The billion-dollar question: How banks can stay compliant when assets hit ten digits
Many bankers know the significance of crossing the $1 billion asset threshold, whether through organic growth or merger/acquisition. It means a host of new opportunities—but also introduces another issue. That is: meeting the requirements of Section 36 of the Federal Deposit Insurance Corporation Improvement Act (FDICIA).
Though increasingly relevant in today’s market, FDICIA rules are hardly new; the act passed in 1991 to stabilize the industry after the savings and loan crisis. Among other things, it improved supervision and regulation of FDIC-insured financial institutions.
The number of banks with more than $1 billion in assets is growing, not just from M&As but also with purchases of failing institutions during the Great Recession. From 2006 to 2016, the number of FDIC-insured banks decreased by more than 30 percent and more than 280 M&As occurred in 2016 alone.
Remaining compliant during the $1 billion transition requires a more sophisticated risk management structure—bolstered with appropriate personnel as well as accurate, effective processes and procedures. Without this, FDICIA compliance is tough to achieve. Unfortunately, many bankers find themselves hitting the asset threshold only to discover they are woefully unprepared.
Prep prevents poor performance
Lack of adequate preparation for FDICIA compliance often results from a bank’s limited understanding of the process. But it must be on their radar well before $1 billion. Once banks reach that mark, FDICIA rules go into effect on Jan. 1 of the following year.
FDICIA readiness should begin with noting the key internal financial reporting controls in place and analyzing them against the key financial reporting controls typical for a bank of similar size and complexity. Banks should also:
- identify documented policies and procedures–and their sufficiency
- coordinate with the external auditor and know what they expect, and
- determine their preparedness either to manage the process internally or to consult a third party.
Many banks will have processes and procedures in place. But FDICIA compliance is more concerned with internal controls—and whether they reflect proper design and effective operation. Smaller community banks with rapid growth tend to maintain the same operational mindset and often fail to consider or clearly understand what this requires. A $1 billion tally typically means 80 to 100 key controls that impact financial reporting. Even if a bank has controls in place, it might lack a paper trail to test their effectiveness. Having a point person or team in place to survey the bank’s controls is critical.
FDICIA intricacies: Too many cooks spoil the bank
Following the economic downturn, bankers have pushed to reduce efficiency ratios. Going back to the importance of a survey, some financial reporting controls also typically show up within internal audit test scripts. By integrating FDICIA compliance with its internal audit function, a bank eliminates inefficiencies and cuts costs. Smaller banks with fewer in-house resources commonly outsource the internal audit and FDICIA compliance; larger banks commonly make co-sourced arrangements. These team in-house audit departments with outsourced third parties to tackle full-scope FDICIA implementation and specific internal audit procedures, such as those for IT.
Regardless of size, banks must understand the intricacies connected to FDICIA compliance. For example, investment securities can comprise 25-30 percent of assets on a bank’s balance sheet—but which internal controls ensure their safeguarding? Payroll—typically the most significant non-interest expense component on income statements—raises other questions: Who processes it and which key controls apply to those who make changes in those systems? Consider spreadsheet applications; banks use hundreds of spreadsheets to compile reports used to prepare financial statements and footnote disclosures. Which controls govern those spreadsheets to keep unauthorized persons from accessing and altering them?
Many community banks lack internally developed systems, so they rely on key vendors for many applications, including those that impact financial reporting. Among other processes, IT auditors scrutinize system access and change management to guarantee that data used for compiling financial statements is reliable from a systems standpoint. Those searching for third parties to strengthen FDICIA readiness might find it helpful to identify a party with financial reporting control testing experience and strong IT skill sets. This will improve project efficiency and avoid “too many cooks in the kitchen.”
Support your report
In general, the FDIC requires every bank with more than $500 million in assets to provide audited, comparative annual financial statements; an independent public accountant’s report on the statements; and a comprehensive management report that includes:
- management’s responsibilities in preparing annual financial statements
- an adequate internal control structure for financial reporting
- compliance with laws and regulations relating to safety and soundness as designated by the FDIC and federal banking agencies; and
- an assessment of the institution’s compliance during that fiscal year.
The management report for banks with assets passing $1 billion must also furnish:
- an assessment of the internal control structure that governs the bank’s financial reporting
- a statement that identifies the internal framework used to assess the control structure’s effectiveness
- confirmation that the assessment included controls over the preparation of regulatory financial reports in accordance with relevant regulatory guidelines, and
- the independent public accountant’s report on the effectiveness of internal control structures.
Putting it all together: From complex to success
If all this sounds thorny, take heart: FDICIA reporting is complex and frankly impossible to summarize in a 1000-word article. Yet SEC-registered banks that prepare financial reporting under Section 404 of the Sarbanes-Oxley Act (SOX 404) by and large already comply with the FDICIA internal controls requirement. The transition is much different for privately-held financial institutions; reporting becomes more complex and a litany of new steps must be taken. Management assessment processes on the front end streamline reporting on the back end.
The past few years have seen a decrease in financial institutions with less than $1 billion—while those with more than $1 billion have significantly increased. For this reason, banks need a plan that gives management teams a collective understanding of FDICIA and helps them work cohesively toward a common goal.
Thus banks at the $1 billion threshold have two distinct choices: an awkward position in the face of complicated compliance … or the ideal position for ten-digit success.
Sonny MacArthur is Risk Advisory Partner of Porter Keadle Moore (PKM), an Atlanta-based accounting and advisory firm serving public and private organizations in the financial services, insurance and technology industries, as well as entrepreneurial small business clients.