, a CBO is expected, ata minimum, to have internal controls, informa-tion systems, and internal audits that are appro-priate for the size of the institution and thenature, scope, and risk of its activities.5

The risk-management processes of a regionalbanking organization (RBO) would typicallycontain detailed guidelines that set specific pru-dent limits on the principal types of risks rel-

evant to a RBO’s consolidated activities.6 Fur-thermore, because of the diversity and thegeographic dispersion of their activities, theseinstitutions will require relatively more sophisti-cated information systems that provide manage-ment with timely information that supports themanagement of risks. The information systems,in turn, should provide management with infor-mation that present a consolidated and inte-grated view of risks that are relevant to theduties and responsibilities of individual manag-ers, senior management, and the board of direc-tors.7

Consistent with the principle of national treat-ment,8 the Federal Reserve has the same super-visory goals and standards for the U.S. opera-tions of FBOs as for domestic organizations ofsimilar size, scope, and complexity. Given theadded element of foreign ownership, an FBO’srisk-management processes and control func-tions for the U.S. operations may be imple-mented domestically or outside of the UnitedStates. In cases where these functions are per-formed outside of the United States, the FBO’soversight function, policies and procedures, andinformation systems need to be sufficiently trans-parent to allow U.S. supervisors to assess theiradequacy. Additionally, the FBO’s U.S. seniormanagement need to demonstrate and maintaina thorough understanding of all relevant risksaffecting the U.S. operations and the associatedmanagement information systems, used to man-age and monitor these risks within the U.S.operations.

The information systems at a larger institu-tion will naturally require frequent monitoringand testing by independent control areas and byboth internal and external auditors, to ensure theintegrity of the information used by the board ofdirectors and senior management in overseeingcompliance with policies and limits. Therefore,an institution’s risk oversight function needs tobe sufficiently independent of the business linesto achieve an adequate separation of duties andthe avoidance of conflicts of interest.

4. If these subsidiaries are regulated by another federal

banking agency, Federal Reserve examiners should rely to the

fullest extent possible on the conclusions drawn by relevant

regulators regarding risk management. See also, SR-16-4,

“Relying on the Work of the Regulators of the Subsidiary

Insured Depository Institution(s) of Bank. Holding Compa-

nies and Savings and Loan Holding Companies with Total

Consolidated Assets of Less than $50 Billion.”

5. Refer to 12 CFR 208, Appendix D-1, the Interagency

Guidelines Establishing Standards for Safety and Soundness.

6. The Federal Reserve considers an RBO to be a midsize

financial institution with total consolidated assets between

$10 and $50 billion.

7. Additionally, the Federal Reserve’s Regulation YY

includes specific and enhanced prudential standard require-

ments regarding risk management for RBOs.

8. National treatment requires nondiscrimination between

domestic and foreign firms, or treatment of foreign entities

that is no less favorable than that accorded to domestic

enterprises in like circumstances. The International Banking

Act of 1978 generally gives foreign banks operating in the

United States the same powers as domestic banking organiza-

tions and subjects them to the same restrictions and obliga-

tions.

Assessing Risk Management at Institutions with Total Consolidated Assets Less than $50 Billion 4071.0


4071.0.1.1 Board and SeniorManagement Oversight

The board of directors has the responsibility forestablishing the level of risk that the institutionshould take. Accordingly, the board of directorsshould approve the institution’s overall businessstrategies and significant policies, including thoserelated to managing risks. Further, the board ofdirectors should also ensure that senior manage-ment is fully capable of implementing the insti-tution’s business strategies and risk limits. Inevaluating senior management, the board ofdirectors should consider whether managementis taking the steps necessary to identify, mea-sure, monitor, and control these risks.

The board of directors should collectivelyhave a balance of skills, knowledge, and experi-ence to clearly understand the activities andrisks to which the institution is exposed. Theboard of directors should take steps to developan appropriate understanding of the risks theinstitution faces, through briefings from expertsinternal to their organization and potentiallyfrom external experts. The institution’s manage-ment information systems should provide theboard of directors with sufficient information toidentify the size and significance of the risks.Using this knowledge and information, the boardof directors should provide clear guidance regard-ing the level of exposures acceptable to theinstitution and oversee senior management’simplementation of the procedures and controlsnecessary to comply with approved policies.

Senior management is responsible for imple-menting strategies set by the board of directorsin a manner that controls risks and that complieswith laws, rules, regulations, or other supervi-sory requirements on both a long-term and day-to-day basis. Accordingly, senior managementshould be fully involved in and possess suffi-cient knowledge of all activities to ensure thatappropriate policies, controls, and risk monitor-ing systems are in place and that accountabilityand lines of authority are clearly delineated.Senior management is also responsible for estab-lishing and communicating a strong awarenessof the need for effective risk management, inter-nal controls, and high ethical business practices.To fulfill these responsibilities, senior manage-ment needs to have a thorough understanding ofbanking and financial market activities and de-tailed knowledge of the institution’s activities,including the internal controls that are necessaryto limit the related risks.

In assessing the quality of the oversight pro-vided by the board of directors and senior man-

agement, examiners should consider thefollowing:

• The board of directors has approved signifi-cant policies to establish risk tolerances forthe institution’s activities and periodicallyreviews risk exposure limits to align withchanges in the institution’s strategies, addressnewactivitiesandproducts, and react tochangesin the industry and market conditions.

• Senior management has identified and has aclear understanding and working knowledgeof the risks inherent in the institution’s activi-ties. Senior management also remains in-formed about these risks as the institution’sbusiness activities evolve or expand and aschanges and innovations occur in financialmarkets and risk-management practices.

• Senior management has identified and re-viewed risks associated with engaging in newactivities or introducing new products to en-sure that the necessary infrastructure and inter-nal controls are in place to manage the relatedrisks.

• Senior management has ensured that the insti-tution’s activities are managed and staffed bypersonnel with the knowledge, experience,and expertise consistent with the nature andscope of the institution’s activities and risks.

• All levels of senior management provide ap-propriate management of the day-to-day activi-ties of officers and employees, including over-sight of senior officers or heads of businesslines.

• Senior management has established and main-tains effective information systems to identify,measure, monitor, and control the sources ofrisks to the institution.

4071.0.1.2 Policies, Procedures, andLimits

Although an institution’s board of directors ap-proves an institution’s overall business strategyand policy framework, senior management de-velops and implements the institution’s risk-management policies and procedures that ad-dress the types of risks arising from its activities.Once the risks are properly identified, the insti-tution’s policies and procedures should provideguidance for the day-to-day implementation ofbusiness strategies, including limits designed toprevent excessive and imprudent risks. An insti-tution should have policies and procedures that



address its significant activities and risks withthe appropriate level of detail to address thetype and complexity of the institution’s opera-tions. A smaller, less complex institution thathas effective senior management directly in-volved in day-to-day operations would gener-ally not be expected to have policies as sophisti-cated as larger institutions. In a larger institution,where senior managers rely on widely-dispersedstaffs to implement strategies for more variedand complex businesses, far more detailed poli-cies and procedures would generally be expected.In either case, senior management is expected toensure that policies and procedures address theinstitution’s material areas of risk and that poli-cies and procedures are modified when neces-sary to respond to significant changes in theinstitution’s activities or business conditions.

The following guidelines should assist exam-iners in evaluating an institution’s policies,procedures, and limits

• The institution’s policies, procedures, and lim-its provide for adequate identification, mea-surement, monitoring, and control of the risksposed by its significant risk-taking activities.

• The institution’s policies, procedures, and lim-its are consistent with its stated strategy andrisk profile.

• The policies and procedures establish account-ability and lines of authority across the institu-tion’s activities.

• The policies and procedures provide for thereview and approval of new business lines,products, and activities, as well as materialmodifications to existing activities, services,and products, to ensure that the institution hasthe infrastructure necessary to identify, mea-sure, monitor, and control associated risksbefore engaging in a new or modified busi-ness line, product, or activity.

4071.0.1.3 Risk Monitoring andManagement Information Systems

Institutions of all sizes are expected to have riskmonitoring and management information sys-tems in place that provide the board of directorsand senior management with timely informationand a clear understanding of the institution’sbusiness activities and risk exposures. The so-phistication of risk monitoring and managementinformation systems should be commensuratewith the complexity and diversity of the institu-

tion’s operations. Accordingly, a smaller andless complex institution may require less fre-quent management and board reports to supportrisk monitoring activities. For example, thesereports may include, daily or weekly balancesheets and income statements, a watch list forpotentially troubled loans, a report on past dueloans, an interest rate risk report, and similaritems. In contrast, a larger, more complex insti-tution would be expected to have much morecomprehensive reporting and monitoring sys-tems, which includes more frequent reporting toboard and senior management, tighter monitor-ing of high-risk activities, and the ability toaggregate risks on a fully consolidated basisacross all business lines, legal entities, andactivities.

In assessing an institution’s measurement andmonitoring of risk and its management reportsand information systems, examiners shouldconsider whether these conditions exist:

• The institution’s risk monitoring practices andreports address all of its material risks.

• Key assumptions, data sources, models, andprocedures used in measuring and monitoringrisks are appropriate and adequately docu-mented and tested for reliability on an on-going basis.9

• Reports and other forms of communicationaddress the complexity and range of an insti-tution’s activities, monitor key exposures andcompliance with established limits and strat-egy, and as appropriate, compare actual versusexpected performance.

• Reports to the board of directors and seniormanagement are accurate, and provide timelyand sufficient information to identify any ad-verse trends and to evaluate the level of risksfaced by the institution.

4071.0.1.4 Internal Controls

An effective internal control structure is criticalto the safe and sound operation of an institution.Effective internal controls promote reliable finan-cial and regulatory reporting, safeguard assets,and help to ensure compliance with relevantlaws, rules, regulations, supervisory require-ments, and institutional policies. Therefore, aninstitution’s senior management is responsiblefor establishing and maintaining an effectivesystem of controls, including the enforcement ofofficial lines of authority and the appropriate

9. See also SR-11-7, “Guidance on Model Risk Manage-

ment.”



segregation of duties.Adequate segregation of duties is a funda-

mental and essential element of a sound riskmanagement and internal control system. Fail-ure to implement and maintain an adequate seg-regation of duties can constitute an unsafe-and-unsound practice and possibly lead to seriouslosses or otherwise compromise the integrity ofthe institution’s internal controls. Serious lapsesor deficiencies in internal controls, includinginadequate segregation of duties, may warrantsupervisory action, including formal enforce-ment action.

Internal controls should be tested by an inde-pendent party who reports either directly to theinstitution’s board of directors or its designatedcommittee, which is typically the auditcommittee.10 However, small CBOs whose sizeand complexity do not warrant a full scale inter-nal audit function may rely on regular reviewsof essential internal controls conducted by otherinstitution personnel. Given the importance ofappropriate internal controls to institutions of allsizes and risk profiles, the results of audits orreviews, whether conducted by an internal audi-tor or by other personnel, should be adequatelydocumented, as should management’s responsesto the findings. In addition, communication chan-nels should allow for adverse or sensitive find-ings to be reported directly to the board ofdirectors or to the relevant board committee.

In evaluating internal controls, examinersshould consider whether these conditions aremet:

• The system of internal controls is appropriateto the type and level of risks posed by thenature and scope of the institution’s activities.

• The institution’s organizational structure estab-lishes clear lines of authority and responsibil-ity for risk management and for monitoringadherence to policies, procedures, and limits.

• Internal audit or other control functions, suchas loan review and compliance, provide forindependence and objectivity.

• The official organizational structures reflectactual operating practices and managementresponsibilities and authority over a particularbusiness line or activity.

• Financial, operational, risk management, and

regulatory reports are reliable, accurate, andtimely; and wherever applicable, material ex-ceptions are noted and promptly investigatedor remediated.

• Policies and procedures for control functionssupport compliance with applicable laws, rules,regulations, or other supervisory require-ments.

• Internal controls and information systems areadequately tested and reviewed; the coverage,procedures, findings, and responses to audits,regulatory examinations, and other reviewtests are adequately documented; identifiedmaterial weaknesses are given appropriate andtimely, high-level attention; and manage-ment’s actions to address material weaknessesare objectively verified and reviewed.

• The institution’s board of directors, or auditcommittee, and senior management are respon-sible for developing and implementing aneffective system of internal controls and thatthe internal controls are operating effectively.

4071.0.1.5 Conclusions

Examiners are expected to assess risk manage-ment for an institution and assign formal ratingsof “risk management” as described in the Com-mercial Bank Examination Manual for statemember banks, the Bank Holding CompanyManual for bank holding companies, and theExamination Manual for U.S. Branches andAgencies of Foreign Banking Organizations.11

In reports of examination or inspection, and intransmittal letters to the boards of directors ofstate member banks, holding companies,12 andto the FBO officer of the U.S. operations, exami-nation staff should specifically reference thetypes and nature of corrective actions that need

10. Given the importance of the internal audit function,

several additional policy statements have been issued. For

comprehensive guidance on internal audit, see SR-03-5,

“Amended Interagency Guidance on the Internal Audit Func-

tion and its Outsourcing” and for institutions with more than

$10 billion in assets, see SR-13-1/ CA-13-1, “Supplemental

Policy Statement on the Internal Audit Function and Its Out-

sourcing.”

11. Refer to section A.5020.1 of the Commercial Bank

Examination Manual; section 4070.1 of the Bank Holding

Company Supervision Manual; and section 2003.1 of the

Examination Manual for U.S. Branches and Agencies of For-

eign Banking Organizations. For savings and loan holding

companies, see also SR-11-11, “Supervision of Savings and

Loan Holding Companies (SLHCs);” SR-13-8, “Extension of

the Use of Indicative Ratings for Savings and Loan Holding

Companies;” and SR-14-9, “Incorporation of Federal Reserve

Policies into the Savings and Loan Holding Company Super-

vision Program.”

12. SR-16-11 applies to insurance and commercial savings

and loan holding companies with total consolidated assets less

than $50 billion by providing core risk-management guid-

ance. Reserve Bank staff should further consult with Board

staff on appropriately tailoring this guidance for these institu-

tions.



to be taken by an institution to address notedrisk management and internal control deficien-cies. Where appropriate, the Federal Reservewill advise an institution that supervisory actionwill be initiated, if the institution fails to timelyremediate risk-management weaknesses whensuch failures create the potential for seriouslosses or if material deficiencies or situationsthreaten its safety and soundness. Such supervi-sory actions may include formal enforcementactions against the institution, or its responsibleofficers and directors, or both, and would requirethe immediate implementation of all necessarycorrective measures.

If bank or holding company subsidiaries areregulated by another federal banking agency,Federal Reserve examiners should rely to thefullest extent possible on the conclusions drawnby relevant regulators regarding risk manage-ment. See also, SR-16-4, “Relying on the Workof the Regulators of the Subsidiary InsuredDepository Institution(s) of Bank Holding Com-panies and Savings and Loan Holding Compa-nies with Total Consolidated Assets of Lessthan $50 Billion.”



Federal Reserve System BHC Surveillance ProgramSection 4080.0


The BHC Surveillance Program is incorporat-ing a new early-warning model (Holding Com-pany Statistical Assessment of Bank Risk) andother risk identification algorithms (“OutlierMetrics”), while extending its coverage to sav-ings and loan holding companies.

The Federal Reserve’s Holding Company (HC)Surveillance Program covers top-tier bank andsavings and loan holding companies. It deploysrisk identification algorithms and other surveil-lance products to process financial and eco-nomic data and generate forward-looking, action-able intelligence on HCs. Results are used toassess exposures, outlooks, and possible compli-ance shortcomings, with the goal of calibratingsupervisory resources to risk. (Refer to SR-15-16 and its attachment.)

Objectives fall under these headings: (1) HCmonitoring, (2) industry analysis, and (3) metricdistribution. In HC monitoring, forward-lookingmetrics target high-risk HCs and those withemerging financial difficulties for enhanced su-pervisory attention, while identifying low-riskHCs for more streamlined approaches. The met-rics also detect possible regulatory violations ordepartures from supervisory guidance and feedinto financial reports on individual HCs. Inindustry analysis, aggregate data views and ac-companying financial analyses inform FederalReserve leaders of broad financial institutionconditions and trends. In metric distribution,web applications deliver surveillance results toexaminers and other supervisory staff.

As fully integrated into the supervisory pro-cess, the HC Surveillance Program involvesthree distinct phases. First, data are processedby the risk identification algorithms, rangingfrom simple rules to financial models, machinelearning, and signal processing. The algorithmicsystem’s main components are the Outlier List,Watch List, HC Monitoring Screen, and Inter-company Transactions Exception List, all de-scribed below. When the algorithms detect de-partures from expected patterns involving HCs,the results are transmitted via Performance Re-port Information and Surveillance Monitoring(PRISM), a web application available to FederalReserve examiners and other supervisory stafffor interactive data analysis.

The second phase begins as supervisory staffuse additional surveillance products to solidifythe initial impressions presented by first-phase

surveillance results. Key examples of these addi-tional products are the BHC Performance Re-port (BHCPR), a quarterly financial report onindividual HCs, described below, and the FocusReport, a web application available to FederalReserve examiners and other supervisory stafffor interactive risk assessment. In addition, aggre-gate data views and reports of financial condi-tion at the supervisory portfolio and industrylevels can help place a particular HC’s status incontext.

The third phase involves the development ofsupervisory responses to the information gener-ated in the first two. A primary goal is to focussupervisory resources on excessive risk-taking,the risk of emerging financial difficulties, andpossible compliance shortcomings. When prob-lems are identified, follow-up by examiners pro-motes correction and resolution. By also identi-fying low-risk situations, the HC SurveillanceProgram promotes the application of more stream-lined supervisory approaches for such cases.

4080.0.1 OUTLIER LIST

An Outlier List highlights HCs with elevatedrisk-taking and identifies those with expandedor new areas of risk-taking. It is supported by“Outlier Metrics” in the form of algorithms gen-erating risk classifications of Low, Moderate, orHigh for individual risk and performance dimen-sions. The Outlier List includes HCs (FR Y-9Cfilers only) categorized as High risk within atleast one risk or performance dimension. Therisk identification algorithms can be based on abroad range of approaches and may evolve overtime.

Examiners and other supervisory staff use theOutlier List to monitor risk-taking and promoteadequate risk management and mitigation, withthe goal of bolstering HCs’ capacity to preventor buffer financial losses. The Outlier List andits metrics also assist supervisory staff in scop-ing HC inspections. No regular write-up ordocumentation requirement is tied to the OutlierList.

4080.0.2 WATCH LIST

The Watch List identifies the risk of emergingfinancial weaknesses among HCs. It includes

BHC Supervision Manual January 2016Page 1

HCs (FR Y-9C filers only) with composite safety-and-soundness ratings consistent with financialviability, but surveillance grades of ’D’ or ’F,’pointing to the possibility of deterioration ininspection findings going forward.

To generate the surveillance grades, the Hold-ing Company Statistical Assessment of BankRisk (HC-SABR) early-warning model is ap-plied to financial and supervisory informationfor each HC filing consolidated financial state-ments on the FR Y-9C. The HC-SABR ratingconsists of the composite rating most recentlyassigned to an HC via the inspection process,coupled with a surveillance letter grade (A, B,C, D, or F) reflecting the HC’s estimated finan-cial condition relative to others in the samerating class.

HC-SABR ratings are designed for use bothin monitoring and in determining the scope ofan inspection. An accompanying Schedule ofRisk Factors (SRF) highlights specific indica-tors leading the model to flag a particular HC asstrong or weak. Through ongoing monitoring,examiners and other supervisory staff revieweach Watch List HC to assess its financial condi-tion and discern whether substantial deteriora-tion is evident or impending. In such cases, theydetermine whether an inspection or other super-visory initiative might be needed. The WatchList, much like the Outlier List and its metrics,can also be used in scoping HC inspections totarget potentially deteriorating situations for themost extensive reviews.

At times, Reserve Bank staff may need toproduce supporting documentation to explainthe reasons for an HC’s placement on the WatchList and outline the appropriate supervisoryresponse. For HCs other than community bank-ing organizations (CBOs), this type of informa-tion is often already contained in quarterly super-visory write-ups outside of the Watch List process.Separate surveillance write-ups are required forCBO HCs on the Watch List when any of thefollowing criteria are met:

1. The current HC-SABR rating is worse thanthe prior quarter; or

2. The HC-SABR rating is the same as the priorquarter, but the SRF identifies one or morenew contributing factors; or

3. The most recent requirement for a write-upoccurred four quarters earlier.

The assessments and conclusions comprisinga write-up should be brief and supported by

analysis. A Watch List write-up should accom-plish the following:

1. summarize the factors leading to Watch Listplacement;

2. describe any response from the HC to thosefactors;

3. assess the likelihood of further financial dete-rioration;

4. judge whether assigned safety-and-soundnessratings are accurate; and

5. determine whether the timing of the nextinspection should be accelerated.

Corrective action associated with newly iden-tified problems must be initiated promptly byReserve Banks. Follow-up action may includecorrespondence or meetings with an HC’s man-agement or an on-site inspection. Problem situa-tions should be closely monitored by supervi-sory staff until they have been corrected orotherwise resolved.

4080.0.3 HC MONITORING SCREEN

The HC Monitoring Screen includes a focus onthe parent company and non-depository subsidi-aries; addresses issues such as cash flow, lever-age, and complexity; identifies risks to deposi-tory institution subsidiaries; and helps monitorcompliance with regulations and supervisoryguidance. It provides examiners and other super-visory staff with additional perspective on therisk position and financial condition of HCs bysupplementing the Outlier List and Watch List.The FR Y-9SP is utilized, among other reports,allowing the HC Monitoring Screen to provide asurveillance view of smaller HCs. Those HCsthat fail screening criteria are identified, withthe criteria themselves updated periodically.

Examiners and other supervisory staff reviewHC Monitoring Screen results quarterly and fol-low up with supervisory initiatives when appro-priate. Detailed instructions may accompanyparts of the screen linked to specific supervisoryprograms, as for example, the guidance dis-cussed in this manual’s section 4080.1, “Sur-veillance Program for Small Holding Compa-nies,” and further described in SR-13-21. Unlessotherwise instructed as part of a specific super-visory program, staff are not generally requiredto produce surveillance write-ups or maintainsurveillance documentation for HCs on the HCMonitoring Screen.

Federal Reserve System BHC Surveillance Program Section 4080.0


4080.0.4 INTERCOMPANYTRANSACTIONS EXCEPTION LIST

The Intercompany Transactions Exception List(ITEL) helps track compliance with section 23Aof the Federal Reserve Act; it is a specializedmonitoring process utilizing data from the FRY-8, together with information from the bankCall report.

Foreachdepository institutionpossiblyexceed-ing section 23A limits, supervisory staff per-form the following: (1) follow up with the HCsubmitting the FR Y-8 to verify the data areaccurate; (2) if an error caused the exception,require an amended report; and (3) if the dataare correct, and a depository institution appearsto have had covered transactions exceeding sec-tion 23A limits, determine the nature and extentof the apparent violation. Reserve Bank staffproduce a written review of their findings foreach depository institution on the list. The reviewaddresses any apparent violations or reportingerrors, along with any corrective action taken.

4080.0.5 THE SURVEILLANCEPROGRAM’S BHC PERFORMANCEREPORT

The HC Surveillance Program generates quar-terly financial reports on individual HCs, includ-ing a publically available BHCPR consisting ofconsolidated and parent-only financial informa-tion and peer-group percentiles for HCs filingthe FR Y-9C. The information is useful in ana-lyzing HCs on the Outlier List, Watch List, orHC Monitoring Screen. By reviewing the per-formance reports, examiners and other supervi-sory staff gain insight into potential HC weak-nesses. Parent leverage, cash-flow, and coverageratios can indicate problems at the parent levelthat could adversely affect depository institutionsubsidiaries. Information on the parent’s incomefrom subsidiaries can help illuminate problemsat non-depository subsidiaries that could nega-tively affect depository institution subsidiaries.

The financial indicators produced by theBHCPR are leveraged in surveillance modelssuch as HC-SABR and used in the financial

analysis of HCs. Some documentation is re-quired to help support the report. Specifically,the BHCPR’s peer group analysis involves theidentification of HCs that for a variety of rea-sons could be considered atypical.

To support this process, Reserve Bank staffannually produce a list of atypical HCs. The listprovides (1) the name, location, and ID RSSDof a company; and (2) the reason why the HC isconsidered atypical. HCs removed from theatypical list relative to the previous year are alsoidentified and discussed.

4080.0.6 ROLE IN INSPECTIONPROCESS

HCs identified through the surveillance processas (1) taking on positions or pursuing strategiesthat could lead to problem situations, (2) havinga weak or declining financial condition, or (3)failing to comply with regulations or supervi-sory guidance should, in general, be inspectedmore intensely and frequently than companieswithout such deficiencies.

Regarding the positions and strategies of HCs,the Outlier List is designed to identify excessiverisk-taking, as are parts of the HC MonitoringScreen. Similarly, the Watch List is intended toidentify companies having a weak or decliningfinancial condition, as are parts of the HC Moni-toring Screen. Also, the HC Monitoring Screenand the Intercompany Transactions ExceptionList help detect possible compliance problemsamong HCs and their subsidiaries.

The full array of risk identification algorithmsand products deployed in the HC SurveillanceProgram can be used in the scheduling andscoping of HC inspections, so as to target, in atimely manner, the riskiest situations for themost extensive reviews, while conserving super-visory resources when risk is low. The examiner-in-charge should exercise prudent supervisoryjudgment and consider an HC’s status on eachsurveillance list and screen, together with allother available information sources, includingthe BHCPR and Focus Report, when determin-ing the scope and nature of the inspection workrequired.

Federal Reserve System BHC Surveillance Program Section 4080.0


Surveillance Program for Small Holding CompaniesSection 4080.1


This section has been modified to reflect changesto the small holding company surveillance pro-gram. (See SR-13-21.) The surveillance pro-gram for holding companies under $1 billion intotal consolidated assets currently includes bothbank holding companies and savings and loanholding companies.

The surveillance program for holding compa-nies having total consolidated assets of less than$1 billion is described below. (See SR-13-21.)The surveillance program is a primary tool foridentifying potentially significant changes in thecondition of these organizations between reviewsand for targeting the work of any on-site reviews.Quarterly surveillance screens identify potentialparent-company and nonbank issues that mayadversely affect affiliated insured depositoryinstitutions. In particular, the screens addressparent-company cash flow; intercompany trans-actions; parent-company leverage; and consoli-dated capital ratios, where applicable. The sur-veillance screens are periodically updated toreflect industry trends and issues as well aschanges in regulatory reporting requirements.

Upon receipt and finalization of Y-9 data,Board surveillance staff provide each ReserveBank with the results of the small holding com-pany surveillance screens on a quarterly basis,which identify companies that fail key screeningcriteria. Reserve Banks should evaluate thisinformation and make a determination as to anyappropriate supervisory actions within 45 daysof receipt. In doing so, Reserve Banks shoulddetermine whether the screen results reveal thatthe holding company or its affiliates could poseor exacerbate a material risk to a depositoryinstitution subsidiary. If the screen results revealno basis for a significant concern, a short note toexamination files documenting this conclusionshould be prepared and filed, and no furtheraction is required.

If a Reserve Bank determines that the screenresults reveal the potential for material risk to adepository institution, the Reserve Bank should

take appropriate follow-up action within 90 daysafter initially receiving the surveillance resultsfrom the Board. Follow-up actions may include

• contacting the holding company to obtainmore information,

• requesting from the holding company a cor-rective action plan,

• implementing heightened monitoring proce-dures, or

• commencing an on-site review.

In most cases, follow-up action can be com-pleted off-site. If an on-site review is recom-mended, the review is to commence within 90days of the Reserve Bank’s initial notification ofthe surveillance results from the Board. Theratings assigned as a result of the on-site reviewshould be promptly entered into the NationalExamination Data System (NED) and communi-cated to the company, Board staff, and appropri-ate state and federal regulatory authorities within120 days of that notification.

In addition to the surveillance monitoringscreens, Board staff will provide Reserve Bankswith program support screens that provide addi-tional information to assist in the supervision ofsmall bank holding companies. One set of sup-port screens identifies companies that are classi-fied as noncomplex, but which exhibit character-istics of complex organizations. Reserve Banksare to evaluate any of these companies to deter-mine whether their designation as noncomplexshould be changed and their supervision pro-gram modified accordingly. A second set ofsupport screens monitors compliance of finan-cial holding companies with the capital, mana-gerial, and Community Reinvestment Act stan-dards set forth in the Gramm-Leach-Bliley Act.

Surveillance information is crucial to identi-fying potential issues between reviews and forensuring that on-site work is risk-focused. Ac-cordingly, Reserve Banks are to continue takingsteps to ensure the accuracy of the regulatoryreports that are the basis for the surveillanceprogram. In particular, System staff is to followup promptly on identified inaccuracies.


Country RiskSection 4090.0


Effective January 2009, this section has beenrevised to recognize the supervisory guidancecontained in SR-08-12 and its interagency attach-ment, ‘‘Changes to the Interagency CountryExposure Review Committee (ICERC) Process.’’A significant change was made to the ICERCrating process—ICERC will only rate countriesthat are in default.1

4090.0.05 DEFINITION,COMPOSITION, AND EXPOSURES OFCOUNTRY RISK AND EVALUATINGTHE ADEQUACY OF COUNTRY-RISKMANAGEMENT

Apart from the consideration of the creditwor-thiness of individual borrowers, holding compa-nies engaged in international activities are sub-ject to elements of country risk. Country riskencompasses the entire spectrum of risks arisingfrom the economic, social, and political environ-ments of a foreign country, as well as the gov-ernmental policies structured to respond to theseconditions. These factors may have potentiallyfavorable or adverse consequences for foreign-ers’ debt and equity investments in a particularcountry. The Federal Reserve, along with theOffice of the Comptroller of the Currency andFederal Deposit Insurance Corporation, haveissued supervisory guidance concerning the ele-ments of an effective country-risk managementprocess for banking organizations. (See SR-02-05andSR-08-12, including their attachments.)

Country risk is the risk that economic, social,or political conditions in a foreign country mightadversely affect an organization’s financial con-dition, primarily through impaired credit qualityor transfer risk.2 Country risk is also an impor-tant consideration when evaluating the level ofcredit risk associated with individual counter-parties in a country. Regardless of the availabil-ity of foreign exchange, macroeconomic condi-tions and events that are beyond the control of

individual borrowers can strain or impair thefinancial capacity of otherwise sound borrow-ers. Significant depreciation of a country’sexchange rate, for example, increases the cost ofservicing external debt and can adversely affectnot only transfer risk for the country, but alsothe credit risk associated with even the strongestcounterparties in the country.

Country risk can occur in many differentforms, and the nature of specific risks can changeover time. It is essential that a U.S. bankingorganization with significant direct or indirectinternational exposure have in place an effectivecountry-risk management process that is com-mensurate with the volume and complexity ofits international activities. More specifically,country risk focuses on a borrower’s capacity toobtain the foreign exchange required to servicecross-currency debt. A borrower’s debt-servicecapacity may also be affected by the risks ofpolitical and social upheaval, nationalizationand expropriation, governmental repudiation ofexternal indebtedness, exchange controls, anddevaluation. Events such as these may materi-ally affect the condition of investments and theprofitability of lending activities overseas; exam-iners must alert management to those risks thatmay be difficult for the holding company and itssubsidiaries to absorb.

Using uniform examination procedures andtechniques for evaluating country-risk expo-sures for domestic banks, examiners segregatecountry-risk factors from the evaluation of otherlending risks. The procedures emphasize diver-sification of exposure to individual countries asthe primary method of moderating country riskin international portfolios. The approach gener-ally consists of three parts:

1. measuring exposure in each country where abusiness relationship exists

2. analyzing exposure in relation to the bank’scapital resources and the economic and finan-cial conditions of each country in which thebank has outstanding credits

3. evaluating the risk-management system usedby the bank in relation to the size and natureof its foreign lending activities

Examiners should evaluate the adequacy ofthe country-risk management process at interna-tionally active bank holding companies. Thisrisk-assessment process should include, at a

1. With the adoption of revised ICERC procedures inNovember 2008, the Federal Reserve and the other bankingagencies eliminated the rating categories of Other TransferRisk Problems, Weak, Moderately Strong, and Strong.

2. Transfer risk is the possibility that an asset cannot beserviced in the currency of payment because of a lack of, orrestraints on the availability of, needed foreign exchange inthe country of the obligor. For more information, see the‘‘Guide to the Interagency Country Exposure Review Com-mittee Process’’ (SR-08-12’s attachment).


minimum, effective oversight by the board ofdirectors, adequate risk-management policiesand procedures, an accurate country-exposurereporting system, an effective country-risk analy-sis process, a country-risk rating system, country-exposure limits, ongoing monitoring of countryconditions, periodic stress testing of foreignexposures, and adequate internal controls and anaudit function. A bank holding company’scountry-risk management process should giveparticular attention to any concentrations ofcountry risk, first at the consolidated level andthen within the parent company and nonbanksubsidiaries, as well as to any concentrationsreported by supervisors at the bank subsidiaries.

4090.0.1 COUNTRY RISKS ANDFACTORS

Country or sovereign risk encompasses the entirespectrum of risks and factors that arise from theeconomic, social, and political environments ofa foreign country that may have potential conse-quences for foreigners’ debt and equity invest-ments in that country. A detailed description ofthese factors is described below.

4090.0.1.1 Macroeconomic Factors

The first factor affecting country risk is the sizeand structure of a country’s external debt inrelation to its economy, more specifically—

1. the current level of short-term debt and thepotential effect that a liquidity crisis wouldhave on the ability of otherwise creditworthyborrowers in the country to continue servic-ing their obligations, and

2. to the extent the external debt is owed by thepublic sector, the ability of the governmentto generate sufficient revenues, from taxesand other sources, to service its obligations.

The condition and vulnerability of the country’scurrent account is also an important consider-ation, including—

1. the level of international reserves, includingforward market positions of the country’smonetary authority (especially when theexchange rate is fixed);

2. the level of import coverage provided by thecountry’s international reserves;

3. the importance of commodity exports as asource of revenue, the existence of any price-stabilization mechanisms, and the country’svulnerability to a downturn in either its exportmarkets or the price of an exported commod-ity; and

4. the potential for sharp movements in exchangerates and the effect on the relative price ofthe country’s imports and exports.

The role of foreign sources of capital in meetingthe country’s financing needs is another impor-tant consideration in the analysis of countryrisk, including—

1. the country’s access to international financialmarkets and the potential effects of a loss ofmarket liquidity;

2. the country’s relationships with private-sector creditors, including the existence ofloan commitments and the attitude amongbankers toward further lending to borrowersin the country;

3. the country’s current standing with multilat-eral and official creditors, including the abil-ity of the country to qualify for and sustainan International Monetary Fund or other suit-able economic adjustment program;

4. the trend in foreign investments and thecountry’s ability to attract foreign invest-ments in the future; and

5. the opportunities for privatization ofgovernment-owned entities.

Past experience has highlighted the importanceof a number of other important macroeconomicconsiderations, including—

1. the degree to which the country’s economymay be adversely affected through the conta-gion of problems in other countries;

2. the size and condition of the country’s bank-ing system, including the adequacy of thecountry’s system for bank supervision andany potential burden of contingent liabilitiesthat a weak banking system might place onthe government;

3. the extent to which state-directed lending orother government intervention may haveadversely affected the soundness of the coun-try’s banking system, or the structure andcompetitiveness of the favored industries orcompanies; and

4. for both in-country and cross-border expo-sures, the degree to which macroeconomicconditions and trends may have adverselyaffected the credit risk associated with coun-terparties in the country.

Country Risk 4090.0


4090.0.1.2 Social, Political, and LegalClimate

The analysis of country risk should also con-sider the country’s social, political, and legalclimate, including—

1. the country’s natural- and human-resourcepotential;

2. the willingness and ability of the governmentto recognize economic or budgetary prob-lems and implement appropriate remedialaction;

3. the degree to which political or regional fac-tionalism or armed conflicts are adverselyaffecting the government of the country;

4. any trends toward government-imposed price,interest-rate, or exchange controls;

5. the degree to which the country’s legal sys-tem can be relied on to fairly protect theinterests of foreign creditors and investors;

6. the accounting standards in the country andthe reliability and transparency of financialinformation;

7. the extent to which the country’s laws andgovernment policies protect parties in elec-tronic transactions and promote the develop-ment of technology in a safe and soundmanner;

8. the extent to which government policies pro-mote the effective management of the bankholding company’s exposures; and

9. the level of adherence to international legaland business-practice standards.

4090.0.1.3 Factors Specific to BankingOrganizations

Finally, a bank holding company’s analysis ofcountry risk should consider factors relating tothe nature of its actual (or approved) exposuresin the country, including, for example—

1. the bank holding company’s business strat-egy and its exposure-management plans forthe country;

2. the mix of exposures and commitments,including the types of investments and bor-rowers, the distribution of maturities, thetypes and quality of collateral, the existenceof guarantees, whether exposures are held fortrading or investment, and any other distin-guishing characteristics of the portfolio;

3. the economic outlook for any specificallytargeted industries within the country;

4. the degree to which political or economicdevelopments in a country are likely to affect

the bank holding company’s chosen lines ofbusiness in the country (for instance, theunemployment rate or changes in local bank-ruptcy laws may affect certain activities morethan others);

5. for a bank holding company involved in capi-tal markets, its susceptibility to changes invalue based on market movements (As themarket value of claims against a foreigncounterparty rise, the counterparty maybecome less financially sound, thus increas-ing the risk of nonpayment (this is espe-cially true for over-the-counter derivativeinstruments.));

6. the degree to which political or economicdevelopments are likely to affect the creditrisk of individual counterparties in the coun-try (for example, foreign counterparties withhealthy export markets or whose business istied closely to supplying manufacturing enti-ties in developed countries may have signifi-cantly less exposure to the local country’seconomic disruptions than do other counter-parties in the country); and

7. the bank holding company’s ability to effec-tively manage its exposures in a countrythrough in-country or regional representa-tion, or by some other arrangement that ensuresthe timely reporting of, and response to, anyproblems.

4090.0.2 RISK-MANAGEMENTPROCESS FOR COUNTRY RISK

Country risk has an overarching effect on a bankholding company’s international activities andshould explicitly be taken into account in therisk assessment of all exposures (including off-balance-sheet) to all public- and private-sectorforeign-domiciled counterparties. The risk asso-ciated with even the strongest counterparties ina country will increase if, for example, politicalor macroeconomic conditions cause the exchangerate to depreciate and the cost of servicing exter-nal debt to rise. Country risk can occur in manydifferent forms, and the nature of specific riskscan change over time. A U.S. banking organiza-tion with significant direct or indirect interna-tional exposure should have in place an effec-tive country-risk management process that iscommensurate with the volume and complexityof its international activities. Examiners shouldbe continually evaluating the adequacy of thecountry-risk management process at internation-

Country Risk 4090.0


ally active bank holding companies, and theyshould regularly update their assessments. Abank holding company’s country-risk manage-ment process should give particular attentionto any concentrations of country risk at theparent level or within its bank and nonbanksubsidiaries.

Country risk is not necessarily limited tobanking organizations with direct internationalexposures. Domestic counterparties with signifi-cant economic dependence on a foreign countryor region (for example, through export depen-dence) can pose an indirect country risk to bank-ing organizations that do not have direct interna-tional activity. While banking organizations arenot required to incorporate indirect country riskinto a formal country-risk management process,they should, nevertheless, take these country-risk factors into account, where appropriate,when assessing the creditworthiness of domesticcounterparties. Examiners should ensure that theoverall credit-risk management process takesinto account indirect country risk where applica-ble in all Federal Reserve–supervised bankingorganizations.

To effectively control the risk associated withinternational activities, bank holding companiesmust have a risk-management process thatfocuses on the broadly defined concept of coun-try risk. The elements of a sound country-riskmanagement process are discussed in furtherdetail below.

4090.0.2.1 Oversight by the Board ofDirectors

If country risk is to be managed properly, theboard of directors must oversee the processeffectively. The board is responsible for periodi-cally reviewing and approving policies govern-ing its international activities to ensure that theyare consistent with the bank holding company’sstrategic plans and goals. The board is alsoresponsible for reviewing and approving limitson country exposure and ensuring that manage-ment is effectively controlling the risk. Whenevaluating the adequacy of the bank holdingcompany’s capital and allowance for loan andlease losses (ALLL), the board should take intoaccount the volume of foreign exposures andthe ratings of the countries to which it isexposed.

4090.0.2.2 Policies and Procedures forManaging Country Risk

Bank management is responsible for implement-ing sound, well-defined policies and proceduresfor managing country risk that—

1. establish risk-tolerance limits;2. delineate clear lines of responsibility and

accountability for country-risk managementdecisions;

3. specify authorized activities, investments, andinstruments; and

4. identify both desirable and undesirable typesof business.

Management should also ensure that country-risk management policies, standards, and prac-tices are clearly communicated to the affectedoffices and staff.

4090.0.2.3 Country-Exposure ReportingSystem

To effectively manage country risk, the bankholding company must have a reliable systemfor capturing and categorizing the volume andnature of foreign exposures. The reporting sys-tem should cover all aspects of the bank holdingcompany’s operations, whether conductedthrough paper transactions or electronically. Anaccurate country-exposure reporting system isalso necessary to support the regulatory report-ing of foreign exposures on the quarterly Coun-try Exposure Report, FFIEC 009, and the supple-mental Country Exposure Information Report,FFIEC 009a.

The board of directors should regularly receivereports on the level of foreign exposures. If thelevel of foreign exposures in a bank holdingcompany is significant,3 or if a country to whichthe bank holding company is exposed is consid-ered to be high risk, exposures should be reportedto the board at least quarterly. More frequentreporting is appropriate when a deterioration inforeign exposures would threaten the soundnessof the bank holding company.

3. For purposes of this guidance, concentrations of expo-sures to individual countries that exceed 25 percent of thebank holding company’s or bank’s tier 1 capital plus theALLL are considered significant. However, in the case ofparticularly troubled countries, lesser degrees of exposuremay also be considered to be significant.

Country Risk 4090.0


4090.0.2.4 Country-Risk AnalysisProcess

Although the nature of the country-risk analysisprocess and the level of resources devoted to itwill vary, depending on the size and sophistica-tion of the banking organization’s internationaloperations, a number of considerations are rel-evant to evaluating the process in all bankingorganizations:

1. Is there a quantitative and qualitative assess-ment of the risk associated with each countryin which the banking organization is con-ducting or planning to conduct business?

2. Is a formal analysis of country risk con-ducted at least annually, and does the bank-ing organization have an effective system formonitoring developments in the interim?

3. Does the analysis take into account all aspectsof the broadly defined concept of countryrisk, as well as any unique risks associatedwith specific groups of counterparties thebanking organization may have targeted inits business strategy?

4. Is the analysis adequately documented, andare conclusions concerning the level of riskcommunicated in a way that provides deci-sion makers with a reasonable basis for deter-mining the nature and level of the bankingorganization’s exposures in a country?

5. Given the size and sophistication of the bank-ing organization’s international activities, arethe resources devoted to the analysis of coun-try risk adequate?

6. As a final check of the process, are the bank-ing organization’s conclusions concerning acountry reasonable in light of informationavailable from other sources, including exter-nal research and rating services and the Inter-agency Country Exposure Review Commit-tee (ICERC)?

4090.0.2.5 Country-Risk Ratings

Country-risk ratings summarize the conclusionsof the country-risk analysis process. The ratingsare an important component of country-riskmanagement because they provide a frameworkfor establishing country-exposure limits thatreflect the bank holding company’s tolerance forrisk.

Because some counterparties may be moreexposed to local country conditions than others,it is a common and acceptable practice for bank-ing organizations to distinguish between differ-ent types of exposures when assigning their

country-risk ratings. For example, trade-relatedand banking-sector exposures typically receivebetter risk ratings than other categories of expo-sure because the importance of these types oftransactions to a country’s economy has usuallymoved governments to give them preferentialtreatment for repayment.

The risk-rating systems of some bankingorganizations differentiate between public-sector and private-sector exposures. In somebanking organizations, a country’s private-sector credits cannot be rated less severely thanits public-sector credits (that is, the bankingorganization imposes a ‘‘sovereign ceiling’’ onthe rating for all exposures in a country). Bothare acceptable practices.

A banking organization’s country-risk ratingsmay differ from the ICERC-assigned transfer-risk ratings because the two ratings differ inpurpose and scope. A banking organization’sinternally assigned ratings help it to decidewhether to extend additional credit, as well ashow it should manage existing exposures. Suchratings should, therefore, have a forward-looking and broad country-risk focus. TheICERC’s more narrowly focused transfer-riskratings are primarily a supervisory tool to iden-tify countries where concentrations of transferrisk might warrant greater scrutiny and to deter-mine whether some minimum level of reservesagainst transfer risk should be established. TheICERC rating process only rates countries indefault. Default occurs when a country is notcomplying with its external debt-service obliga-tions or is unable to service the existing loanaccording to its terms, as evidenced by failure topay principal and interest fully and on time,arrearages, forced restructuring, or rollovers.For more information on ICERC ratings, seesection 7040.3 of the Commercial Bank Exami-nation Manual and SR-08-12.

4090.0.2.6 Country-Exposure Limits

As part of their country-risk managementprocess, internationally active bank holding com-panies should adopt a system of country-exposure limits. Because the limit-setting pro-cess often involves divergent interests withinthe banking organization (such as the countrymanagers, the bank holding company’s over-all country-risk manager, and the country-riskcommittee), country-risk limits will usually

Country Risk 4090.0


reflect a balancing of several considerations,including—

1. the overall strategy guiding the bank holdingcompany’s international activities,

2. the country’s risk rating and the bank hold-ing company’s appetite for risk,

3. perceived business opportunities in the coun-try, and

4. the desire to support the international busi-ness needs of domestic customers.

Country-exposure limits should be approved bythe board of directors, or a committee thereof,and communicated to all affected departmentsand staff. Exposure limits should be reviewedand approved at least annually—and more fre-quently when concerns about a particular coun-try arise.

A bank holding company’s board of directorsand senior management should consider whetherits international operations are such that it shouldsupplement its aggregate exposure limits withmore discrete controls. Such controls might takethe form of limits on the different lines of busi-ness in the country, limits by type of counter-party, or limits by type or tenor of exposure. Abank holding company might also limit its expo-sure to local currencies. Bank holding compa-nies that have both substantial capital-marketexposures and credit-related exposures typicallyset separate aggregate exposure limits for eachbecause exposures to the two lines of businessare usually measured differently.

Although country-by-country exposure limitsare customary, bank holding companies shouldalso consider limiting (or at least monitoring)exposures on a broader (for example, regional)basis. A troubled country’s problems often affectits neighbors, and the adverse effects may alsoextend to geographically distant countries withclose ties through trade or investment. By moni-toring and controlling exposures on a regionalbasis, bank holding companies are in a betterposition to respond if the adverse effects of acountry’s problems begin to spread.

For bank holding companies that are engagedprimarily in direct lending activities, monthlymonitoring of compliance with country-exposure limits is adequate. However, bankholding companies with more volatile port-folios, including those with significant tradingaccounts, should monitor compliance withapproved limits more frequently. Exceptions toapproved country-exposure limits should be

reported to an appropriate level of managementor the board of directors so that it can considercorrective measures.

4090.0.2.7 Monitoring CountryConditions

The bank holding company should have a sys-tem in place to monitor current conditions ineach of the countries where it is significantlyexposed. The level of resources devoted tomonitoring conditions within a country shouldbe proportionate to the bank holding company’slevel of exposure and the perceived level of risk.If the bank holding company maintains an in-country office, reports from the local staff are anobviously valuable resource for monitoring coun-try conditions. In addition, periodic country vis-its by the regional or country manager areimportant to properly monitor individual expo-sures and conditions in a country. The bankholding company may also draw on informationfrom rating agencies and other external sources.

Communication between senior managementand the responsible country managers should beregular and ongoing. The bank holding com-pany should not rely solely on informal lines ofcommunication and ad hoc decision making intimes of crisis. Established procedures shouldbe in place for dealing with exposures in troubledcountries, including contingency plans forreducing risk and, if necessary, exiting thecountry.

4090.0.2.8 Stress Testing

Bank holding companies should periodicallystress-test their foreign exposures and report theresults to the board of directors and senior man-agement. As used here, stress testing does notnecessarily refer to the use of sophisticatedfinancial modeling tools, but rather to the needfor all bank holding companies to evaluate insome way the potential impact different sce-narios may have on their country-risk profiles.The level of resources devoted to this effortshould be commensurate with the significanceof foreign exposures in the bank holding compa-ny’s overall operations.

4090.0.2.9 Internal Controls and Audit

Bank holding companies should ensure thattheir country-risk management process includesadequate internal controls and that an audit

Country Risk 4090.0


mechanism ensures the integrity of the informa-tion used by senior management and the boardto monitor compliance with country-risk poli-cies and exposure limits. The system of internalcontrols should, for example, ensure that theresponsibilities of marketing and lending per-sonnel are properly segregated from the respon-sibilities of personnel who analyze country risk,rate country risk, and set country limits.

4090.0.3 REPORTINGREQUIREMENTS

4090.0.3.1 Country Exposure Report(FFIEC 009)

Banks and bank holding companies required tofile the Country Exposure Report (Form FFIEC009, formerly Form FR 2036) when the bank orbanks have a foreign branch, a foreign subsidi-ary, or an Edge corporation, and when theyhave, on a consolidated basis, total outstandingclaimsonresidentsof foreigncountriesof$30mil-lion or more. The report is to be filed quarterlywithin 45 days of the end of March, June, Sep-tember, and December.

The report measures lending to residents offoreign countries by U.S. banking organizations.It is used to provide information on the distribu-tion, by country, of foreign claims held by suchbanking organizations to (1) determine the degreeof risk in bank portfolios and how adversedevelopments in particular countries affect theU.S. banking system; (2) assess country risk forsupervisory purposes, and (3) assist the Bankfor International Settlements in compiling world-wide data on cross-border claims. The reportalso includes information on revaluation gainsfor off-balance-sheet items and for securitiesheld in trading accounts.

4090.0.3.2 Country Exposure InformationReport (FFIEC 009a)

The County Exposure Information Report (FormFFIEC 009a) supplements the Country ExposureReport. The purpose of FFIEC 009a is to pro-vide public disclosure of significant countryexposures of U.S. banking institutions. Everyinstitution that submits the FFIEC 009 and thathas exposures to a country that exceed 1 percentof total assets or 20 percent of capital of thereporting institution submits the FFIEC 009a.FFIEC 009a respondents also furnish a list ofcountries in which exposures were between

3⁄4 of 1 percent and 1 percent of total assets orbetween 15 and 20 percent of capital. Filing ofthe report is required.

4090.0.3.3 Country Exposure Report forU.S. Branches and Agencies of ForeignBanks (FFIEC 019)

The Country Exposure Report for U.S. Branchesand Agencies of Foreign Banks (Form FFIEC019) is similar to the FFIEC 009 report that isfiled by U.S. banks. The FFIEC 019 report col-lects information, by country, on the directclaims, indirect claims, and total adjusted claimson foreign residents; information on direct claimson related non–U.S. offices domiciled in coun-tries other than the home country of the parentbank that are ultimately guaranteed in the homecountry that are included in total adjusted claimson the home country; and information on thebreakdown of adjusted claims on unrelated for-eign residents. The data are used by the super-visory agencies to monitor significant foreign-country exposures of U.S. branches and agenciesof foreign banks. The reports are also used toevaluate the financial condition of these branchesand agencies.

The FFIEC 019 is collected quarterly fromthose branches and agencies of foreign banksthat have, as of the quarterly report date, morethan $30 million in total direct claims on resi-dents of foreign countries. The FFIEC 019 pro-vides data on the foreign-risk exposure of eachreporting branch and agency.

Respondents to the FFIEC 019 must preparethe data as of the close of each calendar quarterand submit the forms to the appropriate ReserveBank no later than 45 days following the reportdate. Data are due at the Board 60 days follow-ing the report date. Bank holding companiesshould obtain, from the management of theirrespective foreign bank subsidiaries, writtenconfirmation that the FFIEC 019 and all otherFederal Reserve and FFIEC reports have beenfiled, as required.

4090.0.4 INSPECTION OBJECTIVES

1. If the bank holding company is internation-ally active, to determine the nature andextent of its direct and indirect country-riskexposures.

2. If the bank holding company has significant

Country Risk 4090.0


direct or indirect international exposure, toevaluate and determine whether it has inplace an effective country-risk managementprocess that is commensurate with the vol-ume and complexity of its internationalactivities.

3. To review and determine if the bank hold-ing company’s system of policies, proce-dures, internal controls, rating system, andstress testing for county-risk managementare adequate and reliable.

4. To determine if the bank holding compa-ny’s board of directors oversees and regu-larly reviews its country-risk managementprocess, approves limits on country expo-sure, provides for adequate capital that iscommensurate with its direct and indirectcountry-risk exposures, and ensures thatmanagement is effectively controlling therisk.

5. To determine if management clearly com-municates the bank holding company’scountry-risk management policies, stan-dards, and practices to the affected officesand staff.

6. To (1) determine if the scope of the bankholding company’s audit function is ade-quate and if the function is sufficiently com-prehensive to ensure the integrity of theinformationseniormanagementand theboarduse to monitor the bank holding company’scountry-risk management process, and(2) ensure that the board of directors or itsaudit committee has provided for adequateaudit coverage of country-risk managementfunctions.

7. To recommend corrective action if a bankholding company’s country-risk manage-ment process and controls are deficientin relation to the level of country-riskexposure.

8. To determine if the bank holding companyis properly preparing the Country ExposureReport, FFIEC 009, and the supplementalCountry Exposure Information Report,FFIEC 009a, both of which are required tobe filed quarterly with the respective ReserveBanks, as applicable.

9. To identify and report individual exposuresconsidered significant in relation to the bankholding company’s capital and the eco-nomic performance of the country.

10. To prepare a report on the bank holdingcompany’s country-exposure managementsystem and on any noted deficiencies.

4090.0.5 INSPECTION PROCEDURES

When performing and updating the bank hold-ing company’s risk assessment, the central pointof contact for the bank holding company shouldinclude an analysis of its direct and indirectcountry-risk exposures (including any signifi-cant country-risk concentrations) and of theadequacy and reliability of its country-risk man-agement. The analysis of the bank holding com-pany’s country-risk management systems shouldconsist of three important components.

One component is the provision for evalua-tion of economic trends, political developments,and the social fabric within countries where thebank holding company’s funds are at risk. Theseso-called country studies are derived from eco-nomic data supplied by the borrower or pub-lished by institutional lenders; sociopoliticalcommentaries; on-site reports from bankbranches, subsidiaries, or affiliates; or bank-officer visits to the country.

In the second component, the board of direc-tors and senior management define the level ofcountry exposure the bank is willing to assume.This undertaking normally includes the estab-lishment of limits on aggregate outstandings,maturities, and categories of risk exposures bycountry, which serve as a guide to operatingmanagement in the development and servicingof the bank holding company’s internationalcredit portfolio.

The third component is the bank holdingcompany’s internal reporting system, whichshould be designed to monitor and control coun-try exposure. A comprehensive reporting sys-tem is required to accurately assign risk expo-sures to the country of risk, ensure adherence tothe directives of the board of directors, providefor at least an annual review of portfolio compo-sition in individual countries, and establish aclear-cut methodology for reporting exceptionsto established limits.

A summary of the country-risk managementsystem should be prepared. Set forth below areguidelines and procedures for examiners to usein evaluating the systems banks use to monitorand control country-risk elements in their inter-national loan portfolios. In assessing the qualityof the country-risk management system, exam-iners should, as a matter of course, spot-checkthe accuracy of the data submitted on the Coun-try Exposure Report, FFIEC 009, and the supple-mental Country Exposure Information Report,FFIEC 009a, as applicable. The review shouldinclude a review of the exposures for at leastseveral countries. The report page, Examiners’Comments and Matters Requiring Special Board

Country Risk 4090.0


Attention, should be used to comment on mate-rial exceptions.

1. Obtain any written policies, procedures, orsummaries of the bank holding company’scountry-risk management system. Determinewhether the bank holding company’s country-risk management system includes—a. effective oversight by the board of

directors,b. adequate risk-management policies and

procedures,c. an accurate country-exposure reporting

system,d. an effective country-risk analysis process,e. a country-risk rating system,f. country-exposure limits,g. ongoing monitoring of country conditions,h. periodic stress testing of foreign expo-

sures, andi. adequate internal controls and an audit

function. (See SR-02-05.)2. Review international-lending policies and

determine—a. if the board of directors regularly reviews

and gives final approval to the limits oncountry exposure at least annually (orquarterly, if the foreign exposures are highrisk or the concentrations are significant);

b. who initiates the country ratings and coun-try limits;

c. how frequently and by whom country rat-ings and limits are reviewed and changed;

d. how the bank holding company definesthe ratings assigned to the variouscountries;

e. how country limits are determined;f. who is responsible for monitoring compli-

ance with country limits;g. if country-risk limits consider—

(1) the overall strategy guiding the insti-tution’s international activities,

(2) the country’s risk rating and the insti-tution’s appetite for risk,

(3) perceived business opportunities inthe country, and

(4) the desire to support the interna-tional business needs of domesticcustomers;

h. to what extent country limits are viewedas guidelines that may be exceeded;

i. if the bank holding company has differentsublimits for private- and public-sectorcredits;

j. if separate limits are established for private-and public-sector credits;

k. if the board of directors or a committeethereof periodically reviews country rat-

ings and limits, and evaluates the bankholding company’s performance againstthose standards;

l. to what extent comments or classifica-tions of bank supervisors are consideredin establishing, increasing, or decreasingcountry limits;

m. how the system has been changed sincethe last examination;

n. if the bank holding company has a reli-able system for capturing and categoriz-ing the volume and nature of foreignexposures;

o. whether the bank holding company has asystem to monitor current conditions ineach of the countries where it is signifi-cantly exposed;

p. if there is regular, ongoing communica-tion between senior management and theresponsible country managers;

q. if established procedures are in place fordealing with exposures in troubled coun-tries, including contingency plans forreducing risk and, if necessary, exiting thecountry; and

r. whether the bank holding company peri-odically conducts stress tests (financialmodeling or measuring the impact of vari-ous scenarios on its country-risk profiles)of its foreign exposures, and if the resultsare reported to senior management andthe board of directors.

3. Review reports furnished to the board or theappropriate committee to ensure that compre-hensive and accurate information is beingsubmitted on a timely basis.

4. Obtain the bank holding company’s reporton the general distribution and characteris-tics of the international loan portfolio andcompare loan-category distributions foradherence to guidelines.

5. During a discussion with senior manage-ment, direct inquiries to—a. gain insight into general management’s

international-lending philosophy, andb. elicit management’s responses for correc-

tion of deficiencies.6. When reporting on the bank holding compa-

ny’s country-risk management system, con-sider factors such as—a. the quality of internal policies, practices,

procedures, and controls over theinternational-lending functions;

b. the scope and adequacy of the internal

Country Risk 4090.0


loan-review system as it pertains to coun-try risk;

c. causes of existing problems;d. commitments from management for cor-

rection of deficiencies;e. expectations for continued sound interna-

tional lending or correction of existingdeficiencies;

f. the ability of management to monitor andcontrol transfer risk;

g. the general level of adherence to internalpolicies, practices, procedures, and con-trols; and

h. the scope and adequacy of the bank hold-ing company’s analysis of countryconditions.

Country Risk 4090.0


bank holding company rating system section 4070 · revised bank holding company (bhc) rating system...

Documents