Federal Housing Finance Agency Print
Home / Supervision & Regulation / Advisory Bulletins / FHFA Examination Rating System
Advisory Bulletin

FHFA Examination Rating System

Number: AB 2012-03
Pertains To: All
12/19/2012

​ADVISORY BULLETIN

AB 2012-03

FHFA EXAMINATION RATING SYSTEM

 

Purpose:

This Advisory Bulletin communicates the new examination rating system to be used when examining the entities regulated by the Federal Housing Finance Agency (FHFA). The FHFA Examination Rating System (known as CAMELSO) replaces the rating systems previously applied by the Division of Bank Regulation (DBR) and the Division of Enterprise Regulation (DER).

Issue:

DBR and the DER applied different examination rating systems developed by the predecessor agencies that were merged to form the FHFA. Those rating systems differed in certain respects, but both addressed risks common to the Federal Home Loan Banks (FHLB), the Office of Finance (OF), and Fannie Mae and Freddie Mac (Enterprises). FHFA concluded that the agency should have a single examination rating system that would allow examination ratings to be organized and presented in a consistent manner.

Background:

DBR assigned ratings to the Federal Home Loan Banks and the Office of Finance based on guidelines developed by the Federal Housing Finance Board (FHFB). The FHLB Rating System was a numeric system that used a four-point rating scale. FHFA used that system to assign a composite rating and component ratings to each FHLBank and the Office of Finance.

DER assigned ratings to Fannie Mae and Freddie Mac based on guidelines developed by the Office of Federal Housing Enterprise Oversight (OFHEO). The OFHEO rating system, known as GSEER (Governance, Solvency, Earnings, and Enterprise Risk), was a four-tier system to assign ratings that ranged from “No or Minimal Concerns” to “Critical Concerns.”

FHFA published detail on the previous examination rating systems in the Federal Register on June 19, and November 13, 2012. The remainder of this directive contains the description of the CAMELSO examination rating system that was attached to FHFA’s final Federal Register public notice.

  1. I. Introduction and Overview

    The FHFA Examination Rating System is a risk-focused rating system under which each regulated entity and the Office of Finance is assigned a composite rating based on an evaluation of various aspects of its operations. Specifically, the composite rating of a Federal Home Loan Bank or an Enterprise is based on an evaluation and rating of seven components: Capital, Asset quality; Management; Earnings; Liquidity; Sensitivity to market risk; and Operational risk (CAMELSO). The composite rating of the Office of Finance is based primarily on an evaluation of two components: Management and Operational risk.

    Under the rating system, each Federal Home Loan Bank, Enterprise and the OF is assigned a composite rating from “1” to “5.” A “1” rating indicates the lowest degree of supervisory concern, while a “5” rating indicates the highest level of supervisory concern. The composite rating of each Federal Home Loan Bank and Enterprise and the OF reflects the ratings of the underlying components, which are also rated on a scale of “1” to “5.” The composite rating is not an arithmetic average of the component ratings. Instead, the relative importance of each component is determined on a case-by-case basis, within the parameters established by this rating system.

  2. II. Composite Ratings

    Composite ratings are based on a careful evaluation of: a Federal Home Loan Bank’s or Enterprise’s capital, asset quality, management, earnings, liquidity, sensitivity to market risk, and operational risk; and the OF’s management and operational risk. A regulated entity will be assigned a composite rating of “1” to “5” as described below.

    Composite 1 - The regulated entity is sound in every respect and typically each component is rated “1” or “2.” Any weaknesses are minor and can be addressed in a routine manner by the board of directors and management. The regulated entity is well positioned to withstand business fluctuations and adverse changes in the economic environment. Risk management practices are effective given the regulated entity’s size, complexity and risk profile, and the regulated entity is in substantial compliance with laws, regulations, and regulatory requirements.

    Composite 2 - The regulated entity is generally sound and most components are rated “1” or “2” and typically no component is rated more severely than a “3.” Weaknesses are moderate and the board and management have demonstrated the ability and willingness to take necessary corrective action. The regulated entity is able to withstand business fluctuations and adverse changes in the economic environment. Risk management practices are satisfactory given the regulated entity’s size, complexity and risk profile,and the regulated entity is in substantial compliance with laws, regulations, and regulatory requirements.

    Composite 3 - The regulated entity exhibits moderate to severe weaknesses in one or more respects but most components are rated “3” or better and no component is rated more severely than a “4.” Board and management may have demonstrated a lack of willingness or ability to address identified weaknesses within appropriate timeframes. The regulated entity is generally less capable of withstanding business fluctuations and adverse changes in the economic environment than regulated entities rated a composite “1” or “2.” Risk management practices typically need improvement given the regulated entity’s size, complexity and risk profile, and the regulated entity may be in non-compliance with certain laws, regulations, and/or regulatory requirements.

    Composite 4 - The regulated entity generally exhibits severe weaknesses in multiple respects that result in serious deficiencies and unsatisfactory performance given its risk profile. The weaknesses may range from serious to critically deficient, to unsafe or unsound practices that have not been satisfactorily addressed or resolved by the board of directors and management within approved timeframes. The regulated entity is susceptible to further deterioration in condition or performance from business fluctuations and adverse changes in the economic environment. Risk management practices are deficient given the regulated entity’s size, complexity and risk profile, and the regulated entity may be in non-compliance with critical laws, regulations and regulatory requirements. The viability of the regulated entity may be threatened if the problems and weaknesses are not satisfactorily resolved within an appropriate timeframe.

    Composite 5 - The regulated entity exhibits a volume and severity of problems that are beyond the ability of the board of directors or management to correct. The regulated entity exhibits unsafe or unsound practices or conditions. Changes to the board of directors or management are needed and outside financial or other assistance may be needed in order for the regulated entity to be viable. Risk management practices are critically deficient given the regulated entity’s size, complexity and risk profile, and the regulated entity may be in significant non-compliance with laws, regulations and regulatory requirements.

  3. III. Component Ratings

    The composite rating is derived from the seven component ratings that are described below. Each of the component rating descriptions provides a list of evaluative factors that relate to that component. The listing of evaluative factors is not exhaustive, and is not in order of importance.

    CAPITAL – when rating a regulated entity’s capital, examiners determine whether the regulated entity has sufficient capital relative to the entity’s risk profile. When making this determination, examiners assess:

    • the extent to which the regulated entity meets (or fails to meet) applicable capital requirements (laws, regulations, orders, guidance);

    • the overall financial condition of the regulated entity;

    • the composition of the balance sheet, including the nature and amount of intangible assets, the composition of capital, market risk, and concentration risk;

    • the level, composition and risk exposure inherent in off-balance sheet activities;

    • the types and quantity of risk inherent in the regulated entity’s activities and management’s ability to effectively identify, measure, monitor and control each of these risks;

    • the potentially adverse consequences these risks may have on the regulated entity’s capital;

    • the adequacy of the allowance for loan losses and other reserves, as well as the nature, trend and volume of problem assets;

    • the quality and strength of earnings and the reasonableness of dividends;

    • the regulated entity’s prospects and plans for growth, as well as the regulated entity’s past experience in managing growth;

    • the ability of management to address emerging needs for additional capital; and

    • the regulated entity’s access to capital markets and other sources of capital.

    Capital ratings

    1. A rating of 1 indicates: The level and composition of capital is strong relative to the regulated entity’s risk profile. The regulated entity meets or exceeds all regulatory and statutory capital requirements and is expected to continue to be well-capitalized considering potential risks to the regulated entity. Capital management practices are strong.

    2. A rating of 2 indicates: The level and composition of capital is satisfactory relative to the regulated entity’s risk profile. The regulated entity meets or exceeds all regulatory and statutory capital requirements and is expected to continue to be satisfactorily capitalized considering potential risks to the regulated entity. Capital management practices are satisfactory, although minor weaknesses may be identified.

    3. A rating of 3 indicates: The level and/or composition of capital needs improvement and does not fully support the regulated entity’s risk profile. Although the regulated entity may currently meet or exceed minimum regulatory and statutory capital requirements, capital should be augmented when considering potential risks to the regulated entity. Capital management practices need improvement.

    4. A rating of 4 indicates: The level and/or composition of capital is not adequate relative to the regulated entity’s risk profile. The regulated entity may not meet all minimum regulatory and statutory capital requirements, and the viability of the entity may be in question. Capital management practices exhibit deficiencies.

    5. A rating of 5 indicates: The level and composition of capital are critically deficient and the viability of the regulated entity may be threatened. The regulated entity does not meet minimum regulatory and statutory capital requirements. Outside financial assistance may be needed in order for the regulated entity to be viable.

    ASSET QUALITY – when rating a regulated entity’s asset quality, examiners determine the quantity of existing and potential credit risk associated with the loan and investment portfolios, advances, real estate owned, and other assets, as well as off-balance sheet transactions, and management’s ability to identify, measure, monitor and control credit risk. When making this determination, examiners assess:

    •  the adequacy of underwriting standards;

    •  the soundness of credit administration practices;

    • the appropriateness of risk identification and rating practices;

    • the level, distribution, severity of problem, adversely classified, nonaccrual, restructured, delinquent, and nonperforming assets for both on- and off-balance sheet transactions;

    • the level and trend of charge-offs;

    • the adequacy of the allowance for loan losses and other asset valuation reserves;

    • the credit risk arising from or reduced by off-balance sheet transactions, such as unfunded commitments, credit derivatives, and lines of credit;

    • the diversification and quality of the loan and investment portfolios;

    • the extent of securities underwriting activities and exposure to counterparties in trading activities;

    • the existence of asset concentrations;

    • the level and pace of asset growth;

    • the adequacy of loan and investment policies, procedures and practices;

    • the ability of management to properly administer its assets, including the timely identification and collection of problem assets;

    • the adequacy of internal controls and management information systems; and

    • the volume and nature of credit documentation exceptions.

    Asset quality ratings

    1. A rating of 1 indicates: Asset quality and credit risk management practices are strong. Any identified weaknesses are minor in nature and risk exposure is minimal in relation to the regulated entity’s capital protection and management’s ability to identify, monitor and mitigate risks

    2. A rating of 2 indicates: Asset quality and credit risk management practices are satisfactory. Identified weaknesses, such as the level and severity of adversely-rated or classified assets, are moderate and in-line with the regulated entity’s capital protection and management’s ability to identify, monitor and mitigate risks.

    3. A rating of 3 indicates: Asset quality or credit risk management practices need improvement. Identified weaknesses, such as the level and severity of adversely rated or classified assets, are significant and not in-line with the regulated entity’s capital protection or management’s ability to identify, monitor and mitigate risks.

    4. A rating of 4 indicates: Asset quality or credit risk management practices are deficient. Identified weaknesses, such as the level of problem assets are significant and inadequately controlled. The weaknesses subject the regulated entity to potential losses, which if left unchecked may threaten the regulated entity’s viability.

    5. A rating of 5 indicates: Asset quality or credit risk management practices are critically deficient and may represent an imminent threat to the regulated entity’s viability.

    MANAGEMENT – When rating a regulated entity’s management, examiners determine the capability and willingness of the board of directors and management, in their respective roles, to identify, measure, monitor, and control the risks of the regulated entity’s activities and to ensure that the regulated entity’s safe, sound and efficient operations are in compliance with applicable laws and regulations. When making this determination, examiners assess:

    • the level and quality of oversight and support of all entity activities by the board of directors and management;

    • the quality and effectiveness of strategic planning;

    • the ability of the board of directors and management, in their respective roles, to plan for, and respond to, risks that may arise from changing business conditions or the initiation of new activities or products;

    • the adequacy of, and conformance with, appropriate internal policies and controls addressing the operations and risks of significant activities;

    • the accuracy, timeliness and effectiveness of management information and risk monitoring systems appropriate for the regulated entity’s size, complexity and risk profile;

    • the ability and willingness to identify, measure, monitor, and control risks across the regulated entity;

    • the adequacy of audits and internal controls to promote effective operations and reliable financial and regulatory reporting; safeguard assets; and ensure compliance with laws, regulations, regulatory requirements, and internal policies;

    • the adequacy of anti-money laundering processes and other processes designed to identify, manage and/or report financial fraud;

    • the regulated entity’s compliance with laws and regulations, including Prudential Management and Operational Standards (PMOS), Office of Minority and Women Inclusion (OMWI) and relevant provisions of the Dodd-Frank Act;

    • the regulated entity’s responsiveness to findings made by regulatory authorities, the regulated entity’s risk management function, internal/external audit functions or outside consultants;

    • the depth of management and management succession;

    • the extent that the board of directors and management is affected by, or susceptible to, dominant influence or concentration of authority;

    • the reasonableness and comparability of compensation and compensation policies and avoidance of self-dealing;

    • the ability of the regulated entity to achieve mission-related goals and requirements, including affordable housing and community investment requirements; and

    • the overall performance of the regulated entity and its risk profile.

    Management ratings

    1. A rating of 1 indicates: The performance by the board of directors and management, and risk management practices relative to the regulated entity’s size, complexity and risk profile are strong. All significant risks are consistently and effectively identified, measured, monitored and controlled. The regulated entity is in substantial compliance with laws, regulations and regulatory requirements, including mission-related and affordable housing goals and requirements. The board of directors and management demonstrate the ability to promptly and successfully address existing and potential problems and risks.

    2. A rating of 2 indicates: The performance by the board of directors and management, and risk management practices relative to the regulated entity’s size, complexity and risk profile are satisfactory. Generally, significant risks and problems are effectively identified, measured, monitored and controlled. The regulated entity is in substantial compliance with laws, regulations and regulatory requirements, including mission-related and affordable housing goals and requirements. Minor weaknesses may exist, but they are not material to the safety and soundness of the regulated entity, and are being satisfactorily addressed.

    3. A rating of 3 indicates: The performance by the board of directors and management, and/or risk management practices need improvement given the regulated entity’s size, complexity and risk profile. Problems and significant risks may be inadequately identified, measured, monitored or controlled. The regulated entity may be in non-compliance with laws, regulations and regulatory requirements, including mission-related and affordable housing goals and requirements. The capabilities of the board of directors or management may be insufficient for the type, size or condition of the regulated entity.

    4. A rating of 4 indicates: The performance by the board of directors and management and/or risk management practices are deficient given the regulated entity’s size, complexity and risk profile. Operational or performance problems and significant risks are inadequately identified, measured, monitored or controlled, and require immediate action to preserve the soundness of the regulated entity. The regulated entity may be in significant non-compliance with laws, regulations and regulatory requirements, including mission-related and affordable housing goals and requirements.

    5. A rating of 5 indicates: The performance by the board of directors and management and/or risk management practices are critically deficient. Problems and significant risks are inadequately identified, measured, monitored or controlled, and may threaten the viability of the regulated entity. The regulated entity is in significant non-compliance with laws, regulations and regulatory requirements, including mission-related and affordable housing goals and requirements. The board of directors and management fail to demonstrate the ability or willingness to correct problems and implement appropriate risk management practices.

    EARNINGS - when rating a regulated entity’s earnings, examiners determine the quantity, trend, sustainability, and quality of earnings. When making this determination, examiners assess:

      • the level, trend and stability of earnings from core business activities;

      • the ability to provide for adequate capital through retained earnings;

      • the quality and source of earnings, including the level of reliance on extraordinary gains, nonrecurring events, or favorable tax effects;

      • the level of expenses in relations to operations;

      • the adequacy of the budgeting systems, forecasting processes, and management information systems in general;

      • the adequacy of provisions to maintain the allowance for loan losses and other valuation allowance accounts; and

      • the earnings exposure to market risk.

    Earnings ratings

    1. A rating of 1 indicates: The quality, quantity, and sustainability of earnings are strong. The regulated entity’s earnings are more than sufficient to support operations and maintain adequate capital and allowance levels after considering the regulated entity’s overall condition, growth and other factors.

    2. A rating of 2 indicates: The quality, quantity, and sustainability of earnings are satisfactory. The regulated entity’s earnings are sufficient to support operations and maintain adequate capital and allowance levels after considering the regulated entity’s overall condition, growth and other factors.

    3. A rating of 3 indicates: The quality, quantity, or sustainability of earnings needs improvement. The regulated entity’s earnings may not fully support the regulated entity’s operations or provide for adequate capital and/or allowance levels in relation to the regulated entity’s overall condition, growth, and other factors.

    4. A rating of 4 indicates: The quality, quantity, and/or sustainability of earnings is deficient. The regulated entity’s earnings are insufficient to support operations and maintain adequate capital and allowance levels.

    5. A rating of 5 indicates: The quality, quantity, and/or sustainability of earnings is critically deficient. The regulated entity’s earnings are inadequate to cover expenses, and losses may threaten the regulated entity’s viability through the erosion of capital.

    LIQUIDITY – when rating a regulated entity’s liquidity, examiners determine the current level and prospective sources of liquidity compared to funding needs, as well as the adequacy of funds management practices relative to the regulated entity’s size, complexity and risk profile. When making this determination, examiners assess:

    • the adequacy of liquidity sources to meet present and future needs and the ability of the regulated entity to meet liquidity needs without adversely affecting its operations or condition;

    • the availability of assets readily convertible to cash without undue loss;

    • the regulated entity’s access to money markets and other secondary sources of funding;

    • the level and diversification of funding sources, both on- and off-balance sheet;

    • the degree of reliance on short-term, volatile sources of funding to fund longer term assets;

    • the ability to securitize and sell certain pools of assets; and

    • the capability and willingness of management to properly identify, measure, monitor and control the regulated entity’s liquidity position, including the effectiveness of funds management strategies, liquidity policies, management information systems and contingency liquidity plans.

    Liquidity ratings

    1. A rating of 1 indicates: The level of liquidity and the regulated entity’s management of its liquidity position are strong. Any identified weaknesses in its liquidity management practices are minor. The regulated entity has reliable access to sufficient sources of funds on favorable terms to meet current and anticipated liquidity needs. The regulated entity meets or exceeds regulatory guidance related to liquidity.

    2. A rating of 2 indicates: The level of liquidity and the regulated entity’s management of its liquidity position are satisfactory. The regulated entity may have moderate weaknesses in its liquidity management practices, but these are correctable in the normal course of business. The regulated entity has reliable access to sufficient sources of funds on acceptable terms to meet current and anticipated liquidity needs. The regulated entity meets or exceeds regulatory guidance related to liquidity.

    3. A rating of 3 indicates: The level of liquidity or the regulated entity’s management of its liquidity position needs improvement. The regulated entity may evidence moderate weaknesses in funds management practices, or weaknesses that are not correctable in the normal course of business. The regulated entity may lack ready access to funds on reasonable terms. The regulated entity may not meet all regulatory guidance related to liquidity.

    4. A rating of 4 indicates: The level of liquidity or the regulated entity’s management of its liquidity position is deficient. The regulated entity may not have or be able to obtain sufficient funds on reasonable terms. The regulated entity does not meet all regulatory guidance related to liquidity.

    5. A rating of 5 indicates: The level of liquidity or the regulated entity’s management of its liquidity position is critically deficient. The viability of the regulated entity may be threatened and the regulated entity may need to seek immediate external financial assistance to meet maturing obligations or other liquidity needs. The regulated entity does not meet regulatory guidance related to liquidity.

    SENSITIVITY TO MARKET RISK – when rating a regulated entity’s sensitivity to market risk, examiners determine the degree to which changes in interest rates, foreign exchange rates, commodity prices, or equity prices can adversely affect the regulated entity’s earnings or economic capital. When making this determination, examiners assess:

    • the sensitivity of the regulated entity’s earnings, or the economic value of its capital to adverse changes in interest rates, foreign exchange rates, commodity prices or equity prices;

    • the ability of management to identify, measure, monitor and control exposure to market risk given the regulated entity’s size, complexity and risk profile;

    • the nature and complexity of interest rate risk exposure arising from non-trading positions; and

    • the nature and complexity of market risk exposure arising from trading, asset management activities and foreign operations.

    Sensitivity to market risk ratings

    1. A rating of 1 indicates: Market risk sensitivity is well controlled and there is minimal potential that the regulated entity’s earnings performance or capital position will be adversely affected by market risk sensitivity. Risk management practices are strong for the size, sophistication and market risk accepted by the regulated entity. Earnings and capital provide substantial support for the amount of market risk taken by the regulated entity.

    2. A rating of 2 indicates: Market risk sensitivity is satisfactorily controlled and there is moderate potential that the regulated entity’s earnings performance or capital position will be adversely affected by market risk sensitivity. Risk management practices are satisfactory for the size, sophistication and market risk accepted by the regulated entity. Earnings and capital provide adequate support for the amount of market risk taken by the regulated entity.

    3. A rating of 3 indicates: Market risk sensitivity control needs improvement or there is significant potential that the regulated entity’s earnings performance or capital position will be adversely affected by market risk sensitivity. Risk management practices need improvement given the size, sophistication and market risk accepted by the regulated entity. Earnings and capital may not adequately support the amount of market risk taken by the regulated entity.

    4. A rating of 4 indicates: Market risk sensitivity control is deficient or there is a high potential that the regulated entity’s earnings performance or capital position will be adversely affected by market risk sensitivity. Risk management practices are deficient for the size, sophistication and market risk accepted by the regulated entity. Earnings and capital provide inadequate support for the amount of market risk taken by the regulated entity.

    5. A rating of 5 indicates: Market risk sensitivity control is critically deficient or the level of market risk taken by the regulated entity may be an imminent threat to the regulated entity’s viability. Risk management practices are critically deficient for the size, sophistication and level of market risk accepted by the regulated entity.

    OPERATIONAL RISK - when rating a regulated entity’s operational risk, examiners determine the exposure to loss from inadequate or failed internal processes, people, and systems, including internal controls and information technology, or from external events, including all direct and indirect economic losses related to legal liability, reputational setbacks, and compliance and remediation costs to the extent such costs are consequences of operational events. When making this determination examiners assess:

    • the efficiency and effectiveness of operations and technology;

    • the effectiveness of the operational risk framework in identifying and assessing threats posed to operations;

    • the ability of management to identify, measure, monitor and control operational risk;

    • the effectiveness of controls over third-party vendors;

    • the quality of operational risk management in the administration of the regulated entity’s mission-related activities, including affordable housing and community investment activities;

    • the organizational structure, including lines of authority and responsibility for adhering to prescribed policies;

    • the accuracy of recording transactions;

    • the effectiveness of internal controls over financial reporting (i.e., the level of compliance with Sarbanes-Oxley section 404);

    • the controls surrounding limits of authorities, including: safeguarding access to and use of records and assets; segregation of duties;

    • the effectiveness of the control environment in preventing and/or detecting errors and unauthorized activity;

    • the accuracy, effectiveness and security of information systems, data and management reporting;

    • the effectiveness of business continuity planning; and

    • the effectiveness, accuracy and security of models.

    Operational risk ratings

    1. A rating of 1 indicates: Operational risk management is strong and the number and severity of operational risk events are low. There is minimal potential that the regulated entity’s earnings performance or capital position will be adversely affected by the level of operational risk.

    2. A rating of 2 indicates: Operational risk management is satisfactory and the number and severity of operational risk events are moderate. There is moderate potential that the regulated entity’s earnings performance or capital position will be adversely affected by the level of operational risk.

    3. A rating of 3 indicates: Operational risk management needs improvement or there is significant potential that the regulated entity’s earnings performance or capital position will be adversely affected by the level of operational risk. The number and severity of operational risk events are moderate to serious.

    4. A rating of 4 indicates: Operational risk management is deficient or there is a high potential that the regulated entity’s earnings performance or capital position will be adversely affected by the level of operational risk. The number and severity of operational risk events are serious to critical.

    5. A rating of 5 indicates: Operational risk management is critically deficient or the level of operational risk taken by the regulated entity may be an imminent threat to the regulated entity’s viability. The number and severity of operational risk events may threaten the regulated entity’s viability.

EFFECTIVE DATE

The rating system described in this Advisory Bulletin is effective for all FHFA examination activities that commence after January 1, 2013.

Attachments:
© 2020 Federal Housing Finance Agency