Web viewThe below UDAAP Risk Assessment Matrix provides a systematic method to assess and ......


UDAAP Risk Assessment Matrix (Updated May 23, 2017)

Purpose

The below UDAAP Risk Assessment Matrix provides a systematic method to assess and manage UDAAP risk. Note that it is not designed to be the blueprint for a successful UDAAP program that works in isolation from your policies and procedures or your overall risk assessment framework.

The Matrix has three main sections:

1) Inherent Risk Indicators
2) Quality of UDAAP Risk Management (risk controls and mitigation)
3) UDAAP Risk Summary (residual risk and risk direction)

This format is very similar to other risk assessment tools you have likely used or developed for such areas as fair lending, or compliance management systems. It is intended to be scalable. In other words, the methodology can be used at the institution level, business level, or at the product, service or activity level.

The matrix provides a universal list of possible risk issues and control features that could be at play in any specific financial institution. Your responsibility is to determine, based on the type of assessment you are preparing as well as your institution’s footprint, complexity of operations, use of third parties, loan and deposit products, services, and activities, among other things, which of the factors listed in the matrix are relevant to your UDAAP risk assessment. And because UDAAP is so dynamic, you will need to think about what you may need to add.

Lastly, keep in mind that this is not a once and done process. The risk assessment should be performed as often as you feel necessary to ensure you are staying on top of UDAAP risks that may arise in your institution.

The Matrix

Inherent Risk Indicators

The hardest part of the risk assessment process is identifying the level of inherent risk. The level of inherent risk is neither good nor bad; it is just a level of risk identified. Since the business of banking entails taking measured risks to make a reasonable profit, it is normal to have risk present in an institution’s operations. Given the environment we are operating in, your risk is likely to be high.

In order to make sense of UDAAP and be able to get our arms around that risk, we identified four UDAAP risk sources; within each source we identified several key risk categories to consider when evaluating the level of inherent risk. These categories of risk provide a logical framework for documenting the UDAAP inherent risk level. When documenting inherent UDAAP risk we suggest considering the following risk sources: Retail Footprint; Operational Structure; Compliance with Traditional Regulations; and UDAAP Environment (go to the risk assessment matrix to see the sub-categories).

The bottom line in this inherent risk section is that, for whichever factors are actually included in the matrix, UDAAP risk increases as each additional box is checked yes.

Quality of UDAAP Risk Management (risk controls and mitigation)

Once the inherent UDAAP risks have been identified, the next phase in the risk assessment process is to evaluate the level of controls in place to manage or mitigate the inherent risk. Note that there will not be a one-to-one match with the inherent risk factors that are typically present with most regulations.

We separated controls into two groups. Control Set I covers the institution’s Compliance Management System. It identifies and categorizes two sets of controls: Board of Directors and Senior Management Oversight, and the Compliance Management program, which consists of compliance risk management, policies and procedures, training, monitoring and corrective action, and compliance audit.

Control Set II consists of six UDAAP categories: advertisements and solicitations, disclosures, customer service, vendor management, consumer complaint response, and customer friendly features. We recognize that some of these elements of the risk management program could be combined, but it made sense to us to keep each set of controls unique, making it easier to digest and focus on specifics relevant to the compliance structure and the size and complexity of the institution’s operations.

UDAAP Risk Summary

In order to determine the level and degree of UDAAP risk (potential harm to consumers) the institution poses to consumers, we document the inherent risk and then apply the controls that help mitigate the level of inherent risk leaving us with a risk summary. Put another way, the risk summary is the level of risk left over after applying controls. We used a three category rating system as follows:

• Inherent Risk of harm to consumers (Low, Moderate or High): what level of risk do the institution’s product and service mix and marketing plan tend to pose to consumers?
• Risk Controls and Mitigation (Strong, Adequate or Weak): what is the quality of your controls and mitigation in place to monitor and manage the inherent risk level and how that impacts consumers? and
• Risk Summary (Low, Moderate or High): do the risk controls and mitigations sufficiently reduce inherent risk to a level consistent with the institution’s UDAAP risk tolerance? What risk gaps may need to be strengthened or otherwise addressed? Lastly, what is the trend of the UDAAP risk (increasing, decreasing or stable) and when did that last change?


Inherent Risk Indicators

Risk Sources - Overview:

1. Retail Footprint
   a. Customer Demographics
   b. Product and Service Offerings
   c. Complexity of Products and Services
   d. Delivery Channels
2. Strategic Direction
   a. Marketing Strategy
   b. New Product and Service Development
   c. Advertisements and Solicitations
   d. Pricing and Profitability
3. Operations
   a. General Operations
   b. Role of Third Parties (Broker, Dealer, Vendor)
   c. Compliance With Traditional Regulations
4. UDAAP Environment
   a. External: Supervisory Focus
   b. Internal: Customer Complaints

Risk Source #1 – RETAIL FOOTPRINT (4 sub-factors)

1(a) Customer Demographics

Does your bank’s business or marketing plan target less financially savvy customers or is there a significant percentage of these customers in its market and / or CRA assessment area?

• Elderly
• Students
• Military
• Immigrants or other Customers who speak English as a second language
• Consumers with poor credit
• Consumers living in LMI areas
• Others that could be considered less financially savvy

Are the bank’s customer demographics regularly reviewed?
Has the bank’s retail footprint changed recently? Has that had an impact on the customer base that it serves?
Have the bank’s customer demographics shifted in line with census data?
Do the bank’s strategic growth plans reflect community growth and demographic trends?
Is there a significant presence of vulnerable populations (e.g., military bases or retirement communities) in or near the bank’s trade area(s)?

1(b) Product and Service Offerings


Does the Bank offer or service any of the following products?

• Add-On Product
• Secured / Subprime Credit Cards
• Subprime or High Cost Mortgages
• Non-Traditional Mortgages (allow negative amortization)
• Gift Cards
• Fee-Based Overdraft Protection Plans
• Payday, Deposit Advance or Tax Refund Anticipation Loans
• Prepaid cards (e.g., Gift, Travel or Payroll cards)
• Reverse Mortgages
• Student Loans
• Other new and non-traditional banking products or services
• Rewards or Bonuses
• Remittances
• Age-based deposit product with a credit feature

Do different products or services penetrate geographic or consumer markets differently?
Does the bank have an aggressive sales or cross-selling culture?
Does the bank set sales goals and sales incentives?
Are there significant repercussions for not meeting sales goals?
Can consumers apply for a specific product or service and end up with a different product or service than that requested?
Does the bank place holds on any deposits?

1(c) Complexity of Products and Services

Does the bank offer inexpensive basic checking and savings products?
Does the bank’s product mix include any that are complex in nature?
Do any of the bank’s products require customers to jump through complex or non-transparent hoops to obtain a benefit?
Does the bank offer any traditional products or services with non-typical features or requirements?
Is pricing structured or products bundled in a way that makes it difficult for consumers to understand?

1(d) Delivery Channels

How does the bank distribute its products?

• Third Parties
• Subsidiaries or Loan Production Offices
• Any which generate business outside its retail footprint?

Is the bank utilizing any new delivery channels?
Do marketing efforts differ by delivery channel or geographic area?
Do product and service terms vary by delivery channel?
Are special prices, products or services offered in some markets and not others?

Risk Source #2: Strategic Direction (4 sub-factors)


2(a) Marketing Strategy

Have marketing and advertising media varied recently?
Does the bank utilize social network channels to communicate products to customers and potential customers?
Do marketing and advertising materials vary to promote special or limited time offers?
Is the level of marketing and advertising tailored or targeted to address market competition?
Is marketing ever targeted to potentially vulnerable customers?
Is scripting for telephone sales representatives used?
Are customers who call for a specific product, service, or general inquiry required to listen to sales pitches while waiting to secure the information they originally requested?
Do advertising patterns or practices include all customer demographics?

2(b) New Product and Service Development

Have any new loan or deposit products, features, or fee-based services recently been introduced?
Do community groups express concern about any of the products and services the bank offers or doesn’t offer?
Is there pressure to provide any products or services to stay abreast of competition?
Is the bank at the forefront in developing new and non-traditional products and services within its market?
Does the local economy and competition impact willingness to experiment with new products and services?
Has the bank modified any terms, fees, or any loan or deposit products recently?
Does the bank have a formal procedure for evaluating UDAAP risk associated with new or modified products?

2(c) Advertisements and Solicitations

Are customers provided with all the information needed to make an informed decision about the product in a clear, transparent and accurate manner?
Are customers reasonably able to obtain the products and services, including interest rates, amounts of credit or rewards, as represented?
If the bank markets using a language other than English, does it continue to provide customers with relevant disclosures in the same language?
Are advertisements in print, audio, or visual media consistent with advertisements and product descriptions provided on the bank’s web site?
Are prescreened or “pre-approved” solicitations utilized?
Does the bank initiate any email messages for marketing purposes?
Does the bank or a third-party on its behalf engage in outbound telephone/fax marketing?
Does the bank create any native advertising, i.e., advertising which is indistinguishable from news, features or other content?

2(d) Pricing & Profitability

Do all new products and services provide customers with a benefit that will exceed their costs?
Is pricing reasonable in relation to costs and risk?
Does profitability depend on penalty fees?


Is fee income from product and services sales a significant portion of net income?
Do the board and senior management push specific product or service offerings because of significant fee income?
Is fee income significantly higher than at peer banks?
Are product and service volumes exceeding management expectations?
Is there an undue percentage of bank capital invested in loan/deposit products that have been associated with abusive, unfair, or deceptive acts or practices?
Does the bank track products to ensure customers are utilizing what they have paid for? If they are not using a product, are fees refunded?
Does the bank have a high volume of fee reversals (e.g., late fees, overdraft fees)?

Risk Source #3: Operations (3 sub-factors)

3(a) General Operations

Are operations decentralized or outsourced?
Is there an effective enterprise-wide consumer protection compliance function?
Are scoring systems used in any aspect of offering and maintaining customer product and service accounts?
Are mandatory arbitration clauses required in product terms?
Does the bank have an internal “ethics hotline” mechanism for reporting sales integrity issues?
Does the bank communicate its expectation that employees are obligated to report all sales-integrity issues through an internal “hotline” mechanism?
What areas of bank operations can impact a consumer or customer, or their accounts, that are not under the oversight of the compliance department? This could take place through interaction with a bank employee, purchase of a product or service, or other activity through any delivery and communication channels the bank uses.
Do product terms include a clause allowing the bank to file lawsuits in a location other than the consumer’s home state?
Does the bank freeze customers’ electronic account access, for example, access to the customer’s debit or ATM card or mobile web platforms for managing customer accounts, and disable electronic services after consumers become delinquent on a bank credit account without reasonable customer notice?
Does the bank charge for paper statements?
Is there a high rate of employee turnover in key areas such as marketing, underwriting or delivery?
Are staff incented by sales volume, interest rates or other methods which could encourage steering to specific product offerings or other unfair practices?
Does the bank compensate loan officers using bonuses, retirement plans, or other compensation based on loan related profits?
Does the bank collect debts for other parties?
Does the bank sell its debt to third parties?
Does the bank offset loan balances or garnish funds in consumer deposit accounts?
Does the bank initiate foreclosure referrals, foreclosure sales, or offer any loss mitigation options to mortgage borrowers (e.g., modifications, payment forbearance plans, short-sales, or deed-in-lieu of foreclosure)?


Does the bank offer foreclosure/repossession prevention programs or credit repair programs?
Has the bank recently changed loan or deposit platforms, software, or core processors?
Has the bank suspended, terminated, or lowered the credit limit of any open-end loans recently?

3(b) Role of Third Parties (Broker, Dealer, Vendor)

Does the bank work with brokers and dealers?
How frequent or voluminous are staff or customer complaints about third party conduct, including chargeback rates?
Are third-party marketers/advertisers used to develop marketing/advertising programs or scripts for any products or services?
Are third-party processors used?
Has the bank’s use of third party vendors changed recently?
Does the bank have/use any third-party collectors?
Does the bank have any third-party relationships:

• That have a material effect on bank revenues and expenses?
• Involving implementation of new bank activities?
• That store, access, transmit, or perform transactions on sensitive customer information?

3(c) Compliance with Traditional Regulations

Has the bank had recent violations of traditional lending regulations, particularly Reg Z, FCRA or FDCPA?
Has the bank had recent violations of traditional deposit regulations, particularly Reg E or DD?
Does the bank protect customer information from hackers and follow the Right to Financial Privacy Act?
Are customers informed when fraud detection is noted?
Does the bank perform due diligence procedures before selling confidential consumer information to third-parties?

Risk Source #4: UDAAP Environment (2 Sub-factors)

4(a) External -- Supervisory Focus

Are regulator publications emphasizing consumer issues that impact the bank directly?
Have the bank’s product and service types been the focus of news coverage?
Has the bank been subject to any enforcement actions or been investigated by a regulatory or law enforcement agency for violations of consumer protection laws or regulations?
Have any peer banks been subject to enforcement actions or investigated by a regulatory or law enforcement agency for violations of consumer protection laws or regulations related to products that it offers?
Has anything material changed recently in consumer protection regulations or UDAAP standards or related state law? If so, did the bank have adequate time to implement and do all affected personnel understand the new requirements?
Has the bank’s regulator recently communicated any information requests for specific bank data or related to specific activities?


4(b) Internal -- Consumer Complaints

Is there any pending litigation regarding any of the bank’s product or service offerings?
Is there litigation activity concerning products or services the bank offers?
Does the bank have any consumer complaints that indicate potential UDAP concerns:

• Misleading or false statements?
• Missing disclosures or information?
• Excessive fees?
• Inability to reach customer service?
• Previously undisclosed charges?
• High volume of complaints?

What is the level of consumer complaints related to consumer protection or UDAAP issues by bank, operating subsidiaries or third parties?
Are there specific areas or specific customer demographics within the bank’s retail footprint with higher levels of consumer complaints than other areas?
What is the level of complaints as a percentage of product or service volume?
Can any bank employee handle and resolve consumer complaints on their own initiative?
Have there been any spikes in customer refund requests?

Quality of UDAAP Risk Management (Risk Controls and Mitigation)

Control Sets -- Overview:

1. General: Compliance Management Program
   a. Board of Directors and Senior Management Oversight
   b. Compliance Program
      i. Compliance Risk Management
      ii. Policies and Procedures
      iii. Training
      iv. Monitoring and Corrective Action
      v. Compliance Audit
2. UDAAP Specific
   a. Advertisements and Solicitations
   b. Sales
   c. Disclosures
   d. Customer Service
   e. Vendor Management
   f. Consumer Complaint Response
   g. Customer Friendly Features

Control Set I: Compliance Management Program (2 sub-factors)

1(a) Board of Directors and Senior Management Oversight

Has the Board adopted clear consumer protection policies and operating procedures appropriate for the size and complexity of the bank’s operations?


Does the board foster a strong consumer protection compliance culture with clear and demonstrated compliance expectations and bank fairness objectives for the bank and third party vendors it uses?
Do business line staff and managers understand that “they own” their unit’s consumer protection and “harm to consumers” risks and are responsible for managing it?
Does senior management incorporate bank enterprise-wide consumer protection risk and performance reports in their business decisions and on-going corporate strategies?
Is there appropriate communication or reporting across board, senior management, business lines and compliance groups to enable each to perform their roles and be accountable for their performance?
Are there specific consumer protection compliance and “harm to consumers” requirements written into job descriptions of line management and staff, and is the compliance unit consulted to obtain feedback when performance reviews are done or before bonuses or other compensation are paid?
Does management respond promptly to consumer protection and UDAAP regulatory examination findings? Are root causes determined for any weaknesses or violations found and are appropriate program changes implemented?
Has senior management communicated the importance of compliance and commitment to consumer fairness throughout the organization?
Do the Board and Senior Management receive regular and ongoing reports of consumer compliance adherence including compliance audits?
Does the Board or a Board committee follow up on significant consumer protection issues?
Does management have a process in place to anticipate changes in the market, consumer needs or regulatory requirements?
Has the Board appointed an appropriately qualified and experienced chief compliance officer to manage its compliance and consumer protection program? (In smaller or less complex entities where staffing is limited, a full-time compliance officer may not be necessary.)
Has the Board appointed staff and allocated resources to the compliance function commensurate with the size and complexity of its operations and practices, the Federal consumer financial laws and regulations to which the entity is subject, and necessary to avoid potential consumer harm associated with violations of such laws and regulations?
Has Senior Management addressed consumer compliance issues and associated risks of “harm to consumers” throughout product development, marketing, and account administration, and through the entity’s handling of consumer complaints and inquiries?
Does the Board require audit coverage of compliance matters and review the results of periodic compliance audits?
Does the Board review annually the consumer protection and UDAAP risk management program effectiveness?
Does the Board incorporate consumer protection and UDAAP requirements in its strategic planning process?
Do the board and management receive regular training on consumer protection issues, particularly those that may result in consumer harm?
Does management have sufficient knowledge of any new products or services prior to launch?
Is there a control in place to ensure all employee and third party compensation arrangements are reviewed prior to implementation to ensure they do not create unintended incentives to engage in unfair or deceptive practices, particularly with respect to sales, servicing and collections?

1(b) Compliance Program (5 elements)


1(b)(i) Compliance Risk Management

Does the Compliance Department have sufficient authority to carry out its mission, including monitoring, testing and performing self-assessments?
Is Compliance sufficiently independent of the business lines?
Does the compliance officer have direct access to the Board or to any governance units or committees?
Are all employees held responsible for compliance and “harm to consumers”?
Is the compliance program tailored to the size and complexity of the institution and consistent with adopted Board policies related to compliance?
Does the program promptly address potential consumer protection or UDAAP issues?
Does the program ensure corrective action for all identified system weaknesses and violations reported?
Is Compliance involvement included throughout the product life cycle?
Are telephone and advertising scripts developed with compliance staff involvement and periodically monitored?
Does the bank have processes for assimilating legislative and regulatory changes, and new compliance hot topics being emphasized by regulatory agencies that affect its operations?

1(b)(ii) Policies and Procedures

Regarding consumer protection policies, guidelines or standards:

• Are they clear and objectively determined?
• Are they easy to incorporate into daily employee tasks?
• Do they guide employee discretion clearly and objectively including for referrals to other products or lending channels?
• Are they maintained to remain current?
• Are they amended when exceptions become the norm?
• Have there been any recent changes?
• Are changes clearly communicated to all appropriate personnel?
• Do they incorporate applicable regulatory guidance?
• Are they designed to detect and prevent violations and other “harm to consumers”?

Do policies and procedures cover processes for development and implementation of new consumer financial products, services, or other activities, distribution channels, and strategies to determine the degree of compliance function participation?
Are there well-defined standards that can be applied to each consumer product, service or activity?
Are there well-defined parameters for bank staff regarding exceptions to offering products, services, or activities?
Do customer files have complete documentation showing the application and transaction history covering loan or deposit products or services requested and provided to the consumer?

1(b)(iii) Training

Are the compliance officer and other bank compliance staff provided training opportunities to stay current with changing regulatory requirements and industry compliance challenges?
Does the compliance officer or other compliance staff participate in compliance working groups with other local bank compliance officers or with state association compliance efforts?


Is there a regular, ongoing documented compliance training program that covers all staff to ensure all Federal rules are followed?
Are training courses developed for specific staff audiences and include compliance with bank policies and procedures?
Are review tests used to certify that staff has acquired the compliance knowledge necessary to perform their job?
Does bank staff involved in product and service development and delivery activities have consumer protection and UDAAP knowledge appropriate to their responsibilities?
Are all employees trained to take customer complaints seriously?
Is there a formal new hire training program that includes existing employees with new roles?
Are employees required to undergo training explaining expectations for proper sales practices including providing customers with sufficient information and obtaining customer consent on all products?

1(b)(iv) Monitoring and Corrective Action

Does the bank devote sufficient staff resources to monitor call center employee sales practices?
Does the bank devote sufficient staff resources to proactively monitor in-person sales practices?
Does the compliance function sample transactions of relevant product types and decision centers, including sales, processing, underwriting, collections, and servicing to ensure that policies are being followed on a day-to-day basis?
Is monitoring conducted at the transaction level?
Is monitoring conducted pursuant to an established schedule?
Are the following monitored and tracked:

• Product, service and servicing activity volume and solutions by customer demographics?
• Consumer acceptance rates for loan solicitations or pre-screened offers?
• Policy or procedural exceptions?
• Call center volume?
• Recorded telemarketer calls for consistency with product features and compliance with bank policy and regulatory requirements?
• Advertising reviews?
• Customer satisfaction with products and servicing?
• New account activity within 60 days of account opening?
• New account opening balances and whether funds to open were transferred from other accounts?

Are servicing activities handled in an adequate control environment, including policies and procedures, quality assurance, ongoing monitoring, training, automation and management oversight, billing, call handling, automated dialers, payoffs, lien releases and payment processing?
Has the bank conducted UDAAP mystery shopping or established other in-person sales monitoring?
Are UDAAP risk issues reviewed by severity and frequency of occurrence?
Are UDAAP control factors reviewed to determine strength?
Are follow-up reviews performed for all identified UDAAP issues?
Does management monitor the timeliness and accuracy of established consumer protection and UDAAP management information systems?
Is there a process in place to ensure errors are corrected and do not recur?

1(b)(v) Compliance Audit

Is the compliance audit work performed consistent with the established audit plan and scope?


Are the frequency and depth of audit coverage and review appropriate for the size and complexity of the bank and the nature and extend of its activities?Have there been a recent changes in auditors?Does the audit scope consider:

All applicable consumer protection laws and regulations? Adherence to internal policies and procedures? Number and type of consumer complaints received? All applicable departments and branches? High-risk areas including third-party relationships? Risk factors for each regulation as they relate to consumer harm? UDAP risk? Enterprise-wide view of the bank’s sales practices? Deposit amount discrepancies?

Is employee practice in complying with consumer protection compliance consistent with bank policies and procedures and regulatory requirements?
Do compliance auditors determine the root causes for operational weaknesses, violations of law, or other deficiencies?
Does management take corrective action to follow up on any identified weaknesses or violations of laws and regulations?
Are recommended and corrective actions tracked and follow-up reviews performed to ensure appropriate changes have been implemented?
Does the compliance audit scope include a review of potential UDAAP?
Does audit assess UDAAP compliance throughout the product or service life cycle?

Control Set II: UDAAP Specific Controls (6 sub-factors)

2(a) Advertisements and Solicitations:

Does the compliance program support the following marketing controls:
Bank policy ensures that all marketing materials will be consumer friendly
Messages are in no way misleading
All pertinent and asterisked information is in a location where customers can easily locate it
Any specific offer dates within which a product or service is available are specifically and clearly noted
For pre-approved offers at a specific rate or at a specific cost, the bank guarantees that customers will get that rate or cost if they apply
A significant majority of consumers who accept solicitations for rates ‘up to’ or ‘as low as’ actually obtain the product or service advertised
The bank can substantiate all claims made, especially in regard to fees
If customers must affirmatively act to cancel a service following any “free trial period” to avoid being billed for it, the bank explains how to do that both at sign up and as the trial period is ending
Customers may close accounts that have been guaranteed without incurring any fees or penalties
Customer service representative activities are monitored to ensure customer cancellation requests are not made difficult to accomplish
Ads do not contain any word play (e.g., ads stating “no annual fees” for products that instead have monthly fees or credit life insurance)
If the bank offers products and services such as insurance, travel services, credit protection and consumer report update services, it is clear whether they are optional or required
If the bank offers add-on products, affirmative consent for the product is obtained
All marketing pictures are reflective of what customers can expect
All testimonials or endorsements are genuine
Any TV or radio advertisement disclosures are placed in a way that customers can reasonably understand all of them
Contact information is always provided so customers can reach someone if they have questions or complaints
The bank immediately stops solicitations when a customer requests it
The bank can actually deliver all the features of its products and services

Advertising is tracked and monitored to ensure it is not just in media serving specific customer demographics and to ensure that advertisements reflect a diversity of consumers
All persons who review marketing materials also review complaints to ensure they understand the customer’s point of view

2(b) Sales

Does the compliance program support the following sales controls:
Are bank processes related to sales of deposit accounts, credit cards, unsecured lines of credit, and related products and services reasonably designed to ensure customer consent is obtained and retained before any such product or service is sold or issued to the customer?
Are there adequate processes for:

Providing a grace period before assessing fees on any deposit account, credit card, or other accounts or service,

Closing such accounts in which there is no customer initiated activity during the grace period without assessing fees?

Are employee performance-management and sales goals consistent with preventing improper sales practices and other sales-integrity violations?
Does the bank monitor new debit and credit card usage 3 months, 6 months, and 12 months after activation?
Does the bank audit consumers enrolled in on-line banking services by comparing their name and email addresses on file for other authorized accounts?
Does the bank verify that newly activated debit and credit card accounts from existing customers are authorized by the customer?
Does the bank verify that new deposit accounts opened by existing customers were authorized by the customer?
Does the bank regularly review sales staff incentive compensation programs?
Does the bank review high incentive earners’ work?
Does the bank interview outgoing employees regarding sales practices in their area?
Is there an enterprise-wide sales practices oversight program to prevent and detect sales issues?
If any employees are terminated for inappropriate sales practices, customer harm is remediated immediately

2(c) Disclosures

Does the compliance program support the following disclosure controls:
Bank policy ensures that disclosures are clearly written and provide customers with the information they need, regardless of whether it is required by regulation
All disclosures clearly and accurately describe terms, benefits and material limitations such as limits on interest rates, expiration dates, pre-requisites, and cancellation requirements, both affirmatively and by lack of omission
All fees, penalties, and other charges are disclosed transparently
All disclosures are worded in a way that customers can understand (i.e., without jargon and legalese and written at an 8th grade level or below)
All disclosures are periodically reviewed to ensure they are current, clear and transparent
Complicated disclosures draw attention to key terms, including limitations and conditions
The bank clearly states when product or service terms may be changed
Customers are informed before any less favorable rate takes effect

2(d) Customer Service

Do procedures articulate bank expectations on providing consistent and good consumer assistance in daily banking activities?
Does the bank ensure customers will obtain the specific product or service that they have requested rather than a more expensive alternative?
Does the bank have friendly, consistent and knowledgeable staff that talks to customers in a way they can understand?
Do counter-offers clearly, prominently and accurately explain the difference between the requested product and the offered product?
Are employees required to obtain clear and affirmative assent before enrolling customers in a new product or service?
Does the bank track customer service metrics to ensure it is appropriately staffed?

2(e) Vendor Management

Is there a control in place to ensure customers are treated fairly by all vendors and brokers?
Do all third-party contracts and agreements incorporate consumer protection compliance, employee training, and audit reporting to compliance?
Could compensation arrangements or performance evaluation criteria create incentives to treat customers unfairly?
Are all vendors vetted to ensure they are legitimate and that their products are useful and of value before offering them to customers?
Is there a formal re-approval and risk assessment process to consider third party performance over the past period (year, quarter, etc.) to ensure that on an overall basis the relationship with the bank and its customers is satisfactory?
Are regulatory agency guidelines considered in managing third party relationships?
Does the bank approve all marketing or advertising scripts developed and used by third parties for its products and services?

Do third parties use the bank’s name in their advertisements even without an express agreement?
Are vendors using the bank’s name or supposed bank letterhead without receiving consent?
Does the bank offer or provide compliance training to third party vendors it uses or does the third party otherwise provide compliance training to their staff?
Do third parties have a process to receive complaints?
Is it clear to customers who to contact and how with any questions or problems?
Are weaknesses in third party operations corrected promptly?
Is it bank policy to discontinue using a third party if the third party is treating customers unfairly?
Does the bank perform periodic compliance reviews of third party vendors that it uses to provide or service products or services on its behalf?
Does the bank monitor third party compliance with state or federal consumer protection and UDAAP laws and regulations, and its policies or procedures?

2(f) Consumer Complaint Response

Is there a process to respond to consumer complaints in a timely manner and determine whether consumer complaints raise potential UDAAP concerns?
Does the bank have a comprehensive customer complaint monitoring process to access complaint activity across the bank and analyze and understand potential sales practices that create UDAAP risk?
Are customer concerns or questions about their experiences with bank products, services, activities, or customer service recorded and evaluated by management for UDAAP red flags?
Are consumer complaints and inquiries defined and differentiated and is staff knowledgeable of the differences? Are they handled differently?
Do complaint procedures clearly identify the staff member(s) responsible for processing complaints?
Does complaint staff have the ability to escalate issues of concern to management apart from normal complaint monitoring and reporting processes? Are these efforts documented and reviewed for resolution?
Are UDAAP complaints and outcomes tracked to ensure that bank staff is adhering to bank policies and procedures, following regulatory requirements and treating customers consistent with bank customer service standards?
Are complaints assessed for the following:

Information that may result in changes to products, services, marketing activities, policies, procedures or customer service standards to reduce issues?

Regulatory concerns that could result in violations of law or regulations such as discouraging applicants, discriminatory practices, unfair and deceptive acts and practices or abusive or predatory practices?

Is feedback from consumer response programs shared with managers so they can correct staff mistakes?
Does management monitor complaints for response back to the customer and provide appropriate resolution as possible?
Is social media monitored for consumer statements regarding your bank, subsidiaries or third party vendors?
Are remedies implemented to resolve consumer complaint root causes?
Are processes for customer appeals readily available, consistently provided and clearly explained?
Are complaints and inquiries categorized by type?
Are there enough employees responding to complaints so that customers will receive a timely response?
Is there a policy to ensure that complaints will be escalated to the appropriate level of management?
Are similar complaints or inquiries aggregated to see if there are systemic problems or other trends indicating the potential for UDAAP issues?
Does the bank track chargeback rates for its ACH merchants and escalate concerns to senior management when that rate exceeds a certain percentage?

2(g) Customer Friendly Features

Does the compliance program support the following product controls:

Loans

Application Processing

Loan applications are straightforward, easy to understand and request only personal and creditworthiness information relevant to the credit product
If it will cost customers to apply for a loan, it is clear what those fees will be before the application process
The following loan features are fully explained to customers:

Negative amortization
Balloon payments
Deferred interest
All loan costs

Underwriting

All requests for information are clear
Customers receive clear communication through the process so that they know what to expect
Customers receive clear and un-contradictory information about closing costs
Underwriting relies on ability to repay rather than collateral value
Bank employees work consistently with all customers who have a low credit score or problems identified in their credit bureau that can be explained
Marginal applicants that could be approved receive the same treatment as other more qualified applicants

Closing

Customers receive all disclosure documentation in advance of their closing date
Bank employees are available to answer any questions a customer may have

Servicing

Payments are promptly posted
The bank reports good payment history to the credit bureau, including for both joint applicants
Inaccurate credit reporting will be updated immediately
The bank explains how it applies monthly payments and any fees or penalties

It is simple and clear for customers to determine their account balance
It is simple and clear to obtain a payoff amount

Collections

Nothing the bank does could be perceived as harassing
Collections practices are clearly spelled out such that customers will be treated objectively and consistently
The bank deals only with the delinquent borrower in its collection attempts
The bank does not disclose debts to third parties
The bank does not call or visit the borrower’s place of employment even when the borrower has requested that not be done
All sworn statements made by the bank or an employee are accurate
All payment options are provided to customers, including those without cost
The bank does not threaten to contact, or in fact contact, military members’ commanding officers
The bank does not threaten to take any action it cannot or does not intend to take
The bank does not make reference to credit scores or the customer’s future ability to secure a loan
The bank does not remove access to customer electronic accounts or debit cards as the result of an overdue loan
The bank clearly requests any information required for a loss mitigation application and does not request additional documents that are not needed
The bank does not in any way imply that an attorney is involved in collecting a loan unless the attorney has actually reviewed the case

Credit Cards

The amount of usable credit customers can expect is clearly spelled out
Fees and charges are low enough that customers have available credit on their cards
Available credit is verified before any convenience checks are mailed
Customers can rely on the ‘please pay by date’ to make timely payments
The bank clearly explains what will happen if customers pay the minimum amount or less than the minimum amount

Secured Credit Cards

When customers obtain a secured credit card, they have access to the majority of their credit line
The bank’s secured card program provides customers with an opportunity to “graduate” to a higher credit line — and, eventually, to an unsecured card — through incremental credit line increases when they repay the card
Since the credit card is cash-secured, the interest rate is reasonably lower than an unsecured card
The bank avoids marketing with terms like “refundable account holds”

Mortgages

If refinances are a large part of the bank’s portfolio, the customers are receiving a benefit
Lending personnel regularly explain how to reduce the interest rate with points
If ‘no closing costs’ are advertised, then no closing costs are charged

Credit Insurance

If there are upfront fees for this product, then all benefits and downsides are explained before signing the customer up for it
It is clear whether this product is included with a loan or required to obtain one

If customers must pay in advance for credit insurance, any unearned amounts are refunded if the customer pre-pays their loan
Eligibility standards are not so strict as to make it difficult for the majority of customers to obtain a benefit

Payday Loans

The bank sets limits to prevent customers from getting into a cycle of debt
Customers may cancel payday loan transactions within one day
The bank can explain all the costs and fees associated with this product before selling it and provides customers with a way to compare the fees with other similar products

Tax Refund Loan

The product is marketed as a loan rather than as an advance of a tax refund
All costs are explained before a sale of this product

Student Loans

Customers can provide allocation instructions
Payments are allocated across multiple loans in a manner that does not maximize borrower costs
The bank provides clear direction on how co-signers can be released from private student loans

Deposits

Account Opening

Deposit products are explained in a simple and straightforward manner
The costs of each product are explained clearly and in a way that customers can reasonably compare products
All fees and penalties are clearly explained before they could be charged

Account Maintenance

All fees and penalties that apply in customer periodic statements are clearly labeled
Deposit amount discrepancies are resolved in a manner that favors the consumer

Overdrafts

More than one overdraft product is available
The bank is clear about when it will charge fees and when it will pay overdrafts
The bank is clear about how funds will be transferred to pay overdrafts from another account
The bank is clear about fees charged and action to be taken when funds transferred from another account to cover an overdraft are insufficient to cover the overdraft
The bank is clear about what it guarantees with regard to overdrafts
The bank listens in on CSR calls to ensure representatives are providing the scripted message and not altering the message or providing incomplete, inaccurate, or misleading information to persuade consumers to enroll in opt-in programs
The bank obtains an affirmative customer opt-in before charging overdraft fees in connection with ATM and one-time debit card transactions
The bank clearly and neutrally explains the consequences of opting in to overdraft protection including what transactions will be covered
The bank clearly informs customers when terms are changing
The bank does not advertise an account as “free” if there could be overdraft charges

Gift Cards

The bank is clear about any charges before a customer obtains a gift card including any monthly maintenance, dormancy or usage fee
The bank explains what will happen if a card is lost or stolen and who to call if this happens
The bank explains what can happen if the card is used at gas stations, hotels, restaurants, or other locations that may seek payment authorization
The bank explains when it may or may not authorize payments on a gift card
The bank explains how customers can redeem de minimis balances
Customers understand how to obtain balance information

Prepaid Cards

The bank explains the risks of this product before customers obtain it
The bank clearly explains any costs for accessing funds
It is clear whether there is no deposit insurance associated with this product
It is clear what happens if the holder of the funds declares bankruptcy

UDAAP Risk Summary

UDAAP Inherent Risk Profile

Risk Sources | Rating | Observations

Retail Footprint
Customer Demographics
Products & Services
Complexity
Pricing & Profitability
Conclusion:

Strategic Direction
Delivery Channels
Marketing Strategy
New Products & Services
Advertisements
Conclusion:

Operations
General
Third Parties
Traditional Compliance
Conclusion:

UDAAP Environment
Supervisory Focus
Complaints
Conclusion:

Overall Inherent Risk Rating:
Notes:

Quality of UDAAP Risk Management (Risk Mitigation and Controls)

Risk Controls & Mitigation | Rating | Observations

Compliance Program (General Controls)
Board & Sr. Management
Compliance Risk Management
Policies and Procedures
Training
Monitoring & Correction
Compliance Audit
Conclusion:

UDAAP Controls
Advertising and Solicitations
Sales
Disclosures
Customer Service
Vendor Management
Consumer Complaint Response
Conclusion:

Customer Friendly Features: Loans
Application processing
Underwriting
Closing
Servicing
Collections
Credit Cards
Secured Credit Cards
Mortgages
Credit Insurance
Payday Loans
Tax Refund Loans
Conclusion on Loan Features

Consumer friendly Features: Deposits
Account Opening
Account Maintenance
Overdrafts
Gift Cards
Prepaid Cards
Conclusion on Deposit Features

Overall Control Strength Rating:
Notes:

Consumer Residual Risk

Consumer Risk Gaps Identified

Gap 1

Level of Risk Concern
Observations
What Action Taken
Follow-Up

Gap 2

Level of Risk Concern
Observations
What Action Taken
Follow-Up

Level of Risk Controls and Mitigation (Strong, Adequate or Weak)

Risk Summary

Inherent Risk Rating | Risk Controls and Mitigation | Overall Risk

Risk Direction (Increasing, Decreasing or Stable)
Date of Last Directional Change
