Background

2. Background • Harris Financial Corp is owned by BMO Financial Group, based in Toronto. BMO Financial Group provides a broad and comprehensive range of retail banking, wealth management and investment banking products and solutions. Our financial services professionals provide access to services our customers require across our enterprise. We serve our clients through three operating groups: Personal and Commercial Banking, Private Client Group and Investment Banking Group. • Harris’ goal is to be the leading personal and commercial bank in the U.S. Midwest. Our community banking strategy leverages strong local leaders focused on exceptional customer service, offering a broad range of products and services through an expanding distribution network. This approach underlies our successful growth in the highly competitive and fragmented Chicago market and provides us with a strategic advantage when entering new markets. Strategies include: • Provide a best-in-class customer experience by emphasizing a strong performance culture and putting our best people in key positions with clear accountabilities. • Align our retail, business and wealth management offerings to meet all of our clients’ needs. • Expand our distribution network through a combination of acquisitions and new branches.

3. BMO/Harris Structure – Legal, Audit, Compliance, and Risk • Risk, Legal, and Compliance all report through the same executive chain of command. Audit is independent. This consistency allows for ease of communication, and consistent message in how we work with the Lines of Business (“LOBs”) • Disciplines are aligned enterprise-wide • The U.S. heads of each discipline report independently to Harris Board or Committees of the Board

4. Group Mandates • Compliance Mandate: U.S. Corporate Compliance is responsible for the monitoring and oversight of regulatory risk within the U.S. Compliance performs independent reviews of controls in place to manage regulatory risk. • Audit Mandate: Corporate Audit Division provides an independent assessment as to the effectiveness of internal control within the Enterprise. Audit performs independent reviews of controls in place to manage all risk types. • Risk Management Mandate: Risk Management ensures the organization’s credit, market, liquidity/funding, fiduciary and operational risks are understood, quantified, documented, mitigated where appropriate, aggregated where necessary and constrained in keeping Corporate Policy. Risk management facilitates risk and control self assessment (“RCSA”) sessions with the lines of business. • Legal Department Mandate: Law Department is responsible for management of legal services enterprise-wide across the Enterprise, including (without limitation) the management of litigation matters and external legal counsel management, and providing advice and recommendations to LOBs and other internal groups on their legal (including fiduciary) risks and mitigating their legal (including fiduciary) risk exposure. Fiduciary Risk is a subset of Legal Risk. Legal oversees the resolution of compliance and litigation matters that may result in legal or regulatory sanctions.

5. Is Structure Effective? How to maximize information sharing • Legal, Audit, Compliance, and Risk Management meet on a frequent basis • All new products and revised policies are reviewed by Legal, Audit, Compliance, and Risk • Audit reviews the work performed by Compliance prior to performing a review and adjusts their scope based upon work done by Compliance. To be able to rely on their work, Audit performs a full audit of Compliance every 12 months • Audit and Compliance obtain most current RCSA as part of planning process for reviews • Audit is copied on all Compliance reports, and Compliance is copied on all Audit reports – these reports are used in planning process • Legal, Audit, and Compliance are invited to all independently facilitated RCSA sessions that are managed by Risk • Compliance meets with Legal before reviews. Legal is copied on all Compliance reports • Reports to Audit Committee are coordinated to reduce duplication – Legal and Audit review Compliance Report. One report is produced for Communications with Regulators that includes input from all three areas. • Compliance developed a “universe” document detailing all business units and the regulations applicable to those units. Compliance worked with Legal, Audit, and Risk to review the document in detail, and obtained their concurrence on its completeness. Each group reconciled “universe” to their population document.

6. Is Structure Effective? What to watch out for • Areas that are heavily regulated result in more overlap. Areas such as trust, broker-dealer, and registered investment advisors. We work closely to reduce overlap, but some naturally exists. • Challenge exists in managing the need and desire of primary banking regulator to have an “enterprise-wide” view of compliance risk management, with the separately regulated subsidiary’s primary regulator’s need and desire to have the compliance staff an embedded part of their entity. We manage this through dual reporting structures, which adds complexity. • Legal, Audit, Compliance, and Risk are all “independent” of the line of business, so who works with the LOB to implement corrective action? Need to have the ability to cross that line or LOB ends up having issues that they cannot address. • Issues that are reported to executive management and the Board – need to be careful that as issue is presented by various areas giving their point of view or “spin”, there is consistency in how the issue is portrayed, and that the facts are accurate. Risk having item reported several times and more risky is that item is reported differently based upon who is making the report. • Risk that one area assumes another area is covering something when in fact they aren’t – risk of “white space”. For example, Audit assumed Compliance was doing something or Risk was covering it, when Risk and Compliance thought Audit was covering it.

7. Is Structure Effective? Key to Success COMMUNICATE COMMUNICATE COMMUNICATE