FINSER CORPORATION INVESTMENT PORTFOLIO REPORTING SERVICES SERVICE ORGANIZATION CONTROL REPORT ON THE SUITABILITY OF THE DESIGN AND OPERATING EFFECTIVENESS OF CONTROLS FOR THE PERIOD OF NOVEMBER 1, 2018 THROUGH OCTOBER 31, 2019

- FINSER SSAE 18 SOC-1 2019 Report (FINSER SOC-1 2019 … · 2019. 12. 12. · internal control begins with the service organization’s Board. The Board meets four times a year to



THIS DOCUMENT IS CONFIDENTIAL and has been prepared by Fisher, Herbst & Kemble, P.C. (“FHK”) and FinSer Corporation. This document is being provided to clients (and their authorized independent auditors) of FinSer Corporation under the condition that it be kept in confidence and solely for the purpose of allowing the clients to evaluate the controls placed in operation by FinSer Corporation and the procedures performed by FHK. If you are not the intended recipient, please notify the sender and destroy this document without copying or disclosing it.


TABLE OF CONTENTS

I. Independent Service Auditors’ Report
   Scope
   FinSer’s Responsibilities
   Service Auditor’s Responsibilities
   Inherent Limitations
   Description of Test of Controls
   Opinion
   Restricted Use

II. Management of FinSer Corporation’s Assertion

III. Description of FinSer’s Investment Portfolio Reporting Services
   Overview of FinSer Corporation
   Scope of the Description
   Internal Control Framework
   Description of Information Systems Process
   Description of the Investment Portfolio Reporting Service Process
   Changes to the Investment Portfolio Reporting Service During the Testing Period
   Control Objectives and Related Controls
   Complementary Subservice Organization’s Controls (CSOC)
   Complementary User Entity Controls

IV. Description of FinSer’s Control Objectives and Related Controls, Fisher, Herbst & Kemble, P.C.’s Description of Tests of Controls and Results
   Information Provided by Fisher, Herbst & Kemble, P.C.
   Control Objectives, Related Controls and Results of Testing

V. Other Information Provided by FinSer Corporation (Unaudited)


Our examination did not extend to such complementary user entity controls and we have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls.

FINSER’S RESPONSIBILITIES

In Section II, FinSer has provided an assertion about the fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. FinSer is responsible for preparing the description and for the assertion, including the completeness, accuracy, and method of presentation of the description and the assertion, providing the services covered by the description, specifying the control objectives and stating them in the description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria stated in the assertion, and designing, implementing, and documenting controls that are suitably designed and operating effectively to achieve the related control objectives stated in the description.

SERVICE AUDITOR’S RESPONSIBILITIES

Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on our examination. Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether, in all material respects, based on the criteria in management’s assertion, the description is fairly presented and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the description throughout the period of November 1, 2018 to October 31, 2019. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

An examination of a description of a service organization’s system and the suitability of the design and operating effectiveness of controls involves:

- performing procedures to obtain evidence about the fairness of the presentation of the description and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on the criteria in management’s assertion.

- assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the description.

- testing the operating effectiveness of those controls that management considers necessary to provide reasonable assurance that the related control objectives stated in the description were achieved.

- evaluating the overall presentation of the description, suitability of the control objectives stated therein, and suitability of the criteria specified by the service organization in its assertion.


III. DESCRIPTION OF FINSER’S INVESTMENT PORTFOLIO REPORTING SERVICES

OVERVIEW OF FINSER CORPORATION

FinSer Corporation’s lines of business include consulting, service-bureau functions, software packages, information and other financial services for financial institutions throughout the United States of America. FinSer’s major services include:

- Investment Portfolio Reporting Services (“IPRS” or “Portfolio System”) provides financial institutions with reports that help track and manage fixed-income investments. The monthly reports include bond-by-bond interest accruals, amortization and accretion calculations, fair market values, yields and principal and interest payment verification. In addition to the monthly information, quarterly reports include rate shock testing (-300 bp to +500 bp), year-to-date transactions, income, market gain/loss and rollforward from previous year-end. The service supports Accounting Standards Codification 320 (“ASC 320”), “Investments – Debt and Equity Securities” accounting.

- Asset/Liability Management (“ALM”) services include software systems and consulting services to assist in the measurement and management of interest rate risk in financial institutions (i.e. banks and credit unions). The range of software systems provides tools to analyze the balance sheet structure and measure the impact of future interest rate changes on the earnings and economic value of the institution. Consulting services are available to financial institutions desiring assistance in developing and executing an active interest rate risk management program, including outsourcing of the modeling process. Software users may also secure consulting services from FinSer to assist in the interest rate risk measurement and management process.

- Specialized software for financial institutions including: software designed to facilitate tracking and management of Regulation E and software to help manage an institution’s public fund deposits and pledges.

SCOPE OF THE DESCRIPTION

This description of FinSer’s Investment Portfolio Reporting Services addresses only FinSer’s Investment Portfolio Reporting Services provided to its user entities and excludes other services provided by FinSer. The description is intended to provide information for user entities who use the investment reporting services and their independent auditors who audit and report on such user entities’ financial statements to be used in obtaining an understanding of the investment reporting services and the controls over that system that are likely to be relevant to user entities’ internal control over financial reporting. The description of the system includes certain business process controls and IT general controls that support the delivery of FinSer’s Investment Portfolio Reporting Services. FinSer uses ICE Data Pricing and Reference Data LLC, an ICE Data Services Company (ICE) and Bloomberg L.P. Valuation Service System (BVAL), subservice organizations, to provide appraisals for certain securities. FinSer uses Intex Solutions, Inc., a subservice organization, to provide cash flow factors used in calculating amortization and accretion for certain securities. The description includes only the control objectives and related controls of FinSer and excludes the control objectives and related controls of the subservice organizations.

INTERNAL CONTROL FRAMEWORK

This section provides information about the five interrelated components of internal control at FinSer, including FinSer’s:

- Control environment;

- Risk assessment process;

- Information and communications;

- Monitoring activities; and

- Control activities.

Control Environment

The control environment sets the tone of an organization, influencing the control awareness of the organization. The control environment is embodied by the organization’s awareness of the need for controls and the emphasis given to the appropriate controls through management’s actions supported by its policies, procedures, and organizational structure. The following are the primary elements of the service organization’s control environment:

- Oversight Responsibility and Accountability by FinSer’s Board of Directors;

- Assignment of Authority and Responsibility;

- Commitment to Competence, Integrity and Ethical Values; and

- Administration.

Oversight Responsibility and Accountability by FinSer’s Board of Directors

The control environment at FinSer originates with and is the responsibility of the Board of Directors (board), president (CEO), and executive management. FinSer’s commitment to an effective system of internal control begins with the service organization’s Board. The Board meets four times a year to fulfill its oversight responsibilities related to the financial reporting process, the system of internal control, internal and external audit activities, and the service organization’s process for managing risk and monitoring compliance with applicable laws, regulations, and internal policies and procedures. Additionally, senior managers of FinSer, including members of executive management, meet periodically to discuss changes needed, problems encountered and provide oversight on the IPRS.

Assignment of Authority and Responsibility

Executive management recognizes its responsibility for directing and controlling operations, managing risks, and establishing, communicating, and monitoring control policies and procedures, under the ultimate oversight of the Board. Management recognizes its responsibility for establishing and maintaining sound internal control and promoting integrity and ethical values to all personnel on a day-to-day basis.


FinSer’s Investment Portfolio Reporting Services’ organizational structure includes the following functions:

1. Operations;
2. Business development;
3. Systems development;
4. Finance; and
5. Technical support.

Each department will be described in more detail.

1. Operations

The Operations group consists of the following sub-groups:

- Customer service and report generation;
- Fair market evaluations;
- Conversion; and
- Client billing.

Each sub-group will be described in more detail.

Customer Service and Report Generation

The Customer Service group is the core group responsible for day-to-day maintenance functions, which include:

- Entering investment and related information received from the client into the Portfolio System client file;
- Performing verification processes which include reconciling client data to information processed in the Portfolio System;
- Reviewing the accuracy of the information input into the Portfolio System;
- Generating monthly and quarterly investment reports; and
- Report delivery.

Fair Market Evaluations

The Vice President in charge of security appraisals oversees the pricing of all securities owned by FinSer’s clients. On a monthly basis, the current market prices are determined using a combination of resources, which include market activity, industry recognized information sources, yield curves, discounted cash flow models and other factors. Also, selected securities are outsourced to nationally-recognized pricing services. All prices are reviewed prior to being imported into the IPRS module.

Conversion

The conversion process is needed to set up the financial institution’s investment information on FinSer’s Portfolio System. Once a client signs a contract with FinSer to process its investment portfolio, the Vice President of IPRS contacts the client to begin the conversion process. The conversion process includes: determination of amortization guidelines to be used in client’s portfolio, assigning a portfolio representative, inputting the current investment portfolio information into the system, generating reports, and reconciling the reports and the client’s general ledger balances. The portfolio reports are intended to serve as the client’s subsidiary ledger for the securities inventory.

Client Billing

A portfolio representative (“PR”) is responsible for creating invoices for all portfolio clients. The portfolio software billing function is run to determine the basic charges for each client based on the monthly item count and additional services received. Although some variation in individual invoice amounts from month-to-month is expected, any significant variation is explained and reviewed by the department supervisors. Invoices are sent to the client and the invoices are input by the Administrative/Accounting group into the SAGE 100 accounting system.

2. Business Development

The Business Development group actively solicits new and expanded business relationships with banks and credit unions throughout the United States of America. The full array of products and services provided by FinSer Corporation are presented, as appropriate, including Investment Portfolio Reporting Services. FinSer also maintains and pursues remarketing agreements with organizations to direct new and potential clients to FinSer services.

3. Systems Development

The Systems Development group is responsible for the administration of the investment portfolio and asset/liability system, developing new applications, and modifying the existing systems. The group is responsible for testing modifications to existing systems by evaluating whether the software code functions properly, examining data, and ensuring that the code meets corporate standards. The group is also responsible for library management and version retention.

4. Finance

The Administrative/Accounting group performs all accounting and management reporting functions for FinSer Corporation. This includes:

- Accounts receivable & collections;
- Accounts payable;
- Monthly financial statements; and
- Sales and alliance commissions.

The widely used SAGE 100 package is utilized for primary accounting functions.

5. Technical Support

The Software Development group is responsible for supporting the internal local area network (“LAN”), including Windows file, print servers and internet access. They are also responsible for software and hardware support, operating systems and database management.


Commitment to Competence, Integrity and Ethical Values

FinSer’s commitment to employee competence begins with background checks for all employee candidates and formal hiring practices designed to ensure that new employees are qualified for their job responsibilities. Controls have been developed covering critical aspects of employment including: hiring, training and development, performance appraisals, advancement, and termination. New employees are provided with FinSer’s employee manual, which documents various procedural and administrative matters. The employee is required to acknowledge that they have read and accept the employee manual at time of hire. Senior Management is primarily responsible for recruiting and evaluating job applicants. Performance appraisals are given to employees by their immediate supervisor as deemed appropriate.

Administration

Administrative and operational controls for each major functional area are documented in various policies, standards and procedures manuals. These manuals are updated periodically and available to the appropriate personnel.

Risk Assessment Process

The service organization operates in an environment faced with a variety of risks from internal and external sources.

Objectives

The service organization’s risk assessment approach involves an iterative process for identifying and assessing risks to the achievement of the service organization’s objectives. This approach forms the basis for determining how risks will be managed by the service organization.

Identification and Analysis of Risks

Risk management is primarily the responsibility of senior management, which perform periodic risk assessments in their areas of responsibility that identify and document the significant risks facing the service organization, including any fraud risks. The results of these risk assessments determine how senior management develops and implements controls, operating procedures, and compliance processes for addressing and mitigating such risks. Service organization policies require that any instances of suspected or actual fraud be brought to the immediate attention of senior management and the Board of Directors. Additionally, FinSer’s senior management evaluate and address risks related to the IPRS in their normal course of operation.

Information and Communications

FinSer communicates its policies and procedures and other information necessary to help achieve the service organization’s business objectives through several means, including the service organization’s intranet, emails, memoranda, meetings, and training sessions. The service organization’s policies and procedures enforce the importance of adherence to and compliance with rules and regulations that govern its business and operations.


Each client is assigned a Portfolio Representative (“PR”) that communicates with the clients via phone, fax, letter or email. Clients are encouraged to communicate questions to their PR. Monthly, each client receives an e-mail from their PR notifying them of any current or significant events related to FinSer IPRS. The monthly e-mail includes the date processing begins and ends and information on how to contact the PR (name, phone number, fax number, e-mail address). FinSer also produces daily “Focus” reports containing general information about the markets, the economy and rates. They are available on the FINSER.COM website.

Monitoring Activities

FinSer employs a combination of ongoing and periodic monitoring activities to monitor that controls are functioning effectively and that risks are appropriately mitigated.

Ongoing Monitoring

The service organization uses a variety of reports and monitoring mechanisms to help ensure that controls are functioning as intended. Various reports and computer scans search for missing and/or unrealistic data that has been input or downloaded. Portfolio Representatives check program output (verification reports) against information submitted by the client to verify that appropriate updates were made. Data is downloaded from industry-recognized information sources (“IRIS”) whenever possible to keep invalid data out of the system. Data entry screens reject invalid dates and inappropriate numeric values. Warnings are displayed when values outside a normal range are entered. Date, time, and User ID stamps are recorded with changes. All data for each portfolio is scanned prior to processing to detect any missing or invalid data. During the portfolio calculation and reporting process, logs are created to report all errors and warnings. IPRS and development personnel use these logs to diagnose and correct processing problems. Management regularly reviews and assesses business operations to determine that reporting and monitoring mechanisms are used and effective in managing the operations of the business, controls, and related risks.

Periodic Assessments and Monitoring

In addition to ongoing monitoring activities described above, each business group conducts specific evaluations of risks and controls to maximize the effectiveness of its operations. The results of audits and any identified deficiencies are reported to management as well as to the Board. Management prepares and implements corrective measures to address any significant deficiencies.

Monitoring of Subservice Organizations

FinSer uses ICE Data Pricing and Reference Data LLC, an ICE Data Services Company (“ICE”) and Bloomberg L.P. Valuation Service System (“BVAL”), subservice organizations, to provide appraisals for certain securities. FinSer uses Intex Solutions, Inc. (“Intex”), a subservice organization, to provide cash flow factors used in calculating amortization and accretion for certain securities. Management of FinSer receive and review the type 2 SOC 1 or 2 report of ICE and BVAL on an annual basis. In addition, through its daily operational activities, management of FinSer monitors the services performed by ICE, Intex and BVAL to ensure operations and controls expected to be implemented at the subservice organization are functioning effectively.


Management communicates periodically with the subservice organization personnel to stay abreast of changes planned and to communicate any issues or concerns related to ICE, Intex and BVAL services.

Internal Control Framework – ICE, BVAL and Intex Subservice Organizations (SOS)

This section provides information about the five interrelated components of control at the Subservice Organizations listed above used by FinSer, including:

Control Environment

The SOS control environment has a pervasive influence on the way business activities are structured, objectives are established and risks are assessed. It also influences control activities, information and communication systems, and monitoring procedures. SOS’s control environment is influenced by its history and managerial culture. SOS, as effectively controlled entities, strives to have competent people, instills an enterprise-wide attitude of integrity and control consciousness, and sets a positive “tone at the top”. SOS establishes appropriate controls, which foster shared values and teamwork in pursuit of each organization's objectives.

Risk Assessment Process

A formal risk assessment program has been implemented at SOS to identify risks to the business and to monitor ongoing compliance with key operational and internal control policies and procedures, as well as to identify other potential operational risks requiring attention. Compliance reviews are performed routinely by management. Operational areas with a higher inherent risk are evaluated more frequently than areas with a lower inherent risk. Findings associated with each compliance review are documented and assigned a risk rating based upon likelihood of occurrence and overall impact on the existing operations and internal control structure. Compliance review results are published periodically and provided to management for review of remediation efforts.

Information and Communications

SOS is focused on the satisfaction of its Clients and employees, as well as the quality of its service delivery. To ensure that these priorities are continually achieved, SOS has implemented formal policies and procedures that address critical operational processes, human resources, and information systems. SOS management believes that the internal controls contained in these policies and procedures are critical to running the business operations effectively. SOS management has implemented various methods of internal communication so that employees are aware of significant events and initiatives and, in addition, understand their individual roles and responsibilities within the organization. These methods include frequent company updates from the senior management, which discuss significant projects and initiatives, new client deals, partnership updates and overall strategic direction. SOS employees are encouraged to communicate questions and concerns directly to management.

Monitoring Activities

SOS employs a combination of ongoing and periodic monitoring activities to monitor that controls are functioning effectively and that risks are appropriately mitigated. SOS management monitors the quality of day-to-day business and operational activities, including the internal control environment. Operational performance is discussed during meetings and planning calls, as well as key business development and improvement initiatives that are in process. In addition, reports are generated from various internal systems to help guide management with operational priorities and decisions. Monitoring is a significant component in SOS’s service delivery approach. Various tools and software allow personnel to proactively monitor the workload scheduling of the production systems. Designated personnel are the first to respond to any system-related alerts and/or alarms 24 hours a day, 7 days a week, and 365 days a year. Issues identified are escalated immediately to the appropriate personnel, who resolve and close out the issues.

Control Activities

The service organization has developed a variety of policies and procedures including related control activities to help ensure the service organization’s objectives are carried out and risks are mitigated. These control activities help ensure that investment reporting is administered in accordance with the service organization’s policies and procedures. Controls may be preventive or detective in nature and may encompass a range of manual and automated controls, including authorizations, reconciliation, and IT controls. Duties and responsibilities – such as duties related to the processing and recording of transactions, reconciliation activities, application development, compliance, and control monitoring – are allocated among personnel to ensure that a proper segregation of duties is maintained. A formal program is in place to review and update the service organization’s policies and procedures on at least an annual basis. Any changes to the policies and procedures are reviewed and approved by management and communicated to employees. Specific control activities are provided in the Description of the Information Systems Process and the Description of the Investment Portfolio Reporting Service Process below.

DESCRIPTION OF INFORMATION SYSTEMS PROCESS

The following describes the Information Systems processing environment and general controls related to the Investment Portfolio Reporting Services:

- Overview of Processing Environment;
- Production Processing;
- Physical Access;
- Logical Security;
- Change Control;
- Systems Development;
- System Backup; and
- Environmental Controls.

Overview of Processing Environment

The FinSer Portfolio System is an internally developed software system comprised of application, processing and client communication servers plus several desktop PCs which all reside in FinSer’s corporate offices in San Antonio, Texas. Software development staff manage the interfaces to this system and are responsible for all updates to the software.


The Pricing System is an internally developed software system generating market valuations for all securities maintained in the FinSer Portfolio System. The resulting market prices are interfaced into the FinSer Portfolio System securities database. Industry-recognized Information Sources (“IRIS”) are contracted by FinSer to provide current information on securities. Primary IRIS includes:

| IRIS | Type of Information Provided | How Information is Used in IPRS |
| --- | --- | --- |
| Bloomberg® Data Services | Basic information on all types of securities including historical trade information and current data such as factors, rates, and speeds. | Verify information from clients. |
| ICE Data Services Kennybase | Basic security information on all types of bullet securities including refunding and escrow information on municipal bonds as well as redemptions on callable securities. | Verify information from clients, set up securities, call schedules, and refund status. The security database is updated to reflect a “called” status. |
| Bloomberg® BVAL (Subservice Organization) | Appraisals and cash flow information on selected securities. | Imported into pricing system and security database. |
| Intex Solutions, Inc. (Subservice Organization) | Principal and interest cash flow projections for CMOs and reference data on pass thru pools and CMOs. | Populate security database with current information and cash flows based on historical and dealer consensus speeds. |
| ICE Data Pricing and Reference Data LLC, an ICE Data Services Company (Subservice Organization) | Appraisals on selected securities. | Imported into pricing system and security database. |
| FNMA, FHLMC and GNMA Websites | Current factors and rates on MBS pools. | Update security database. |
| FHLMC, FNMA, FHLB Websites | Recently called issues. | Update client’s portfolio. |
| Texas Municipal Reports published by the Texas Municipal League | Information on municipalities and outstanding bond issues including call schedules, refund status, source of repayment, etc. | Update security database. |
| CUSIP Global Services | CUSIP Identifiers | Identify securities in the portfolio reports and in the portfolio and pricing software. |


Production Processing

The Investment Portfolio Reporting software program includes automated scheduling and monitoring processes that verify that required jobs and tasks are executed completely and in the proper sequence. E-mail notification of failure in any process is sent to the individual that submitted the process. Program bugs identified after production implementation are formally documented, prioritized and tracked by the FinSer staff via bug tracking software.

Physical Access

FinSer utilizes procedures to control access to its processing facilities and assets. These procedures identify the levels of access permitted. Access to data is password protected based on user need. The office building where FinSer is located has 24-hour security. During regular business hours, a receptionist is also on duty to direct and observe all public access to the FinSer office. The two other entrances into the FinSer office are secured with combination locks at all times. After hours, the entire FinSer office is secured and separated from the elevator lobby by locked doors. All employees have keys and combinations to the office doors. Video cameras in public areas and at all building exits further secure the premises. After hours and on weekends, entry into the building requires a proper access card. All FinSer employees have magnetic cards that allow them to access the building after hours.

Logical Security

The Systems Development group (“S&D Group”) is responsible for developing standards and administering logical security for selected systems and applications based on maintaining appropriate access to information assets. Authorized employees are required to have User IDs and passwords established at various levels to access production applications and information. Each production application utilizes integrated security processing that limits users to specific functions and views of data.

Use of Individual IDs – User IDs and passwords for the network, platform and most applications include internal settings that allow three invalid access attempts before deactivation. Intervention by the S & D Group is required to restore authorized access when a password has been deactivated.

Process for Obtaining User IDs – Individuals requiring access to the information assets of IPRS are given User IDs at the employment start date once approved by senior management. The User IDs are programmed with access levels appropriate to the employee’s job duties.

Ongoing Monitoring and Maintenance – The S & D Group is informed of all terminations and transfers, through immediate notification from management or the Administrative Group, and updates user access appropriately. Additionally, user access lists are reviewed and analyzed periodically by the S & D Group to identify if current employees’ access to processes is needed.


Change Control

Responsibilities for Change Control – Major software changes and client requests are reviewed by Portfolio and Development Group management. Priorities and responsibilities are assigned as needed. Bug tracking software is utilized by portfolio and development personnel and management to track progress and testing.

Process for Performing System Code Changes – A source code version control system is used to track and document program changes. The developer checks out the current version of source code for a given program, makes changes, and performs preliminary testing on the changes. If the scope or impact of the change is significant, a testing environment is configured with copies of production data. More extensive testing is then performed and the portfolio department supervisor reviews the results. Program source code changes are then checked into the version control system and the modified programs are installed in the production environment.

Implementation Tracking – The version of the program used to calculate report information is documented within the system on an individual client, individual process and individual security basis.

Systems Development

FinSer follows a specific standardized methodology to upgrade, develop, and change product and system processes. The methodology establishes the necessary protocols and reinforces a series of controls that enable the completion of projects that focus on good business practice, as well as client and customer satisfaction.

System Backup

A full system image backup is performed on all FinSer computers, both file servers and user computers, on a weekly basis. Incremental updates of these system images are performed daily. The backup data is housed on an internal backup server and all data is replicated to a cloud system for off-premises redundancy.

Environmental Controls

FinSer maintains facilities and support equipment for controlling environmental conditions of its computer and telecommunications equipment. The computer center that houses all servers contains industry standard environmental controls that include: Temperature/humidity controls; Fire detection/suppression devices; and Redundant electrical support equipment.


DESCRIPTION OF THE INVESTMENT PORTFOLIO REPORTING SERVICE PROCESS

The following describes the Investment Portfolio Reporting Service Process environment and application controls:

Organize, Document and Verify Portfolio Changes Received from Client

Throughout the month, clients send their Portfolio Representative changes that need to be reflected in the next month-end report. These changes include purchase and sale transactions settled during the month, partial calls and changes to pledge, safekeeping, or ASC 320 designations. Clients are asked to send copies of the broker’s confirmation for purchases and sales and to document specific instructions in writing. The modifications sent by the client are logged onto a “change sheet” created by the PR for each individual client. The change sheet summarizes all the activity on that portfolio for the month. The authorized information sent by the client is attached to the change sheet along with related printed information from IRIS. This information is used to update the client’s portfolio and to serve as permanent documentation for the source of the change.

Update the Portfolio System

In addition to maintaining each client’s portfolio, the securities database of the Portfolio System is updated each month. This update is made up of three main categories: updating security data, updating appraisals and adding new securities.

Updating Security Data

Most security data is updated through electronic downloads from IRIS. Data downloads of current information are performed prior to the generation of security appraisals with daily updates during the processing period through the end of the month. The information downloaded includes factors, rates, speeds, cash flows, pool type, collateral, and refund status. Information that is unavailable through IRIS is input manually by the PR. Edit lists ensure that information is complete. Scans within the portfolio process also check for missing data.

Updating Appraisals

Security appraisals are generated or imported monthly for investments tracked by FinSer’s investment portfolio software. Most security types are priced using internally developed software and procedures. Appraisals for direct obligations of the U.S. Treasury, exchange listed stock and preferred stock are obtained from on-line real-time databases. Subscription pricing services by BVAL and ICE supplement FinSer’s internal pricing system particularly on security types where underlying collateral, cash flow projections or trade data is not readily available. The price source for each individual security is available in the monthly portfolio report.

Internal Pricing Model

Bulk pricing of all active securities in the database is done once a month, prior to the beginning of month-end processing. For the remainder of the month, the pricing program and related procedures are implemented daily to calculate appraisals for any securities added to the database. The appraisals do not necessarily reflect net results obtainable in the event of actual liquidation. Fair market values assigned to infrequently traded securities or securities with unique cash flow and liquidity characteristics or obscure collateral are particularly susceptible to variances from the true market or liquidation values.

FinSer’s internally developed pricing software primarily uses the discounted cash flow methodology to arrive at fair market value. In simplified terms, discounted cash flow analysis is based on the net present value of a security's projected cash flow. Given a stream of cash flows, the present value (fair value) can be calculated if the discount yield is known. Therefore, the process of calculating fair value can be divided into two parts: estimating cash flows and establishing a discount yield for those cash flows. Additionally, option adjusted spread methodology is also utilized for callable agency securities and step-up bonds.

Estimating Cash Flows

Cash flow streams for bullet type securities (i.e. treasuries, municipals, CDs and some agencies) are calculated based on their coupon rate and payment schedule. The interest is paid on coupon dates, and the principal is paid at maturity. Cash flow streams for amortizing securities are dependent upon prepayments and the overall structure of the security. Appraising all types of amortizing securities requires cash flow modeling capabilities. Cash flows on pass thru securities are calculated by the pricing software. For CMO cash flows, FinSer uses proprietary models and models available through providers that reverse engineer CMO cash flows such as Intex Solutions, Inc. and Bloomberg. Cash flows generated by FinSer’s proprietary models, Intex Solutions, Inc. and/or Bloomberg are significant estimates.

Establishing Discount Rates

Once the cash flow stream is established, a discount yield is required to calculate the fair market value. The discount rate is applied to the cash flows to arrive at the fair market value or net present value. Quotes, current yields and their spreads to benchmark rate curves are obtained for most types of securities. This data, derived from market observations, is utilized to create a yield curve for each unique category. Finally, all bonds within that category are priced by discounting the established cash flow stream by the appropriate yield found on the yield curve.

Prior to month-end processing, the FinSer appraisal department creates a pricing grid. This pricing grid allows for the creation of discount yields for each sector of securities (agencies, municipals, mortgage backs, certificates of deposit, etc.) based on maturity term or average life, if applicable. The discount yield is created using various yield curves from IRIS and adding basis points based on the unique traits of each group of securities including coupon rate, prepayment and call options.

Adjustments to CMO discount rates are based on collateral type and coupon. On municipal bonds, the discount yield is adjusted by an internal credit index assigned to the security. The internal index is based on perceived credit quality and other characteristics. The discount yields are reviewed analytically and graphs are reviewed to ensure yields appear reasonable. Once deemed reasonable, the yields are uploaded into the Pricing System and, in combination with the estimated cash flow calculations, a report of the fair market values on all securities that automatically price is reviewed for reasonableness. This review includes a comparison of calculated MBS prices to the active TBA (to be announced) market for GSE mortgage-backed securities, as applicable.

Exceptions to Standard Cash Flow Methodology

Securities that are not candidates for FinSer’s internal pricing model are outsourced to nationally-recognized pricing services or priced by FinSer’s analyst from a trader’s perspective (price override). These exceptions include (but are not limited to):

Securities with unique characteristics that complicate assigning a discount rate;

Securities for which projected cash flows are not available from IRIS;

Securities with unusual cash flow features; and

Securities which are unique as to marketability.

Once all security sectors, price overrides and imported prices are completely established, the pricing is loaded to the security database. Some adjustments to the established prices are made at the portfolio level based on size (or lack of) of the investment.

Adding New Securities

The final update to the securities database includes adding securities that have been purchased by clients since the previous month-end. The PR, using information available through IRIS, downloads or manually enters detailed information on newly added securities into the database. Information downloaded from IRIS is verified by the PR prior to purchase into a client’s portfolio.

Update Clients’ Portfolios

After adding the required securities to the securities database the PR begins the process of maintaining the client’s portfolio. Purchase and sale transactions are input from the change sheet and the portfolio is updated to reflect client instructions regarding pledge and/or safekeeping changes, impairments, partial calls, early CD redemptions, etc. Maturities and total calls are updated by the program.

Submit to Processing

A client’s portfolio is ready to process when the client indicates that they have sent all of the updates for the month, all of the changes have been entered into the portfolio system and all of the security data for that portfolio (including appraisals) has been updated. During processing, the monthly accrual for interest, amortization and accretion, yield, book value, unrealized gains/loss, weighted average life and modified duration is calculated on a security-by-security basis. Also, during processing, reports are created, export data files are prepared and verification reports are printed. However, if a processing error occurs, the verification reports are not produced and an error message is logged to explain what error occurred. The PR makes corrections as needed, involving the S & D Group if necessary, and the portfolio is resubmitted for processing.


Check Reports

Once reports are produced, the PR reviews key reports (the verification reports). Accuracy and completeness are verified through comparison with the client’s change sheet, exception reports generated by the software and, if needed, source documents. The PR further verifies that all transactions are reflected and that the values entered into and calculated by the portfolio system agree with those received from the client.

Distribute Reports and Export Files

Once it has been determined that the reports are free from known errors, the report is available for distribution. FinSer provides report delivery through electronic and traditional mail and overnight delivery services. E-mail delivery of reports is established upon client request and receipt of written consent. Encryption of report and data files is available upon request at no additional charge. Encryption passkeys are assigned by FinSer, and are updated upon client request.

The PR completes distribution of electronically delivered reports. Client’s delivery instructions are maintained in the portfolio software. A publishing process performed by the PR generates an e-mail to the appropriate contact and attaches all applicable data and report files. The PR is prompted by the program to verify the recipients before the e-mail is sent. Instructions for mailed copies are maintained in the portfolio software. A log is maintained to track the date mailed reports are sent.

Additionally, the portfolio program performs a scan each afternoon during the processing period that searches for reports that have been processed, but not yet published or printed. At month-end the scan results include all active portfolios that have not yet been processed. Scan results are e-mailed to the appropriate PR as well as the department supervisor.

CHANGES TO THE INVESTMENT PORTFOLIO REPORTING SERVICE DURING THE TESTING PERIOD

The following changes were made to the IPRS from November 1, 2018 to October 31, 2019:

Minor enhancements to portfolio reports and data files

Added support for regulatory report changes implemented by NCUA

CONTROL OBJECTIVES AND RELATED CONTROLS

FinSer has specified the control objectives and identified the controls that are designed to achieve the stated control objectives. The specified control objectives and related controls are presented in Section IV, “Description of FinSer’s Control Objectives and Related Controls, Fisher, Herbst & Kemble, P.C.’s Description of Tests of Controls and Results,” and are an integral component of FinSer’s description of its Investment Portfolio Reporting Service process.


COMPLEMENTARY SUBSERVICE ORGANIZATION’S CONTROLS (CSOC)

FinSer’s controls relating to the Investment Portfolio Reporting Services cover only a portion of the overall internal control structure of each user entity of FinSer. It is not feasible for the control objectives relating to investment reporting services to be solely achieved by FinSer. Therefore, each user entity’s internal control over financial reporting must be evaluated in conjunction with FinSer’s controls and related testing detailed in Section IV of this report, taking into account the complementary subservice organization controls expected to be implemented at the subservice organization as described below.

ICE, Intex and BVAL are responsible for maintaining logical security over the servers and other hardware devices upon which the calculations and appraisals are hosted;

ICE, Intex and BVAL are responsible for maintaining physical security over the data centers upon which the calculations and appraisals are hosted;

ICE, Intex and BVAL are responsible for ensuring that the FinSer data is received and processed accurately and timely;

ICE and BVAL are responsible for ensuring that market data is obtained and accurately input into their pricing systems;

ICE and BVAL are responsible for ensuring that prices are subject to quality control reviews;

ICE and BVAL are responsible for ensuring that third party prices are received from accurate sources and input properly;

Intex is responsible for ensuring that security data is obtained and accurately input into their validation model; and

Intex is responsible for ensuring that their model is validated on a regular basis and compared to actual results when applicable.

COMPLEMENTARY USER ENTITY CONTROLS

FinSer’s controls relating to the investment portfolio reporting services cover only a portion of the overall internal control structure of each user entity of FinSer. It is not feasible for the control objectives relating to investment reporting services to be solely achieved by FinSer. Therefore, each user entity’s internal control over financial reporting must be evaluated in conjunction with FinSer’s controls and related testing detailed in Section IV of this report, taking into account the related complementary user entity controls identified below. In order for user entities to rely on the controls reported on herein, each user entity must evaluate its own internal control structure to determine if the identified complementary user entity controls are in place.

Client should ensure that address changes, changes in the name of the institution and changes related to authorized client personnel are forwarded in writing to FinSer (CO #4, 5, 7);

Client should notify FinSer when all portfolio changes have been submitted and processing can be completed (CO#4, 6);


Client should determine that transactions are appropriately authorized, complete, and accurate; and that portfolio reports agree with source documentation (CO #4, 5, 6, 7, 8);

Client should ensure ASC 320 classification, pledge and safekeeping assignments noted on the FinSer report are accurate per client records (CO #4, 5, 7);

Client should consider controls to verify that the portfolio regulatory reports reflect the appropriate call report categorizations, particularly with securities (specifically SBA pools) with non-transparent collateral or limited publicly available information (CO #8);

Bank clients should verify that the method for risk weighting securitization exposures (SSFA or Gross-up) is consistent with client instructions (CO #8);

Client should consider controls to periodically verify that the amortization and accretion methods used by FinSer and displayed on the “Accounting Method by Security” report accurately reflect the Client’s instructions, institutional policies and generally accepted accounting principles (CO #8);

Client should ensure output reports are reviewed by appropriate client personnel for completeness and accuracy and are reconciled to general ledger book value and interest receivable accounts monthly (CO #7, 8);

Client should ensure that FinSer Portfolio Representatives are informed in a timely manner of erroneously input data and that corrections are made (CO #6, 8);

Client should review the “Fair Value Measurement Detail” report to ensure the ASC 820 level listed is accurate as the classification levels shown are based on FinSer’s interpretation of the ASC 820 accounting guidance (CO #6, 8);

Client should be aware of all securities owned with non-transparent collateral, with limited or no pertinent information available publicly, or which do not actively trade as these securities are particularly difficult to appraise (CO #3, 6);

Client should consider controls to address other than temporary impairment and notify FinSer in writing if book value adjustments are needed (CO #6, 8); and

Client should notify FinSer Portfolio Representative in writing of any securities they want placed on non-accrual status and that have realized credit losses. Client should ensure that impairment treatment is in accordance with appropriate accounting policies used (CO #6, 8).


IV. DESCRIPTION OF FINSER’S CONTROL OBJECTIVES AND RELATED CONTROLS, FISHER, HERBST & KEMBLE, P.C.’S DESCRIPTION OF TESTS OF CONTROLS AND RESULTS

INFORMATION PROVIDED BY FISHER, HERBST & KEMBLE, P.C.

This report, when combined with an understanding of the controls at user entities, is intended to assist auditors in planning the audit of user entities’ financial statements or user entities’ internal control over financial reporting and in assessing control risk for assertions in user entities’ financial statements that may be affected by controls at FinSer.

Our examination was limited to the control objectives and related controls specified by FinSer in Sections III and IV of the report, and did not extend to controls in effect at user entities. It is the responsibility of each user entity and its independent auditor to evaluate this information in conjunction with the evaluation of internal control over financial reporting at the user entity in order to assess total internal control. If internal control is not effective at user entities, FinSer’s controls may not compensate for such weaknesses.

FinSer’s internal control represents the collective effect of various factors on establishing or enhancing the effectiveness of the controls specified by FinSer. In planning the nature, timing, and extent of our testing of the controls to achieve the control objectives specified by FinSer, we considered aspects of FinSer’s control environment, risk assessment process, monitoring activities, and information and communications.

The following clarifies certain terms used in this section to describe the nature of the tests performed:

Inquiry – Made inquiries of appropriate personnel and corroborated responses with other personnel to ascertain the compliance of the controls.

Observation – Observed the application, performance or existence of the control.

Inspection – Inspected documents or reports indicating performance of the control.

Reperformance – Re-performed the controls.

In addition, as required by paragraph .35 of AT-C section 205, Examination Engagements (AICPA, Professional Standards), and paragraph .30 of AT-C section 320, when using information produced or provided by the service organization, we evaluated whether the information was sufficiently reliable for our purposes by obtaining evidence about the accuracy and completeness of such information and evaluating whether the information was sufficiently precise and detailed for our purposes.


CONTROL OBJECTIVES, RELATED CONTROLS AND RESULTS OF TESTING

PERSONNEL

Control Objective #1: Controls provide reasonable assurance that FinSer management is committed to organizational integrity and ethical business practices.

CONTROLS SPECIFIED BY FINSER | TESTS OF CONTROLS | RESULTS OF TESTS

1.1 Employee's Guide addresses rules of conduct and consequences of disregarding them.

1.2 Employee's Guide addresses the critical importance of protecting the confidentiality of FinSer and each of our clients.

1.3 Employee's Guide includes FinSer's policy on equal opportunity employment, harassment and drug/alcohol use.

1.4 Violations of rules of conduct or confidentiality, drug/alcohol or harassment policies are addressed by senior management with consequences up to and including employment termination.

We inquired and noted no violations occurred during the testing period regarding the Employee Guide. We noted that new employees are required to acknowledge they have read the Employee Guide upon hire.

No deviations noted.

We obtained the most current Employee Guide and noted the following were included:
- rules of conduct were defined
- consequences for disregarding rules
- confidentiality importance
- equal opportunity employment
- harassment and drug/alcohol use

No deviations noted.


SECURITY DATABASE MAINTENANCE

Control Objective #2: Controls provide reasonable assurance that reference and cash flow data updates/changes are appropriate and complete.

CONTROLS SPECIFIED BY FINSER | TESTS OF CONTROLS | RESULTS OF TESTS

2.1 Reference data for new securities is downloaded from industry recognized information sources (IRIS) and verified for accuracy by a PR.

We selected 25 portfolio reports and observed that applicable information was compared to industry recognized sources by FinSer personnel.

No deviations noted.

Through corroborative inquiry and observation, we noted that FinSer primarily uses Bloomberg, Intex and ICE Data Service's Kennybase to gather accurate security data and preliminary data on a regular basis.

No deviations noted.

Through corroborative inquiry and observation of System settings, we noted the verification process for securities added is completed.

No deviations noted.

2.3 Further checks for missing or erroneous data are performed during the processing phase of the portfolio.

We attempted to leave blank certain data in one portfolio and observed that the portfolio passed the initial scan but failed during processing due to missing or incorrect data in October 2019. The PR received an e-mail warning that an error was present and the report was not produced.

No deviations noted.

2.4 Remote users send in data requests for new securities in their inventory to get from FinSer's security database.

We selected 3 security set-up requests from November 2018 to September 2019 to ensure an e-mail was sent to the PR indicating security input was needed. We also viewed that all securities for 3 requests were properly input into the security database. Per corroborative inquiry, it appears the requests are handled immediately if possible.

No deviations noted.

2.2 Current data is downloaded throughout the month as it becomes available from various IRIS.

25

Page 29: - FINSER SSAE 18 SOC-1 2019 Report (FINSER SOC-1 2019 … · 2019. 12. 12. · internal control begins with the service organization’s Board. The Board meets four times a year to

Control Objective #3: Unbiased fair value appraisals are calculated using FinSer's pricing software or are obtained from industry-recognized pricing services (IRPS).

3.1 The schedule for dating fair values is determined at the beginning of each calendar year and the dates are not altered by market conditions.

We inspected the dates of the yield curve reports used for pricing for November 2018 through October 2019 to ensure they agreed to the set schedule.

No deviations noted.

3.2 Comparisons against other pricing sources are performed periodically.

Through corroborative inquiry, we determined that third party pricing models are reviewed to ensure FinSer prices generated are reasonable.

No deviations noted.

We selected a sample of 5,446 securities from all types of market segments from November 2018 through October 2019 and compared the market price recorded by FinSer to an independent source. Price differences under 500 basis points are deemed acceptable due to the variant nature of the pricing assumptions used by different sources.

NOTE TO READER: We noted that for 36 securities which resulted in price differences above 500 basis points when comparing to a particular independent source, FinSer provided detailed analysis and support of the pricing assumptions, market observations, variables and additional independent sources used in estimating the final price. Based on the review of information provided, FHK deemed the explanations and final prices reasonable.

No deviations noted.

3.3 Senior management determines the most reliable pricing source for various market segments.

Via corroborative inquiry, we noted that senior management obtains pricing from the most reasonable source.

No deviations noted.

3.4 Prior to the generation of security appraisals, the security database is updated to obtain the most recent factors, rates, speeds, etc.

For Bloomberg and Intex update submissions from November 2018 through October 2019, we inspected computer logs that showed submissions are being completed before the pricing is completed.

No deviations noted.

3.5 Discount rates are reviewed and compared to prior periods to ensure obvious errors are noted. They are also reviewed by a person independent of the input function to ensure input accuracy.

We inspected the input sheets for bulk pricing from November 2018 through October 2019, each report had various graphs and figures that were reviewed to ensure proper input.

No deviations noted.

Discount rates are compared by sector using graphs to ensure they are greater than the base line. We inspected the graphs from November 2018 through October 2019 to ensure comparison was noted.

No deviations noted.

We traced the treasury yield curve rates listed on the pricing matrix spreadsheets to the Bloomberg data for each month in accordance with the yield curve date listed in the processing calendar and each quarter end date to ensure accuracy of the rates used.

No deviations noted.

We observed the independent review was completed for each month from November 2018 through October 2019.

No deviations noted.

3.6 Calculated and overridden prices are reviewed for reasonableness by comparing the percentage change from prior period for appropriateness and direction.

We inspected the November 2018 through October 2019 first run reports printed by the pricing system, once discount rates had been entered. The reports listed all securities, the prior and current period’s price, the directional change, and large changes in bold type.

No deviations noted.

We observed that the reports were reviewed by the Pricing Team and changes were made as necessary. We selected a sample of 32 price changes noted in the November 2018 through October 2019 pricing reports to ensure price was properly changed in Pricing System.

No deviations noted.

3.7 ASC 820 classification levels are updated with each pricing cycle.

We observed the Appraisal Methodology matrix and agreed the level classification listed was in accordance with ASC 820.

No deviations noted.

We also selected 32 securities to confirm their classification level was listed in the portfolio report or security database in accordance with ASC 820.

No deviations noted.

PORTFOLIO MAINTENANCE

Control Objective #4: Controls provide reasonable assurance that portfolio updates/changes are authorized, recorded and posted completely and accurately.

4.1 Client (or their broker) initiates changes usually in the form of broker's confirmations.

We judgmentally selected a sample of 25 portfolio accounts and inspected documents to ensure the information was received from an authorized source.

No deviations noted.

4.2 FinSer receives information from the client or client’s broker regarding portfolio changes via fax, mail, telephone or e-mail.

We judgmentally selected a sample of 25 portfolio accounts and inspected documents to ensure the information was received from an authorized source.

No deviations noted.

4.3 On new securities, reference data is downloaded and verified against IRIS (when applicable) before being added to a client's portfolio. The security data verification is documented in the system with a checkbox.

We attempted to leave blank the check box on the purchase screen confirming verification and were unable to move forward without input.

No deviations noted.

Of the 25 portfolios judgmentally selected, 70 purchases were noted. We observed that the FinSer representative compared the broker confirmation to IRIS data before inputting into the system.

No deviations noted.

4.4 Purchase or sale cost and accrued interest shown on the broker's confirmation is verified for accuracy by FinSer representative.

Of the 25 portfolios judgmentally selected, 70 purchases and 41 sales were noted. We observed that the FinSer representative verified the accrued interest on the purchases and sales for accuracy.

No deviations noted.

4.5 The portfolio program reduces input error by questioning possible duplications, invalid or missing dates and values.

We attempted to input incorrect, invalid, duplicated, unusual and/or erroneous information into the set-up screens to ensure warning and error messages would generate, as applicable.

No deviations noted.

Control Objective #5: Controls provide reasonable assurance that new client portfolios are set up completely, correctly and have appropriate initial documentation.

5.1 Management oversees execution of contract between FinSer and new client.

We tested 3 of the 6 conversions that occurred during the testing period and observed a signed contract was on file.

No deviations noted.

5.2 New portfolios are set up using client-provided documentation of current inventory including current book value and interest receivable balances (if applicable).

We tested 3 of the 6 conversions that occurred during the testing period and observed the client provided data was used and reconciled to the converted FinSer data.

No deviations noted.

5.3 A conversion report is generated that compares the book values and interest receivable balances calculated by FinSer with those on the client's books. Effort is made to explain large differences and support findings with appropriate documentation. The report, documentation and any general ledger adjustments required for reconciliation are reviewed with the new client.

We tested 3 of the 6 conversions that occurred during the testing period and observed a conversion report was printed and reviewed. Reports included a reconciliation report, and detailed bond by bond explanation for proposed adjustments, total adjustment report and supporting documentation for pricing differences.

No deviations noted.

Control Objective #6: Controls provide reasonable assurance that portfolios are processed completely, accurately and in a timely manner.

6.1 Portfolios submitted for processing are scanned by the program for missing factors, rates, cash flows, fair values, etc. Missing information is listed immediately so a determination can be made by the PR whether or not to proceed with processing.

We observed the portfolios being submitted for October processing on October 28, 2019 and we noted scans had been properly completed. Information was missing and a list was generated as applicable.

No deviations noted.

6.2 Successful processing generates and spools to the printer a condensed report that is used by the PRs to verify that transactions were input correctly.

A sample of 25 portfolio accounts were observed from November 2018 through October 2019 to determine that the condensed report was processed and the PR reviewed it to ensure all changes were made.

No deviations noted.

6.3 Accrued interest purchased (AIP) is calculated by the portfolio program (if applicable) and compared by the PR to AIP on the client-provided confirmation or trade ticket.

Of the 25 portfolios judgmentally selected, 8 purchases were tested to observe that the FinSer representative verified that the accrued interest was accurately calculated.

No deviations noted.

6.4 Processing generates, when applicable, an exception report that details possible calculation errors such as negative interest accruals or unreasonable yields. This report is reviewed by the PR.

A sample of 25 portfolio accounts were observed from November 2018 through October 2019 to determine that the PR reviewed the report for obvious errors and correct processing of entered information.

No deviations noted.

6.5 PRs are informed of processing failures by email from the system. Logs document the reason for the failure and PRs are responsible for resolving the issues and making sure reports are produced.

We attempted to leave blank certain data and/or input incorrect data into one portfolio and observed that the portfolio passed the initial scan but failed during processing due to missing or incorrect data in October 2019. The PR received an e-mail warning that an error was present and the report was not produced.

No deviations noted.

6.6 Each PR is responsible for processing and supporting a defined list of clients and portfolios. On the last day of processing, a list of all portfolios that have not been processed is sent to the department managers and applicable PRs.

We observed this list was received via email by the PR on the last day of processing in October 2019 and all portfolios still remaining are processed.

No deviations noted.

REPORT CONTENT & DELIVERY

Control Objective #7: Controls provide reasonable assurance that reports reflect the updates submitted by the client.

7.1 A verification report is reviewed by the PR before the month-end report is sent to the client. The report is checked to ensure all transactions were entered and that the calculations appear to be reasonable.

A sample of 25 portfolio accounts were observed from November 2018 through October 2019 to determine that the PR reviewed the report for obvious errors and correct processing of entered information.

For 1 of the 25 portfolios tested, the review of the report did not identify that one sale was not recorded. However, it was noted that the sale was identified and recorded in the following month.

Management's Response to Exception:

Client sold 31 bonds in the month observed and one of two bonds from the same issuer was missed by the portfolio representative. Client didn't notify FinSer of the omission until the next month's processing. The sale was included in the next month's report.

Control Objective #8: Controls provide reasonable assurance that program calculations are accurate based on accounting guidelines in place and data provided by client and IRIS.

8.1 Amortization or accretion is calculated during the process based on FinSer default or method specified by client.

We judgmentally selected 25 securities (from the 25 portfolio clients tested as applicable) and recalculated the current period amortization or accretion and the remaining amortization or accretion.

No deviations noted.

8.2 Interest accruals, accrued interest purchased or sold and coupon payments are calculated during the process based on information that is available at the time of the process.

We judgmentally selected 25 securities (one from each of the 25 portfolio clients tested) and recalculated the total interest accrual and the current period interest.

No deviations noted.

8.3 Reports to aid clients in completing specific regulatory schedules are produced by the portfolio software. Reports are based on FDIC and NCUA guidelines and are updated as needed. Reports to help with regulatory schedules RC-B, RC-B Memoranda and RC-R are produced for banks and reports to assist with the 5300 Call Report and Schedule B are included in credit union reports.

Of the 25 portfolio clients selected, 8 had quarterly reports selected for review in the period of December 2018, March, June or September 2019. For those 8 client reports, we observed that the appropriate regulatory reports were generated as part of the quarterly process and that the regulatory reports were accurate according to current FDIC and NCUA guidelines.

NOTE TO READER: We noted that for securities guaranteed by the SBA, they are assumed to be non-mortgage backed securities in the regulatory reports. Collateral is unknown by FinSer so client must determine the correct reporting of these securities. Some SBA securities may in fact be mortgage backed securities or pass-through securities, although publicly available information may be limited.

No deviations noted.

8.4 Quarterly reports containing year-to-date transactions and accruals, a roll forward from previous year-end (summary and detail), unrealized loss detail, maturity classifications and contractual maturities are produced.

Of the 25 portfolio clients selected, 8 had quarterly reports selected for review in the period of December 2018, March, June or September 2019. For those 8 client reports, we performed the following:

- Recalculated year-to-date interest on one security per report;
- Recalculated year-to-date amortization or accretion on one security per report;
- Ensured rollforward detail for one security per report was accurate;
- Ensured unrealized loss detail for one security per report was accurate and properly recalculated;
- Ensured maturity classification on the contractual maturity schedule for one security per report was accurate;
- Agreed the rollforward summary to the rollforward detail;
- Agreed the unrealized losses summary to the unrealized losses detail;
- Agreed the contractual maturity summary to the contractual maturity detail; and
- Verified the mathematical accuracy of various reports.

No deviations noted.

Control Objective #9: Controls provide reasonable assurance that portfolio reports are distributed in accordance with client specifications.

9.1 Report recipients are set up based on the client's instructions. Email delivery requires written authorization.

A sample of 25 portfolio clients with delivery via e-mail were selected to verify that written authorization was obtained before being set up to receive reports via e-mail.

No deviations noted.

9.2 Mailed reports are signed out to note the date the report was mailed.

Per review of the monthly processing log for each month from November 2018 to October 2019, it appears the reports are being produced and mailed timely.

No deviations noted.

9.3 Reports are emailed through a proprietary publishing program that directs the portfolio files to the email recipients set up for that specific client.

We observed that the client specified delivery methods are adhered to via contact list information maintained in the Portfolio System.

No deviations noted.

9.4 PR is notified of email failures and of portfolios that were processed, but not published.

We observed emails were sent to the PR documenting email failures and unpublished portfolios listed.

No deviations noted.

GENERAL COMPUTER CONTROLS

Control Objective #10: Controls provide reasonable assurance that physical access to FinSer's Investment Portfolio Reporting Software application, FinSer's corporate office and storage media is restricted to authorized personnel.

10.1 The computer server equipment is locked in a climate controlled room within FinSer's corporate offices and is accessible by only certain authorized employees and building security personnel.

Through corroborative inquiry and observation, we noted that the server equipment is locked at all times in a climate controlled room within FinSer’s corporate offices and that only authorized employees and the security guards have access to this area.

No deviations noted.

10.2 During business hours, FinSer's only public access point is monitored by a receptionist. Other entrances are secured by combination door locks.

Through corroborative inquiry and observation, we noted that a receptionist is located at the only public access point in the office; visitors are screened and management is alerted to suspicious individuals. We observed combination locks are used on all unmanned entrance doors and secured at all times.

No deviations noted.

10.3 The office building where FinSer offices are located has 24-hour security. Video cameras are located at all building exits. Emergency exits are locked to allow exit, but no re-entry.

Through corroborative inquiry, observation and inspection, we noted the office building where FinSer is located has 24-hour video coverage, with cameras located at all building exits and that emergency exits allow no re-entry.

No deviations noted.

10.4 After hours, FinSer's offices are secured from public access by locked doors. Only employees and authorized building personnel have keys to office doors. An access card is required for building access after normal business hours.

Through corroborative inquiry, inspection and observation, we noted that the FinSer office is locked after hours and that only employees and authorized building personnel have keys to the doors.

No deviations noted.

10.5 Upon employee termination, keys and access cards are collected and secured by senior management. Access cards are disabled.

Through corroborative inquiry of building security and observation, we noted that access to the building is granted to employees through magnetic card entry. We inspected reports confirming that only current employees have access cards.

No deviations noted.

10.6 All servers and personal computers have anti-virus software with updated definitions and regular scans.

Through corroborative inquiry and observation, we sighted that all computers connected to the network and the six servers had updated virus definitions and daily scans were being completed.

No deviations noted.

Control Objective #11: Controls provide reasonable assurance that logical access to systems relative to FinSer's Portfolio and Pricing programs are in effect and data is limited to authorized individuals.

11.1 Access to FinSer's network, Portfolio and Pricing systems are limited by:
- User ID and secure password controls
- User failed log-on features
- Password protected screensaver controls

We observed a sample of personnel log-in using User IDs and passwords on the Network, Portfolio and Pricing Systems. We observed the password policies, failed log-in policies and screen saver policies to ensure they were enabled.

No deviations noted.

11.2 Department manager submits requests to the system administrator for changes in program access. The Security Administrator reviews the requests for reasonableness and appropriate approvals prior to granting the user access.

Through corroborative inquiry, we noted that a department manager authorizes the request and the system administrator approves the request.

No deviations noted.

11.3 Upon employee termination, the User ID is disabled from the Network, Portfolio and Pricing systems.

Through corroborative inquiry, we noted terminations are disabled from all systems and programs.

No deviations noted.

11.4 On an annual basis, management reviews a list of activated users on the Network, Bug Net system, Visual Source Safe system and the Portfolio/Pricing systems to ensure access is limited to authorized staff and/or functions.

We inspected Management's review of the various user lists and noted all users were authorized staff and/or functions.

No deviations noted.

11.5 Access rights to the FinSer Portfolio and Pricing systems are periodically reviewed to ensure rights are aligned with the individual’s functional responsibilities.

We inspected the access report showing rights to the FinSer Portfolio and Pricing Systems are aligned to each employee’s functional responsibility, and access levels are reviewed periodically.

No deviations noted.

Control Objective #12: Controls provide reasonable assurance that new operating system software and changes to existing operating system software are authorized, tested, approved, implemented and documented.

12.1 New operating systems are tested in both the software development and application test environments and approved by senior management prior to migrating into production.

Through corroborative inquiry, we noted senior management is required to approve implementation of new operating systems. Through corroborative inquiry, we noted no operating system or software changes were made during the testing period.

No changes occurred during the period tested so no testing could be completed.

12.2 System Administrator monitors and authorizes the implementation of vendor-proposed changes and new operating systems.

Through corroborative inquiry of the S & D Group, vendor requests are being monitored and being authorized for proposed changes.

No changes occurred during the period tested so no testing could be completed.

Control Objective #13: Controls provide reasonable assurance that changes to FinSer's Portfolio and Pricing software applications are authorized, tested, implemented and documented.

13.1 Senior management determines and prioritizes changes and assigns programming and testing responsibilities.

By inspecting the Bug Net Software open and closed reports, we noted program requests are being reviewed, approved when reasonable, input and prioritized before being given to the S & D Group for completion.

No deviations noted.

13.2 A log of support calls with remote users is maintained to monitor program changes that may be needed specifically for remote users.

We observed the support call log from November 2018 through September 2019 to ensure Ron Weaver and the PRs are documenting the problems incurred. Per corroborative inquiry, the S & D Group is reviewing the log for recurring entries, etc.

No deviations noted.

13.3 The status of program changes is documented using the Bug Net software.

Through inspection of a sample of the Bug Net Software Reports, we noted program requests and project statuses are being monitored.

No deviations noted.

13.4 A segregated environment, controlled through user access, is used to develop changes made to FinSer's Portfolio and Pricing software applications.

Through corroborative inquiry, we noted a separate server is used for software development, which is controlled through access rights to that server. For all users who have access to the production environment, we inspected the access reports to ensure access levels are appropriate.

No deviations noted.

13.5 Significant changes are tested in a segregated environment and approved by senior management prior to being moved into production.

Through corroborative inquiry and sample inspections, we noted changes to the software applications in the period covered were approved and tested before going into production.

No deviations noted.

13.6 Version control software is used to maintain the history of FinSer’s Portfolio and Pricing software application changes.

Through observation, version control software is being used to maintain a history of software application changes. Additionally, we observed that a separate detailed log of changes is also maintained for the Portfolio System.

No deviations noted.

Control Objective #14: Controls provide reasonable assurance that data is backed up completely, stored securely and can be restored in the event of an emergency.

14.1 Back up logs are maintained to document and track successful completion of the back ups.

For a sample of weekly and daily backups, we inspected the logs to ensure they were being maintained and adequately tracked the backup files.

No deviations noted.

14.2 Image backups of all servers and user computers are performed weekly and retained for 4 weeks.

We observed that weekly backups are being completed successfully and stored onsite for at least 4 weeks.

No deviations noted.

14.3 Incremental updates to the image back ups are performed daily and retained for 4 days.

We observed that incremental backups are being completed successfully and stored onsite for the minimum period.

No deviations noted.

14.4 FinSer has an effective disaster recovery and business contingency plan on file that includes recovery of data and program files from off-site back up and insurance coverage for replacement equipment.

Through corroborative inquiry and observation, we noted that FinSer has a disaster recovery plan, which includes recovery of data and program files via offsite storage, and adequate insurance for the replacement of equipment as needed.

No deviations noted.

14.5 Pertinent steps of the disaster recovery/business contingency plan are tested annually.

Through corroborative inquiry and observation, we noted the annual testing of the Disaster Recovery Plan was completed. We inspected the results on a sample of items reproduced during the testing to ensure data was successfully restored and processed.

No deviations noted.

V. OTHER INFORMATION PROVIDED BY FINSER CORPORATION (UNAUDITED)

TABLE OF CONTENTS

- Investment Portfolio Reporting Service – Monthly Procedures
- 2020 Processing Calendar
- FinSer Spreadsheet Data Export
- Investment Portfolio Reporting Service Appraisal Methodology
- FinSer Investment Portfolio Reporting Service Fair Value Sources and ASC 820 Levels
- FinSer Investment Portfolio Reporting Service Amortization Method Options
- FinSer Standard Amortization Methodology for Declining Balance Securities
- Summary of Effective Interest Method Calculation
- FinSer Corporation Privacy Policy
- FinSer Corporation Business Continuity and Disaster Recovery Plan Summary


9601 McAllister Freeway ♦ Suite 301 San Antonio, Texas 78216-4633

(210) 224-5492 ♦ www.finser.com

Investment Portfolio Reporting Service

Monthly Procedures

Step / Responsible / Procedure

1. Client: Send confirms to portfolio representative throughout the month as you buy and sell securities
   - Indicate whether AFS, HTM or Non-ASC 320
   - Specify safekeeping location

2. FinSer: Send e-mail reminder to clients
   - States when monthly processing will begin
   - Goes out around the 20th of the month

3. Client: Notify portfolio rep when you are ready to process
   - Phone, e-mail or fax notification to rep
   - Process date can vary according to your situation that month

4. FinSer: Make final changes, process and check report
   - Processing is done at night
   - Turn around is normally 24 - 48 hours

5. FinSer: Deliver report
   - Report and data files are e-mailed to client or
   - Paper reports are mailed to client

6. Client: Make month-end accruals
   - Make entries to GL for amortization, accretion, interest, and unrealized gains/losses
   - Reconcile general ledger accounts and FinSer reports

Rev. 11/11/19


2020 Processing Calendar

[Calendar grids for January through December 2020. Legend symbols: YC, P, X, H. Legend labels: Yield Curve, Processing Begins, End of Processing, FinSer Holiday.]


Spreadsheet Data Export (.csv file) Revised 11/11/19

| # | Column | Description |
|---|--------|-------------|
| 1 | A | CUSIP |
| 2 | B | Record ID |
| 3 | C | Description |
| 4 | D | Major Code |
| 5 | E | Minor Code |
| 6 | F | Par at Purchase |
| 7 | G | Book Value |
| 8 | H | Fair Value |
| 9 | I | Fair Value Price |
| 10 | J | Current Profit or Loss |
| 11 | K | Prior Profit or Loss |
| 12 | L | Profit or Loss Adjustment |
| 13 | M | Coupon |
| 14 | N | Yield |
| 15 | O | Issue Date |
| 16 | P | Maturity Date |
| 17 | Q | Purchase Date |
| 18 | R | Next Call Date |
| 19 | S | Next Call Price |
| 20 | T | Put Date |
| 21 | U | Put Price |
| 22 | V | ASC 320 |
| 23 | W | Pricing Duration |
| 24 | X | Pledged |
| 25 | Y | Safekeeping Location |
| 26 | Z | Safekeeping Receipt |
| 27 | AA | State |
| 28 | AB | Risk Category |
| 29 | AC | Year Basis |
| 30 | AD | Month Basis |
| 31 | AE | First Coupon Day |
| 32 | AF | Original Premium or Discount |
| 33 | AG | Amortization or Accretion To Date |
| 34 | AH | Unamortized or Unaccreted Balance |
| 35 | AI | Interest Accrual |
| 36 | AJ | Interest Receivable |
| 37 | AK | Accrued Interest Purchased |
| 38 | AL | Moody Rating |
| 39 | AM | S&P Rating |
| 40 | AN | Fitch Rating |
| 41 | AO | Tax Type |
| 42 | AP | Revenue Type |
| 43 | AQ | Purchase Cost |
| 44 | AR | Purchase Dollar Price |
| 45 | AS | Original Face Value |
| 46 | AT | Current Face Value |
| 47 | AU | Principal Change |
| 48 | AV | Principal Change To Date |
| 49 | AW | Beginning Pay Date |
| 50 | AX | Ending Pay Date |
| 51 | AY | 1mo. PSA/CPR |
| 52 | AZ | 3mo. PSA/CPR |
| 53 | BA | 6mo. PSA/CPR |
| 54 | BB | 12mo. PSA/CPR |
| 55 | BC | 1mo. WAL |
| 56 | BD | 3mo. WAL |
| 57 | BE | 6mo. WAL |
| 58 | BF | 12mo. WAL |
| 59 | BG | 1mo. YTM |
| 60 | BH | 3mo. YTM |
| 61 | BI | 6mo. YTM |
| 62 | BJ | 12mo. YTM |
| 63 | BK | 1mo. Accounting Yield |
| 64 | BL | 3mo. Accounting Yield |
| 65 | BM | 6mo. Accounting Yield |
| 66 | BN | 12mo. Accounting Yield |
| 67 | BO | Last mo. Factor |
| 68 | BP | 3mo. Factor |
| 69 | BQ | 6mo. Factor |
| 70 | BR | 12mo. Factor |
| 71 | BS | Delay Days |
| 72 | BT | Servicing Fee |
| 73 | BU | Pool Type |
| 74 | BV | Pays |
| 75 | BW | Index |
| 76 | BX | Spread |
| 77 | BY | Lag |
| 78 | BZ | Ceiling |
| 79 | CA | Floor |
| 80 | CB | Floats |
| 81 | CC | Amortization or Accretion |
| 82 | CD | Portfolio Number |
| 83 | CE | Brokerage Firm |
| 84 | CF | Index Code2 |
| 85 | CG | Status |
| 86 | CH | Date Sold |
| 87 | CI | Last Interest Date |
| 88 | CJ | Next Payment Date |
| 89 | CK | Next Interest Amount |
| 90 | CL | Book At Sale |
| 91 | CM | Total Sales Proceeds |
| 92 | CN | Daily Amort/Accret |
| 93 | CO | Daily Interest Accrual |
| 94 | CP | Next Rate Review Date |
| 95 | CQ | YTD Interest Accrued |
| 96 | CR | Average Life Date |
| 97 | CS | Bond Structured |
| 98 | CT | Prev Year Acc Int |
| 99 | CU | Prev YE Book Value |
| 100 | CV | Prev YE Par Value |
| 101 | CW | Prev YE Cost |
| 102 | CX | Prev YE Amort/Accre TD |
| 103 | CY | Prev YE Int Rec Bal |
| 104 | CZ | Delayed Interest Payments |
| 105 | DA | Delayed Principal Payments |
| 106 | DB | ASC 320 Transfer Date |
| 107 | DC | RC-B Code |
| 108 | DD | Tax Equivalent Yield |
| 109 | DE | Collateral |
| 110 | DF | Next Principal Payment |
| 111 | DG | Final Amortization Date |
| 112 | DH | Pledge Code |
| 113 | DI | Fair Value Pledged |
| 114 | DJ | Call Type |
| 115 | DK | Period Cap |
| 116 | DL | Taxable |
| 117 | DM | Hist Speed Type |
| 118 | DN | NA1 |
| 119 | DO | NA2 |
| 120 | DP | NA3 |
| 121 | DQ | NA4 |
| 122 | DR | NA5 |
| 123 | DS | NA6 |
| 124 | DT | NA7 |
| 125 | DU | Current (0bp Shift) Fair Value |
| 126 | DV | Down 300bp Shift Fair Value |
| 127 | DW | Down 200bp Shift Fair Value |
| 128 | DX | Down 100bp Shift Fair Value |
| 129 | DY | Up 100bp Shift Fair Value |
| 130 | DZ | Up 200bp Shift Fair Value |
| 131 | EA | Up 300bp Shift Fair Value |
| 132 | EB | Adj. Dur. to Reset |
| 133 | EC | Market Segment |
| 134 | ED | Reporting Group |
| 135 | EE | Tranche Type |
| 136 | EF | ASC 820 Level |
| 137 | EG | Price Source |
| 138 | EH | Price Date |
| 139 | EI | NA8 |
| 140 | EJ | NA9 |
| 141 | EK | Up 400bp Shift Fair Value |
| 142 | EL | Up 500bp Shift Fair Value |
| 143 | EM | Down 300bp Shift WAL |
| 144 | EN | Down 200bp Shift WAL |
| 145 | EO | Down 100bp Shift WAL |
| 146 | EP | Up 100bp Shift WAL |
| 147 | EQ | Up 200bp Shift WAL |
| 148 | ER | Up 300bp Shift WAL |
| 149 | ES | Up 400bp Shift WAL |
| 150 | ET | Up 500bp Shift WAL |
| 151 | EU | Below Investment Grade |
| 152 | EV | Non-Agency CMO/ABS/OAS |
| 153 | EW | Consecutive Months at Loss |
| 154 | EX | Next Step Up Rate |
| 155 | EY | Docket |
| 156 | EZ | Purchases this period |
| 157 | FA | Sales this period |
| 158 | FB | AIP this period |
| 159 | FC | AIS this period |
| 160 | FD | Principal Payments this period |
| 161 | FE | Interest Payments this period |
| 162 | FF | Payment Date this period |
| 163 | FG | Part 703 |
| 164 | FH | Current (0bp Shift) Price To Date |
| 165 | FI | Down 300bp Shift Price To Date |
| 166 | FJ | Down 200bp Shift Price To Date |
| 167 | FK | Down 100bp Shift Price To Date |
| 168 | FL | Up 100bp Shift Price To Date |
| 169 | FM | Up 200bp Shift Price To Date |
| 170 | FN | Up 300bp Shift Price To Date |
| 171 | FO | Up 400bp Shift Price To Date |
| 172 | FP | Up 500bp Shift Price To Date |
| 173 | FQ | User Data 1 |
| 174 | FR | User Data 2 |
| 175 | FS | User Data 3 |
| 176 | FT | User Data 4 |
| 177 | FU | User Data 5 |
| 178 | FV | Muni Tax Status |
| 179 | FW | Current (0bp Shift) WAL |
| 180 | FX | 5300 WAL or Reset |
| 181 | FY | Transfer Price |
| 182 | FZ | Transferred Premium or Discount |
| 183 | GA | Amortization this period |
| 184 | GB | Accretion this period |
| 185 | GC | Index Name |
| 186 | GD | Market Sector |
| 187 | GE | Full Record ID |
| 188 | GF | Year Basis 2 |
| 189 | GG | Month Basis 2 |
| 190 | GH | Pays 2 |
| 191 | GI | Safekeeping Loc 2 |
| 192 | GJ | Accounting Method |
| 193 | GK | Acct Prepmt Speed |
| 194 | GL | Sinking Fund |
| 195 | GM | Insurer |
| 196 | GN | Current Factor |
| 197 | GO | Amortization to Date |
| 198 | GP | Accretion to Date |
| 199 | GQ | Remaining Premium |
| 200 | GR | Remaining Discount |
| 201 | GS | Book Price |


1. Major and minor codes: Please refer to Market Segment (133 - EC) and Reporting Group (134 - ED) fields
2. Year basis: 1 = 360; 2 = 365; 3 = 366 (alternate: Year Basis 2, column 188 - GF)
3. Month basis: 1 = actual; 2 = 30 (alternate: Month Basis 2, column 189 - GG)
4. Pays: 1 = monthly; 2 = quarterly; 3 = semi-annual; 4 = annual; 5 = at maturity (alternate: Pays 2, column 190 - GH)
5. Index/Index Code2: (alternate: Index Name, column 185 - GC)
6. FDIC/Charter number on asset CDs provided by client


Investment Portfolio Reporting Service Appraisal Methodology

For the majority of the securities on our system, FinSer prices are determined using internally developed software and procedures. Subscription pricing services supplement FinSer's internal pricing system. (See “Fair Value Sources” document attached.) The price source for each individual security is displayed in the monthly portfolio report.

Internal Pricing Model

FinSer’s internally developed pricing software primarily uses the discounted cash flow methodology to arrive at fair market value. In simplified terms, discounted cash flow analysis is based on the net present value of a security's projected cash flow. Given a stream of cash flows, the present value (fair value) can be calculated if the discount rate (market yield) is known. Therefore, the process of calculating fair value can be divided into two parts: estimating cash flows and establishing a discount rate (yield) for those cash flows.

Estimating cash flows: Cash flow streams for bullet type securities (i.e. treasuries, municipals, CDs and some agencies) are fairly easy to calculate. The interest is paid on coupon dates, and the principal is paid at maturity. Cash flow streams for amortizing securities, however, are more difficult to calculate. For pass-through securities, expected prepayments result in a life that is shorter than the final maturity. Collateralized Mortgage Obligations (CMOs), REMICs and Asset-Backed Securities (ABS) also have variable cash flows that are dependent upon prepayments and the overall structure of the security. Appraising all types of amortizing securities requires cash flow modeling capabilities. FinSer uses a variety of simulation models, including proprietary models and those available through vendors that specialize in reverse engineering CMO cash flows.

Establishing discount rates: Once the cash flow stream is established, a discount rate (yield) is required to calculate the fair market value. Discount rates for municipal and corporate bonds are adjusted to allow for perceived differences in credit quality. Mortgage-backed securities are adjusted for coupon and type of collateral backing the securities, i.e., GNMA vs. FNMA or FHLMC. This includes incorporating the active TBA market for GSE mortgage-backed securities. Pass-through securities with explicit calls or other options are treated in accordance with the industry standard of discount rate or yield to worst. The discount rate is applied to the cash flows to arrive at the fair market or net present value. Market quotes, current yields and their spreads to benchmark indices are obtained for most types of securities. This data, derived from market observations, is utilized to create a yield curve for each unique category. Finally, all bonds within that category are priced by discounting the established cash flow stream by the appropriate yield found on the yield curve.

Option Adjusted Spread Model for Callable Agencies: Option Adjusted Spread (OAS) is a methodology that evaluates a bond based on multiple interest rate scenarios as depicted by implied volatility and the impact on various bond redemption dates. In other words, the OAS model evaluates an option based on the likelihood of it being exercised in the future. The FinSer model starts with the risk-free U.S. Treasury curve, then adds a spread, stated in basis points, that relates to the incremental return over the benchmark yield curve. The model values each cash flow at its appropriate term rate for each scenario. The required inputs to the model, the option adjusted spread for the various maturities and structure and the expected volatilities, are drawn from market observations, dealer offerings/bid and actual trades.

FinSer TBA Pricing Model:

Most agency pass thru pools are priced based on TBA (to-be-announced) price observations that FinSer obtains from broker offering sheets and other industry sources. These TBAs are used to derive market values for various MBS collateral and origination dates. Additionally, adjusted TBA pricing is used to determine fair values on non-standard (i.e., 10 and 20 year amortizing) Agency MBS securities.

Manual Pricing

FinSer has opted to use methods other than our internal discounted cash flow analysis on several categories of securities. These exceptions include (but are not limited to):

• Securities for which projected cash flows are not available through vendors
• Securities with unusual cash flow features
• Securities with unique characteristics that complicate assigning a discount rate
• Securities which are unique as to marketability

These securities are priced manually using the same general process as outlined on page one of estimating cash flows and establishing discount rates. However, some securities have cash flow features that require special handling outside of FinSer's pricing software. These generally include, but are not limited to, certain structured notes, and derivatives that are not reverse engineered by cash flow vendors. Alternate sources (when available) and calculators are used to do a manual analysis of the security's cash flows. Securities which are unique as to marketability or which contain uncommon characteristics are assigned a discount rate (or discount margin for floating rate securities) manually. This is done in the same manner described previously under the heading "Establishing discount rates." A spread is obtained from trading history and adjusted for changes in the market's (and analyst’s) perception of the way the security might trade should it trade. In the absence of timely actual trade information, active bids from brokerage firms are considered as well as fair values modeled by pricing services. Securities that defy proper identification or lack adequate information are also given a "hands on" approach. In instances where an outside pricing source is not available, the analyst enters a trader perspective. This incorporates making assumptions about the security as to what similarities it shares with other investment vehicles in which the market value is known or determinable. Adjustments are then made to arrive at a valuation of the security in question.


Please note: Security appraisals are generated monthly for investments tracked by FinSer’s investment portfolio software. Market value appraisals of securities are derived from a program evaluating effects of a series of current market indices. The appraisals do not necessarily reflect net results obtainable in the event of actual liquidation. Fair market values assigned to infrequently traded securities or securities with unique cash flow and liquidity characteristics or obscure collateral are particularly susceptible to variances from the true market or liquidation values.

Bulk pricing of all active securities in the database is done once a month, around mid-month. For the remainder of the month, the pricing program and related procedures are implemented daily to calculate appraisals for any securities added to the database. At quarter-end, clients may elect to have their portfolio inventory reappraised for an additional fee.

Fair value measurement techniques used by FinSer and accompanying fair value “levels” shown in FinSer’s Investment Portfolio Reports are based on FinSer's interpretation of ASC 820 (formerly in FASB 115 and 157). Financial institution management is ultimately responsible for determining applicable fair values and classification levels.

Rev 11/11/19


FinSer Investment Portfolio Reporting Service
Fair Value Sources and ASC 820 Levels

| Security Type | Primary Methodology | Inputs | Primary Source | ASC 820 FV Level |
|---|---|---|---|---|
| U.S. Treasury Bills; U.S. Treasury Notes | Outsourced to external pricing source | Bid Price | External | 1 |
| Non-callable | Discounted cash flow analysis based on the net present value of security's projected cash flow | Market quotes; Current yields; Offering Sheets | FinSer Pricing Model | 2 |
| Callable | Option adjusted spread model | Market quotes; Current yields; Offering Sheets | FinSer Pricing Model | 2 |
| | Discounted cash flow analysis based on the net present value of security's projected cash flow | Market quotes; Current yields; Offering Sheets | FinSer Pricing Model | 2 |
| | Outsourced to external pricing source. | | External | 2 |
| Frequently traded | Outsourced to external pricing source. | | External | 2 |
| CDOs, CLOs, Trust Preferreds | FinSer is unable to provide fair values on these securities | N/A | Client | Client |
| Corporate and bank stock | Use close of business price on pricing day | Market quote | Exchange | 1 |
| Callable and Non-callable | Discounted cash flow analysis | Market quotes; Current yields; Offering Sheets | FinSer Pricing Model | 2 |
| | FinSer TBA Pricing Model for new and moderately seasoned agency MBS. | Market quotes; Current yields; Offering Sheets | Market quotes; Current yields; Offering Sheets | 2 |
| | Discounted cash flow analysis for seasoned agency MBS. Projected cash flows based on consensus speeds. | Market quotes; Current yields; Offering Sheets | Market quotes; Current yields; Offering Sheets | 2 |
| SBA Pools | Outsourced to external pricing source | | External | 2 |
| HECMs | Outsourced to external pricing source | | External | 2 |
| Agency Issued | Discounted cash flow analysis with projected cash flows based on consensus speeds | Market quotes; Current yields; Offering Sheets | FinSer Pricing Model | 2 |
| HECMs, Non-Agency Issued (Private Label/ Whole Loan) | Outsourced to external pricing source | | External | 2 |
| Agency Reference Notes (IAN, FMAN) | Discounted cash flow analysis with projected cash flows based on consensus speeds | Market quote on similar securities | FinSer | 2 |
| Home Equity | Outsourced to external pricing source | | External | 2 |
| Asset Back Securities | Outsourced to external pricing source | | External | 2 |

Category labels (printed vertically beside the table): Treasury, Agency, Corporates, CMOs, Other Amortizing, Pass Thrus, Municipals, Equities, CDs.

Security type descriptions printed separately from the rows above:
- Municipals: Tax Exempt, Taxable, Callable, Non-Callable, Prerefunded, Escrowed to Maturity, Sinking Funds, Safe Harbor, QTEO, non-QTEO
- GNMA, FHMA, FHLMC (Single Family, Multi-family, CMBS)

Revised 11/11/19

See "Fair Value Measurement Detail (ASC 820)" report in client monthly report for bond-by-bond detail.


FinSer Investment Portfolio Reporting Service
Amortization Method Options*

(FinSer Defaults Indicated in Bold)

*Additional charges may apply for changes to amortization method or additional data requirements. Revised 11/11/2019

Columns: Security Type; Available Options; Speed Options; Straight-line; Constant Yield

U.S. Treasury Notes, Agency Debentures, Step-Up bonds, Municipal Bonds, Corporate Bonds, CDs (speed options: n/a)
- Amort/accre to date that produces the worst yield √ √
- Amort/accre to maturity √ √
- Amort/accre to call √ √
- Amort/accre to specific date √ √
- Amort/Accre a specific daily amount √
(All methods above are options for these security types. Straight-line vs. Constant Yield is client's choice.)

Zero coupon bonds (all markets) (speed options: n/a)
- Amort/accre to date that produces the worst yield √ √
- Amort/accre to maturity √
- Amort/accre to call √ √
- Amort/accre to specific date √
- Amort/Accre a specific daily amount √ √

Hybrid ARMS, DUS Bonds
- Constant yield method using anticipated prepayments. Speed options: 1 month CPR, 3 month CPR, 6 month CPR, 12 month CPR, Dealer Consensus, Fixed CPR. FinSer default uses cash flows based on the 3 month CPR with a final amortization date equal to the weighted average first reset date for hybrid ARMS and the yield maintenance date for DUS bonds.
- Amort/accre to specific date (speed options: n/a) √ √
- Amort/Accre a specific daily amount (speed options: n/a) √

CMOs, Asset-backed Securities, Other Amortizing Securities
- Constant yield method using anticipated prepayments √. Speed options: 1 month PSA or CPR, 3 month PSA or CPR, 6 month PSA or CPR, 12 month PSA or CPR, Dealer Consensus, Fixed PSA or CPR.
- Amort/accre to specific date (speed options: n/a) √ √
- Amort/Accre a specific daily amount (speed options: n/a) √

Pass Thru Pools
- Constant yield method using anticipated prepayments √. Speed options: 1 month CPR, 3 month CPR, 6 month CPR, 12 month CPR, Dealer Consensus, Fixed CPR.
- Amort/accre to specific date (speed options: n/a) √ √
- Amort/Accre a specific daily amount (speed options: n/a) √

Reverse Mortgage pools and CMOs
- Constant yield method using anticipated prepayments √. Speed options: 1 month PSA or CPR, 3 month PSA or CPR, 6 month PSA or CPR, 12 month PSA or CPR, Dealer Consensus, Fixed PSA or CPR. FinSer default: 100 HPC converted to CPR
- Amort/accre to specific date (speed options: n/a) √ √
- Amort/Accre a specific daily amount (speed options: n/a) √

SBICs, SBAPs, DUS, FNA
- Constant yield method using anticipated prepayments. Speed options: 1 month PSA or CPR, 3 month PSA or CPR, 6 month PSA or CPR, 12 month PSA or CPR, Dealer Consensus, Fixed PSA or CPR. FinSer default: SBICs, DUS, FNA - Zero CPR; SBAPs - 5 CPR
- Amort/accre to specific date (speed options: n/a) √ √
- Amort/Accre a specific daily amount (speed options: n/a) √


Standard Amortization Methodology for Declining Balance Securities

Calculating amortization or accretion on declining balance securities is significantly more complicated than on bonds that pay semi-annual coupons and principal at maturity. The difficulty relates to prepayments that result in a life that is shorter than final maturity and the uncertainty surrounding the timing of the cash flows.

The first step in FinSer's default method of creating an amortization schedule for a declining balance security is to approximate the future cash flows. For pass thru pools, this is accomplished by accelerating a normal mortgage loan amortization schedule according to anticipated prepayments. FinSer uses the 3-month average CPR as a default assumption, but other speed options and amortization options are available. Please refer to "FinSer Investment Portfolio Reporting Services Amortization/Accretion Method Options."

For CMO cash flow projections, FinSer has contracted with an industry-recognized vendor that specializes in reverse engineering the structure of the entire CMO. FinSer's default is to use the 3 month PSA in determining the anticipated cash flows.

After determining the anticipated cash flows, we solve for yield using the current book value as the "price" in the YTM equation. Through an iterative process, successive discount rates are chosen until the sum of the discounted cash flows is equal to the most recent book value. This discount rate or yield is used in the Effective Interest Method to calculate amortization or accretion. Unlike the Straight Line Method, which holds the amount of amortization or accretion constant over the life of the bond, the Effective Interest Method holds the yield constant over the life of the bond. Thus, the Effective Interest Method is also known as the Constant Yield Method (see “Summary of Effective Interest Method” attached).

A problem occurs when expected prepayments accelerate or decelerate from the level expected in the prior month. In such a case, an adjustment is required in the current period. Because of this adjustment, even though the effective interest method calculations are used, the yield in any specific month is very rarely, if ever, constant. However, the cumulative effect of these monthly adjustments should be to keep the yield to maturity constant over the remaining life of the security. The speeds and cash flow projections are updated each month and new yields and amortization schedules are calculated based on the latest information.

Please note that the process described above is FinSer's default methodology. Other methods and speed options are available that can be put in place with written instruction from the client.

Rev 11/11/19


Summary of Effective Interest Method Calculation*

When a premium or discount is amortized under the straight-line method, the rate of return is not the same year after year. Although the interest received is constant from period to period, the book value of the bond is either increasing or decreasing by the amount of the discount accretion or premium amortization. The straight-line method produces a constant revenue, but produces a variable rate of return on the book value of the investment. Although the effective interest method results in a varying amount being recorded as revenue from period to period, its virtue is that it produces a constant rate of return on the book value of the investment from period to period.

ASC 320 "Investments - Debt and Equity Securities," specifies a preference for the effective interest method but permits other methods if the results obtained are not significantly different from those produced by the effective interest method.

On bullet-type securities, the effective interest rate or yield is computed at the time of investment and is applied to the beginning book value of the investment for each period. The yield on declining balance securities (such as mortgage pools or CMOs) should be recalculated each period to reflect the effect of prepayments that result in a life that is shorter than final maturity. In each period the book value of the investment is increased by the discount accretion or decreased by the amortized premium.

To illustrate, assume that a financial institution purchased $100,000 of 2% bonds on January 1, 2019 paying $97,250. The bonds mature January 1, 2024 and interest is payable each July 1 and January 1. The discount of $2,750 ($100,000 minus $97,250) provided an effective interest yield of 2.59%. The schedule below discloses the effect of the discount accretion on the revenue recorded each period using the effective interest method of amortization if the bonds are held to maturity.

Schedule of Interest, Revenue and Discount Accretion
Effective Interest Method
2% bonds purchased to yield 2.59%

| Date | Interest Income (1) | Revenue (2) | Discount Accretion (3) | Book Value (4) |
|---|---|---|---|---|
| 1/1/2019 | | | | 97,250 |
| 7/1/2019 | 1,000 | 1,259 | 259 | 97,509 |
| 1/1/2020 | 1,000 | 1,263 | 263 | 97,772 |
| 7/1/2020 | 1,000 | 1,266 | 266 | 98,038 |
| 1/1/2021 | 1,000 | 1,270 | 270 | 98,308 |
| 7/1/2021 | 1,000 | 1,273 | 273 | 98,581 |
| 1/1/2022 | 1,000 | 1,277 | 277 | 98,858 |
| 7/1/2022 | 1,000 | 1,280 | 280 | 99,138 |
| 1/1/2023 | 1,000 | 1,284 | 284 | 99,422 |
| 7/1/2023 | 1,000 | 1,288 | 288 | 99,709 |
| 1/1/2024 | 1,000 | 1,291 | 291 | 100,000 |
| Total | 10,000 | 12,750 | 2,750 | |

(1) Interest Income = Par x Coupon x 6 / 12; 1,000 = 100,000 x 2% x 6 / 12
(2) Revenue = Previous Book Value x Yield x 6 / 12; 1,259 = 97,250 x 2.59% x 6 / 12
(3) Accretion = Revenue - Interest; 259 = 1,259 - 1,000
(4) Book Value = Previous Book Value + Accretion; 97,509 = 97,250 + 259

*Also known as the constant or level yield method. Rev 11/11/19
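The iterative yield solve described under "Standard Amortization Methodology" and the schedule in the illustration above can be reproduced as follows. This is an added example, not FinSer's software: the function names, the bisection search and its tolerance are assumptions, and the inputs are the bond from the illustration ($97,250 paid for $100,000 of 2% bonds, ten semi-annual periods).

```python
"""Effective interest (constant yield) accretion for the bond in the illustration.

Added illustration; names, the bisection bracket and the tolerance are assumptions.
"""
from dataclasses import dataclass


def present_value(cash_flows, period_rate):
    """Discount cash flows paid at the end of periods 1..n at a per-period rate."""
    return sum(cf / (1.0 + period_rate) ** k
               for k, cf in enumerate(cash_flows, start=1))


def solve_period_yield(book_value, cash_flows, lo=0.0, hi=1.0, tol=1e-12):
    """Choose successive rates until the discounted cash flows equal book value."""
    if not present_value(cash_flows, hi) <= book_value <= present_value(cash_flows, lo):
        raise ValueError("book value lies outside the search bracket")
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if present_value(cash_flows, mid) > book_value:
            lo = mid   # discounted value too high, so the rate is too low
        else:
            hi = mid
    return (lo + hi) / 2.0


@dataclass
class Period:
    interest: float     # coupon received
    revenue: float      # previous book value x per-period yield
    accretion: float    # revenue - interest (negative for a premium)
    book_value: float   # previous book value + accretion


def effective_interest_schedule(book_value, par, coupon_rate, periods, per_year=2):
    """Return (annual yield, list of Period) for a bullet bond held to maturity."""
    coupon = par * coupon_rate / per_year
    flows = [coupon] * (periods - 1) + [coupon + par]
    rate = solve_period_yield(book_value, flows)
    rows = []
    for _ in range(periods):
        revenue = book_value * rate
        accretion = revenue - coupon
        book_value += accretion
        rows.append(Period(coupon, revenue, accretion, book_value))
    return rate * per_year, rows


def straight_line_returns(book_value, par, coupon_rate, periods, per_year=2):
    """Annualised return on beginning book value when accretion is held constant."""
    coupon = par * coupon_rate / per_year
    step = (par - book_value) / periods
    returns = []
    for _ in range(periods):
        returns.append((coupon + step) / book_value * per_year)
        book_value += step
    return returns


if __name__ == "__main__":
    annual_yield, schedule = effective_interest_schedule(97_250, 100_000, 0.02, 10)
    print(f"effective yield: {annual_yield:.4%}")
    for n, p in enumerate(schedule, start=1):
        print(f"{n:2d} {p.interest:8,.0f} {p.revenue:8,.0f} "
              f"{p.accretion:6,.0f} {p.book_value:10,.0f}")
    sl = straight_line_returns(97_250, 100_000, 0.02, 10)
    print("straight-line return, first vs last period:",
          f"{sl[0]:.4%} vs {sl[-1]:.4%}")
```

Because the schedule uses the unrounded solved yield, the final book value lands on par exactly, while the straight-line returns drift downward as book value rises.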


FinSer Corporation Privacy Policy

In order to assist our clients in meeting the requirements of the Gramm-Leach-Bliley Financial Modernization Act (the “GLBA”), FinSer Corporation hereby sets out in writing our policy and practices regarding the privacy of information provided by our clients and their customers. Until amended or superseded, this Policy constitutes our contractual commitment to our client’s customers as follows:

FinSer Corporation (“FinSer”) will not disclose any such confidential information of a client or its customers, except to those specifically required to perform the services called for in FinSer’s contractual agreement with its clients. Nor will FinSer use or allow such access to confidential information for any purpose other than performing the services called for in the contractual agreement.

FinSer agrees to take all reasonable precautions to prevent the disclosure to outside parties of such information and to protect against any anticipated threats or hazards to the security of such information. FinSer will take all reasonable steps to protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any client or its customers, except as may be necessary by reason of legal, accounting or regulatory requirements beyond the reasonable control of FinSer or client.

If a breach in security results in an unauthorized intrusion into FinSer systems, which directly and materially affects a client or its customers, FinSer will within a reasonable time report on the intrusion and the information compromised to the affected client, and will subsequently report the corrective action taken in response.


FinSer Corporation Business Continuity and Disaster Recovery Plan Summary

FinSer, recognizing its operational dependency on computer systems and the potential loss of operational control and revenue that may occur in the event of a disaster, authorized the preparation and maintenance of the following Business Continuity and Disaster Recovery Plan (DRP). The FinSer DRP was written with the following objectives:

• To ensure the life/safety of all FinSer employees throughout the emergency condition and recovery process.

• To provide a written guideline directing the computer system and other daily business activity recovery process.

• To restore the essential client services provided by FinSer and mitigate the impact to FinSer’s customers through the implementation of effective recovery strategies.

The plan is designed to guide recovery from total loss of our current operating facility. It assumes sufficient employee resources to effect recovery of computer services and other daily business activities at a temporary site. It does not attempt to contend with a statewide or regional catastrophe that would preclude relocation to temporary facilities. FinSer maintains insurance coverage including business interruption coverage to provide replacement of lost or damaged equipment and other property.

The DRP includes

• Delineation of primary and extended disaster recovery teams

• Establishment of a temporary recovery control center

• Outline for establishing operations from a temporary location including
  - Establishing communication
  - Procuring computer equipment
  - Recovery of computer systems and data from weekly and (incremental) daily back-ups stored on cloud system.
  - Acquiring furniture and supplies

• Confidential contact information for employees, vendors, real estate management and clients

Revised 11/11/19
