January/February 2008
Focus: Compliance
Top 10 Compliance Fitness Steps for De Novo Banks
By Len Filppu and Kevin K. Watson
De novo banks, like all banks, are under increasing scrutiny to comply with complex and shifting regulatory expectations regarding a variety of compliance and operational risks. Applying ice to the latest hot topic flare-up or ignoring the pain of developing long-term solutions is not an effective strategy for maintaining ongoing compliance fitness. De novo banks need a sensible, cost-effective routine to follow to get into compliance shape.
Here are 10 steps de novo banks can take to increase compliance fitness, avoid potential compliance pain, utilize valuable resources and earn good marks at regulatory examination time.
10. Hire veterans of de novo banks, and make sure finance and accounting management are experienced with financial reporting.
It’s worth remembering that the unique problems facing de novo banks are best solved by those with prior de novo bank experience. And because the crush of financial reporting can sometimes overwhelm even banks with established systems in place, make sure the finance and accounting team has financial reporting expertise.
9. Formalize and document internal controls in written procedures, including approval and exception guidelines.
This documentation helps ensure employees are working in lockstep with management and the board. It reinforces accountability by providing a benchmark against which actions and performance can be judged, and it can serve as training material for the many new employees hired during the start-up process.
8. Assign one person to be the internal audit and examination liaison.
A single point of contact with a wide overview helps ensure the successful meeting of critical deadlines, and can prevent small examination bumps and bruises from becoming chronic, crippling injuries. When examiners or auditors have questions, they’ll know who to contact.
7. Prepare an enterprise-wide risk assessment and related audit plan during the first six months.
Regulators like to see this. It’s the basis for the internal audit strategy and calendar, and is the best way to ensure that appropriate risk management and audit resources are directed toward high-risk areas.
6. Implement an audit/exam tracking system with realistic due dates for Board review.
The key here is to be realistic. If you give too tight a deadline, the regulators may ding you if it’s not accomplished on time. On the other hand, too lax and you can get dinged. Most important is to set up a system to avoid the deadly “repeat finding.”
5. Implement an Information Security Program (Gramm-Leach-Bliley Act) and Business Continuity Plan (BCP).
Information technology supports every bank department. With increasing online and website transactions, ever-evolving hacker ingenuity, and the bank’s reputation at risk, data must be secure and systems reliable. The Information Security Program and BCP are similar in that both require a risk assessment, ongoing training and education, and a status report to the board. The Information Security Program requires testing of key controls through annual audits and network penetration tests. The BCP requires testing of disaster recovery plans for critical bank-wide functions.
4. Pay attention to compliance, especially lobby posters, flood insurance, Bank Secrecy Act (BSA), Regulation O and consumer products.
These are areas that continue to draw regulatory attention. It’s fairly easy to comply with lobby poster and flood insurance requirements. Regulation Z disclosures for consumer loans require extra attention even if you will be originating only one owner-occupied residential loan. Undergoing an independent BSA audit prior to your first examination will ensure you don’t have major problems in that area. Finally, be sure to obtain independent board approval prior to making any insider transactions. Inappropriate insider transaction procedures can quickly sour a regulatory relationship.
3. Ensure that the pre-opening pipeline of loans and core deposits is substantial.
Regulators will focus keenly on your march to profitability, and of course, the number one issue for a new institution is growth. The pre-opening pipeline of loans and core deposits should be enough to at least reach the break-even point of asset growth. While projected financial statements typically do indicate adequate growth, you are wise to document realistic plans and lists of new business prior to opening your doors.
2. Ensure that the pre-opening pipeline of loans and core deposits is substantial. (This is not a typo. This point is so important, we’ve listed it twice. See above.)
1. Be prudent with credit underwriting.
Resist the urge to loosen underwriting standards for the sake of growth. As we pointed out in #3 and #2 above, growth is critical for a de novo institution. However, bad loans can wipe away hard-earned profits overnight.
Len Filppu is executive vice president/director of operations for AuditOne LLC, a San Jose, California-based independent internal audit firm specializing in banks and their service providers. He can be reached at 408-980-8099 or www.audit-one.com.
Kevin K. Watson is executive vice president/director of audit services for AuditOne LLC. He can be reached at 562-802-3581 or
Unauthorized reproduction of all or part of this material without the express written consent of the author is strictly prohibited. All rights reserved.

