How banks can mitigate regulatory risk post-acquisition

Dickie Heathcott, Partner, Crowe Horwath LLP

For banks involved in acquisitions, a changing regulatory landscape poses some potential pitfalls. The Dodd-Frank Wall Street Reform and Consumer Protection Act, enacted in the wake of the recent economic downturn, stepped up regulatory oversight of banks and created a new federal regulator, the Consumer Financial Protection Bureau (CFPB), to protect consumers from financial fraud.
Together, the CFPB and other federal regulators are actively enforcing a wide range of safety and soundness rules, anti-money laundering regulations and consumer rules at financial institutions.
“As consolidation continues, more banks are struggling to combine regulatory risk methodologies,” says Dickie Heathcott, partner with Crowe Horwath LLP.
“When banks combine through a merger, acquisition, or joint venture, the target bank is incorporated into a larger organization, which then assumes the combined regulatory risks, both known and unknown,” he says. The process is further complicated by the task of bringing together two separate cultures, governance structures, risk environments and control environments. In addition, the regulatory risk of the acquiring bank increases along with the range of products, services, customers and locations.
“Acquiring a customer base that is more cash intensive, conducts more international activity or that is geographically dispersed can increase the newly combined entity’s risk related to money laundering,” Heathcott says.
Smart Business spoke with Heathcott about how banks can meet the challenges of assessing regulatory risk in a combined entity by merging methodologies and establishing a foundation for regulatory risk assessments.
What processes should be combined in order to increase regulatory risk assessment efficiency?
Compliance executives need to establish a shared language by explicitly defining risk and risk tolerance levels. Doing so will establish a definition of terms such as ‘moderate risk’ so they are better understood by process owners in individual business units. Consistency should be established for categorizing or rating risk so the combined organization uses a single rating system to indicate its severity.
As part of restructuring the newly combined company, people and financial resources should be aligned with governance and oversight to synchronize responsibility and reporting for regulatory compliance requirements.
How can a newly merged entity keep abreast of its post-acquisition risk?
A comprehensive regulatory risk assessment conducted immediately following the combination establishes an institutional baseline for identifying and measuring regulatory risk consistently in the future. This helps the acquiring bank better understand the nature of the risks it has taken on and establishes a framework for an ongoing regulatory compliance program. A post-acquisition risk assessment should define the scope of risk. Each new customer type, territory, product and service gained through the acquisition represents new risk that must be recognized and managed. Identifying the spectrum of actual and potential exposure is necessary in order to ramp up compliance in new areas of business.
In fair lending, regulators look at data that spans counties and ZIP codes to make sure institutions are investing credit dollars appropriately and are not engaging in predatory lending or redlining. If the acquired organization has been operating in underserved areas, the combined entity might have to build additional branches or expand community outreach initiatives in order to meet the requirements of the Community Reinvestment Act.
Also, the acquiring bank can create a comprehensive regulatory risk inventory that documents the defensible universe of risk that the organization faces. Banks can define and prioritize the subsets of risk in the inventory document that apply to the combined organization and that may need to be assessed, managed and monitored. Once an inventory is compiled, the controls that are in place to mitigate exposures can be assessed and scored for effectiveness using the common language of the combined entity.
Furthermore, regulatory risk assessments should be documented and shared across the organization to make enterprisewide risk transparent. The results can be distributed widely, including to the highest levels, to support strategic decisions. They can also be distributed to the business-unit owners and areas, such as the risk, compliance or legal function, that can best manage the risk.
What are the critical areas for which action plans need to be developed?
Now that the newly combined organization has isolated its residual risk — the exposure that exists after establishing mitigating controls — by conducting a regulatory risk assessment, plans can be developed to close control gaps and strengthen regulatory compliance focus and clarity on the highest risk priorities.
The regulatory risk of a lending product, for example, offered by an acquired bank in a limited geographic area, should be assessed for Community Reinvestment Act compliance by quantifying the number of loans affected and the total dollar value of the loans to determine the residual risk of the loan product. If this assessment determines that 400 customers representing $14 million in assets of an acquired money services operation present too high a residual risk, the newly combined financial institution could divest those customer relationships. Conversely, if the relative risk of maintaining those customers is low, the financial institution might consider a plan for extending those relationships.
In developing a process for assessing regulatory risk, an acquiring financial institution builds the foundation for a sustainable and transparent regulatory risk management program that is able to overcome the differences between entities and straddle the complexities of combining them. Once in place, the risk assessment methodology can be used repeatedly and consistently to assess enterprisewide regulatory risk in a way that is useful to process owners and defensible to regulators and the board of directors.
Dickie Heathcott is a partner with Crowe Horwath LLP in the Dallas office. Reach him at [email protected] or (214) 574-1000.
Insights Accounting is brought to you by Crowe Horwath LLP