Exhibit 10.9
Agency Agreement
Symetra Life Insurance Company
This agency agreement (“Agreement”) is executed by the undersigned party(ies) (hereinafter collectively called “Agency”) and Symetra Life Insurance Company (hereinafter called “Company”). If more than one agency is listed below, any reference in this Agreement to “Agency” shall be deemed to refer to the appropriate Agency as the context requires. It shall consist of this page and the pages identified by the following form numbers:
LSA-282 LSA-623 LSA-617 LSA-603i LSA-605o LSA-607r LSA-618m LSA-634a LSA-655a LSA-461b LSA-652 LSA-523d LSA-649 LSA-538
Schedule F
JPMC IT Risk Management Policy for Outside Services Providers
JPMC Consolidated Risk Management Requirements for Outside Services Providers
This Agreement supersedes all previous agreements between Company and Agency covering the lines of insurance referred to in this Agreement.
Agency is responsible for ensuring that no business is solicited until the effective date of this Agreement.
THIS AGREEMENT MAY BE CANCELED OR MODIFIED BY THE COMPANY AT ANY TIME BY GIVING
THE AGENCY PRIOR WRITTEN NOTICE TO THAT EFFECT
Signature: /s/ Laura Pantaleo (Agency Principal or Authorized Officer)
Date Signed: 9-26-06

Signature: /s/ Pat McCormick, Senior Vice President, Symetra Life Insurance Company (For Symetra Life Insurance Company)

Contracted Agency or Agent Name: Chase Insurance Agency Inc
Effective Date: 10/9/2006 (To be filled in by Symetra Personnel)
Symetra Stat Number: 24-33-9916
P.O. Box 34920
Seattle, WA 98124-1920
STAT #: 24-33-9916
SSN/TAX ID #: 39-1610807
DOC CODE: AAG
NAME: Agency Agreement
# OF PGS: 18 pgs total
 
Portions marked [***] have been omitted pursuant to a Confidential Treatment Request by Symetra Financial Corporation; this information has been filed separately with the Securities and Exchange Commission.
LSA-399_JPM 09/2006
Symetra Life Insurance Company
Terms and Conditions
General
1)   Values Statement
 
    The Company has a history, tradition and reputation for high ethical standards. Agency agrees to adhere to the Values Statement, will avoid conflicts of interest, and will comply with all applicable laws.
 
    Agency shall:
  a.   Act with integrity, which includes being honest with customers and Company.
 
  b.   Understand Company’s customers’ financial and insurance objectives and satisfy those objectives with suitable financial and insurance products and first-rate service.
 
  c.   Provide clear and accurate advertising and sales materials to Company customers.
 
  d.   Resolve customers’ complaints and disputes fairly and promptly.
 
  e.   Take appropriate actions, including having adequate supervision, to comply with applicable laws.
 
  f.   Compete actively and fairly so as to provide customers with needed services and products at reasonable prices. However, it is understood that Agency does not set product pricing.
2)   Confidentiality
 
    Each party may furnish the other party with personal customer information that is non-public and confidential in nature. Except as required in order to perform its obligations and duties under this Agreement, to perform joint marketing efforts, or as permitted by law, neither party shall use or disclose such non-public or confidential information received from the other party.
 
    Each party will maintain and enforce safety and physical security procedures with respect to its access and maintenance of personal customer information that provide reasonably appropriate technical and organizational safeguards against accidental or unlawful destruction, loss, alteration or unauthorized disclosure or access. Each party will notify the other of any breach of security and use diligent efforts to remedy any breach of security or unauthorized access in a timely manner. Each party agrees to cooperate with the other’s efforts to remedy any breach of security or unauthorized access.
 
3)   Company agrees that during the term of this Agreement and following its termination, Company shall not solicit any customer of Agency who purchases any product from the Company under this Agreement for any additional product or service without Agency’s prior written consent; provided, however, that Company may offer additional products or services to any such customers who become a customer of the Company through another agency relationship.
 
4)   Status and Authority of Agency
  a.   Agency is an independent contractor, not an employee of Company, which has retained its right to exercise exclusive and independent control of its time, energy and skill in the conduct of its business.
 
  b.   Agency is authorized to solicit applications for those life and health insurance products issued by the Company that are listed on the attached agency agreement pages; and to collect initial policy premiums and account deposits, and such other premiums as may be specifically authorized by the Company.
5)   Agency has no authority to:
 
  a)   Make, alter or discharge any policy;
 
  b)   Extend the time for payment of premiums;
 
  c)   Waive or extend any policy provision;
 
  d)   Incur any liability or expense on behalf of Company;
 
  e)   Receive any money due or to become due to Company except initial policy premiums and account deposits and other such premiums as may be specifically authorized by the Company.
6)   Agency shall promptly submit applications and remit premiums and deposits to Company at its Home Office.
 
    Agency shall be responsible to Company for the fidelity and acts of Agency representatives. Agency is responsible for ensuring that no business is solicited by any representative until that representative is authorized to represent the Company according to the applicable state regulations and after the Agreement effective date. Compensation is earned on premiums received after the Agency is appointed with the Company.
 
7)   Agency shall not pay or allow, or offer to allow, as an inducement to any person to insure or enroll, any illegal rebate of premium or other consideration due, or any other inducement not specified in the policy; nor make any misrepresentations or incomplete comparison for the purpose of inducing a policyholder in any other company to lapse, forfeit or surrender insurance.
LSA-282_JPM 09/2006   Page 1 of 3
8)   Agency shall not use any sales material, illustrations or advertisement in which Company is identified, unless the written consent of Company is obtained. Company shall not use the name “Chase Insurance Agency, Inc.,” “JPMorganChase,” “JPMorgan,” “Chase” or any derivative thereof, in any manner whatsoever without the prior written consent of Agency, which consent may be withheld in Agency’s sole and absolute discretion.
 
9)   Agency must notify Company immediately if it becomes aware of any written or verbal complaint involving a Company product. A complaint is any communication primarily expressing a grievance. The distinction between an inquiry and a grievance lies in the language used and a reasonable interpretation of that language.
 
10)   Without liability to the Agency, the Company may withdraw from doing business in any jurisdiction, and may at its discretion withdraw, substitute, add or change rates on any plan or plans.
 
11)   Cost of Marketing Material. Company shall be responsible for all costs associated with creating and producing advertising and promotional material as well as for costs associated with providing such materials to Agency.
 
12)   Contact with Agency’s Representatives. Company, its affiliates and subsidiaries, shall not make any contact with the Agency’s representatives except as permitted under Agency’s guidelines as published by Agency from time to time, unless such contact is in regard to claims or servicing issues related to the products issued by Company.
 
13)   Service Level Requirements. Company shall maintain disaster recovery and contingency plans and information security policies and procedures acceptable to Agency. Company shall also exercise commercially reasonable efforts to achieve operational and service level requirements as set forth in Schedule attached hereto and as may be amended by Agency from time to time.
Compensation
1.   Compensation will be paid in accordance with the most current Schedule(s) in effect at the time the business is approved by the Company. The right to receive compensation is conditioned on Agency’s satisfactory service to customers and on Agency’s continuing status as servicing agency, as determined by the Company.
 
2.   The Company may establish a reasonable minimum amount for compensation payments. If the amount due is less than such sum, the balance will be carried forward to the next payment date until the minimum amount is reached.
 
3.   Undistributed compensation in the hands of Company and its affiliates may be applied at any time to and as an offset on any due and unpaid obligations of Agency to Company and its affiliates. If compensation owed by Agency to Company exceeds compensation payable to Agency, then Agency will immediately repay Company compensation owed to Company.
 
4.   Neither this Agreement, nor any of the benefits to accrue hereunder, shall be assigned or transferred, either in whole or in part, without prior written consent of the Company with the exception of an assignment or transfer resulting by (a) a consolidation or merger of the Agency or their parent corporation into or with any other entity where the Agency or their parent corporation, or any entity controlled by the Agency or their parent corporation is the surviving entity; or (b) a sale, transfer or other disposition of all, or substantially all, of the assets of Agency or their parent corporation, in a single transaction or series of related transactions, to any person or entity, or group of related persons or entities, controlled by the Agency or their parent corporation, or any entity controlled by the Agency or their parent corporation.
 
5.   Company at any time, by written notice to Agency may change the compensation allowed under this Agreement as to new business effective on or after the date of such notice.
 
6.   If Company returns any portion of the premiums on a policy previously issued, Agency will pay to Company the compensation previously received with respect to the returned premiums. In addition, Agency will refund to Company compensation on canceled insurance, and on reductions in premiums, at the same rate as those on which compensation was originally received.
LSA-282_JPM 09/2006   Page 2 of 3
Termination
1.   Commissions, sales fees, service fees and any other compensation payable after this Agreement has been terminated shall be as specified in the applicable schedules, subject to any offset on any due and unpaid obligation to the Company and affiliates. Payment of any compensation will be subject to all terms and conditions of the most current Schedule(s) in effect, regardless of whether such schedule(s) was part of the Agreement at the time of termination.
 
2.   This Agreement shall terminate immediately and the Agency shall forfeit any and all compensation accruing hereunder, if any of the following acts are committed by the Agency representatives:
  a)   Withholding any property belonging to the Company after demand for its relinquishment has been made by the Company;
 
  b)   Willfully misappropriating funds belonging to the Company;
 
  c)   Committing any other fraudulent act against the Company or its policyholders;
 
  d)   Doing any act which results in having the required license to act as an insurance agent or broker canceled by any state insurance department;
 
  e)   Encouraging Company customers to replace their Company products through systematic campaigns of replacement evidenced by written memoranda, instructions, sales guides, or incentive compensation designed to encourage such replacement; and
 
  f)   Making any representation or doing any act injuring the business or reputation of the Company.
THE FAILURE OF THE COMPANY TO ENFORCE ANY PROVISION OF THIS AGREEMENT SHALL NOT
CONSTITUTE A WAIVER BY THE COMPANY OF ANY SUCH PROVISION. THE PAST WAIVER OF A PROVISION
BY THE COMPANY SHALL NOT CONSTITUTE A COURSE OF CONDUCT OR A WAIVER IN THE FUTURE OF THAT
SAME PROVISION.
LSA-282_JPM 09/2006   Page 3 of 3
Symetra Life Insurance Company
Annuity Base Commission Schedule Terms
Terms
1.   Acceptance of Business
 
    Agency will inform all Agents that no business is to be solicited until the Agent is appointed with Symetra Life Insurance Company (“Company”) according to the applicable state regulations and after the Contract effective date. Commissions are earned on premiums received after the Agent is appointed with the Company.
 
2.   Commissions
 
    Base commissions for premiums will be paid in accordance with the most current Schedule(s) in effect at the time the business is approved by the Company. The right to receive commissions is conditioned on Agency’s satisfactory service to Contractholders and on Agency’s continuing status as servicing agency, as determined by the Company.
 
Unless pre-approved by the Company, premium is limited to a maximum deposit of $1 million, per product and per policyowner, in any one policy or combination of policies within a 12 month period for the Symetra Annuities products offered in the commission schedule(s). A policy with joint owners is considered to have only one policyowner for purposes of this provision. Company reserves the right to decline any premium submitted without pre-approval. Commission will be paid at the stated commission rate in Payment Schedule, and may be reduced on premium submissions of $1 million or more.
 
3.   Change of Servicing Agent
 
    Requests for change of servicing agent may be granted if it appears to be in the best interest of the Contractholder and the Company. A change will transfer the right to receive commissions to the new servicing agent. Contracts, for which an agent cannot be located, within a reasonable amount of time, will be converted to Company accounts.
 
4.   Termination of Agency Agreement
 
    If the Agency Agreement is terminated, Company will continue to pay Agency commissions on continuing premiums paid to existing Contracts subject to the following conditions:
  a.   Agency’s satisfactory service, as determined by Company, to Contractholders;
 
  b.   Agency’s continuing status as servicing Agency, as determined by Company; and
 
  c.   Agency can be readily located.
 
  Payment of base commissions will be subject to all terms and conditions of the most current Schedule(s) in effect, regardless of whether such agreement was part of the Agency Agreement at the time of termination.
Definitions
1.   Premiums
 
    Continuing premiums are ongoing premiums expected to be paid each Contract year. Single sum premiums are premiums which are not ongoing in nature. They may be transfers from another contract or insurance carrier, including trustee-to-trustee transfers, rollovers, and exchanges, but they do not include internal transfers between Company products.
 
2.   Attained Age
 
    Attained age is determined as of the date Company receives premium. For products with joint owners, attained age will be determined using the birth date of the older owner. For annuity contracts that are owned by a non-natural person, attained age will be determined using the birth date of the annuitant, or using the birth date of the older annuitant in the case of joint annuitants.
 
3.   Distribution Charge Period (DCP)
 
    DCP is the time during which distribution charges apply as described in the Contract.
 
4.   Trail
 
    Trail commission is compensation based on Contract value. Trail will discontinue when Contract value is zero.
PAYMENT OF BASE COMMISSIONS WILL BE SUBJECT TO ALL TERMS AND CONDITIONS OF THE MOST CURRENT SCHEDULE(S) IN EFFECT, REGARDLESS OF WHETHER SUCH AGREEMENT WAS PART OF THE AGENCY AGREEMENT AT THE TIME OF TERMINATION.
LSA-623 01/2006   Page 1 of 1
Symetra Life Insurance Company
Annuity Trail Commission Terms
Terms
The repayment provisions under Condition A of the Base Schedule will not apply to trail commissions.
Agency will forfeit all future trail commissions on all Company annuity products issued by Company or any of its affiliates, if Agency engages in systematic replacement of inforce Company annuities written by Agency. Company will notify Agency when it is exercising this right. Systematic replacement has occurred under either of the following conditions:
    Agency encourages any of its representatives to replace Company annuities written by Agency. This encouragement can be shown by written memos, instructions, sales guides, campaigns, or incentive compensation designed to encourage such replacement; or
PAYMENT OF TRAIL COMMISSIONS WILL BE SUBJECT TO ALL TERMS AND CONDITIONS OF THE MOST
CURRENT SCHEDULE(S) IN EFFECT, REGARDLESS OF WHETHER SUCH AGREEMENT WAS PART OF THE
AGENCY AGREEMENT AT THE TIME OF TERMINATION.
LSA-617_JPM 09/2006   Page 1 of 1
Symetra Life Insurance Company
Annuity Base Commission Schedule
Symetra Advantage Income
    Qualified and Non-qualified contracts
 
    Single premium, fixed immediate annuity
 
    $10,000 minimum purchase payment
 
    Withdrawals from Symetra Advantage Income are not allowed
Payment Schedule
Subject to the applicable conditions specified below, base commissions as a percentage of premiums will be paid as follows:
     All premiums — [***]%
Conditions
A.   Repayment of Commissions
 
    Agency will repay Company commissions, not to exceed amount paid to Agency, under the following conditions. Repayments under this schedule will be netted against any commissions owed to Agency by Company with respect to other products offered by Company.
 
    If the commission repayments owed by Agency to Company exceed the commissions payable to Agency, Agency will immediately pay Company the commission repayments owed to Company.
  1.   Premiums returned to the Contractholder
 
      If benefits have been paid, amount returned to Contractholder will be premium minus benefits paid. Commissions to be repaid to Company will be adjusted accordingly.
THIS SCHEDULE MAY BE MODIFIED OR CANCELED BY COMPANY AT ANY TIME BY PROVIDING WRITTEN
NOTICE. THIS SCHEDULE SUPERSEDES ANY PREVIOUS VERSION OF THE LSA-603 SCHEDULE.
 
Portions marked [***] have been omitted pursuant to a Confidential Treatment Request by Symetra Financial Corporation; this information has been filed separately with the Securities and Exchange Commission.
LSA-603i 12/2005   Page 1 of 1
Symetra Life Insurance Company
Annuity Base Commission Schedule
Symetra Select Annuity
    Qualified and Non-qualified contracts
 
    Modified single premium, fixed deferred annuity
 
    Minimum initial premium of $10,000 with additional optional premiums of $250 within first twelve months of contract
Payment Schedule
Subject to the applicable conditions specified below, base commissions as a percentage of premiums will be paid as follows. Option A will be used unless otherwise specified in writing.
  Option A:   All premiums for individuals age 85 and under — [***]%

  Option B:   All premiums for individuals age 85 and under — [***]%
Trail commission will be paid monthly, at an annual rate of 15 basis points beginning immediately.
Conditions
A.   Repayment of Commissions
 
    Agency will repay Company commissions, not to exceed amount paid to Agency, under the following conditions. Repayments under this schedule will be netted against any commissions owed to Agency by Company with respect to other products offered by Company. For purposes of processing repayments, withdrawals will be considered deducted from the Contract in the following order:
  1.   First from first-year continuing premiums and increases;
 
  2.   Second from single sum premiums; and
 
  3.   Third from commissionable transfers and rollovers.
    If the commission repayments owed by Agency to Company exceed the commissions payable to Agency, Agency will immediately pay Company the commission repayments owed to Company.
  1.   Premiums returned to the Contractholder or Certificateholder
 
      If premiums are returned to the Contractholder, not including premiums which are considered to be withdrawn as part of a withdrawal or annuitization, Agency will repay commissions paid on the premiums.
 
  2.   Withdrawals from the Symetra Select Annuity
 
      If withdrawals are taken during the first Contract year, Agency will repay commissions paid on premiums, where such premiums are equal to the amount withdrawn.
 
      Provision A.2 will not apply to:
    Non-commissionable transfers between Company products;
 
    Withdrawals where no surrender penalties were applied, such as under a free-withdrawal provision (excluding the bailout) or after all withdrawal penalties have expired;
 
    Death benefit payments or hospital and nursing home waiver payments; or
 
    Payments made under a settlement option which are payable for life, or a period of at least five years.
    The repayment provisions under Condition A. will not apply to trail commissions.
 
B.   Other Transactions
 
    If a Contractholder discontinues annual premiums to one or more Company annuity products and purchases the Symetra Select Annuity, premiums paid to the new product will generate commissions at the trail commission rate only.
THIS SCHEDULE MAY BE MODIFIED OR CANCELED BY COMPANY AT ANY TIME BY PROVIDING WRITTEN
NOTICE. THIS SCHEDULE SUPERSEDES ANY PREVIOUS VERSION OF THE SELECT ANNUITY SCHEDULE.
 
Portions marked [***] have been omitted pursuant to a Confidential Treatment Request by Symetra Financial Corporation; this information has been filed separately with the Securities and Exchange Commission.
LSA-605o 04/2006   Page 1 of 1
Symetra Life Insurance Company
Annuity Base Commission Schedule
Symetra Secure Annuity
    Qualified and Non-qualified contracts
 
    Modified single premium, fixed deferred annuity
 
    Minimum initial premium of $10,000 with additional optional premiums of $250 within first twelve months of contract
Payment Schedule
Subject to the applicable conditions specified below, base commissions as a percentage of premiums will be paid as follows:
     All premiums for individuals age 85 and under — [***]%
     Trail commission will be paid once, at an annual rate of [***] basis points in the 5th contract year.
Conditions
A.   Repayment of Commissions
 
    Agency will repay Company commissions, not to exceed amount paid to Agency, under the following conditions. Repayments under this schedule will be netted against any commissions owed to Agency by Company with respect to other products offered by Company. For purposes of processing repayments, withdrawals will be considered deducted from the Contract in the following order:
  1.   First from first-year continuing premiums and increases;
 
  2.   Second from single sum premiums; and
 
  3.   Third from commissionable transfers and rollovers.
    If the commission repayments owed by Agency to Company exceed the commissions payable to Agency, Agency will immediately pay Company the commission repayments owed to Company.
  1.   Premiums returned to the Contractholder or Certificateholder
 
      If premiums are returned to the Contractholder, not including premiums which are considered to be withdrawn as part of a withdrawal or annuitization, Agency will repay commissions paid on the premiums.
 
  2.   Withdrawals from the Symetra Secure Annuity
 
      If withdrawals are taken during the first Contract year, Agency will repay commissions paid on premiums, where such premiums are equal to the amount withdrawn.
 
      Provision A.2 will not apply to:
    Non-commissionable transfers between Company products;
 
    Withdrawals where no surrender penalties were applied, such as under a free-withdrawal provision (excluding the bailout) or after all withdrawal penalties have expired;
 
    Death benefit payments or hospital and nursing home waiver payments; or
 
    Payments made under a settlement option which are payable for life, or a period of at least five years.
    The repayment provisions under Condition A. will not apply to trail commissions.
 
B.   Other Transactions
 
    If a Contractholder discontinues annual premiums to one or more Company annuity products and purchases the Symetra Secure Annuity, premiums paid to the new product will generate commissions at the trail commission rate only.
THIS SCHEDULE MAY BE MODIFIED OR CANCELED BY COMPANY AT ANY TIME BY PROVIDING WRITTEN
NOTICE. THIS SCHEDULE SUPERSEDES ANY PREVIOUS VERSION OF THE LSA-607 SCHEDULE.
 
Portions marked [***] have been omitted pursuant to a Confidential Treatment Request by Symetra Financial Corporation; this information has been filed separately with the Securities and Exchange Commission.
LSA-607r 12/2005   Page 1 of 1
Symetra Life Insurance Company
Annuity Base Commission Schedule
Symetra Custom Fixed Annuity
    Qualified and Non-qualified contracts
 
    Modified single premium, fixed deferred annuity
 
    Minimum initial Premium $10,000 with optional subsequent premium of $1000 within first twelve months of contract
Payment Schedule
Subject to the applicable conditions specified below, base commissions as a percentage of premiums will be paid as follows:
     All premiums for individuals age:
          85 and under — [***]%
          86 through 90 — [***]%
Conditions
A.   Repayment of Commissions
 
    Agency will repay Company commissions, not to exceed amount paid to Agency, under the following conditions. Repayments under this schedule will be netted against any commissions owed to Agency by Company with respect to other products offered by Company. For purposes of processing repayments, withdrawals will be considered deducted from the Contract in the following order:
  1.   First from first-year continuing premiums and increases;
 
  2.   Second from single sum premiums; and
 
  3.   Third from commissionable transfers and rollovers.
    If the commission repayments owed by Agency to Company exceed the commissions payable to Agency, Agency will immediately pay Company the commission repayments owed to Company.
  1.   Premiums returned to the Contractholder or Certificateholder
 
      If premiums are returned to the Contractholder, not including premiums which are considered to be withdrawn as part of a withdrawal or annuitization, Agency will repay commissions paid on the premiums.
 
  2.   Withdrawals from the Symetra Custom Fixed Annuity
 
      If withdrawals are taken during the first Contract year, Agency will repay commissions paid on premiums, where such premiums are equal to the amount withdrawn.
 
      Provision A.2 will not apply to:
    Non-commissionable transfers between Company products;
 
    Withdrawals where no surrender penalties were applied, such as under a free-withdrawal provision (excluding the bailout) or after all withdrawal penalties have expired;
 
    Death benefit payments or hospital and nursing home waiver payments; or
 
    Payments made under a settlement option which are payable for life, or a period of at least five years.
    The repayment provisions under Condition A. will not apply to trail commissions.
 
B.   Other Transactions
 
    If a Contractholder discontinues annual premiums to one or more Company annuity products and purchases the Symetra Custom Fixed Annuity, premiums paid to the new product will generate commissions at the trail commission rate only.
THIS SCHEDULE MAY BE MODIFIED OR CANCELED BY COMPANY AT ANY TIME BY PROVIDING WRITTEN
NOTICE. THIS SCHEDULE SUPERSEDES ANY PREVIOUS VERSION OF THE LSA-618 SCHEDULE.
 
Portions marked [***] have been omitted pursuant to a Confidential Treatment Request by Symetra Financial Corporation; this information has been filed separately with the Securities and Exchange Commission.
LSA-618m 10/2005   Page 1 of 1
Symetra Life Insurance Company
Annuity Base Commission Schedule
Payment Schedule
Subject to the applicable conditions specified below, commissions will be paid as follows on internal transfers:
From product is Advantage I, Advantage II, Advantage III, Custom, Mainsail, Preference, Preference FP, QPA I, QPA II, Resource A, Resource B, Secure, Select, Spinnaker Advisor, Spinnaker Choice, Spinnaker Plus, Spinnaker Q/NQ, and Symetra Group Variable Annuity:
Product must be out of CDSC.
To product is Symetra Custom Fixed Annuity, Symetra Secure Fixed Annuity, Symetra Select Fixed Annuity, Symetra Fixed Indexed Annuity, Symetra Flex Premium Plus, or Preference FP:
Trail commission will be paid monthly, at an annual rate of [***] basis points beginning immediately if the “from” product is less than 10 years old.
Trail commission will be paid monthly, at an annual rate of [***] basis points beginning immediately if the “from” product is over 10 years old.
New product will start a new CDSC schedule. No like for like product transfers are allowed.
From product is American States Annuities, ERA, PAR, Preference EIA, QPA III, QPA III Plus, QPA IV, QPA V, QPA V Plus, QPA VI, Safekey EIA, Safekey I, Safekey II, Safekey III, TAP, and WAMU Annuities:
Product must be out of CDSC.
To product is Symetra Custom Fixed Annuity, Symetra Secure Fixed Annuity, Symetra Select Fixed Annuity, Symetra Fixed Indexed Annuity, Symetra Flex Premium Plus, or Preference FP:
Full compensation will be paid according to the terms and conditions of your current base annuity schedule for that product.
New product will start a new CDSC schedule. No like for like product transfers are allowed.
THIS SCHEDULE MAY BE MODIFIED OR CANCELED BY COMPANY AT ANY TIME BY PROVIDING WRITTEN
NOTICE. THIS SCHEDULE SUPERSEDES ANY PREVIOUS INTERNAL TRANSFER SCHEDULE OR PROVISIONS.
 
Portions marked [***] have been omitted pursuant to a Confidential Treatment Request by Symetra Financial Corporation; this information has been filed separately with the Securities and Exchange Commission.
LSA-634a 03/2006   Page 1 of 1
Symetra Life Insurance Company
Annuity Base Commission Schedule
Fixed Annuitization Payment Schedule
Base commissions will be paid on fixed annuitization payouts of fixed and variable contracts, except on annuitization of contracts originally issued by WM Life Insurance Company or American States Life Insurance Company, or on annuitization of Safekey I, II, and III contracts.
Base commissions will be paid as a percentage of the amount applied to an annuity option, as follows:
     Contract in force 0 to 5 years — [***]%
     Contracts in force over 5 years — [***]%
Repayment of Commissions
Agency will repay Company commissions, not to exceed amount paid to Agency, if the fixed annuitization payout is reversed for any reason. Repayments under this schedule will be netted against any compensation owed to Agency by Company with respect to other products offered by Company.
If the commission repayments owed by Agency to Company exceed the compensation payable to Agency, Agency will immediately pay Company the commission repayments owed to Company.
THIS SCHEDULE MAY BE MODIFIED OR CANCELED BY COMPANY AT ANY TIME BY PROVIDING WRITTEN
NOTICE. THIS SCHEDULE SUPERSEDES ANY PREVIOUS VERSION OF THE FIXED ANNUITIZATION BASE
COMMISSION SCHEDULE.
 
Portions marked [***] have been omitted pursuant to a Confidential Treatment Request by Symetra Financial Corporation; this information has been filed separately with the Securities and Exchange Commission.
LSA-655a 03/2006   Page 1 of 1
Symetra Life Insurance Company
Compensation Terms and Agency Conditions Endorsement
Financial Institutions
Individual Life Policies
Terms
1.   Commissions are payable on premiums paid to the Company. Basic and Renewal commissions are vested and constitute full compensation to the designated writing agency. The writing agency will be paid all Basic and Renewal Commissions, which are calculated according to the Commission Schedule Individual Life Policies Endorsement Form included in this contract. There may be a maximum of two writing agencies per coverage. Basic and renewal commissions for any increase in coverage are paid to the writing agency of that increase. When the balance due is less than a reasonable minimum sum, established by the Company, payments may be paid only as the minimum amount is reached.
 
2.   To change the writing agency, written consent from the current writing agency must be submitted to the Company’s Home Office. The Company reserves the right through its Home Office to approve any such request and is not bound by such change until approved by the Company’s Home Office. The new writing agency is subject to the provisions in this agreement. The Company assumes no responsibility for the validity of the change of writing agency and the Company is held harmless with regard to any amount paid by it to the new writing agency. Any change of writing agency must comply with all applicable state laws and regulations. For those policies identified in writing as a part of the change in writing agency, the future compensation and all past, present and future obligations are transferred to the new writing agency.
 
3.   Service fees are payable on premiums paid to the Company. Such Service Fees constitute full compensation to the designated servicing agency. The service fee is calculated according to the Commission Schedule Individual Life Policies Endorsement Form included in this contract. The servicing agency will be paid all the service fees. During the calendar years in which the Servicing Agency receives a minimum of $1,000.00 in first year commission for Individual Life policies, service fees will be paid. When the balance due is less than a reasonable minimum sum, established by the Company, payments may be paid only as the minimum amount is reached.
 
4.   The servicing agency may be designated by the policyowner or by the writing agency at the time of policy issue. Changing to a new servicing agency requires written consent from the policyowner to be submitted to the Company’s Home Office. The Company reserves the right through its Home Office to approve any such request and is not bound by such change until approved by the Company’s Home Office. If the servicing agency is not specifically designated then the writing agency will be the servicing agency.
 
5.   The Company reserves the right to reduce compensation when the face amount exceeds the sum of the Company’s retention limit plus automatic reinsurance coverage.
 
6.   In addition to commission payable, the Company may award to the writing agency Annual First Year Premium (AFYP) production credit. AFYP is a measurement of production that is equal to the required first year premium on an annual payment mode. Net AFYP is the production credit issued by the Company on business written during the calendar year minus the production credited to policies that have lapsed during the year prior to their first renewal.
 
7.   When a writing agency sells additional insurance riders, commissions will be calculated and paid according to the Commission Schedule Individual Life Policies Endorsement Form included in this contract.
 
8.   If this Agency Agreement is terminated, the commissions payable to the writing agency shall be limited to those payable as first year and renewal commissions at the rate provided in the Commission Schedule Individual Life Policies Endorsement in effect on the date of termination.
 
9.   No Commissions or service fees will be paid with respect to:
  a.   Premiums which are waived under the terms of a policy;
 
  b.   Premiums for temporary extra rating for five years or less;
 
  c.   Premiums for a policy which is a conversion of group life or health insurance coverage; and
 
  d.   Premium paid by automatic premium loan.

LSA-461b 01/2006   Page 1 of 2

10.   When a conversion privilege is exercised, and the new policy is dated as of a current date, commissions will be calculated in accordance with the rules of the Company in effect at the time of such conversion. If the Company determines a policy replaces a policy previously issued by the Company on the same insured, the commission payable for the first year of insurance for the new policy will be calculated in accordance with the rules of the Company in effect at the time of such replacement.
Conditions
1.   Agency has no authority to deliver any policy unless the applicant therein is, at the time of delivery, in good health and insurable condition.
 
2.   Notwithstanding any other provision of this agreement, regarding any policy listed in this agreement’s Commission Schedule Individual Life Policy Endorsement, Agency shall not, to induce any person to insure with Company, pay or allow or offer any illegal rebate of premium or other consideration due and not specified in the policy.
THIS ENDORSEMENT MAY BE MODIFIED OR CANCELED BY THE COMPANY AT ANY TIME BY PROVIDING WRITTEN NOTICE.
The provisions of this endorsement supersede any provisions of prior endorsements.
Agency is responsible for ensuring that no business is solicited by any representatives until that representative is authorized to represent the Company and this endorsement is in effect.

LSA-461b 01/2006   Page 2 of 2

Symetra Life Insurance Company
Individual Life Valued Partnership Bonus Endorsement
The purpose of this Schedule is to establish the terms and conditions under which Agency will be paid additional compensation for sales of products issued by Company through its Individual Department:
Monthly Calculation
1.   The Company will pay an additional [***]% on total net AFYP for the month.
 
2.   The AFYP amount used to calculate the monthly bonus is determined as the YTD AFYP amount, less the AFYP used in a previous monthly bonus calculation.
Payment
1.   The bonus will be paid by the end of the month following the month in which it was earned.
 
2.   A portion of the Agency bonus based upon Variable AFYP will be paid through the Broker Dealer.
 
3.   Agency bonuses earned with multiple stat numbers will be paid to the supervising stat number.
Definitions
1.   For purposes of this endorsement, Agency production is production from itself and all agencies affiliated with Agency during any period of the calendar year.
THIS AGREEMENT MAY BE CANCELED OR MODIFIED BY THE COMPANY AT ANY TIME BY GIVING THE AGENCY WRITTEN NOTICE.

Endorsement Effective Date:
Agency Name:
Stat Number:

LSA-523d 09/2004   Page 1 of 1

Symetra Life Insurance Company
Life Commission Schedule Endorsement
Financial Institution
Individual Life Policies
Box checked indicates the products to be distributed through this agreement.
o Symetra Term Life
                              Commission Percentage
     10 Yr Level Term         [***]% of Annual Premium less policy fee
     15 Yr Level Term         [***]% of Annual Premium less policy fee
     20 Yr Level Term         [***]% of Annual Premium less policy fee
     30 Yr Level Term         [***]% of Annual Premium less policy fee
o Symetra Accelerated Universal Life
     Age      Commission Percentage on Annual Premium      Life Expense Allowance (if applicable)      Total Payout
     First Year
     0-80     [***]% premium up to 1st Annual Target       [***]% of Commission                        [***]% up to Target
     0-80     [***]% on Premium over Target                [***]% of Commission                        [***]% of Premium over Target
     Renewal
     0-80     [***]% of Premium                            [***]% of Commission                        [***]% of Premium
     Service Fee Period                   Percentage of Premium
     7th & subsequent policy years        [***]%                                    n/a                [***]%
     Life Expense Allowance (if applicable): Paid on Accelerated UL first year and renewal commissions. Over-ride is equal to [***]% of the base commission.
     Term Riders on Accelerated Universal Life — First Year & Renewal Commissions
     2nd through 6th policy years         Same Rate as Base Policy

     SUPPLEMENTAL BENEFITS            Available With                              Commission
     Accidental Death Benefit         Term Life, Accelerated Universal Life       Same First-Year Rate as Base Policy
     Waiver of Premium                Term Life, Accelerated Universal Life       Same First-Year Rate as Base Policy
     Insured Children’s Benefit       Term Life, Accelerated Universal Life       50% of premium
Not all products are filed in all states. Contact your local SYMETRA office for further information.
THIS ENDORSEMENT MAY BE MODIFIED OR CANCELED BY THE COMPANY AT ANY TIME BY PROVIDING WRITTEN NOTICE.
Agency is responsible for ensuring that no business is solicited by any representative until that representative is authorized and appointed to represent Company.

LSA-652_JPM 09/2006   Page 1 of 1

Symetra Life Insurance Company
Simplified Issue Life Insurance Commission Schedule Endorsement
Financial Institutions
Basic First-Year Commissions
     TERM POLICIES AND RIDERS
     Simplified Issue
     SYMETRA TERM LIFE INSURANCE
     10-Year and 20-Year Level Term               [***]% of Annual premium less policy fees
     SUPPLEMENTAL BENEFITS
     Accidental Death, and Waiver of Premium      Same First-Year Rate as Base Policy
     Insured Children’s Benefit                   [***]%
Basic Renewal Commissions 2nd through 4th Policy Year
     TERM POLICIES
     2nd policy year                 [***]%
     3rd policy year                 [***]%
     4th policy year                 [***]%
     5th and later policy years      [***]%
Not all products are filed in all states. Contact your local Symetra office for further information.
THIS ENDORSEMENT MAY BE MODIFIED OR CANCELED BY THE COMPANY AT ANY TIME BY PROVIDING WRITTEN NOTICE.
Agency is responsible for ensuring that no business is solicited by any representative until that representative is authorized and appointed to represent Company.

LSA-649 05/2006   Page 1 of 1

Symetra Life Insurance Company
Annualized Commissions Endorsement
For Financial Institutions
Individual Life Policies
Obligation
1.   Agency agrees to pay Company, on demand, the amount of any advances, if applicable, hereunder then remaining unearned by Agency and/or any sub-Agency supervised by Agency.
 
2.   As security for repayment, Agency grants Company a security interest in each of the following (hereafter collectively referred to as the “collateral”):
  a.   rights to all future commissions due from Company and proceeds from the sale or other disposition of the commissions.
    Agency authorizes Company, at any time it deems itself insecure, to receive and retain all such collateral until the advances have been repaid.
 
3.   Upon termination of Agency Agreement, the commuted value of all future Life and Health commissions, as determined by Company, may at the discretion of Company, be applied to offset advances owed by Agency and/or any sub-Agency supervised by Agency. Upon receiving written notice from Company that such action has been taken, Agency will immediately pay Company the balance of advances remaining unearned by Agency and/or any sub-Agency supervised by Agency.
Exclusions
The following Individual Life policies are not eligible for annualized commission advances:
1.   Symetra’s Flexible Premium Variable Life policies.
 
2.   Other policies as the Company may designate.
Payment Schedule
Payment
Subject to Company requirements and the requirements of this endorsement, a portion of certain basic first-year commissions may be paid in advance of the date of receipt of premiums on which they are to be computed.
Calculations
1.   The following schedule shall apply in computing the amount of basic first-year commission (including any applicable advances) to be paid for eligible policies:
     Mode of Payment of First-Year Premium                                    Basic First-Year Commission (Including Advances) To Be Paid
     Semi-Annual                                                              [***] Commission on Minimum Semi-Annual Premium
     Quarterly                                                                [***] Commission on Minimum Quarterly Premium
     List Bill, Lifeco-Matic, Payroll Deduction, EFT, Credit Card & Direct    [***] Commission on Minimum Monthly Premium
 
2.   If applicable, the Company will advance the lesser of the amount annualized according to the mode of payment listed above, or $5,000 of basic first-year commission per eligible policy.
THIS ENDORSEMENT MAY BE MODIFIED OR CANCELED BY THE COMPANY OR AGENCY AT ANY TIME BY PROVIDING WRITTEN NOTICE.
The provisions of this endorsement supersede any provisions of prior LSA-114 and LSA-289 endorsements.
Agency is responsible for ensuring that no business is solicited by any representatives until that representative is authorized to represent the Company and this endorsement is in effect.

Endorsement Effective Date:
Agency Name:
Stat Number:

LSA-538_JPM 09/2006   Page 1 of 1

SCHEDULE F
Service Level Guidelines
CIA Insurance Agency (CIA)
Sec. 1. Sales Distribution Requirements:
  1.   Provide details for website capabilities for operational and agent use.
 
  2.   Sales ideas and design shall be approved by CISC Distribution and CIA Compliance.
 
  3.   Carrier must allow CIA to perform due diligence on the operational processes of the carrier.
Sec. 2. Licensing Requirements
  1.   Identify process and timeline for agent appointments
 
  2.   Provide details regarding capabilities of on-line access to agent appointments and background checks
 
  3.   Provide capabilities regarding licensing status website for CIA use
 
  4.   Explain current availability of continuing education support on-line
 
  5.   Carrier must accept common agent appointment form
 
  6.   Carrier will accept a data feed to appoint, renew appointments and effect license expiration updates without copies of licenses (CIA will maintain a copy of each agent’s license or a copy from NIPR Producer Data Base and provide them for audit purposes).
Sec. 3. Operational Service Support and Paperwork Requirements
  1.   Provide details of new business processing timeline and standards
 
  2.   Carrier must utilize the common Good Order Requirements of CIA.
 
  3.   Carrier must accept daily transmission of electronic image paperwork through FTP protocol as original documents (only original transfer documents will be provided).
 
  4.   Carrier must comply with CIA disclosure language and Regulation H requirements by re-printing or modifying materials.
 
  5.   Carrier must adhere to processing good order new business standards of [***]% within [***] and [***]% within [***]. Hourly standards shall be measured during Business Days.
 
  6.   Carrier must adhere to good order in-force service request standards (including agent of record changes) of [***]% within [***] and [***]% within [***]. Hourly standards shall be measured during Business Days.
 
  7.   Carrier must send out any good order cash disbursement within 5 Business Days of receipt.
 
  8.   Carrier must provide dedicated call center sales support during acceptable and agreed upon business hours with [***]% of calls answered within [***] and [***]% of calls answered.
 
  9.   Carrier must provide dedicated customer call center during acceptable and agreed upon business hours with [***]% of calls answered within [***] and [***]% of calls answered.
 
  10.   Carrier must provide a dedicated Operational Relationship Manager for day-to-day issues and resolution.
 
  11.   Carrier NIGO items must be communicated within [***] of identification via approved communication method and schedule.
Sec. 4. Premium Collection:
  1.   Carrier must maintain and own reconcilement of a Chase commercial Direct Deposit Account for premium collection in each of our footprint states
 
  2.   Carrier must support settlement date requirements within CISC and CIA processing standards.

Schedule F 09/2006   1

Sec. 5. Requirement for Commission Payments
Carrier to pay up-front commissions and must provide a sample commission statement
Sec. 6. Technology Requirements
  1.   Carrier must provide details on capability relating to data sharing
    Internet
 
    Remote dial-in
 
    Direct company interface
  2.   Carrier must provide an Internet capability to be available to customers with account information and transaction history
 
  3.   Carrier to provide description of data interface capabilities to receive transaction data
    ACORD standard imports
 
    NAVA/NBfA standard imports
 
    Other
  4.   Carrier must provide an Internet capability for CIA sales support inquiries. The website must provide customer level account information, including rate, balance, titling and transaction history
 
  5.   Carriers must accept daily transmission of electronic image paperwork through FTP protocol
 
  6.   Carrier must deliver transaction and account detail information on a daily basis in either the standard NSCC formats or CIA proprietary format as agreed upon by technology support staff
 
  7.   All data transmissions must be in production status by the first day that products are available within the Chase distribution channel
 
  8.   Carrier must comply with Chase vendor management guidelines as set forth in the JPMorgan Chase & Co. IT Risk Management Policy for Outside Service Providers (“Risk Management Policy”) and JPMorgan Chase & Co.’s Consolidated IT Risk Management Requirements for Outside Service Providers (“Risk Management Requirements”) attached hereto and as may be amended by Chase from time to time, evidenced by completion of any applicable bank questionnaire and/or due diligence process. The vendor management requirements have been developed by Chase in order to protect information about its Customers and are security measures and industry best practices aimed at safeguarding such Customer information.

Schedule F 09/2006   2

(JPMORGANCHASE LOGO)   IT Risk Management
JPMorgan Chase & Co.
IT Risk Management Policy for Outside Service Providers
Last Revised: August 2, 2005
Version: 1.1
©JPMorgan Chase & Co. 2005. All Rights Reserved.

Information Protection Policy
Information resources must be protected in accordance with all applicable laws and regulations, and in accordance with their value to JPMorgan Chase & Co (“JPMC” or “the firm”).
Protocols must be established, applied, and maintained, that prevent the unauthorized disclosure, modification, or disruption of personal, sensitive, critical, or otherwise privileged information, and that detect and respond to potential information security breaches. The confidentiality, integrity, and availability of personal, sensitive, critical, or otherwise privileged information must be ensured in accordance with this Policy, JPMC’s stated business objectives, the JPMC Consolidated IT Risk Management Requirements for OSPs (the “Consolidated OSP Requirements”), and applicable laws and regulations.
Any and all security features, mechanisms, and controls used to protect information resources must comply with this Policy and the Consolidated OSP Requirements. All use of open source software must be in accordance with requirements and processes set forth by the Open Source Review Board.
Exceptions to these policies and the Consolidated OSP Requirements must be sought and approved in writing from JPMC through JPMC’s designated processes.
1.0   User Related Information Security Policies
 
    The term “User” is defined as a person or individual who has received authorization to access and use specific JPMC information/data.
  1.1   Privacy and Monitoring
    In the ordinary course of business, JPMorgan Chase may monitor or examine, in accordance with applicable laws and regulations, any User’s usage of JPMC’S information resources at any time, for any reason, and without prior notice.
 
    Users, other than customers, should have no expectation of privacy in using any of JPMorgan Chase’s information resources, subject to applicable laws and regulations. By using JPMorgan Chase’s information resources, Users knowingly consent to their usage being monitored and examined, and acknowledge JPMorgan Chase’s right to conduct such monitoring, including, but not limited to, retrieving, reading, inspecting, and disclosing any information therein.
  1.2   User Responsibilities and Conduct
    All Users are expected to exercise reasonable precautions to protect JPMorgan Chase’s information resources.
 
    Users are expected to use information resources for authorized purposes only in accordance with the JPMC IT Risk Management Technology Usage Policy, Inappropriate Uses of Information Resources, and the Consolidated OSP Requirements.
 
    Certain references in the Technology Usage Policy are to JPMC internal documents, and, for purposes of the OSP complying with that policy, those references must be interpreted as follows: (a) the “IT Risk Management Policy” means this document; (b) “Code of Conduct” means OSP’s own employee handbook, code and rules, which must be consistent with this document, the Consolidated OSP Requirements and applicable laws, regulations, and governmental policies; (c) “Inappropriate Uses of Information Resources” means the document provided by JPMC and the Technology Usage Policy; (d) “Information and Contracting Standard” means OSP’s own standards for acquiring information and technology for use by OSP for JPMC and its other customers and business partners software, which standards must be commercially reasonable and designed to protect JPMC information and rights; (e) “Cryptographic Standard” means Section 1.3 of the Consolidated OSP Requirements; and (f) “Media Retention and Destruction Standard” means Section 5.4 of the Consolidated OSP Requirements.
  1.3   Outsourced Business Activities Documentation
    The OSP’s use of any subcontractors must be documented and approved by JPMC. The OSP must conduct due diligence examinations of its subcontractors to ensure compliance with this Policy and with the Consolidated OSP Requirements.
  1.4   External Access for OSPs
    All access to the JPMorgan Chase network must terminate in a perimeter Third Party Security Domain. Access forwarded beyond this Security Domain must conform to, adhere to, and remain in accordance with the appropriate controls and requirements defined in the Network Perimeter Security Standard.
 
    Individual users and systems affiliated with OSPs must be authorized by JPMorgan Chase to access JPMorgan Chase information resources.
 
    OSP personnel who have been granted access to JPMorgan Chase information resources must have an ID and an identity in the corporate directory.
2.0   Asset Control Policies
  2.1   Information Classification
    Information security classifications and detailed criteria for their application, including upgrading, downgrading and removal, must be established to protect against unauthorized disclosure and/or modification of information resources.
 
    Information security classifications and their criteria for application must meet or exceed requirements or stipulations set forth in applicable laws, regulations, and governmental policies, and must also comply with relevant JPMC policies and the Consolidated OSP Requirements.
 
  2.2   Asset Management
    Tangible information resources must be accounted for using accepted methods and practices of inventory control.
 
    Inventory control methods and practices employed must comply with relevant corporate policies, including but not limited to, Section 1.2 of the Consolidated OSP Requirements.
3.0   Personnel Security Policies
  3.1   Separation of Duties for Security-Related Functions
    No individual shall be allowed to amass, retain or be granted sufficient security-related information, responsibilities, oversight, knowledge, functionality or access to enable or allow the successful commission of fraudulent, criminal, or otherwise unauthorized functions by that person acting alone.
 
    Methods and practices employed must comply with Section 5.2 of the Consolidated OSP Requirements.
4.0   Security Awareness Policies
    Information security awareness programs shall be developed to ensure that all Users are provided relevant and timely guidance and awareness information.
 
    Information security awareness programs shall be presented to all Users, as described above, on a reasonable and timely basis as information security policies, standards, procedures, system build or compliance measurement documents, requirements, or other criteria change, or as applicable laws, regulations or corporate policies dictate.
  4.1   Security Acknowledgement Banners
    To prevent inappropriate usage and unauthorized access of any JPMorgan Chase restricted-use system, the User logon routine must include the appearance of an on-screen notification message that requires explicit action on the part of the User prior to being granted access to the system.
 
    The notification message must inform the User that access to the system is restricted, and that taking the required explicit action to gain access constitutes an acknowledgement and acceptance of the terms of information resource usage expressed in relevant JPMC policies, the Consolidated OSP Requirements, and applicable laws and regulations.
 
5.0   Physical and Environmental Information Security Policy
 
    The physical security of JPMorgan Chase’s tangible information resources must be ensured to the degree possible by applying reasonable means of protection against physical dangers, including but not limited to unauthorized access, damage, or theft by Users and/or other persons.
 
    The environmental security of JPMorgan Chase’s tangible information resources must be ensured to the degree possible by applying reasonable means of protection against environmental dangers, including but not limited to the introduction of extreme humidity or dryness, static charges, dirt, dust, smoke, or other harmful pollutants or conditions into the resident environment.
 
    Physical and environmental protection measures must be developed, maintained, operated, and supported within parameters and according to standards established by JPMC, including in the Consolidated OSP Requirements, and applicable laws and regulations.
 
6.0   Systems Development and Maintenance Policies
  6.1   Systems Development and Support
    Systems, including infrastructure, business application and user-developed systems, must be developed, maintained, operated, and supported within a structured and documented process, including in compliance with JPMC stated business objectives, Section 4.2 of the Consolidated OSP Requirements, and applicable laws and regulations.
  6.2   Change Management
    All changes to systems, including infrastructure, business application and user-developed systems, as well as the introduction of infrastructure technology products, must be controlled through an approved lifecycle methodology consistent with industry best practices. The approved lifecycle methodology must ensure that processing environments are established and maintained using controls that are commensurate with the environment’s criticality, facilitate isolation of production processing environments from each other and from non-production environments, and require changes to controlled environments to be tested and approved.
 
    Change management controls, processes and procedures must be established, maintained and executed, including in accordance with JPMC stated business objectives, Section 5.3 of the Consolidated OSP Requirements, and applicable laws and regulations.
  6.3   Application Security
    Applications must be developed, maintained, operated, and supported within parameters and according to industry best practices, JPMC stated business objectives, the Consolidated OSP Requirements, and applicable laws and regulations.
 
    Application-related services, including but not limited to databases, web servers, and web services, must be implemented, maintained, operated, and supported within parameters and according to industry best practices, JPMC stated business objectives, the Consolidated OSP Requirements, and applicable laws and regulations.
 
7.0   Communications and Operations Management Policies
  7.1   Email and Instant Messaging
    Precautions and protocols must be established to secure and protect text-based information transmitted by email, instant messaging, and other electronic means, and to secure and protect other information resources, including but not limited to systems and hardware, used in the support, storage, transmittal, and/or appropriate destruction of that information.
 
    Any and all precautions and protocols established to protect, secure, transmit, store, or appropriately destroy electronic, text-based communications and to protect the tangible information resources used in support roles must be in accordance with industry best practices, JPMC stated business objectives, the Consolidated OSP Requirements, and applicable laws and regulations.
  7.2   Media Handling and Destruction
    Physical media that contains or formerly contained information belonging to JPMC must be handled, stored, and destroyed as needed or required in accordance with JPMC stated business objectives, Section 5.4 of the Consolidated OSP Requirements, and applicable laws and regulations.
 
    Only appropriately authorized personnel or Users shall use, handle, store, or destroy physical media that contains or formerly contained information belonging to JPMC.
  7.3   Protection Against Malicious Software
    The introduction and proliferation of malicious code must be defended against through an application or establishment of reasonable and accepted devices, software, protocols, or other means, and the continual maintenance and upkeep of those means.
 
    With regard to malicious code, any and all means employed to protect and secure JPMorgan Chase information resources must be established, applied, and/or utilized in accordance with JPMC stated business objectives, Sections 4.1, 4.2 and 5.6 of the Consolidated OSP Requirements, and applicable laws and regulations.
     
  7.4   Authorized Computer Equipment and Storage Media
    Only JPMC approved computer equipment or storage media, or that which is owned by third parties under contractual agreement with JPMorgan Chase, must be used to store, process or transmit non-public JPMorgan Chase information.
 
    All JPMC approved computer equipment or storage media, or that which is owned by third parties and used under contractual agreement with JPMorgan Chase, must be utilized in accordance with business objectives, IT Risk Management Policies and Standards, and applicable laws and regulations.
  7.5   Vulnerability Management
    Historical, existing, and emerging vulnerabilities within or external to networks, systems, and other information resources must be managed and/or monitored to ensure the on-going safety, security, and integrity of the systems and the information they contain and transmit.
 
    Any and all means of managing and monitoring identified vulnerabilities must be established, applied, and/or utilized in accordance with industry best practices, JPMC stated business objectives, Section 3.2 of the Consolidated OSP Requirements, and applicable laws and regulations.
  7.6   Security Event Management
    Security-related events that affect or threaten to affect JPMorgan Chase information resources must be categorized, logged, monitored, and retained in accordance with industry best practices, JPMC stated business objectives, Section 5.7 of the Consolidated OSP Requirements and applicable laws and regulations. Precautions and protocols must be established that ensure the availability and integrity of the monitoring logs.
  7.7   Incident Response Management
    An incident response capability must be established that ensures the effective identification, prioritization, escalation, and containment of and recovery from information security incidents.
 
    All activities established to respond to information security related incidents must be applied and/or utilized in accordance with industry best practices, JPMC stated business objectives, Section 5.7 of the Consolidated OSP Requirements, and applicable laws and regulations.
     
8.0   Access Control Policies
  8.1   General Access and Use
    External publication, distribution, or dissemination, in any medium, including via electronic media, of JPMorgan Chase-owned information requires prior approval from JPMC.
 
    Access to JPMorgan Chase’s information resources must be granted only to Users who are authorized in accordance with the Consolidated OSP Requirements and other JPMC documented standards and processes.
 
    Access to JPMorgan Chase information resources must be commensurate with and aligned to the User’s job function, role, and responsibilities.
 
    All access to and use of JPMorgan Chase information resources must be for authorized purposes only.
  8.2   User Access Management
    User access authorization protocols, processes, and procedures must be defined and documented, and must be established, implemented, and maintained in accordance with JPMC stated business objectives, Section 5.1 of the Consolidated OSP Requirements, and applicable laws and regulations.
 
    User access authorization protocols, processes, and procedures must be crafted to prevent unauthorized access to JPMorgan Chase information resources and to facilitate security incident detection and response.
  8.3   Network Security
    A Network Security capability must be established that ensures and maintains the confidentiality, integrity and availability of the JPMC information network with regard to or in the event of: changes to the network operating systems, applications, configuration, devices, management, or system architecture; component or system failure; inappropriate or unauthorized penetration or use; exploitation of vulnerabilities; theft; physical destruction; or other maintenance or security-related situations, threats, disruptions, or events.
 
    The Network Security capability must include appropriate deployment, monitoring, assessment, review, maintenance, testing, and approval processes to ensure continued protection of JPMC information resources.
 
    Network security processes and procedures must be defined and documented, and must be established, implemented and maintained in accordance with JPMC stated business objectives, Section 3.0 of the Consolidated OSP Requirements, and applicable laws and regulations.
     
  8.4   Operating System Security
    Computer operating systems that exist on or ancillary to any and all JPMC networks must be architecturally approved by JPMC.
 
    Computer operating systems must be documented, implemented, configured and maintained in accordance with JPMC stated business objectives, Section 2.1 of the Consolidated OSP Requirements, and applicable laws and regulations.
  8.5   Cryptographic Controls
    Cryptographic controls must be established to prevent unauthorized disclosure or modification of JPMC information resources.
 
    The application of cryptographic controls to information resources must be based on information classification and technology risk, as well as applicable laws and regulations.
 
    Cryptographic controls must be maintained and applied in accordance with Section 1.3 of the Consolidated OSP Requirements.
     
JPMorgan Chase & Co.’s Consolidated IT Risk Management
Requirements for Outside Service Providers
Last Revised: July 18, 2005
Version: 1.3
     
©JPMorgan Chase & Co. 2005. All Rights Reserved.
Content
INTRODUCTION   3
1.0   INFORMATION CLASSIFICATION AND PROTECTION   4
  1.1   Information Classification and Protection   4
  1.2   Asset Management   5
  1.3   Cryptography   5
2.0   INFRASTRUCTURE SERVICES STANDARDS   5
  2.1   Operating Systems   5
  2.2   Security Acknowledgement Banner   5
3.0   NETWORKING AND PERIMETER CONTROL   6
  3.1   General Network Security   6
  3.2   Vulnerability Assessment and Remediation   7
  3.3   Remote Access   7
  3.4   File Transfer   7
  3.5   Intrusion Protection/Detection, Monitoring   7
  3.6   Logging   8
  3.7   Firewall   9
  3.8   Router/Switch   9
  3.9   Backups   10
4.0   APPLICATION SECURITY STANDARDS   10
  4.1   Web Services   10
  4.2   Web and Client/Service Application Development   10
  4.3   Database Security   11
5.0   OPERATIONS SECURITY STANDARDS   11
  5.1   User Access Management   11
    5.1.1   User ID Management   11
    5.1.2   Password Controls   12
    5.1.3   Authentication Controls   12
  5.2   Separation of Duties for Security Related Functions   12
  5.3   Change Promotion   13
  5.4   Information and Media Retention and Destruction   13
  5.5   Physical and Environmental   13
  5.6   Malicious Code Prevention   14
  5.7   Security Event Management and Incident Response   15
6.0   EMAIL AND INSTANT MESSAGING   16
7.0   BUSINESS RESUMPTION   16
     
JPMorgan Chase & Co.’s Consolidated IT Risk Management Requirements for Outside Service Providers Version 1.2
Introduction
These consolidated requirements are intended to support and provide further detail on how Outside Service Providers (OSPs) must implement the requirements set forth in the JPMorgan Chase (JPMC) IT Risk Management (ITRM) Policy for OSPs. JPMorgan Chase may update these requirements from time to time to be consistent with its internal policies, standards and other requirements. In any event, an OSP is required to meet its obligations under applicable law and any agreements in effect between the OSP and JPMorgan Chase or any affiliate, which agreement may refer to the JPMorgan Chase IT Risk Management Policies for OSPs or these requirements.
These requirements are not intended to be comprehensive statements of how OSPs should implement the JPMorgan Chase IT Risk Management Policies for OSPs, comply with their contractual obligations to JPMorgan Chase and affiliates, or comply with applicable law. A material breach of these requirements and/or the JPMorgan Chase IT Risk Management Policies for OSPs is a material breach of the agreement(s) under which an OSP agrees to comply with JPMorgan Chase Policies and/or Standards. These requirements do not limit the scope of an audit by JPMorgan Chase, since compliance with these requirements will not necessarily be sufficient to protect JPMorgan Chase information resources. Nothing in these requirements or the JPMorgan Chase IT Risk Management Policies for OSPs shall create any rights in OSP or impose any liability on JPMorgan Chase or its affiliates by contract, reliance or otherwise. Any costs of compliance with these requirements and the JPMorgan Chase IT Risk Management Policies for OSPs will be paid by the OSP without additional charge under any agreement OSP may have with JPMorgan Chase or any affiliate.
These requirements support and facilitate compliance with relevant laws and regulations of the countries in which JPMorgan Chase conducts business. JPMC regional IRMs relying in part on and working with appropriate support from JPMC Information Technology (IT) Risk Management, JPMC Legal, JPMC Compliance, and JPMC Government Relations, are responsible for ensuring that additional controls, arising out of laws and regulations in their respective regions not covered by these control requirements, are identified and complied with. Where local laws and regulations require controls that are more restrictive than those identified in these requirements, those more restrictive control requirements must also be complied with. In the event of a conflict, the control requirements of this document overrule the local laws and regulations, unless the local laws and regulations are more restrictive.
     
Consolidated IT Risk Management Requirements for OSPs   Page 3 of 16
CONFIDENTIAL AND PROPRIETARY TO JPMORGAN CHASE & CO.
1.0   Information Classification and Protection
  1.1   Information Classification and Protection
Objective: Outside Service Provider (OSP) has appropriate disclosure risk categories that are assigned to systems, applications, or locations where JPMorgan Chase data is stored or processed.
  1.   Highly Confidential information is defined by JPMorgan Chase as: Information of high value or sensitivity that must be closely controlled and accounted for from creation to destruction.
 
  2.   Confidential information is defined as: Information that must be protected from unauthorized disclosure to internal and external individuals. Includes Non-public personal information and sensitive personal data as defined in any applicable laws or regulations.
 
  3.   Personal information must be classified as either Highly Confidential or Confidential information, and includes the following types of information:
    First name or initial and last name
 
    Physical address
 
    Email Address
 
    Telephone Number
 
    Client Contact Person Name
 
    Family Member Names
 
    National Identifier, including Social Security Number
 
    Tax file number
 
    Driver’s License number
 
    Passport number
 
    Account number
 
    Credit or debit card number
 
    User name or ID in combination with any required security code (including mother’s maiden name), access code, personal identification number, or password that would permit access to an individual’s financial account.
 
    Biometric information, such as fingerprints
 
    Photographs
  4.   JPMorgan Chase must approve the use of personal information in non-production environments, and such information must be secured using controls commensurate with those of the production environment.
 
  5.   Suppliers that perform work for JPMorgan Chase or have access to Confidential or Highly Confidential information, or apply for remote access to JPMorgan Chase’s network, are subject to security background checks, including drug testing and fingerprinting, where permitted by law. Results must be evaluated prior to work commencing.
 
  6.   An OSP must maintain appropriate staffing to support the control environment.
 
  7.   An OSP must not release JPMorgan Chase information to third parties without JPMorgan Chase approval and a legal agreement with the third party.
 
  8.   An OSP’s subcontractors, or other third parties, must comply with JPMorgan Chase Standards as the OSP is required to comply. An OSP’s subcontractors may be subject to JPMorgan Chase’s review at JPMorgan Chase’s discretion. The review may include evidence of financial, technical, and operational controls.
  1.2   Asset Management
Objective: Establish control requirements to ensure effective management of information and technology (IT) assets and to ensure that assets are accounted for.
  1.   Establish and maintain an inventory of information technology assets. The listing should include:
  a.   All applications, software, databases, network and network security infrastructure devices, access points, circuits and other hardware type assets.
 
  b.   All User IDs for Users of the systems.
 
  c.   Physical and logical locations.
 
  d.   Physical and logical diagrams.
  1.3   Cryptography
Objective: Cryptographic controls must be strong enough to protect the data prescribed, and must be deployed to assure the confidentiality, integrity and availability of JPMorgan Chase information.
  1.   All Highly Confidential and Confidential information must be encrypted, including authentication credentials, while in transit over any network or stored on any device.
 
  2.   A secure key management process must be employed and comply with local restrictions and regulations.
2.0   Infrastructure Services Standards
  2.1   Operating Systems
Objective: Ensure that the operating system(s) is logically protected from unauthorized access and transactions.
  1.   Global Security Settings or parameters must be documented as appropriate to each operating system in use. System standard builds must include these settings.
 
  2.   Operating systems should be updated to the latest security release.
  2.2   Security Acknowledgement Banner
Objective: Discourage inappropriate usage and unauthorized access to JPMorgan Chase related information by providing a basis for action against anyone disregarding the banner’s message.
  1.   OSP should provide a visual banner on workstations and internal networking devices to warn against unauthorized and inappropriate access. It must be displayed to Users prior to system login and remain on the screen until action is taken to acknowledge the message.
 
  2.   A similar security acknowledgement banner must be displayed to Users accessing publicly accessible interfaces that provide access to internal systems, including the remote access VPN.
     
3.0   Networking and Perimeter Control
  3.1   General Network Security
  A.   Objective: Ensure that network and security infrastructure are configured to prevent unauthorized access to the device(s), and are deployed in a manner which will not place JPMorgan Chase information or assets at risk.
 
  1.   OSP should have policies and standards that prevent unauthorized infrastructure devices from being added to their network without formal approval.
 
  2.   All network security monitoring devices, including network intrusion detection sensors, must be deployed in such a manner that a failure of a particular device does not cause an interruption to the monitoring functionality that the device provides.
 
  3.   Security gateways must fail “closed” such that no unauthorized traffic passes through the security gateway even if the security gateway cannot communicate with an associated management station.
 
  4.   Networks and control requirements for access between networks must be segregated to ensure appropriate authorized and controlled communications (e.g., create domain classifications).
 
  5.   Unused network interfaces and physical ports on network and security infrastructure devices must be disabled.
 
  6.   All network and security infrastructure devices must be configured to prevent unauthorized access (whether in-or out-of-band) to management, administrative, or monitoring functions.
 
  7.   A Quality Assurance process should be defined to minimize the risk of errors or unauthorized functionality being configured into security gateways.
 
  8.   All network and security infrastructure devices must have their internal clocks set accurately and be synchronized, directly or indirectly, to an official time source.
 
  9.   Network and security infrastructure devices must be configured with approved and authorized baselines.
 
  10.   All authentication, authorization, and audit services used to control and record access to network and security devices must be deployed such that a failure of a particular instance of the service does not cause an interruption to, or reduce the reliability of, authentication, authorization and audit functionality.
 
  B.   Objective: Prevent activation of unnecessary services.
 
  1.   The following services must be reviewed and considered for deactivation:
  a.   Simple Network Management Protocol (SNMP)
 
  b.   Domain Name Service (DNS)
 
  c.   Dynamic Host Configuration Protocol (DHCP)
 
  d.   Windows Internet Name Service (WINS)
 
  e.   Hypertext Transfer Protocol (HTTP)
 
  f.   File Transfer Protocol (FTP)
 
  g.   Simple Mail Transfer Protocol (SMTP)
 
  h.   Simple TCP/IP Services
 
  i.   Other services such as Gopher, Pop3, IMAP
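The following is an added example, not part of the JPMC document: a check that reads the listening-socket table of a Linux host (the output format of `ss -tulnpH`) and reports every socket bound to a port conventionally used by one of the services 3.1.B says must be reviewed for deactivation. The sample socket table is constructed, and the port-to-service mapping is an assumption about where those services usually listen; the report also notes whether a service is bound to loopback only or to all interfaces, since that changes how urgent the review is.

```python
"""Flag listening services that 3.1.B says must be reviewed for deactivation.

Added example, not part of the JPMC document: it parses the output format of
`ss -tulnpH` (Linux) and maps well-known ports to the services named in 3.1.B.
The sample output below is constructed; the port-to-service table is an
assumption about where those services usually listen."""
import re

# 3.1.B services -> ports they conventionally listen on (assumed; adjust per estate)
REVIEW_PORTS = {
    161: "SNMP", 53: "DNS", 67: "DHCP", 137: "WINS", 80: "HTTP", 21: "FTP",
    25: "SMTP", 7: "Simple TCP/IP Services (echo)", 9: "Simple TCP/IP Services (discard)",
    13: "Simple TCP/IP Services (daytime)", 19: "Simple TCP/IP Services (chargen)",
    70: "Gopher", 110: "POP3", 143: "IMAP",
}

# One socket per line: proto state recv-q send-q local peer [process]
SS_LINE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0 0   0.0.0.0:161   0.0.0.0:*   users:(("snmpd",pid=700,fd=7))
tcp   LISTEN 0 128 0.0.0.0:22    0.0.0.0:*   users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 128 0.0.0.0:80    0.0.0.0:*   users:(("nginx",pid=901,fd=6))
tcp   LISTEN 0 100 127.0.0.1:25  0.0.0.0:*   users:(("master",pid=955,fd=13))
tcp   LISTEN 0 32  0.0.0.0:21    0.0.0.0:*   users:(("vsftpd",pid=988,fd=4))
tcp   LISTEN 0 128 [::]:143      [::]:*      users:(("dovecot",pid=1020,fd=21))
"""

def parse_sockets(text):
    """Yield (proto, local_address, port, process) for each listening socket."""
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue
        local = m.group("local")
        port = int(local.rsplit(":", 1)[1])
        yield m.group("proto"), local, port, m.group("proc") or "?"

def services_to_review(text):
    """Return findings for sockets on 3.1.B ports, sorted by port.
    Each finding: (port, service, proto, local_address, process, exposure)."""
    findings = []
    for proto, local, port, proc in parse_sockets(text):
        if port not in REVIEW_PORTS:
            continue
        host = local.rsplit(":", 1)[0]
        exposure = "loopback only" if host in ("127.0.0.1", "[::1]") else "all interfaces"
        findings.append((port, REVIEW_PORTS[port], proto, local, proc, exposure))
    return sorted(findings)

if __name__ == "__main__":
    for finding in services_to_review(SAMPLE_SS_OUTPUT):
        print("port %d %-8s %s %-14s %-8s %s" % finding)
```

On a real host, feed it the output of `ss -tulnpH` instead of the constructed table; a finding is a prompt for the review 3.1.B requires, not proof that the service is unnecessary (the mail daemon bound to loopback in the sample may well be needed).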
     
  3.2   Vulnerability Assessment and Remediation
Objective: All network and telecommunication connections must be identified and regularly assessed for vulnerabilities.
  1.   All devices attached to the network, including network and security infrastructure devices and telecommunication connections must be assessed.
 
  2.   The frequency of assessment must be determined by:
  a.   The security domain in which an application or device is deployed.
 
  b.   The business criticality of the data being processed.
 
  c.   The information sensitivity classification of the data being processed.
  3.   The minimum frequency of assessment for devices conducting JPMorgan Chase business is 90 days.
  3.3   Remote Access
Objective: Ensure that remote access Users use an authorized and approved solution for remote access.
  1.   Remote access through the use of two factor authentication is required for data classified as Confidential or Highly Confidential.
 
  2.   All remote access Users and devices must be appropriately authorized and authenticated using an approved two-factor authentication mechanism to reliably establish a User’s identity, and to ensure full accountability for all actions performed under that identity.
 
  3.   All remote access via a shared network must be encrypted.
  3.4   File Transfer
Objective: Ensure that file transfer solutions are capable of terminating, validating, and verifying the integrity of the data.
  1.   File transfer devices that send or receive data directly with third parties must terminate communications before passing the file along to other internal devices.
 
  2.   File transfer solutions must be capable of encrypting communications, both data and command.
 
  3.   File transfer solutions must provide confirmation of delivery at the final destination.
  3.5   Intrusion Protection/Detection, Monitoring
Objective: Ensure that all network and security infrastructure devices are monitored to verify compliance with approved baselines, and that event-monitoring is near real time in frequency.
  1.   Intrusion Detection/Protection (IDS) devices should be placed at all entry and exit points of the security gateways.
 
  2.   Network IDS devices must have visibility of all traffic within the security domain.
 
  3.   Compliance monitoring tools must be actively running on or against the device or appliance to inspect the configuration of the operating system.
 
  4.   All network devices must be running or subjected to an event-monitoring solution.
     
  3.6   Logging
  A.   Objective: A log or audit trail of all management activity, including configuration changes, must be maintained. Logs of successful and unsuccessful connection attempts must be available.
 
  1.   Audit trails must be reviewed and all exceptions investigated in accordance with Service Level Agreements.
 
  2.   Audit trails must be preserved at least 90 days.
 
  3.   Audit trails must be retrievable for a period of at least one year.
 
  4.   All infrastructure devices must perform extensive logging and send the details to a central log collection solution.
 
  5.   Logging should not be interrupted due to a single point of failure.
 
  B.   Objective: Identify and respond to suspicious connection activity.
 
  1.   Event alerts must be sent to a central console for review and subsequent response.
 
  2.   Firewall logging must be at each tier and be protected from unauthorized access, modification, destruction and activation/deactivation.
 
  3.   Audit logs must be generated to account for the following events: all User logins, Admin logins via privilege management applications such as “su” and “sudo”, Policy and configuration changes, and User account creation and deletion.
 
  4.   Firewall policy logs must capture: Source and destination ports and IP addresses, Date and Time (including timezone), Session termination, Action — permitted or denied, ID of firewall enforcement device, firewall interface, reference to a specific firewall policy or rule responsible for the action.
 
  C.   Objective: Ensure that configurable systems log all significant security related events.
 
  1.   Network devices (e.g., routers and switches) must be configured with logging and auditing features.
 
  2.   Auditing must be enabled for network, system, and connection sessions.
 
  3.   Network protocol traffic activities, User system activity, system management, and security management activities should be logged.
 
  4.   Logs must be reviewed in a periodic and timely manner.
 
  5.   Logs must be protected from unauthorized access, modification, destruction and activation/deactivation.
 
  6.   System storage structures, creation, alteration, and deletion of any database must be audited.
 
  D.   Objective: Log entries must provide sufficient information to facilitate investigation and potential prosecution or civil remedy pursuant to security breaches.
 
  1.   The following must be audited:
  a.   Enabling and disabling of audit functionality.
  b.   Any updates and deletion of audit information.
  2.   Minimum information to be included in audit trails:
  a.   The User ID associated with the audit record.
 
  b.   The change that was made, including the command that was issued.
 
  c.   A timestamp (including date and time zone) of when the command was issued.
 
  d.   Whether the command was successfully executed or not.
     
  3.   Minimum information to be included in infrastructure device logs:
  a.   Details about the destination device/service that is being accessed.
 
  b.   Details about the source device that initiated the connection.
 
  c.   Authentication/authorization details if applicable.
 
  d.   Timestamp.
  4.   Timestamps must be configured to show time zone and milliseconds to permit the most accurate time stamp to be generated.
 
  5.   Audit trails must not be stored solely on the device that created the records.
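The following is an added example, not part of the JPMC document, showing how the logging minimums of this section can be checked mechanically at the central collector: 3.6 B.4 (the fields a firewall policy log must capture), 3.6 D.2 (the minimum content of an audit trail) and 3.6 D.4 (timestamps must carry a time zone and milliseconds). The key=value record syntax, the field names and the sample records are assumptions and constructed data; the lists of required fields follow the section text.

```python
"""Check constructed firewall and audit-trail records against the 3.6 logging minimums.

Added example, not part of the JPMC document. The key=value record syntax and the
field names are assumptions; which fields are required comes from 3.6 B.4
(firewall policy logs), 3.6 D.2 (audit trails) and 3.6 D.4 (timestamps must carry
time zone and milliseconds)."""
import re
from datetime import datetime

FIREWALL_REQUIRED = {"ts", "src_ip", "src_port", "dst_ip", "dst_port", "session",
                     "action", "device_id", "iface", "rule_id"}          # 3.6 B.4
AUDIT_REQUIRED = {"user", "command", "ts", "result"}                      # 3.6 D.2

# 3.6 D.4: ISO 8601 with milliseconds and an explicit zone, e.g. 2005-07-18T14:03:21.417-04:00
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}(?:Z|[+-]\d{2}:\d{2})$")

FIREWALL_SAMPLE = [  # constructed records
    'ts=2005-07-18T14:03:21.417-04:00 device_id=fw-dmz-01 iface=eth1 src_ip=203.0.113.7 '
    'src_port=51522 dst_ip=10.1.2.3 dst_port=443 action=permit session=open rule_id=web-in-12',
    # no milliseconds and no rule reference: both are 3.6 violations
    'ts=2005-07-18T14:03:22-04:00 device_id=fw-dmz-01 iface=eth1 src_ip=203.0.113.7 '
    'src_port=51523 dst_ip=10.1.2.3 dst_port=22 action=deny session=close',
]
AUDIT_SAMPLE = [  # constructed records
    'ts=2005-07-18T14:05:00.002Z user=jdoe command="sudo vi /etc/ssh/sshd_config" result=success',
    'ts=2005-07-18T14:05:03.010Z user=jdoe command="auditctl -e 0"',   # outcome not recorded
]

def parse_kv(line):
    """Parse key=value pairs; a value may be double-quoted so it can contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def timestamp_ok(ts):
    """True only if the stamp has millisecond precision, a zone designator, and parses."""
    if not TS_RE.match(ts):
        return False
    try:
        datetime.fromisoformat(ts.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False

def check_record(line, required):
    """Return the deficiencies of one record; an empty list means it meets the minimum."""
    rec = parse_kv(line)
    problems = ["missing " + f for f in sorted(required - set(rec))]
    if "ts" in rec and not timestamp_ok(rec["ts"]):
        problems.append("timestamp lacks time zone or milliseconds")
    if "action" in rec and rec["action"] not in ("permit", "deny"):
        problems.append("action must be permit or deny")
    return problems

def audit(lines, required):
    """Map record index -> deficiencies for every non-compliant record in a batch."""
    report = {}
    for i, line in enumerate(lines):
        problems = check_record(line, required)
        if problems:
            report[i] = problems
    return report

if __name__ == "__main__":
    print("firewall:", audit(FIREWALL_SAMPLE, FIREWALL_REQUIRED))
    print("audit trail:", audit(AUDIT_SAMPLE, AUDIT_REQUIRED))
```

Run against a day's worth of collected records, a non-empty report is the evidence the recertification review under 3.7 item 5 and the log review under 3.6 C.4 would ask for; a record with a zone-less timestamp, in particular, cannot be ordered reliably against records from devices in other regions.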
  3.7   Firewall
Objective: Protect corporate assets and customer data by standardizing on a proven firewall technology that is scalable, stateful, application-aware, and provides packet-filtering performance.
  1.   Firewall strategies must be multi-tiered, with well-defined functionality for logging, management, and enforcement in each respective layer.
 
  2.   Firewalls must be capable of stateful packet inspection of OSI layers 3 (Network) and 4 (Transport).
 
  3.   A resilient firewall infrastructure solution must be used to reduce or eliminate network and operational downtime due to a single point of failure.
 
  4.   Firewalls must:
  a.   be protected from unnecessary access;
 
  b.   be set to “deny all” access unless specifically allowed; and
 
  c.   not provide for any unnecessary functions or services.
  5.   Firewall rule sets and configurations must be recertified on a regular basis.
 
  6.   Firewall rule sets and strategy should be documented to facilitate recertification and allow consistent enforcement of rules.
 
  7.   Administration of firewall devices, policy, and configuration changes should be limited to authorized Users and based on necessary job responsibilities.
  3.8   Router/Switch
  A.   Objective: Ensure the protection of network router devices by controlling their access.
 
  1.   Access to routers/switches must be controlled from both a physical and network perspective.
 
  2.   Roles and responsibilities of Users accessing network devices must be clearly defined. Appropriate permissions must be granted for logging into devices.
 
  3.   Production routers/switches must be in secure facilities and communications rooms.
 
  B.   Objective: Provide strong authentication and non-repudiation for Users logging into routers/switches.
 
  1.   All Users that are involved with router maintenance must have individual User IDs.
 
  2.   Users must be centrally authenticated.
 
  C.   Objective: Provide a secure infrastructure for management servers, to minimize the threat of unauthorized access to network devices.
     
  1.   A separate network should be created for managing network devices.
 
  2.   All management traffic must pass through a firewall which has filtering and logging enabled.
 
  3.   Configuration baselines and procedures must be established and documented to verify and certify devices before placement into production environments.
 
  4.   Network device configuration files must be regularly reviewed to ensure compliance with security Standards, thereby minimizing risk of unauthorized access.
 
  5.   All routers and switch rule sets must be reviewed once every quarter.
  3.9   Backups
Objective: Ensure that information to be archived is moved to an off-premises location.
  1.   Backup data must be treated as the original data and have the same reading/copying rights and data protection.
4.0   Application Security Standards
  4.1   Web Services
  A.   Objective: Prevent unauthorized access to Web Services.
 
  1.   All inbound communications to devices must be restricted to the assigned public IP address of the application.
 
  2.   Services with source address restrictions must not run on the same server as a device that has services open to the Internet.
 
  3.   All external and network traffic originating from any given security domain (or tier) must terminate in the next security domain (or tier) before being passed on.
 
  B.   Objective: Ensure that where authentication is required it is performed in an internal device.
 
  1.   Where no authentication is required, an application must ensure that User sessions are contained within a given security domain.
 
  2.   Generic proxy usage that forwards traffic beyond the internal network must not be used.
 
  3.   Payload must be scanned for malicious code prior to relaying the file into the network.
  4.2   Web and Client/Service Application Development
Objective: Ensure that application development procedures include appropriate controls to prevent malicious code and unauthorized access.
  1.   All client-side data should be inspected (data type, size, and composition), including URL parameters, cookies, and hidden fields, before being passed to command shells, interpreters, or external programs.
 
  2.   Scripts must ensure that buffer overflow conditions cannot be exploited.
     
  3.   Personal information (such as account number, National or social security number, birth date) should not be fully displayed on a screen.
 
  4.   Penetration testing should be performed annually for all Internet facing applications.
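The following is an added example, not part of the JPMC document, illustrating item 1 above: a URL parameter that reaches a command shell, first spliced into a shell string as-is, then with the type, size and composition checks applied and the value passed as its own argument without a shell. The "host lookup" feature, its parameter and the use of `echo` in place of the real lookup tool (so the example runs offline) are assumptions.

```python
"""Inspecting client-supplied data before it reaches a command shell (4.2 item 1).

Added example, not part of the JPMC document. The "host lookup" feature, its
parameter and the use of `echo` as a stand-in for the real lookup tool (so the
example runs offline) are assumptions."""
import re
import subprocess

# Composition rule for the one parameter this feature accepts: DNS hostname labels only,
# so a value can never start with '-' (no option injection) or carry shell metacharacters.
HOSTNAME_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
MAX_HOSTNAME = 253

def lookup_vulnerable(host):
    """Before: the raw URL parameter is spliced into a shell command line.
    host='example.com; echo INJECTED' makes the shell run a second command."""
    out = subprocess.run("echo lookup " + host, shell=True,
                         capture_output=True, text=True, check=True)
    return out.stdout

def validate_hostname(value):
    """Type, size and composition checks; anything unexpected is rejected, not escaped."""
    if not isinstance(value, str):
        raise TypeError("hostname must be a string")
    if len(value) > MAX_HOSTNAME:
        raise ValueError("hostname longer than %d characters" % MAX_HOSTNAME)
    if not HOSTNAME_RE.match(value):
        raise ValueError("hostname may contain only letters, digits, '-' and '.'")
    return value

def is_valid_hostname(value):
    """Boolean form of validate_hostname for callers that prefer not to catch exceptions."""
    try:
        validate_hostname(value)
        return True
    except (TypeError, ValueError):
        return False

def lookup_hardened(host):
    """After: the validated value is one argv element; no shell ever parses it."""
    host = validate_hostname(host)
    out = subprocess.run(["echo", "lookup", host],
                         capture_output=True, text=True, check=True)
    return out.stdout

if __name__ == "__main__":
    tainted = "example.com; echo INJECTED"
    print("vulnerable:", repr(lookup_vulnerable(tainted)))   # second command ran
    print("hardened:  ", repr(lookup_hardened("example.com")))
    print("rejected:  ", not is_valid_hostname(tainted))
```

The two changes are independent and both are needed: the argv list alone still lets a value such as `-V` be read as an option by the invoked program, and the allow-list alone still leaves the shell in the path for the next developer who relaxes the pattern.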
  4.3   Database Security
Objective: Ensure that no one person with information security-related responsibilities can obtain control of information resources, such that the one person could successfully commit fraudulent or otherwise unauthorized functions without collusion with others.
  1.   Databases must have a set of logical roles to perform key responsibilities.
 
  2.   Network services to databases must be protected using authentication controls.
 
  3.   Database products must maintain transactional integrity of the database objects.
 
  4.   Maintain logical separation between JPMorgan Chase information and any other customer’s information.
5.0   Operations Security Standards
  5.1   User Access Management
Objective: Prevent unauthorized access by implementing controls to authenticate all Users to JPMorgan Chase systems prior to gaining access.
  5.1.1   User ID Management
 
  1.   User Access procedures must be documented that identify User roles and their privileges, how access is granted, changed and terminated, and logging/monitoring requirements and mechanisms.
 
  2.   User access should be recertified at least annually.
 
  3.   An OSP must assign unique User-IDs to each person with access to JPMorgan Chase environments.
 
  4.   User IDs should be documented such that incidents can be traced to a specific individual.
 
  5.   Once a User ID is assigned to a User, the User ID may not be reassigned.
 
  6.   User IDs must be disabled after 90 days of logon inactivity.
 
  7.   User IDs must be purged after 180 days of logon inactivity.
 
  8.   User IDs supplied with externally procured software should be changed, documented, and controlled.
 
  9.   “Least privilege” access rights should be deployed.
 
  10.   A maximum login period should be established which disconnects remote Users upon expiration.
 
  11.   Administrator accounts should be renamed (or disabled), and responsibilities assigned to individual IDs.
 
  12.   Access provisioning processes should require proper signoff, employ appropriate segregation of duties, and be documented.
     
  5.1.2   Password Controls
 
  1.   Passwords should incorporate the following characteristics:
  a.   Be at least 8 characters for single factor authentication systems, or be at least 4 characters for both factors in two-factor authentication systems.
 
  b.   Not be easily guessed words or be the same initial password assigned to multiple IDs.
 
  c.   Not be the User’s name or their User ID.
 
  d.   Not be a National Identifier or United States Social Security Number.
 
  e.   Not be the User’s date of birth, telephone number, mother’s maiden name, etc.
 
  f.   Be alphanumeric; not contain all letters or all numbers.
  2.   Password confirmation or resets must force re-authentication upon the first logon.
 
  3.   Application accounts that cannot be required to expire passwords must be documented.
 
  5.1.3   Authentication Controls
 
  1.   Error messaging must not reveal authentication information back to a User, a server name, or addressing information.
 
  2.   Logon credentials must not display on screen.
 
  3.   Logon credentials must validate only upon completion of all logon credentials.
 
  4.   All logon attempts must be limited to a maximum of five (5).
 
  5.   A single User ID must not be permitted to logon to a system or application from more than one physical location at a time, unless the operating platform (for example, the Internet) does not support this control or concurrent logon is specifically authorized based on documented business need.
 
  6.   Authentication credentials that are stored to facilitate a secure logon process must be protected from unauthorized access.
 
  7.   Managers should validate user access at least every 90 days.
 
  8.   Users must change their authentication credentials at least once every 90-day period.
 
  9.   Changed authentication credentials must not be the same as any of the previous five authentication credentials that were used.
 
  10.   All developer access must follow the same controls and standards as any others who are granted access.
 
  11.   Workstations and User accounts should invoke validation of the User credentials when inactive for longer than 15 minutes.
 
  12.   Authentication reset procedures must be documented and implemented.
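As an added example (not JPMC's or Symetra's code), the following enforces the controls of 5.1.1 items 6 and 7, 5.1.2 item 1 and 5.1.3 items 3, 4, 8 and 9 in one place, so the interactions are visible: a candidate password is checked against the composition rules and the five-credential history, a logon is refused after five failures, and an account is disabled after 90 days of inactivity and flagged for purge after 180. The `User` record layout, PBKDF2 hashing, and the Social Security Number, date-of-birth and telephone patterns are assumptions made for illustration.

```python
"""Added example (not JPMC's code): password and logon controls from 5.1.1, 5.1.2
and 5.1.3. The User record, PBKDF2 parameters and the SSN/DOB/phone patterns are
assumptions for illustration; a real system would use its own credential store."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LEN_SINGLE_FACTOR = 8   # 5.1.2 1(a): single-factor systems
HISTORY_DEPTH = 5           # 5.1.3 9: not one of the previous five credentials
MAX_FAILED_LOGONS = 5       # 5.1.3 4
ROTATION_DAYS = 90          # 5.1.3 8
DISABLE_AFTER_DAYS = 90     # 5.1.1 6
PURGE_AFTER_DAYS = 180      # 5.1.1 7
SSN_RE = re.compile(r"\d{3}-?\d{2}-?\d{4}")   # assumed US SSN shape (5.1.2 1(d))
PBKDF2_ROUNDS = 100_000     # assumption; tune to the platform


def hash_credential(secret, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the 16-byte salt is stored in front of the digest."""
    salt = salt if salt is not None else os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def matches(secret, stored):
    return hmac.compare_digest(hash_credential(secret, stored[:16]), stored)


@dataclass
class User:
    user_id: str
    name: str
    birth_date: str            # "YYYY-MM-DD" (assumed format)
    phone: str
    password_set_at: datetime
    last_logon: datetime
    history: list = field(default_factory=list)   # credential hashes, newest last
    failed_logons: int = 0
    disabled: bool = False


def policy_violations(user, candidate):
    """5.1.2 item 1 and 5.1.3 item 9; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LEN_SINGLE_FACTOR:
        problems.append("shorter than %d characters" % MIN_LEN_SINGLE_FACTOR)
    if candidate.lower() in (user.user_id.lower(), user.name.lower()):
        problems.append("equals the User's name or User ID")
    if SSN_RE.fullmatch(candidate):
        problems.append("looks like a Social Security Number")
    digits = re.sub(r"\D", "", candidate)   # compare digit runs, ignoring separators
    if digits and digits in (user.birth_date.replace("-", ""), re.sub(r"\D", "", user.phone)):
        problems.append("equals date of birth or telephone number")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("must contain both letters and digits")
    if any(matches(candidate, old) for old in user.history[-HISTORY_DEPTH:]):
        problems.append("reuses one of the previous %d credentials" % HISTORY_DEPTH)
    return problems


def set_credential(user, candidate, now):
    problems = policy_violations(user, candidate)
    if problems:
        raise ValueError("; ".join(problems))
    user.history.append(hash_credential(candidate))
    user.history = user.history[-HISTORY_DEPTH:]
    user.password_set_at = now
    user.failed_logons = 0


def attempt_logon(user, user_id, password, now):
    """Returns one of: disabled, locked, failed, ok, ok_change_required.
    The caller shows the same generic message for failed and locked (5.1.3 item 1)."""
    if user.disabled or now - user.last_logon > timedelta(days=DISABLE_AFTER_DAYS):
        user.disabled = True
        return "disabled"
    if user.failed_logons >= MAX_FAILED_LOGONS:
        return "locked"
    # 5.1.3 item 3: both credentials are evaluated before any result is returned
    id_ok = hmac.compare_digest(user_id.encode(), user.user_id.encode())
    pw_ok = bool(user.history) and matches(password, user.history[-1])
    if not (id_ok and pw_ok):
        user.failed_logons += 1
        return "locked" if user.failed_logons >= MAX_FAILED_LOGONS else "failed"
    user.failed_logons = 0
    user.last_logon = now
    if now - user.password_set_at > timedelta(days=ROTATION_DAYS):
        return "ok_change_required"
    return "ok"


def due_for_purge(user, now):
    """5.1.1 item 7: purge after 180 days of logon inactivity."""
    return now - user.last_logon > timedelta(days=PURGE_AFTER_DAYS)
```

Two design points worth noting: the history check hashes the candidate against each stored entry rather than comparing plaintext, so old credentials are never stored in the clear (5.1.3 item 6), and the inactivity test runs before the credential check, so a disabled account cannot be kept alive by a correct password.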
  5.2   Separation of Duties for Security Related Functions
Objective: Ensure that no individual is allowed to accumulate, retain, or be granted information, responsibilities, oversight, knowledge, functionality, or access which would enable or allow the commission of fraudulent, criminal, or otherwise unauthorized functions by that individual acting alone.
  1.   A separation of duties must be enforced among individuals who authorize access, individuals who enable access, and individuals who certify that access.
     
  2.   A separation of duties must be enforced among:
  a.   Users who request changes,
 
  b.   project managers/application developers,
 
  c.   those that create changes,
 
  d.   User acceptance testers who test changes,
 
  e.   production processing operations managers, and
 
  f.   those who elevate changes into production.
  3.   Specifically, application developers must not have on-going update access to production environments.
  5.3   Change Promotion
Objective: Ensure all changes to production environments, including the introduction of or changes to technology infrastructure products, are controlled through a standard change promotion process.
  1.   Change control process documentation should include key deliverables, roles, responsibilities, and audit trail documentation.
 
  2.   Scheduled changes must be tested prior to production.
 
  3.   Changes should be tracked and approved prior to implementation.
 
  4.   Changes should be validated to ensure only approved changes are promoted.
 
  5.   Emergency changes should be controlled through a separate emergency change process.
  5.4   Information and Media Retention and Destruction
Objective: Ensure that OSPs return or certify the destruction of all JPMorgan Chase information when it is no longer needed to provide goods or services to the firm.
  1.   All Highly Confidential and Confidential information must be controlled and secured from the time it is created until it is destroyed, including off-site storage locations.
 
  2.   Any media that is considered “trash” that contains Highly Confidential, or Confidential, data should be placed in locked receptacles and shredded.
 
  3.   OSPs must label any JPMorgan Chase media with a generic name that does not allow a reader to infer that the media contains JPMorgan Chase information, including customer information.
  5.5   Physical and Environmental
Objective: Ensure that locations that house computer systems, servers, voice or data network facilities, workstations, or JPMorgan Chase information are physically and environmentally secure.
Objective: Prevent unauthorized access to information that is physically handled by personnel.
  1.   OSP must maintain:
  a.   Secure, physical separation between environments used to perform JPMorgan Chase processing and environments used to perform processing for other customers.
     
  b.   Appropriate physical security measures to ensure that only authorized personnel have access to the environment used to perform JPMorgan Chase processing and computer hardware or other resources that house, access, or process JPMorgan Chase information.
 
  c.   Access control devices on all entry points of an OSP’s facility, with additional levels of segregation to sensitive areas.
 
  d.   Generate, and review logs of all access control activities to the facility and to sensitive areas within the facility.
 
  e.   Use of surveillance equipment, personnel and/or monitoring devices to detect and provide the ability to investigate unauthorized or unusual access. Key areas to include for surveillance are: data centers/control centers, ingress/egress points to the data center/control center, and generator or uninterruptible power supply (UPS) storage rooms.
  2.   Visitors must be registered and sign in and out upon entry.
 
  3.   Visitors should be escorted at all times.
 
  4.   Fire controls should provide automatic alerts that go directly to the fire department and have either automatic or manual suppression equipment.
 
  5.   Water-based fire systems should protect against accidental damage and/or leakage.
 
  6.   OSP must provide power conditioning for critical processing components.
 
  7.   OSP must provide for an alternate power source for power irregularities.
 
  8.   All service contract personnel, such as cleaning services and off-site storage services, should be bonded.
 
  9.   Paper and computer media containing Highly Confidential or Confidential information must be stored in locked cabinets, rooms, and/or other forms of secured furniture or locations when not in use.
 
  10.   Policies, Standards and/or Procedures must be in place that instruct employees that Highly Confidential or Confidential data must be removed from printers and fax machines immediately.
  5.6   Malicious Code Prevention
  Objective: Ensure controls are in place to prevent malicious code.
 
  1.   OSPs must have established virus and security patch management processes that include the implementation of all industry-critical security patches within a prescribed timeframe for systems processing or storing JPMorgan Chase information.
 
  2.   Multiple products should be used to guard against malicious code such that no single vendor inherently is a single point of failure.
 
  3.   A malicious code program should be established, defining roles and responsibilities as well as events and responses to fully protect assets from damaging effects.
     
  4.   Emergency response procedures must be established and incorporated into overall Security Incident Response procedures.
  5.7   Security Event Management and Incident Response
  A.   Objective: Protect the JPMorgan Chase environment by detecting potential security incidents and events and responding in a manner that minimizes impact and, if necessary, enables remedy via legal processes.
 
  1.   Event monitoring controls should be implemented on all configurable systems and devices, including applications, databases, servers, networking gear, and security devices.
 
  2.   All network traffic should be subject to event monitoring and analysis processes.
 
  3.   Applications and databases should provide logging for security events that can only be detected within the application or database.
 
  4.   Such security events must be documented.
 
  5.   Security event log thresholds may be defined, as needed, to facilitate effective log reviewing processes.
 
  6.   The following should be included in the log:
  a.   Event Type.
 
  b.   Time Stamp
 
  c.   Address information associated with the originating device (such as terminal ID, port number, network address and/or device name).
 
  d.   System or information resource accessed in the event.
 
  e.   Result of event.
 
  f.   Reason for failure, relative to information protection requirements, as applicable to security event types resulting in failure.
 
  g.   Old and new values associated with employee or customer relationship profile information, as applicable.
  B.   Objective: Establish and maintain a response capability to react to security incidents.
 
  1.   Security incident management must:
  a.   Formally define roles and responsibilities.
 
  b.   Assure minimum exposure to legal liability by preserving evidence associated with an incident.
 
  c.   Define a communication plan to ensure full participation in incident resolution and full management awareness.
  2.   Automatic alerts should notify network managers of high-risk or otherwise security-related events.
 
  3.   The incident response policy and procedure should be documented and communicated. It should address:
  a.   Roles and Responsibilities.
 
  b.   Priority Levels.
 
  c.   Incident Containment and Recovery.
 
  d.   Communication.
 
  e.   Management Reporting.
 
  f.   Evidence Recovery and Preservation.
 
  g.   Third Party (including law enforcement) coordination and communication.
     
6.0   Email and Instant Messaging
  Objective: Ensure that all email and messaging solutions are designed so that a failure of a single element does not put the core internal email or messaging servers at risk.
 
  1.   The use of electronic mail and instant messaging must be configured to ensure accountability for any JPMorgan Chase business.
 
  2.   Emails and instant messages must be retained for three years when conducting Securities and Exchange Commission (SEC) regulated business.
7.0   Business Resumption
  Objective: Ensure recovery of JPMorgan Chase information (including JPMorgan Chase customer information) in case of disaster or business interruption.
 
  1.   OSPs must adhere to agreed upon contract requirements related to disaster recovery and business resumption plans.
 
  2.   Resiliency plans for services with a maximum allowable delay of 72 hours or less must be tested to assure business requirements can be met during an event that is disruptive to JPMorgan Chase related services.
     
COMMISSION SCHEDULE
FOR FIXED ANNUITY PRODUCTS
Effective as of                               
         
Product Name: Select 5
Internal LSA Code: 3010
Compensation Rate:
    [***]% on all purchase payments received by Company through the first Contract year for Attained Ages up to and including 80; or
    [***]% on all purchase payments received by Company through the first Contract year for Attained Ages 81 to 86;
    [***]% on all purchase payments received by Company through the first Contract year for Attained Ages 87 to 90.
    If the contract owner renews the contract to a five year term at any time after the fifth contract year*, Company will pay Agency:
    (a) [***]% of the contract value upon renewal for Attained Ages up to and including 80; or
    (b) [***]% of the contract value upon renewal for Attained Ages 81 to 86;
    (c) [***]% of the contract value upon renewal for Attained Ages 87 to 90.
*   Upon renewal, the Company will issue a new contract to the contract owner.
CHARGEBACKS:
In the event that a contract is surrendered under the “free look” provision, or otherwise rescinded, then charge backs will be made against all compensation paid with respect to such contract.
In the event of a withdrawal within twelve (12) months from a contract’s issue date, Agency will be charged back compensation paid on the amount that exceeds 10% of such contract’s policy value. In the event of a full withdrawal within twelve (12) months from a contract’s issue date, Agency will be charged back all compensation paid with respect to such contract. The chargeback will be waived if the withdrawal:
    Does not exceed the amount withdrawn under the 10%-Free Withdrawal provision of the contract;
 
    Is a non-commissionable transfer or rollover between Company products;
 
    Is made after the Owner is deceased or becomes confined in a hospital or nursing home;
 
    Is part of a series of systematic withdrawals pursuant to Internal Revenue Code Section 72(t) or 401(a)(9) for qualified plans and Section 72(q) or 72(s) for non-qualified plans;
 
    Is a payout under an annuitization option of the contract.
If the contract owner renews the contract, the chargebacks above will apply during the first twelve (12) months from the new contract’s issue date.
THIS SCHEDULE MAY BE MODIFIED OR CANCELED BY COMPANY AT ANY TIME BY PROVIDING
WRITTEN NOTICE.
 
Portions marked [***] have been omitted pursuant to a Confidential Treatment Request by Symetra Financial Corporation, this information has been filed separately with the Securities and Exchange Commission.

 


 

         
 
Electronic Data Interchange Addendum
Agent Id: 24-33-9916
SSN/Tax Id: 39-1610807
Doc Code: AAG
Name: Chase Insurance Agency Inc
# of Pages: 1/4
          This Addendum is incorporated into that certain Agency Agreement dated September 26, 2006, by and between Chase Insurance Agency Inc. (“Agency”) and Symetra Life Insurance Company (the “Company”) (the “Agreement”).
          WHEREAS, Agency and the Company have entered into the Agreement pursuant to which Agency sells certain fixed annuity contracts (“Contracts”) issued by the Company; and
          WHEREAS, Agency and the Company each desire to increase the speed and efficiency with which applications for the Contracts are submitted, and Agency generally will submit such applications electronically pursuant to the electronic interchange available through Depository Trust Clearing Corporation or its affiliates (“DTCC”).
          WHEREAS, Chase Investment Services Corporation (“Broker Dealer”) is included as a party to this Addendum solely because Broker Dealer has a contractual relationship and account with the DTCC which will allow Agency to submit said applications electronically through the DTCC. Broker Dealer will not be responsible for any provisions set forth in this Addendum.
          NOW THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:
  1.   Agency may submit application information to the Company by electronic transmission (“Electronic Transmission”) in accordance with the terms of this Addendum and any other written policies or procedures concerning electronic transmission of application data that the Company and Agency may agree upon from time to time. The parties agree that Agency will use a mutually agreed upon order entry platform and transmission protocol for the Electronic Transmission of application information. Except as otherwise specifically provided herein, this Addendum applies only to business submitted through the Electronic Transmission process.
 
  2.   Agency shall be responsible for correctly inputting the client data related to Contracts through the Electronic Transmission process, but shall in no case be responsible for the functionality of such process, unless the order entry platform being used by Agency is a proprietary system of the Agency in which case the Agency will be responsible for the functionality of such platform.
 
  3.   Because certain states may limit the ability to rely on Electronic Transmission, the Company will provide Agency with written verification of the states in which Electronic Transmission for the Contracts pursuant to this Addendum can be utilized and will notify Agency of any change in the approved states. Agency agrees that it will solicit and submit applications pursuant to this Addendum only in the approved states for which it has received such written verification. For purposes of this Addendum, “written verification” shall include information that the Company specifies in the product profiles via the template used by Agency (e.g. EZ Forms).
         
LSA-907b     1


 

  4.   Upon the completion of all good order requirements, the Company shall ensure that the Contract and any other required documentation, which may include some or all of the following, is delivered to the Contract owner: a completed but unexecuted application containing the information obtained in the Electronic Transmission; a data sheet including such information; a form of confirmation for such information.
 
  5.   To the extent information received from the Contract owner subsequent to the Electronic Transmission conflicts with the information contained in the Electronic Transmission, the information received from the Contract owner shall be considered the correct information to be used in the Contract. The Company agrees to notify Agency of any such information it receives as it relates to contract issuance.
 
  6.   Agency will forward on each business day to the Company (or deposit on the Company’s behalf) gross premium associated with applications for fixed and variable annuities received in good order and approved by Agency. The Company will send on each business day a single compensation payment to Depository Trust Clearing Corporation (DTCC) or any other mutually agreed upon method of electronic commission processing, which payment shall be net of any chargebacks owed to Company pursuant to the terms of the Agreement. The Company will provide enough descriptive information related to such compensation payments so that Agency can determine whether the appropriate compensation has been paid and which of its agents will be compensated. If DTCC will be utilized, Agency agrees that Broker Dealer has all necessary agreements in place with DTCC to allow DTCC to receive the compensation and forward such compensation to Agency. The provisions of this paragraph will apply to Electronic Transmissions and applications processed through other media.
 
  7.   Agency shall indemnify and hold harmless the Company, its subsidiaries and affiliates and their respective officers, directors and employees, against any and all losses, claims, damages, liability or expenses to which the Company may become subject that arise out of or are based on the Company’s reliance on Contract owner information transmitted to the Company through Electronic Transmission which is inconsistent with the information received by Agency from the Contract owner.
 
  8.   The Company shall indemnify and hold harmless Agency, its subsidiaries and affiliates and their respective officers, directors and employees, against any and all losses, claims, damages, liability or expenses to which Agency may become subject that arise out of or are based on the Company’s negligence in connection with the issuance and delivery of Contracts, unless the error is the result of Agency’s inputting of incorrect information.
 
  9.   The Agency will submit an annual certification by a senior manager of the Agency who (i) has responsibility, in conjunction with others, for overseeing the suitability of annuity sales, (ii) has a reasonable basis on which to make this Certification, and (iii) is authorized to provide this Certification on behalf of the Agency, certifying that the Agency has:
  1.   established and maintained a system to supervise recommendations to consumers by or through the Agency or its affiliates regarding the purchase or exchange of annuities issued by the Company, which system is reasonably designed to achieve compliance with:
         
  a.   all state insurance laws or regulations based on the NAIC Suitability in Annuity Transactions Model regulation or otherwise pertaining to annuity sales practices, if and to the extent that such laws and regulations are applicable to the Agency, and
 
  b.   all NASD Conduct Rules regarding suitability, including but not limited to Rule 2310, if and to the extent that such rules are applicable to the Agency, and
  2.   maintained written procedures and conducted periodic reviews of its records to confirm that the Agency was in compliance with applicable laws, rules and regulations referenced above. This will include compliance with:
  a.   determining if any insurance policy will be surrendered or otherwise replaced and if replacement is involved, the sales process will comply with state-specific requirements,
 
  b.   using state-specific application, disclosure notice, privacy notice, and fraud warning, as required by law, no later than the time of application,
 
  c.   providing the client with a copy of these documents no later than the time of application,
 
  d.   obtaining information necessary to determine the suitability of the product recommendation prior to the sale, and
 
  e.   maintenance of required records supporting the sale for the period of time specified by state regulation.
  i.   If the Agency is unable to maintain records according to state record retention standards, the records will be forwarded to the Company within 30 days.
  10.   Each party acknowledges and agrees that the other party may review its compliance with regard to this Addendum and will make available to the other party any documents, records, emails, or other pertinent material that may be required for audit to verify its compliance.
 
  11.   Except as otherwise set forth herein, the Agreement remains in full force and effect.
 
  12.   A party may terminate this Addendum upon thirty (30) days written notice. Such notice of termination shall apply to this Addendum without affecting any other terms of the Agreement, as amended.
 
  13.   If any provision of this Addendum, as applied to either party or to any circumstances, shall be found by a court of competent jurisdiction to be void, invalid or unenforceable, the same shall in no way affect any other provision of this Addendum, the application of any such provision in any other circumstances, or the validity or enforceability of this Addendum.
 
  14.   The effective date of this addendum is                                (“Effective Date”).
         
          IN WITNESS WHEREOF, the parties have executed this Agreement, as evidenced by the signature of a duly authorized officer capable of binding each party, effective as of the Effective Date.
         
BROKER DEALER
 
 
By:   /s/ Kevin L. Martin    
  Name:   Kevin L. Martin   
  Title:   Executive Vice President  
  Date: 5-11-07 
 
INSURANCE AGENCY
 
 
By:   /s/ Laura Pantaleo    
  Name:   Laura Pantaleo   
  Title:   President  
  Date: 5-15-07 
 
SYMETRA LIFE INSURANCE COMPANY
 
 
By:   /s/ Patrick B. McCormick    
  Name:   Patrick B. McCormick   
  Title:   SVP-Sales & Distribution  
  Date: 3/19/07 
         
ADDENDUM
This Addendum to the Agency Agreement (“Addendum”) is made and entered into by Symetra Life Insurance Company (“Company”) and Chase Insurance Agency Inc. (“Agency”), and is effective as of March 31, 2008 (“Effective Date”).
RECITALS
Company and Agency entered into an Agency Agreement, dated September 26, 2006 (“Agreement”); and
Company and Agency desire to supplement the Agreement as set forth below.
NOW, THEREFORE, in consideration of the mutual covenants and undertakings set forth herein, Company and Agency agree as follows:
1.   As of Effective Date, the attached “Exhibit A — SLA Supplement” is added to the Agreement.
 
2.   This addendum is an acknowledgement by Company of Agency’s additional service level requirements. It does not constitute an acknowledgement by Company of compliance with all aspects of such additional requirements as of the Effective Date.
 
3.   All other provisions in the Agreement will remain in effect.
IN WITNESS WHEREOF, the parties hereto have caused this instrument to be duly executed on the date indicated below.
                     
Symetra Life Insurance Company               Chase Insurance Agency Inc.
By: /s/ Pat McCormick                        By:
    Pat McCormick                            Print Name:
    Senior Vice President                    Title:
Date: March 21, 2008                         Date:
LSA-4090   1    

 


 

Exhibit A — SLA Supplement
Chase Insurance Agency / Chase Investment Services Corp
ANNUITY CARRIER Service Level Requirements
Business Model Requirements:
- Participation with the NSCC
    - Send daily COM files
    - Gross commission NSCC money settlement
    - Send daily PVF (position and value files) and FAR (financial activity report) feeds
    - Agent of Record change via ACAT/IFT
    - Agent Terminations via LNA
- Must record, store and make available BIN number as a unique contract identifier in all NSCC feeds
- Must accept agent license information from the National Producer Database in lieu of paper license copy
- Establish and maintain FTP file connectivity using Chase encryption standards.
- Establish and maintain corporate deposit account(s) for accepting premium. Multiple accounts may be required to support multiple deposit account platforms.
- Support EZ Forms sales process and release schedule
    - Provide unlocked pdf versions of all forms
    - Advanced notification of all product / form changes
    - Provide experienced testing resources to validate EZ Forms output within the timeframes provided
    - Support and maintain internal and external wholesaling demonstration efforts
- Serve as an accountable project participant in all strategic initiatives (this will include M&A activity, system conversions, automation and efficiency initiatives, etc.)
- Create and conduct training sessions in multiple locations, examples include but are not limited to the training of PRD, Operations, Product, etc.
- Report monthly performance results for defined Chase service level standards
- Adoption of compliance with any Regulation creations or changes
Chase Representative contact requirements:
- Adhere to wholesaling rules of engagement
- Do not send any communications to the Reps. via US Postal mail, email, fax, etc. (copies of statements, confirms, etc.)
- Provide customized website access (all pages must be compliance approved and reflect our current product suite). This website must adhere to Chase authentication standards.
- Refer any hold harmless letters, rate negotiations, unapproved product solicitation, or other exception case approvals to the Issue Resolution Team, do not work directly with the reps.
- Refer any producer or firm compensation questions to the Area Managers
- Do not accept new business directly
- Do not contact the Rep. to resolve any NIGO issues. Any new business NIGO issues will be reported to the Chase middle office via the NIGO spreadsheet; Chase will contact the rep for resolution.
- Accept inbound servicing calls from any active, licensed Rep. of CIA / CISC; do not limit access to service information to the Agent of Record on the account. Active status is verified by using the ActiveAgent.xls file or carrier system of record minus TermAgent.xls file. Must authenticate rep via acceptable standards.
- When responding to an inbound call from a Rep, you must be able to:
    - Articulate Chase specific product requirements
        - Owner and annuitant must be the same (except for non-natural owners)
        - Jt. Owners must be spousal
        - Fixed annuity new business and addition age maximum = 85 (Carriers can accept additions directly from the clients in accordance with the contract)
        - Variable annuity new business and addition age maximum = 80 (Carriers can accept additions directly from the clients in accordance with the prospectus)
        - Specific rider restrictions as communicated.
    - High level understanding on Chase sales process
        - Do not facilitate paper kit ordering, direct rep. to utilize EZ Forms system
        - For beneficiary changes, direct rep. to utilize EZ Forms system or assist client directly with modifying their beneficiary information. (effective 2/1/07)
         
Customer contact requirements:
- All issued contracts are delivered directly to the client and will include a copy of the prospectus (where applicable)
- Any service transaction NIGO will be resolved by contacting the client directly
- When corresponding to customers related to system or operations issue, Chase must be contacted prior to customer communication (where more than 25 clients are impacted)
- On an annual basis, communicate the current beneficiary designations (either incorporated on annual statements or an individual client communication)
Chase notification requirements:
- Product filing status
- Product modifications
- Form modifications
- Customer market timing activity (warnings and restrictions)
- Customer complaints related to sales practice / rep activity
- NASD, SEC, DOI inquiries related to sales practice / rep activity
- Proactive notification of system or operations issues prior to customer notification. The following information will be provided:
    - Scope of issue
    - List of affected clients and reps
    - Draft of outgoing client communication piece with targeted mail date
    - Root cause analysis along with corrective action plan
    - Conservation plan
    - Defined process to ensure the firm will not receive a chargeback for any cancellations that arise due to this issue
- Rate Information
    - [***]
    - Must maintain and communicate rate and renewal rate history in the Chase format for any product in the Chase block.
- Wholesaling activity reports
- Sales reports
Operations requirements:
    Accept and issue all funded and unfunded business from FTP of faxed documents. The original 1035 Exchange / Trustee Transfer form will be sent via overnight mail to supplement the FTP file for unfunded business.
    Accept retirement services and brokerage transfers as funded sales
    Do not accept or issue any new business that is not sent through the FTP feeds (directly from the rep)
    Process transaction requests within Chase service level standards
    Daily exchange and processing of the following reports:
        Outstanding Deposit Report (ODR)
        New Business NIGO
        Funding (for multiple source exchanges only on single premium contracts)
    Work with Chase to facilitate customer accommodations/exceptions that are within the boundaries of compliance and legal guidelines. Accept hold harmless letters as the letter of authorization to transact such instructions.
    Accept inbound servicing calls from and provide information on any contract in the Chase book of business to the Chase middle office Operations team (processing) and Broker Services (call center). Authenticate middle office personnel using an agreed upon password or other acceptable standard.
    Provide website access for home office employees to view the entire book of business:
        Titling information
        Account type information
        Status
        Rate and balance
        Transaction history
        1035 Exchange status
        Commission statements (secured by login for accounting resources only)
 
Portions marked [***] have been omitted pursuant to a Confidential Treatment Request by Symetra Financial Corporation, this information has been filed separately with the Securities and Exchange Commission.
         
LSA-4090   3

Operations requirements (continued):
    Accept Agent of Record changes via electronic feed. Appoint reps at the point of an agent of record change if they do not have an active appointment status.
    Accept common forms:
        Beneficiary Letter of Instruction (2007 development)
        ACORD 1035 Exchange / Transfer
        NAIC State Replacement
        Annuity Service Request (future development)
        Senior Personal Consultation
        Agent Appointment
Fixed Annuities:
    Credit interest as of the date of deposit, not the date of receipt.
    Interest rate is determined at the date of deposit
    Interest rate lock for unfunded transactions is set by the written date
Variable Annuities:
    Follow Chase requirements for money settlement, which includes the [***] letter process (allows Chase to work on getting the transaction in good order and suitability approved by Day 10 versus Day 5)
    Must deliver quarterly and annual statements on CD / DVD
    Do not allow Reps. authority to conduct financial transactions on behalf of the client
 
LSA-4090   4

COMMISSION SCHEDULE
FOR FIXED ANNUITY PRODUCTS
Effective as of April 21, 2008
             
Product Name: Select 5
Internal LSA Code: 3010
Compensation Rate:
    [***]% on all purchase payments received by Company through the first Contract year for Attained Ages up to and including 80; or
    [***]% on all purchase payments received by Company through the first Contract year for Attained Ages 81 to 86;
    [***]% on all purchase payments received by Company through the first Contract year for Attained Ages 87 to 90.
    If the contract owner renews the contract to a five year term at any time after the fifth contract year*, Company will pay Agency:
        (a) [***]% of the contract value upon renewal for Attained Ages up to and including 80; or
        (b) [***]% of the contract value upon renewal for Attained Ages 81 to 86;
        (c) [***]% of the contract value upon renewal for Attained Ages 87 to 90.
    If the contract owner renews the contract to a new three year term at any time after the fifth contract year, Company will pay Agency [***]% of the contract value upon renewal.
*   Upon renewal, the Company will issue a new contract to the contract owner.
CHARGEBACKS:
In the event that a contract is surrendered under the “free look” provision, or otherwise rescinded, then chargebacks will be made against all compensation paid with respect to such contract.
In the event of a withdrawal within twelve (12) months from a contract’s issue date, Agency will be charged back compensation paid on the amount that exceeds 10% of such contract’s policy value. In the event of a full withdrawal within twelve (12) months from a contract’s issue date, Agency will be charged back all compensation paid with respect to such contract. The chargeback will be waived if the withdrawal:
    Does not exceed the amount withdrawn under the 10%-Free Withdrawal provision of the contract;
    Is a non-commissionable transfer or rollover between Company products;
    Is made after the Owner is deceased or becomes confined in a hospital or nursing home;
    Is part of a series of systematic withdrawals pursuant to Internal Revenue Code Section 72(t) or 401(a)(9) for qualified plans and Section 72(q) or 72(s) for non-qualified plans;
    Is a payout under an annuitization option of the contract.
If the contract owner renews the contract, the chargebacks above will apply during the first twelve (12) months from the new contract’s issue date.
THIS SCHEDULE MAY BE MODIFIED OR CANCELED BY COMPANY AT ANY TIME BY PROVIDING
WRITTEN NOTICE.
 
COMMISSION SCHEDULE
FOR FIXED ANNUITY PRODUCTS
Effective as of April 17, 2008
             
Product Name: Select 3
Internal LSA Code: 2041
Compensation Rate:
    [***]% on all purchase payments received by Company through the first contract year* for Attained Ages up to and including 85.
    No immediate trail compensation will apply.
    If the contract owner renews the contract to a new three year term at any time after the third contract year, Company will pay Agency [***]% of the contract value upon renewal.
    If the contract owner does not renew the contract at the end of the fourth contract year but keeps a positive contract value, Company will pay Agency an annual trail compensation equal to [***]% of the contract value every year until the contract is surrendered or transferred. This trail compensation will be paid monthly as [***]% times the prior month end contract value.
    If the contract owner renews the contract to a five year term at any time after the third contract year*, Company will pay Agency:
        (a) [***]% of the contract value upon renewal for Attained Ages up to and including 80; or
        (b) [***]% of the contract value upon renewal for Attained Ages 81 to 86;
        (c) [***]% of the contract value upon renewal for Attained Ages 87 to 90.
*   Minimum initial purchase payment must be at least $50,000.
CHARGEBACKS:
In the event that a contract is surrendered under the “free look” provision, or otherwise rescinded, then chargebacks will be made against all compensation paid with respect to such contract.
In the event of a partial withdrawal within twelve (12) months from a contract’s issue date, Agency will be charged back compensation paid on the amount that exceeds 10% of such contract’s policy value. In the event of a full withdrawal within twelve (12) months from a contract’s issue date, Agency will be charged back all compensation paid with respect to such contract. The chargeback will be waived if the withdrawal:
    Does not exceed the amount withdrawn under the 10%-Free Withdrawal provision of the contract;
    Is a non-commissionable transfer or rollover between Company products;
    Is made after the Owner is deceased or becomes confined in a hospital or nursing home;
    Is part of a series of systematic withdrawals pursuant to Internal Revenue Code Section 72(t) or 401(a)(9) for qualified plans and Section 72(q) or 72(s) for non-qualified plans;
    Is a payout under an annuitization option of the contract.
THIS SCHEDULE MAY BE MODIFIED OR CANCELED BY COMPANY AT ANY TIME BY PROVIDING
WRITTEN NOTICE.
 
COMMISSION SCHEDULE
FOR INTERNAL TRANSFERS OF ANNUITY PRODUCTS
Payment Schedule
Subject to the applicable conditions specified below, commissions will be paid as follows on internal transfers:
From product is Advantage I, Advantage II, Advantage III, Custom, Mainsail, Preference, Preference FP, QPA I, QPA II, Resource A, Resource B, Secure, Select 3, Spinnaker Advisor, Spinnaker Choice, Spinnaker Plus, Spinnaker Q/NQ, and Group Variable Annuity:
    Product must be out of CDSC.
    To product is Symetra Custom Fixed Annuity, Symetra Secure Fixed Annuity, Select 3, Symetra Fixed Indexed Annuity, Symetra Flex Premium Plus, or Preference FP:
        Trail commission will be paid monthly, at an annual rate of [***] basis points beginning immediately if the “from” product is less than 10 years old.
        Trail commission will be paid monthly, at an annual rate of [***] basis points beginning immediately if the “from” product is more than 10 years old.
        New product will start a new CDSC schedule. No like for like product transfers are allowed.
From product is American States Annuities, ERA, PAR, Preference EIA, QPA III, QPA III Plus, QPA IV, QPA V, QPA V Plus, QPA VI, Safekey EIA, Safekey I, Safekey II, Safekey III, and TAP:
    Product must be out of CDSC.
    To product is Symetra Custom Fixed Annuity, Symetra Secure Fixed Annuity, Symetra Select 3 Fixed Annuity, Symetra Fixed Indexed Annuity, Symetra Flex Premium Plus, or Preference FP:
        Full compensation will be paid according to the terms and conditions of your current base annuity schedule for that product.
        New product will start a new CDSC schedule. No like for like product transfers are allowed.
THIS SCHEDULE MAY BE MODIFIED OR CANCELED BY COMPANY AT ANY TIME BY
PROVIDING WRITTEN NOTICE. THIS SCHEDULE SUPERSEDES ANY PREVIOUS INTERNAL
TRANSFER SCHEDULE OR PROVISIONS.
 
LSA 2050_11/2007