appropriate to the size of the institution and the nature and scope of its activities and that provides for: 1. Adequate monitoring of the system of internal controls through an internal audit function. For an institution whose size, complexity or scope of operations does not warrant a full scale internal audit function, a system of independent reviews of key internal controls may be used; 2. Independence and objectivity; 3. Qualified persons; 4. Adequate testing and review of information systems; 5. Adequate documentation of tests and findings and any corrective actions; 6. Verification and review of management actions to address material weaknesses; and 7. Review by the institution's audit committee or board of directors of the effectiveness of the internal audit systems. C. Loan documentation. An institution should establish and maintain loan documentation practices that: 1. Enable the institution to make an informed lending decision and to assess risk, as necessary, on an ongoing basis; 2. Identify the purpose of a loan and the source of repayment, and assess the ability of the borrower to repay the indebtedness in a timely manner; 3. Ensure that any claim against a borrower is legally enforceable; 4. Demonstrate appropriate administration and monitoring of a loan; and 5. Take account of the size and complexity of a loan. An institution D. Credit underwriting. should establish and maintain prudent credit underwriting practices that: 1. Are commensurate with the types of loans the institution will make and consider the terms and conditions under which they will be made; 2. Consider the nature of the markets in which loans will be made; 3. Provide for consideration, prior to credit commitment, of the borrower's overall financial condition and resources, the financial responsibility of any guarantor, the nature and value of any underlying collateral, and the borrower's character and willingness to repay as agreed; 4. Establish a system of independent, ongoing credit review and appropriate communication to management and to the board of directors; 5. Take adequate account of concentration of credit risk; and 6. Are appropriate to the size of the institution and the nature and scope of its activities. E. Interest rate exposure. An institution should: 1. Manage interest rate risk in a manner that is appropriate to the size of the institu tion and the complexity of its assets and liabilities; and 2. Provide for periodic reporting to management and the board of directors regarding interest rate risk with adequate information for management and the board of directors to assess the level of risk. F. Asset growth. An institution's asset growth should be prudent and consider: 1. The source, volatility and use of the funds that support asset growth; 2. Any increase in credit risk or interest rate risk as a result of growth; and 3. The effect of growth on the institution's capital. G. Asset quality. An insured depository institution should establish and maintain a system that is commensurate with the institution's size and the nature and scope of its operations to identify problem assets and prevent deterioration in those assets. The institution should: 1. Conduct periodic asset quality reviews to identify problem assets; 2. Estimate the inherent losses in those assets and establish reserves that are sufficient to absorb estimated losses; 3. Compare problem asset totals to capital; 4. Take appropriate corrective action to resolve problem assets; 5. Consider the size and potential risks of material asset concentrations; and 6. Provide periodic asset reports with adequate information for management and the board of directors to assess the level of asset risk. H. Earnings. An insured depository institution should establish and maintain a system that is commensurate with the institution's size and the nature and scope of its operations to evaluate and monitor earnings and ensure that earnings are sufficient to maintain adequate capital and reserves. The institution should: 1. Compare recent earnings trends relative to equity, assets, or other commonly used benchmarks to the institution's historical results and those of its peers; 2. Evaluate the adequacy of earnings given the size, complexity, and risk profile of the institution's assets and operations; 3. Assess the source, volatility, and sustainability of earnings, including the effect of nonrecurring or extraordinary income or expense; 4. Take steps to ensure that earnings are sufficient to maintain adequate capital and reserves after considering the institution's asset quality and growth rate; and 5. Provide periodic earnings reports with adequate information for management and the board of directors to assess earnings performance. I. Compensation, fees and benefits. An institution should maintain safeguards to prevent the payment of compensation, fees, and benefits that are excessive or that could lead to material financial loss to the institution. III. PROHIBITION ON COMPENSATION THAT CONSTITUTES AN UNSAFE AND UNSOUND PRACTICE A. Excessive Compensation Excessive compensation is prohibited as an unsafe and unsound practice. Compensation shall be considered excessive when amounts paid are unreasonable or disproportionate to the services performed by an executive officer, employee, director, or principal shareholder, considering the following: 1. The combined value of all cash and noncash benefits provided to the individual; 2. The compensation history of the individual and other individuals with comparable expertise at the institution; 3. The financial condition of the institution; 4. Comparable compensation practices at comparable institutions, based upon such factors as asset size, geographic location, and the complexity of the loan portfolio or other assets; 5. For postemployment benefits, the projected total cost and benefit to the institution; 6. Any connection between the individual and any fraudulent act or omission, breach of trust or fiduciary duty, or insider abuse with regard to the institution; and 7. Any other factors the agencies determines to be relevant. B. Compensation Leading to Material Financial Loss Compensation that could lead to material financial loss to an institution is prohibited as an unsafe and unsound practice. [60 FR 35678, 35685, July 10, 1995; 61 FR 43951, Aug. 27, 1996] APPENDIX B TO PART 364-INTERAGENCY GUIDELINES ESTABLISHING YEAR 2000 NESS TABLE OF CONTENTS I. Introduction A. Preservation of existing authority B. Definitions II. Year 2000 Standards for Safety and Sound ness A. Review of mission-critical systems for Year 2000 readiness B. Renovation of internal mission-critical systems C. Renovation of external mission-critical systems D. Testing of mission-critical systems E. Business resumption contingency planning F. Remediation contingency planning H. Involvement of the board of directors and management I. INTRODUCTION The Interagency Guidelines Establishing Year 2000 Standards for Safety and Soundness (Guidelines) set forth safety and soundness standards pursuant to section 39 of the Federal Deposit Insurance Act (section 39) (12 U.S.C. 1831p-1) that are applicable to an insured depository institution's efforts to achieve Year 2000 readiness. The Guidelines, which also interpret the general standards in the Interagency Guidelines Establishing Standards for Safety and Soundness adopted in 1995, apply to all insured depository institutions. A. Preservation of Existing Authority Neither section 39 nor the Guidelines in any way limits the authority of the Federal banking agencies to address unsafe or unsound practices, violations of law, unsafe or unsound conditions, or other practices. The Federal banking agencies, in their sole discretion, may take appropriate actions so that insured depository institutions will be able to successfully continue business operations after January 1, 2000, including on a case-by-case basis requiring actions by dates that are later than the key dates set forth in the Guidelines. Action under section 39 and the Guidelines may be taken independently of, in conjunction with, or in addition to any other action, including enforcement action, available to the Federal banking agencies. B. Definitions 1. In general. For purposes of the Guidelines the following definitions apply: a. Business resumption contingency plan means a plan that describes how missioncritical systems of the insured depository institution will continue to operate in the event there are system failures in processing, calculating, comparing, or sequencing date or time data from, into, or between the 20th and 21st centuries; or the years 1999 and 2000; or with regard to leap year calculations. b. External system means a system the renovation of which is not controlled by the insured depository institution, including systems provided by service providers and any interfaces with external third party suppliers and other material third parties. personal computers, readers/sorters, and proof machines. Internal system also may include a system controlled by the insured depository institution with embedded integrated circuits (e.g., heating and cooling systems, vaults, communications, security systems, and elevators). e. Mission-critical system means an application or system that is vital to the successful continuance of a core business activity. An application or system may be mission-critical if it interfaces with a designated missioncritical system. Software products also may be mission-critical. f. Other material third party means a third party, other than an external third party supplier, to whom an insured depository institution transmits data or from whom an insured depository institution receives data, including business partners (e.g., credit bureaus), other insured depository institutions, payment system providers, clearinghouses, customers, and utilities. a g. Remediation contingency plan means plan that describes how the insured depository institution will mitigate the risks associated with the failure to successfully complete renovation, testing, or implementation of its mission-critical systems. h. Renovation means code enhancements, hardware and software upgrades, system replacements, and other associated changes that ensure that the insured depository institution's mission-critical systems and applications are Year 2000 ready. i. Year 2000 ready or readiness with respect to a system or application means the system or application accurately processes, calculates, compares, or sequences date or time data from, into, or between the 20th and 21st centuries; or the years 1999 and 2000; or with regard to leap year calculations. II. YEAR 2000 STANDARDS FOR SAFETY AND SOUNDNESS A. Review of Mission-Critical Systems For Year 2000 Readiness. Each insured depository institution shall in writing: 1. Identify all internal and external mission-critical systems that are not Year 2000 ready; 2. Establish priorities for accomplishing work and allocating resources to renovating internal mission-critical systems; 3. Identify the resource requirements and individuals assigned to the Year 2000 project on internal mission-critical systems; 4. Establish reasonable deadlines for commencing and completing the renovation of such internal mission-critical systems; 5. Develop and adopt a project plan that addresses the insured depository institution's Year 2000 renovation, testing, contingency planning, and management oversight process; and 6. Develop a due diligence process to monitor and evaluate the efforts of external third party suppliers to achieve Year 2000 readiness. B. Renovation of Internal Mission-Critical Systems. Each insured depository institution shall commence renovation of all internal mission-critical systems that are not Year 2000 ready in sufficient time that testing of the renovation can be substantially completed by December 31, 1998. C. Renovation of External Mission-Critical Systems. Each insured depository institution shall: 1. Determine the ability of external third party suppliers to renovate external missioncritical systems that are not Year 2000 ready and to complete the renovation in sufficient time to substantially complete testing by March 31, 1999; 2. Maintain written documentation of all its communications with external third party suppliers regarding their ability to renovate timely and effectively external mission-critical systems that are not Year 2000 ready; and 3. Develop in writing an ongoing due diligence process to monitor and evaluate the efforts of external third party suppliers to achieve Year 2000 readiness, including: a. monitoring the efforts of external third party suppliers to achieve Year 2000 readiness on at least a quarterly basis and documenting communications with these suppliers; and b. reviewing the insured depository institution's contractual arrangements with external third party suppliers to determine the parties' rights and obligations to achieve Year 2000 readiness. D. Testing of Mission-Critical Systems. Each insured depository institution shall: 1. Develop and implement an effective written testing plan for both internal and external systems. Such a plan shall include the testing environment, testing methodology, testing schedules, budget projections, participants to be involved in testing, and the critical dates to be tested to achieve Year 2000 readiness; 2. Verify the adequacy of the testing process and validate the results of the tests with the assistance of the project manager responsible for Year 2000 readiness, the owner of the system tested, and an objective independent party (such as an auditor, a consultant, or a qualified individual from within or outside of the insured depository institution who is independent of the process under review); 3. Substantially complete testing of internal mission-critical systems by December 31, 1998; 4. Commence testing of external missioncritical systems by January 1, 1999; 5. Substantially complete testing of external mission-critical systems by March 31, 1999; 6. Commence testing with other material third parties by March 31, 1999; and 7. Complete testing of all mission-critical systems by June 30, 1999. E. Business Resumption Contingency Planning. Each insured depository institution shall develop and implement an effective written business resumption contingency plan that, at a minimum: 1. Defines scenarios for mission-critical systems failing to achieve Year 2000 readi ness; 2. Evaluates options and selects a reasonable contingency strategy for those systems; 3. Provides for the periodic testing of the business resumption contingency plan; and 4. Provides for independent testing of the business resumption contingency plan by an objective independent party, such as an auditor, consultant, or qualified individual from another area of the insured depository institution who was not involved in the formulation of the business resumption contingency plan. F. Remediation Contingency Planning. Each insured depository institution that has failed to successfully complete renovation, testing, and implementation of a mission-critical system, or is in the process of remediation and is not on schedule with the key dates in section II.D, shall develop and implement an effective written remediation contingency plan that, at a minimum: 1. Outlines the alternatives available if remediation efforts are not successful, including the availability of alternative external third party suppliers, and selects a reasonable contingency strategy; and 2. Establishes trigger dates for activating the remediation contingency plan, taking into account the time necessary to convert to alternative external third party suppliers or to complete any other selected strategy. G. Customer Risk. Each insured depository institution shall develop and implement a written due diligence process that: 1. Identifies customers, including fund providers, fund takers, and capital market/asset management counterparties, that represent material risk exposure to the institution; 2. Evaluates their Year 2000 preparedness; 3. Assesses their existing and potential Year 2000 risk to the institution; and 4. Implements appropriate risk controls, including controls for underwriting risk, to manage and mitigate their Year 2000 risk to the institution. H. Involvement of the Board of Directors and Management. 1. During all stages of the renovation, testing, and contingency planning process, the board of directors and management of each insured depository institution shall: a. be actively involved in managing efforts to plan, allocate resources, and monitor progress towards attaining Year 2000 readiness; b. oversee the efforts of the insured depository institution to achieve Year 2000 readiness and allocate sufficient resources to resolve problems relating to the institution's Year 2000 readiness; and c. evaluate the Year 2000 risk associated with any strategic business initiatives contemplated by the insured depository institution, including mergers and acquisitions, major systems development, corporate alliances, and system interdependencies. 2. In addition, the board of directors, at a minimum, shall require from management, and management shall provide to the board of directors, written status reports, at least quarterly and as otherwise appropriate to keep the directorate fully informed, of the insured depository institution's efforts in achieving Year 2000 readiness. Such written status reports shall, at a minimum, include: a. The overall progress of the insured depository institution's efforts in achieving Year 2000 readiness; b. The insured depository institution's interim progress in renovating, validating, and contingency planning measured against the insured depository institution's Year 2000 project plan as adopted under section II.A.5. of appendix B; c. The status of efforts by key external third party suppliers and other material third parties in achieving Year 2000 readiness; d. The results of the testing process; e. The status of contingency planning efforts; and f. The status of the ongoing assessment of customer risk. [63 FR 55484, 55486, Oct. 15, 1998] PART 365-REAL ESTATE LENDING STANDARDS Sec. 365.1 Purpose and scope. 365.2 Real estate lending standards. APPENDIX A ΤΟ PART 365-INTERAGENCY GUIDELINES FOR REAL ESTATE LENDING POLICIES AUTHORITY: 12 U.S.C. 1828(0). SOURCE: 57 FR 62896, 62900, Dec. 31, 1992, unless otherwise noted. §365.1 Purpose and scope. This part, issued pursuant to section 304 of the Federal Deposit Insurance Corporation Improvement Act of 1991, 12 U.S.C. 1828(o), prescribes standards for real estate lending to be used by insured state nonmember banks (including state-licensed insured branches of foreign banks) in adopting internal real estate lending policies. § 365.2 Real estate lending standards. (a) Each insured state nonmember bank shall adopt and maintain written policies that establish appropriate limits and standards for extensions of credit that are secured by liens on or interests in real estate, or that are made for the purpose of financing permanent improvements to real estate. (b)(1) Real estate lending policies adopted pursuant to this section must: (i) Be consistent with safe and sound banking practices; (ii) Be appropriate to the size of the institution and the nature and scope of its operations; and (iii) Be reviewed and approved by the bank's board of directors at least annually. (2) The lending policies must establish: (i) Loan portfolio standards; diversification (ii) Prudent underwriting standards, including loan-to-value limits, that are clear and measurable; (iii) Loan administration procedures for the bank's real estate portfolio; and (iv) Documentation, approval, and reporting requirements to monitor compliance with the bank's real estate lending policies. (c) Each insured state nonmember bank must monitor conditions in the real estate market in its lending area to ensure that its real estate lending policies continue to be appropriate for current market conditions. (d) The real estate lending policies adopted pursuant to this section should reflect consideration of the Interagency Guidelines for Real Estate Lending Policies established by the Federal bank and thrift supervisory agencies. APPENDIX A TO PART 365-INTERAGENCY GUIDELINES FOR REAL ESTATE LENDING POLICIES The agencies' regulations require that each insured depository institution adopt and maintain a written policy that establishes appropriate limits and standards for all extensions of credit that are secured by liens on or interests in real estate or made for the purpose of financing the construction of a building or other improvements.5 These guidelines are intended to assist institutions in the formulation and maintenance of a real estate lending policy that is appropriate to the size of the institution and the nature and scope of its individual operations, as well as satisfies the requirements of the regulation. Each institution's policies must be comprehensive, and consistent with safe and sound lending practices, and must ensure that the institution operates within limits and according to standards that are reviewed and approved at least annually by the board of directors. Real estate lending is an integral part of many institutions' business plans and, when undertaken in a prudent manner, will not be subject to examiner criticism. LOAN PORTFOLIO MANAGEMENT CONSIDERATIONS The lending policy should contain a general outline of the scope and distribution of the institution's credit facilities and the manner in which real estate loans are made, serviced, and collected. In particular, the institution's policies on real estate lending should: • Identify the geographic areas in which the institution will consider lending. • Establish a loan portfolio diversification policy and set limits for real estate loans by type and geographic market (e.g., limits on higher risk loans). Identify appropriate terms and conditions by type of real estate loan. • Establish loan origination and approval procedures, both generally and by size and type of loan. • Establish prudent underwriting standards that are clear and measurable, including loan-to-value limits, that are consistent with these supervisory guidelines. • Establish review and approval procedures for exception loans, including loans with loan-to-value percentages in excess of supervisory limits. • Establish loan administration procedures, including documentation, disbursement, collateral inspection, collection, and loan review. • Establish real estate appraisal and evaluation programs. • Require that management monitor the loan portfolio and provide timely and adequate reports to the board of directors. The institution should consider both internal and external factors in the formulation of its loan policies and strategic plan. Factors that should be considered include: 5 The agencies have adopted a uniform rule on real estate lending. See 12 CFR part 365 (FDIC); 12 CFR part 208, subpart C (FRB); 12 CFR part 34, subpart D (OCC); and 12 CFR 563.100-101 (OTS). |