Menu

New Coordinates Articles Details

M&A Compliance: Beating the Clock and Passing Go - Tina M. Shaver


Tina M. Shaver
New Coordinates
Summer 2018

Time is of the essence in banking mergers and acquisitions (M&A). And often, the compliance clock ticks loudest, as buyers race through due diligence and integration hurdles to complete deals.



Consumer compliance issues can make, delay, or even break a planned acquisition. It is a fact of doing business, learned the hard way by banks whose M&A transactions have gotten snagged in compliance reviews.

Financial regulators, whether the Federal Reserve (Fed), Office of the Comptroller of the Currency (OCC), or Federal Deposit Insurance Corporation (FDIC), intensely scrutinize bank deals before giving approval. State regulators and consumer advocacy groups are also keenly interested in M&A transactions. All of this scrutiny can lead to months-long rounds of requests for information from buyers and sellers about compliance with the Community Reinvestment Act (CRA), Home Mortgage Disclosure Act (HMDA), and other regulations.

As time marches on, the uncertainty surrounding any deal can begin to drive away key bank employees and even customers. Company morale may take a hit—and so may operational efficiency and profitability. Deal completion may even be threatened if the bank begins to lose staff—whether in the Compliance Department or in front-line business and operational areas.

It is far better to have solid procedures ready well in advance of an acquisition. Buyers should keep a due diligence plan on the shelf, to ensure the compliance of any targeted bank—or at least to factor the costs of any regulatory issues into the price of the deal. At the same time, buyers should keep their own compliance programs watertight, because they will be equally scrutinized by regulators amid planning to integrate buyer and seller.

Solid compliance planning can save not only time but millions of dollars in any banking M&A. Consumer compliance steps described below must also be repeated in other critical areas, such as financial crimes compliance and data privacy and security.

Due Diligence Plan
Banks conducting due diligence must act fast before announcing planned acquisitions, due to business considerations. The window may be as short as a few weeks. A lot of ground must be covered in that time, including the target bank’s compliance program and performance as well as all the other strategic, financial, and operational matters.

Even though the process of due diligence may go fast, the regulatory approvals process that then kicks in can take up to several months or longer. Many banks find themselves unprepared for the scrutiny.

Protests by community groups and others are practically a fixture of the banking M&A market. Once a planned merger is announced, objections are often registered at the Fed, employing data that is publicly available under the CRA and HMDA. For example, a group might complain that community needs have gone unmet by the target bank—or by the buyer, so that the new market it is entering might not be adequately served. The Fed must investigate the complaints to its satisfaction. To keep the approvals processes as short as possible, it’s essential to know both your own compliance program and the program of the bank you are buying.

Keep in mind, as well, that any pending or outstanding consent order, fair lending issue, or litigation at a target bank could carry millions of dollars in costs. At the very least, these costs should be factored into the value of the deal.

Ideally, banks would have due diligence plans prepared in advance for any opportunity that may arise, though many do not. The following consumer compliance items should be incorporated for review in a ready-to-go due diligence plan:

  • Compliance management system policy and program
  • Compliance structure
  • Compliance risk assessments
  • Compliance testing program including testing schedule and testing results
  • Internal audit or third-party compliance testing results
  • CRA/HMDA data integrity reviews
  • Pending/recent compliance litigation
  • Corporate compliance committee packets
  • Compliance reports to the board of directors
  • Fair lending policy and program
  • Policy and program for Unfair, Deceptive, or Abusive Acts or Practices (UDAAP)
  • Complaint policy and program as well as complaint data of the target bank
  • Conduct risk policy
  • Sales practices policy
  • Compliance training program
  • Third-party compliance oversight program
  • Line-of-defense program
At a minimum, these are the items that should be requested of any acquisition target. Extensive web searches of publicly available data should also be conducted. The information is then shared and discussed—whether on site at the bank, at a law firm, or over an online portal—among the few key executives who are privy to the confidential due diligence negotiations.

Integration Plan
Think about the abundance of consumer compliance requirements in the banking industry by the many agencies that enforce them: the Consumer Financial Protection Bureau (now known as the Bureau of Consumer Financial Protection), state regulators, the Fed, OCC, and FDIC. All these compliance requirements must be completely covered by in-place policies, plans, and procedures for compliance by the buyer as well as the seller, because any aspect could be singled out for review or questioning during the M&A integration.

An integration plan also needs to take into account the fact that the day you close the deal, you become responsible for the target bank—even if it continues operating under its current systems, processes, and staff. The to-do list here is equally long and arguably more arduous than the plan for due diligence, with steps that need to be divided into buckets of time. For instance, evaluating products and services for compliance might need to be done as soon as the deal closes—and perhaps even before. Then one or more additional sets of steps are needed, such as compliance training, procedural changes, and disclosure review.

However you organize the job ahead, you need to deliver a solid plan to regulators—overlooking nothing. For example, flood insurance is one of those areas that can cause regulatory hitches. Agencies also focus on systems integration, to make sure that coding issues do not damage any regulatory or customer data. Staffing is always a risk, while merging two banks with two systems.

The following steps to ensure consumer compliance should be part of any banking M&A integration plan:

  • Staffing evaluation and plan
  • Organizational tasks
  • Regulatory training
  • Review of bank products/disclosures
  • Testing of acquired bank processes
  • FDIC insurance considerations
  • Loans covered by flood insurance
  • Loans protected by the Servicemembers Civil Relief Act (SCRA)
  • Change-in-terms notices
Each one of these steps could be the subject of its own article. Yet another article could be devoted to establishing an integrated culture of compliance. Suffice it to say here, again, that all of the areas above must work effectively to adequately manage compliance risk.

The Takeaway
Acquiring a bank means acquiring its compliance program and culture and integrating it into your own. From regulators’ perspective, to put a new twist on an old saying: “You bought it, you broke it.” Any problems must be identified during due diligence and addressed in the integration plan for the combined companies. Regulatory agencies will intensely scrutinize how well this is done. Speed-to-approval is of the utmost importance to keep both banks’ businesses on track, even as the merger is underway. Advance planning is the key.

View as PDF

Treliant, LLC, Compliance, Risk Management, and Strategic Advisors to the Financial Services Industry and Consumer-Oriented Businesses, brings to you New Coordinates, a quarterly newsletter offering insights and information regarding pertinent issues affecting the financial services industry. This article appeared in its entirety in the Spring 2018 issue. To subscribe to our quarterly newsletter, please Contact Us.