Community banks and other smaller financial institutions are graduating to the $10 billion-plus asset level in increasing numbers. How they get there differs, with some enjoying organic growth while others ride the current wave of mergers and acquisitions (M&A). Additionally, some institutions unexpectedly grew over $10 billion in assets because of the record number of CARES Act Paycheck Protection Program (PPP) loans made throughout the pandemic.

Regardless of an institution’s history, crossing the $10 billion threshold is a significant milestone. And, because the compliance and risk management demands for institutions of this size are significant, firms should provide themselves with a long runway to prepare for it. One reason is that an institution’s prudential regulator will have higher expectations for the risk management processes that a firm of increasing size should maintain.

But $10 billion is also the level at which a depository institution faces supervision and enforcement by the Consumer Financial Protection Bureau (CFPB) for the first time. So a transitioning institution must meet heightened consumer protection expectations, especially in such areas as conduct risk, fair lending, and its effort to avoid unfair, deceptive or abusive acts or practices (UDAAPs). And because Congress gave the CFPB jurisdiction over only a specific set of laws and rules, the prudential regulators continue to supervise compliance with the requirements left in their bailiwick.  So the prudential regulators such as the Office of the Comptroller of the Currency (OCC) will, for example, continue to carry out compliance examinations for national banks with assets over $10 billion. These examinations may have a more limited focus, but they typically carry higher expectations for the areas covered.

As this article explains, the quality of an institution’s compliance management system (CMS) is a prime factor in determining whether the consumer protection transition is smooth or rocky—whether compliance risk is managed effectively or rises above an institution’s risk appetite and regulators’ expectations.

Crossing the $10 Billion Line

CFPB oversight is triggered when one depository institution in an enterprise reports total assets over $10 billion for four consecutive quarters. As straightforward as that sounds, there are two caveats:

  • It’s not just the large depository institution that crosses over to heightened supervision, it’s the entire enterprise: the holding company, its subsidiaries (including smaller banks) and any subsidiaries that the banks may hold. Basically, “one in, all in.”
  • In an M&A transaction, regulators will look back at what the combined entity’s total assets would have been over the past four quarters, as if the merger had already taken place.

The CFPB monitors the pipeline of banks approaching $10 billion. From the quarterly Reports of Condition and Income (“Call Reports”) that institutions submit, CFPB examiners know which institutions are growing toward this size. And once CFPB oversight begins, an institution faces intense consumer protection scrutiny. Even if a bank has met the more limited consumer protection expectations set for smaller institutions by the prudential regulators, it may not be prepared for the end-to-end, consumer-focused reviews that the CFPB conducts.

There’s a lot at stake. The greater the regulatory scrutiny, the higher the risk that issues will be discovered.  If issues are identified, the institution will likely have to carry out its own in-depth review to determine consumer impact and whether consumer refunds are required. It may also face monetary penalties and the reputational damage associated with an enforcement action.  And because the prudential regulators that approve M&A applications will pay attention to the CFPB’s findings, falling short could limit the institution’s ability to grow any further until all issues are addressed.

Timing Is Everything

The $10 billion transition may come gradually or suddenly.  Institutions with a business plan for steady, organic growth have the benefit of more time to incrementally upgrade compliance. Growth through acquisition, on the other hand, can challenge compliance teams to integrate several programs into a cohesive risk management system.

Compliance professionals should stay on top of their institution’s strategic plan, to gain as much time as possible to work with the broader risk management team, the business lines, and the audit function to step up CMS quality. What are the plan’s growth forecasts? Are acquisitions part of the strategy? Looking over the horizon, some institutions begin enhancing their CMS as early as the $5 billion mark. Why? Advance preparation means the institution takes on the growth with the foundation of an effective CMS already in place, rather than trying to build it under examination.

Every step of a CMS development process takes time, including:

  • Carrying out a CMS assessment, including an inventory and analysis of all policies and control processes;
  • Gaining commitment from senior management and the board for needed changes including increased resources;
  • Staffing amid an ongoing skills shortage;
  • Adjusting policies, processes and responsibilities across the institution;
  • Addressing fundamental technological requirements such as systems integration; and
  • Validating the effectiveness of all changes through an internal audit or third-party review.

How much time? Consider the example of staffing. While the head of compliance at many smaller banks may wear various hats, a $10 billion bank requires dedicated teams of subject matter experts. But even after the board approves compliance team expansion (which takes time), smaller banks find it particularly difficult and time-consuming to recruit the right people.

Transitioning banks should also reach out to the CFPB early, to begin establishing a relationship, understand expectations, and demonstrate a commitment to consumer protection. A good time to start would be once initial progress has been made on CMS plans and upgrades. By the time that the CFPB conducts its first examination, transitioning institutions should be prepared to present a candid evaluation of current compliance management capabilities and a solid plan for addressing any gaps in a reasonable time.

Looking Through the CFPB’s Lens

What does the CFPB expect of the firms under its oversight? The bureau focuses on whether an institution’s policies and practices pose risks to consumers, rather than risks to the institution itself. CFPB examiners review policies, programs and procedures surrounding:

  • The nature and structure of products and services;
  • The treatment of vulnerable consumers;
  • The marketing methods used; and
  • The level of customer service.

The CFPB will take deep dives into these four areas. To do so, the bureau may review items such as compensation structures to determine whether they incent front-line staff to offer customers inappropriately high-cost products.

The first CFPB examination will set the baseline for subsequent reviews, so an institution should take both a short-term and long-term view of its new regulator. Current problems must be addressed, but it may be even more important to demonstrate a commitment to managing issues and promptly correcting them in the normal course of business. Keep in mind that the Bureau recognizes that compliance management is a process, not a single goal.

An effective CMS should adequately address consumer protection risks, commensurate with an institution’s size and risk profile. It’s built on three pillars:

  1. Governance—requiring engaged oversight by the board and senior management.
  2. A compliance program encompassing policies, processes and procedures intended to facilitate regulatory compliance; training; monitoring and testing; and consumer complaint response.
  3. Third-party oversight—to facilitate regulatory compliance by the institution’s service providers.

To be successfully operationalized, CMS responsibility must span all three lines of defense. These encompass the:

  • First line: front-line business units;
  • Second line: compliance and risk management programs; and
  • Third line: independent audit.

CMS Pillars: Governance

Ultimately, the strongest demonstration of governance in compliance is an appropriate investment of time and resources by senior management and the board in an institution’s CMS, including controls over the information technology (IT) that affects bank customers. This means the bank must ensure that the:

  • Program has the right quantity and quality of team members in all three lines of defense;
  • Team has the organizational stature needed to function effectively;
  • Leadership provides clear support for compliance risk management throughout the enterprise; and
  • Senior management and the board actively engage with the compliance program and interact on plans, issues, and resolutions.

For example, a compliance director role might be upgraded to Chief Compliance Officer, to raise the stature of the position among colleagues. Capable personnel should be hired in all three lines of defense who have the deep experience needed to manage a growing institution’s compliance responsibilities successfully. A more centralized organizational structure should replace the typically siloed approach employed by many banks under $10 billion.

Why centralized? Consider what could happen otherwise. If one business unit identifies an issue, while the compliance department sees a similar problem in a different part of the organization, and the audit team notices it in a third, the bank’s approach to resolving the issue would be fragmented. Such an approach is less likely to resolve the issue fully than a systemic strategy that treats the three sightings as one root cause. Another example is the bank that uses different risk frameworks and rating scales in various parts of the organization, so that a “high” rating in one unit means something different in another. Centralizing the compliance function strengthens risk management. But leadership support from the top of the house is needed to accomplish this kind of change.

Within the compliance department, centralizing means that where subject matter experts may once have been organized by product line, they now are organized into teams that handle broader functions.  For example, a dedicated team would handle testing and monitoring across all products and units. Another might be responsible for advising all business lines on regulatory change. A Fair and Responsible Banking team would address these issues across the whole institution.

Under the three-lines-of-defense model, banks need to clarify compliance roles in the business units, the compliance department, and the audit teams. Often the lines are blurred in smaller banks, with compliance staff working across two or more lines of defense. Resolving these kinds of situations may require re-organization of personnel—an effort that, again, takes time and will require support from the top.

Overall reporting relationships should also change, and one best practice is to establish a compliance reporting line to a centralized risk management function. Moving compliance out of an operational reporting structure or Legal Department reporting line and into the risk management sphere facilitates a risk-based approach.

Importantly, senior management and the board need to set the tone for their bank’s culture of consumer protection and compliance. In smaller institutions, the compliance officer is often the one responsible for compliance—nobody else. But for a bank to meet heightened consumer protection expectations, the first line must own the risk created by its business activities and all three lines must accept that compliance is a shared responsibility. This kind of commitment across the organization is hard to achieve, and bank leadership needs to drive it.

CMS Pillars: Compliance Program

The components of a compliance program are:

  • Policies, programs and procedures: Do they address the risk exhibited by the institution’s products, services and activities, including risks associated with consumer facing IT? Are they current, organized and consistent?
  • Risk management: Does the compliance department report to a risk management officer?
  • Assessment: Does the bank conduct compliance-oriented risk assessments covering entire product cycles and the full range of risk factors?
  • Monitoring, testing and audit: Does this function include risk-based programs carried out by all three lines of defense?
  • Training: Are training programs current and tailored to both institutional risk and staff responsibilities?
  • Complaint response and management: As the first line resolves individual complaints, is it also generating complaint data that is used to identify broader trends and fix their root causes?

Because IT is the enabler of a solid CMS, it’s critical that a bank devote sufficient resources to managing the risk associated with consumer-facing IT. This includes close attention to systems integration, particularly during a merger. Ultimately, there should be one compliance-oriented platform used across the organization. Otherwise, it can be extremely challenging to reconcile data reported in different ways by different systems. The institution then fails to get the full benefit of its data, and risks overlooking trends that could indicate fair lending or UDAAP issues that are not apparent from individual file reviews.

CMS Pillars: Third-Party Oversight

Third-party oversight grows in importance daily, as institutions increasingly outsource functions and product delivery to business partners and service providers. In tandem, all of the federal banking regulators—including the CFPB—have intently focused on the risks that could arise. As the saying goes, “You can outsource the function, but not the risk.”

The Bureau assesses whether institutions have developed and implemented appropriate risk management programs to ensure that their service providers comply with federal consumer financial law and avoid consumer harm. Examiners look for several indicators, including:

  • A board-level oversight policy and program;
  • Contractual language that specifies the consequences of non-compliance;
  • Robust due diligence when third parties are retained;
  • Ongoing oversight based on the risk of consumer harm, including monitoring complaints about third-party conduct; and
  • A plan for the termination of relationships that do not meet the bank’s performance standards.

If a transitioning bank’s third-party oversight program is not comprehensive, existing contracts may need to be reviewed to bring them up to CFPB-level expectations. And going forward, it’s not a good idea to simply sign a contract written by the service provider. At a minimum, tailored language should be inserted that addresses the items noted above, and the compliance roles and responsibilities of each party need to be well understood.

Fair and Responsible Banking Expectations

CFPB expectations in these areas are particularly high. Consequently, the CFPB will pay attention to whether an institution’s CMS answers the following questions:

  • Do all of the bank’s CMS pillars encompass fair lending and UDAAP risks?
  • Has clear responsibility been established for day-to-day oversight?
  • Do business units adequately manage fair and responsible banking risk?
  • Do the bank’s operational processes incorporate fair lending/UDAAP protections?
  • Does it monitor and correct related issues?
  • Does it address related complaints?
  • Is it overseeing third parties to avoid fair lending/UDAAP risks?

Assessing CMS Readiness

A CMS readiness assessment is a crucial step in the journey to $10 billion. Carried out thoughtfully, such an assessment can not only guide planning, it can help gain support both up the leadership chain and across the organization for the changes necessary to achieve a CMS that works effectively in a larger institution.  Here are a few items to consider when conducting a readiness assessment:

Do: Assess gaps or weaknesses in your CMS, including process mapping to identify key areas of risk. Consider obtaining an independent perspective to ensure that you’re in step with industry best practices and supervisory expectations.

Do: Evaluate what it will take to make the enhancements needed across the organization, and lay out the optimal department structure you’ll need to execute on your roadmap.

Do: Ensure that your timeline is realistic, including a phased approach if necessary.

Don’t: Underestimate the effort it may take to persuade senior leadership of the need for structural changes and the investment required to make them.

Don’t: Underestimate the time you’ll need to design and implement structural changes, such as an effective three-lines-of-defense model.

Don’t: Forget that business and regulatory change are always creating new compliance challenges, requiring a commitment to a CMS that will continue to evolve long after the crossover to $10 billion.

The Takeaway

Heightened compliance expectations come with crossing the threshold to $10 billion in assets, including detailed review of operations that used to draw only limited attention. Welcome to CFPB oversight. This is a moment when compliance risk could spike without a CMS that is up to the new scrutiny. Is your CMS ready?

As Seen in ABA Bank Compliance January / February 2022

This article was co-authored by Tina Shaver, CRCM, CAMS, EVP & Chief Risk Officer at Premier Bank, a $7B bank headquartered in Ohio. Tina previously served as Senior Director with Treliant, a financial and risk consulting firm, and as Chief Compliance Officer at a mid-size bank. She is a financial services executive with over 30 years of experience in risk, compliance, and advisory leadership roles. Reach her at