This article continues the dialog begun during the M&A compliance session at July’s ABA Risk and Compliance Virtual Conference, expanding on critical information the authors shared about the current environment for financial services mergers and acquisitions.
The full effect of the COVID-19 economy on banks is still unknown—including its impact on branch locations, their footprint, and loan losses. However, the fixed costs of regulatory compliance, risk management, and process automation continue to grow as a proportion of a bank’s total costs, increasing the need for scale.
Even though 2020 is not the year we expected, the trends of the last few years continue to drive bank mergers and acquisitions, namely, the adoption and reliance on digital technologies. Banks who apply digital technologies to their own processes are able to support growth, giving them a competitive edge. In essence, digital technology has had an outsized effect on the business of banking.
Artificial intelligence and machine learning technologies help banks automate historically slow and tedious processes, such as underwriting. And, digital technologies provide customers with services they have come to expect, such as those which recommend products, enable conditional approvals, increase transparency and simplify and streamline the loan application process.
Larger banks have more resources to fund acquisitions of, and innovation in, these technologies. Gaining a technological advantage enhances their ability to attract customers and increases their efficiency and effectiveness. It seems digital technology has a multiplier effect on bank M&A; not only are banks acquiring technology companies, the advantages they gain from those acquisitions are pushing banks without digital capabilities to merge to survive.
Community banks may not be in the position to take full advantage of the purchasing power of this growing evolution yet, but more opportunities are being made available to do so. And with the simple fact that the banking world is evolving right along with the rest of the world in the development of technology, this will just be the norm in the future since so much is tech based for banks, no matter what the asset size. We often see smaller tech companies partner with community banks as a starting point while developing a customer base for their services and the bank realizes that the product offered is good enough to invest in directly, creating more efficiency and effectiveness and of course a better ROI for all stakeholders.
While there have been some delays as a result of the pandemic, the conditions are ripe for M&A. And with a number of acquisitions already announced this year, banks would be wise to dust off their compliance procedures before catching deal fever. Issues of consumer compliance can make, delay, or even break a planned acquisition. In particular, acquisitions of FinTechs will require careful consideration. Sound planning will save time and preserve value.
Conducting Due Diligence on Bank Deals
Bank deals are intensely scrutinized by federal financial regulators and, in some cases, by state regulators as well. During the approvals process, the Federal Reserve Board, Office of the Comptroller of the Currency (OCC), and Federal Deposit Insurance Corporation (FDIC) may all place multiple requests for information about the compliance practices of both buyer and seller. Securing the necessary approvals may take months. In addition, federal regulators typically begin to receive objections from community groups as soon as a planned deal is announced. Most objections center on concerns that there could be disproportionate negative effects on underserved and rural areas.
To make the regulatory approvals process as seamless as possible, acquirers need to be thorough during due diligence. Ensuring the soundness of a target’s compliance practices and financial health is essential—any pending consent order, fair lending issue, or litigation could cost the acquirer both time and money. At the very least, any potential costs should be factored into the deal price. Banks should also be mindful that any products or services they develop as a result of the acquisition, would be subject to regulatory oversight.
There is a lot at stake, because the longer due diligence takes, the less valuable the opportunity may become. Uncertainty surrounding delays can drive away customers and key employees. Company morale may take a hit, as well as operational efficiency and profitability. Time is of the essence—the moment a deal is contemplated, the compliance clock should begin ticking. That’s because banks may only have a small window of time to review the compliance program and performance of a target bank, in addition to other strategic, financial, and operational matters.
Prior to considering an acquisition, banks should review their own compliance practices to make sure they are up to standard. During due diligence, the keys to achieving the (often contrary) goals of speed and precision are robust, off-the-shelf plans. At a minimum, due diligence plans should include the following consumer compliance items (backed up by thorough web searches of publicly available data):
- Compliance risk assessment
- Compliance testing results
- Compliance audit results
- Outstanding compliance matters from exams, audits, or tests
- Integrity of data required by the Community Reinvestment Act (CRA) and Home Mortgage Disclosure Act (HMDA)
- Program for Anti-Money Laundering and Bank Secrecy Act (AML/BSA/OFAC) compliance
- Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs) filed along with a high-risk customer list
- Pending/recent compliance litigation
- Packets for corporate compliance committees
- Compliance materials reported to the board of directors
- Compliance organizational chart and staff resumes
- A policy and program for compliance management systems
- Fair lending policy and program
- Policy and program for Unfair, Deceptive, or Abusive Acts or Practices (UDAAP)
- Complaint policy and program
- Compliance training program
The FinTech Difference
Acquisitions of FinTech companies demand unique considerations. Because FinTechs’ business models are very different from those of banks, they require more thoughtful and extensive due diligence. Acquirers should take special care to ensure FinTechs can adhere to the same standards and regulations. Getting due diligence wrong not only carries the risks of regulatory noncompliance, but also the potential for security breaches, criminal activity, reputational threats, and steep fines and penalties. In particular, acquirers should focus on:
- Consumer protection. Banks should have sound processes and procedures to evaluate a target’s level of compliance with a range of consumer protection regulations, from UDAAP to fair lending rules. Thorough due diligence in the area of consumer compliance will not only help banks uncover regulatory issues and mitigate risks, it will help them value targets more accurately.
- AML compliance. Banks should review the controls a target has in place to prevent money laundering and other financial crimes. Specifically, they should focus on detecting potential problem areas or blind spots. They need to identify all of the FinTech’s owners and affiliations, whether the FinTech operates overseas, and to what extent it does. Further, the due diligence process presents an opportunity for acquirers to outline to the target any AML requirements and obligations the target will need to observe.
- Cybersecurity and privacy. Consumer data is an increasingly valuable asset for both banks and FinTechs. Noncompliance with regulations that aim to protect that data can be costly. Banks should thoroughly evaluate a target’s cybersecurity and privacy vulnerabilities, vendor management systems, and internal policies. They should focus on targets’ monitoring and testing procedures, incident response plans, document destruction policies, reporting processes, and encryption. They should also be taking reasonable steps to comply with the requirements of the California Consumer Privacy Act and Gramm-Leach-Bliley Act.
- Culture. Cultural fit is key to the success of any acquisition. Between banks and FinTechs, the potential for cultural differences is vast—much more so than the potential for differences between two merging banks. Differences do not necessarily mean that a target is a bad fit; sometimes, contrasting cultures can reinforce and complement each other’s strengths. The key for banks is to look for targets that share common values and belief systems.
In addition, to prepare for scrutiny during the regulatory approval process, banks would do well to keep in mind the OCC’s view of “responsible innovation,” which it defined in 2016 as “the use of new or improved financial products, services, and processes to meet the evolving needs of consumers, businesses, and communities in a manner that is consistent with sound risk management and aligned with the bank’s overall business strategy.”[i]
The OCC uses eight principles to guide its approach to evaluating innovative financial products and services. Because banks acquire FinTechs mainly for their innovative technologies and potential to innovate further, they should consider reviewing the OCC’s principles before contemplating a FinTech acquisition and keep them in mind during the deal process. Three of the principles mention outreach to regulators, so banks should also consider being as transparent and collaborative with agencies as possible to improve their chances of having a fintech acquisition approved—and to hasten the approval process.
Clearing the Next Hurdle: Integration
Once the papers are signed and the deal receives all the necessary regulatory approvals, integration begins. Banks need to consider the abundance of consumer compliance requirements in the industry and the agencies that enforce them: all the Consumer Financial Protection Bureau’s consumer protection and fair lending requirements, as well as the oversight of the Federal Reserve, OCC, and FDIC. Because regulators could revisit the compliance policies, plans, and procedures of the acquirer or the acquired at any time during integration, acquiring banks should ensure that both companies can comply with all requirements.
The integration plan is a separate document that considers the fact that the day a bank closes a deal it becomes responsible for the bank it acquired, even if that bank continues to operate independently. The to-do list of steps for integration is equally long but even more arduous than the list for due diligence, with steps that need to be divided into buckets of time. To give an example, buyers should be evaluating products and services for compliance even before the deal closes. The project plan should have specific steps, with milestones including the deal (announcement) date, legal closing date/acquisition date, and system conversion date.
However a bank organizes its integration process, it needs to deliver a solid plan to regulators. Its plans should focus on the areas that frequently cause regulatory hitches. Flood insurance, CRA/fair lending, Servicemembers Civil Relief Act (SCRA), and AML are good examples. Regulators also focus heavily on systems integration to make sure coding issues do not lead to losses or inaccuracies of regulatory data. In addition, staffing is always considered as presenting risk.
This integration process has become more difficult due to COVID, as virtual meetings have replaced face-to-face conversations with management and staff to discover differences in operational and compliance processes. What’s more, written documentation including questionnaires often substitute for discussions and on-site visits.
To ensure consumer compliance, banks should make the following areas part of any M&A integration plan:
- Organizational tasks such as staffing evaluations and plans
- Regulatory training
- Review of bank products/disclosures
- Testing of the processes of the acquired bank
- FDIC insurance considerations
- Loans covered by flood insurance
- Loans protected by the SCRA
- Customer communication including change-in-terms notices
- CRA assessment areas
Obviously for non-FinTech acquisitions, the data management, security and technology related issues will be important but not “top of the list,” however, organization culture and talent retention aspects of any merger/acquisition are key considerations to be evaluated. Each organization has a distinct flavor and often a transition seems easier than it ends up, so being able to communicate and translate culture is a desirable and important part of the transition. Additionally, clear communication on expectations is key to obtaining buy-in from incoming stakeholders.
Talent retention is also key. There may be a situation in which an organization needs a fresh start and the new ownership team provides that opportunity, this may re-energize valuable stars in the acquired organization. These stars are not just knowledgeable in the organization’s systems, technology and programs, but also of the customer base, the bank’s community involvement, and other areas that can be helpful with preserving the reputation of the bank in the community. Therefore, those folks need to be identified quickly as they are key resources for the forward movement of the new organization.
Banks should include organizational tasks, regulatory training, reviews of products and disclosures, and process testing in their integration plans for FinTechs as well. Ultimately, the high-level goal of any FinTech acquisition should be to preserve the company’s capabilities for innovation while aligning them to the bank’s controls. However, because of the dramatically different business models of FinTechs and banks, success can be elusive.
When developing integration plans for FinTechs, banks should focus specifically on:
- Integrating the agile, risk-taking culture of a FinTech company with the process-oriented, risk-averse culture of a bank is no easy task. This is why many FinTech companies are allowed to operate independently while leveraging the scale, scope, and resources of the parent. However, if a bank is acquiring a FinTech with the intent of integrating its products and services directly into its business lines, cultural integration will be key. For such acquisitions, acquiring banks should consider identifying the elements of both cultures that are different and the same—then defining the desired culture of the combined company. They should articulate the mindsets, behaviors, and values, they want employees of the combined company to embrace, and incorporate them into a culture change plan that will be measured, refined, and reevaluated over time.
- The information technology department plays an essential role in drafting the integration plan for a FinTech. In the plan, IT should address the current technological state of the acquirer and target, the desired future technological state of the combined company, and a strategy to get from the current state to the end state. It should also address any operational issues and need for new policies. With FinTech acquisitions, IT issues and cultural issues are often one and the same. For instance, while banks tend to have stringent IT security policies, FinTechs may allow their employees to store documents and data in the public cloud, work remotely, and use personal devices for work purposes. Suddenly switching from this more free-wheeling environment to a highly controlled one can leave employees disgruntled and can affect productivity. Such issues should be covered in the culture change plan mentioned above, and allow some flexibility while helping employees adhere to regulatory requirements through education and other means.
- Talent Retention. One of the primary reasons banks target FinTechs is for the technological skills and expertise of their employees. However, retaining acquired FinTech employees can be difficult, considering that people who thrive in an entrepreneurial culture or have notions of changing the world may be less enthusiastic about the prospect of working at a large bank. Moreover, their attitudes toward regulatory compliance, risk management, compensation, rules, and the working environment are likely to differ from those of bank employees. However, for such individuals, banks have much to offer. The pace of technological change is such that, in the future, banks will require people with unique technological skills and capabilities that do not exist today. Given the resources and training budgets of large banks, not to mention banks’ growing appetite for innovation, newly acquired fintech employees should have ample opportunity to develop their skillsets.
- Data management and security. The bank’s IT department will need a plan to integrate FinTech data with bank data so the joint company has an integrated view of the combined entities’ customers. Security will be critical, so acquirers should conduct a thorough security audit during due diligence. Ultimately, the FinTech’s networks, systems, data centers, application architectures, and protocols should be integrated in a manner that is compliant with relevant regulatory requirements.
Acquiring a banking operation or a FinTech means acquiring its compliance program and culture and determining how to integrate them into your own. FinTechs in particular pose unique challenges for which a bank may not be prepared. However, a twist to the familiar adage is the regulator’s perspective, “You bought it, you broke it.” Any problems should be identified during due diligence and addressed in the integration plan for the newly combined company. Regulatory agencies will intensely scrutinize how this is done. Meanwhile, the speed of approval is of the utmost importance to keep both banks’ businesses on track, even as the merger is underway. Advance planning is the key.
(As seen in ABA Bank Compliance Magazine September / October 2020 issue)
Additional Authors Include:
Christopher T. Spellman, CRCM, serves as Senior Vice President and Corporate Compliance Director for Heartland Financial, USA Inc, a diversified financial services company (htlf.com). Chris has been in bank compliance since 1985 and has worked for both small and regional community banks. He is an active participant with the American Bankers Association and currently serves on the boards of the ABA’s Regulatory Compliance Conference (RCC) and Open Compliance Committee. Chris has served as Chairman of ABA’s Compliance Executive Committee, and as a member of the boards of the ABA/ABA Anti-Money Laundering Conference Planning Committee and the Institute of Certified Bankers’ Certified Regulatory Compliance Manager Program. He is a frequent speaker on risk and compliance management and AML programs for the ABA at ABA’s RCC and the ABA Risk Management Conferences, as well as telephone briefings. Chris is the 2013 recipient of the ABA’s Distinguished Service Award. Reach him at email@example.com.
Maureen E. Carollo, CRCM, CAMS, is Senior Vice President and Director of Compliance for Great Plains National Bank in Oklahoma. She has decades of banking experience in deposit operations, loan administration, regulatory compliance management, internal audit, and BSA/AML program management areas.
Maureen is active in the Oklahoma Bankers Association (OBA) and has served for nearly twenty years on the Compliance School Board of Regents as an instructor and former Chairman. She is also an instructor for the OBA’s Operations School, Consumer Lending School and Basic Banking School.
Maureen regularly writes for ABA Bank Compliance, serves on the magazine’s Editorial Advisory Board, and has won the Award for Publication Excellence (APEX) for her article on SARs. She also serves on the ABA Regulatory Compliance Conference Advisory Board, where she is a regular speaker and a former conference co-chair. Maureen graduated from the Southwestern Graduate School of Banking at SMU in Dallas, Texas, with recognition for leadership. Reach her at firstname.lastname@example.org.
[i] “Supporting Responsible Innovation in the Federal Banking System: An OCC Perspective,” Office of the Comptroller of the Currency; https://www.occ.gov/publications-and-resources/publications/banker-education/files/supporting-responsible-innovation-fed-banking-system.html