Skip Header
U.S. flag

An official website of the United States government

Supervisory Insights

Mergers and Acquisitions: A Compliance Perspective

Last Updated: May 8, 2023

PDF version of this article

Successful execution of mergers and acquisitions among financial institutions requires significant attention to detail, to ensure that the systems of the surviving institution function in a way that is consistent with laws, regulations, and safe-and-sound banking practice. A successful merger results in an integration of systems encompassing risk management, information technology, Bank Secrecy Act/anti-money laundering, and compliance with consumer protection laws and the Community Reinvestment Act.

In this article, we focus on the importance of planning for the surviving institution’s compliance with consumer protection regulations and the Community Reinvestment Act (CRA). Compliance problems can ensue, for example, if management is unfamiliar with the regulatory requirements associated with some of the activities of the surviving institution, or if the surviving institution crosses any of a number of compliance reporting thresholds as a result of the merger. The seriousness that regulators attach to such issues is evidenced by the fact that some mergers are not approved because of concerns about the quality of these compliance systems at one or more of the potential merger partners

Proactively addressing consumer compliance risks will help bank management avoid violations and maintain the institution’s Compliance Management System (CMS), which is the framework through which an institution oversees its compliance responsibilities and incorporates applicable requirements into its business practices. This article reviews how compliance with consumer protection laws and regulations plays a critical role after a merger or acquisition is approved, and identifies issues to consider when planning for a merger or acquisition or when conducting post-merger or acquisition compliance-focused due diligence. The discussion is structured around a sample template for due diligence and a case study of the merger of two hypothetical banks.

The Importance of Effective Due Diligence

Due diligence is the primary responsibility of the Board and senior management. However, the depth and scope require the involvement of key personnel, including the Compliance Officer, auditors, and department supervisors throughout the merger or acquisition process. An effective merger due diligence process helps ensure the surviving institution’s consumer compliance posture is maintained during and after a merger or acquisition, as it gives the Board and senior management the information it needs to allocate personnel resources in compliance and operational areas. The Board and senior management’s ability to establish and maintain the surviving institution’s CMS1 will be evaluated by examiners at the next examination through a risk-focused review and transactional testing. An inadequate CMS can lead to violations and adversely affect the bank’s Consumer Compliance Rating.2

Management should also determine the legal and technological risks associated with mergers or acquisitions. For example, will the surviving institution have the technological infrastructure or framework in place to handle the merger, or has the surviving institution considered all legal risks that may surface from combining products and services?

Regulatory Concerns

Consumer compliance issues, such as those relating to fair lending, Unfair or Deceptive Acts or Practices (UDAP), CRA, or the Servicemembers Civil Relief Act (SCRA), among others, can result in legal and reputational risks for the institution. Understanding early in the transaction how consumer protection rules and regulations apply will strengthen efforts to maintain the integrity of the institution’s operations and the CMS. Table 1 lists due diligence considerations from consumer protection laws, rules, and regulations that may apply to and should be considered during and after a merger or acquisition.

Table 1: Due Diligence Considerations as Part of the Merger and Acquisition-Planning Process
Lending Regulations
Regulation Due Diligence Considerations
Truth in Lending – Regulation Z3
  • Determine whether loan product features will change in a manner that adversely affects consumers, such as revisions to payment processing or payment structure, and provide applicable notices.
  • Continue periodic statements for all open-end products and consider regulatory statement format requirements, particularly when using custom formats.
  • Ensure proper notification for variable-rate adjustments on adjustable-rate mortgages.
  • Determine whether purchased-dwelling-secured loans require notices to affected consumers in accordance with Helping Families Save Their Homes Act of 2009.
  • Determine if the acquired institution had loans subject to the Higher Education Act to ensure proper administration.
  • Determine if the acquired institution offered credit cards to ensure effective processes are in place to maintain credit card functions and characteristics, as prescribed by the Credit CARD Act of 2009.
  • Ensure the integrity of a consumer’s right to rescind applicable transactions. The FDIC’s evaluation of a bank’s CRA performance is adversely affected by evidence of illegal credit practices, including violations regarding a consumer’s right of rescission.
Real Estate Settlement Procedures (RESPA) – Regulation X4
  • Provide the appropriate Servicing Transfer notice.
  • Maintain escrow account administration, including annual analysis and notification(s).
  • Consider any existing secondary market and other referral arrangements.
Flood Insurance5
  • Identify covered loans and ensure adequate insurance coverage.
  • Notify the Federal Emergency Management Agency (FEMA) of change in servicer.
  • Determine if the previous lender required escrow and consider the impact for escrowed loans requiring flood insurance.
  • Notify the third party responsible for life-of-loan monitoring of the new lien holder.
Home Mortgage Disclosure Act (HMDA) – Regulation C6
  • Determine the impact on HMDA reporting for the surviving institution.
Homeowners Protection Act (Private Mortgage Insurance)7
  • Maintain private mortgage insurance administration tasks, including annual notices and other subsequent notification requirements.
Protecting Tenants at Foreclosure Act8
  • Determine if any foreclosure proceedings are in process, or if foreclosure is necessary after the transaction. Provide required notices to “qualified tenants.”
Fair Credit Reporting Act (FCRA)/Fair and Accurate Credit Transactions Act9
  • Provide updated Negative Information notice disclosures, when necessary.
  • Ensure written policies and procedures adhere to all applicable provisions of FCRA and its implementing rules, such as the Affiliate Marketing Rule, Medical Information Rule, and Furnisher Rule.
Secure and Fair Enforcement for Mortgage Licensing Act (SAFE Act)10
  • Identify Mortgage Loan Originators.
  • Update employer/employee information in registry within 60 days of change.
Fair Lending Regulations11
  • Conduct a comprehensive Fair Lending review to ensure the acquired loans reflect: consistency in pricing and underwriting; no impermissible redlining or steering practices; fair marketing practices; and a strong CMS as it relates to Fair Lending.
  • Analyze the assessment area and determine if any newly acquired loan(s) could adversely affect the Fair Lending posture of the surviving institution. Any material inconsistency(ies) between the provisions of an acquired loan and the surviving institution’s policies should be identified and monitored to ensure the loan is administered in a manner that is consistent with all applicable Fair Lending laws and regulations.
  • Note the applicability of regulations related to Fair Lending (such as the Equal Credit Opportunity Act, Fair Housing Act, HMDA, and FCRA).
Deposit Regulations
Regulation Due Diligence Considerations
Truth in Savings-Regulation DD12
  • Determine whether terms / features will change and provide applicable Change in Terms notices.
  • Continue to provide periodic statements with accurate customized information (if applicable).
Electronic Fund Transfers-Regulation E13
  • Identify changes in terms and provide notification within regulatory timeframes.
  • Consider overdraft payment opt-in requirements for newly acquired customers.
Expedited Funds Availability Act (EFAA)-Regulation CC14
  • Identify changes in funds availability policies and ensure compliance with Regulation CC.
  • Ensure transaction processing cut-off timeframes are properly disclosed, if different at various branch locations.
Lending Regulations
Regulation Due Diligence Considerations
Community Reinvestment Act (CRA)15
  • Consider the effect of the merger/acquisition on the demarcated CRA assessment area. Should the assessment area be expanded as a result of the transaction?
  • Determine whether the merger will change how the surviving bank is evaluated for CRA. For example: Will an increase in asset size define the bank as an “intermediate small bank” after two consecutive years with assets above the published threshold? Will the merger result in the acquisition of branches in a separate Metropolitan Statistical Area (MSA) or a non-contiguous non-MSA?
  • Ensure the CRA Public File at each office is updated to reflect new loan-to-deposit ratios (for institutions subject to the small bank lending test), updated assessment area(s), products and services, HMDA disclosure statement (if applicable), and branch listing.
  • Ensure branch closing policies adhere to statute and applicable policy.16
  • Consider Interstate Banking and Branching Efficiency Act applicability. Review impacts on how the surviving institution will be evaluated.17
  • Ensure mergers between insured depository institutions (IDI) and an IDI and a noninsured institution satisfy the requirements of the Bank Merger Act and related Interstate Banking and Branching Efficiency Act.18
Deposit Insurance19 
  • Consider the impact on deposit insurance coverage for customers with deposits at both institutions. “Deposits from the assumed bank are separately insured from deposits at the assuming bank for at least six months after the merger. The grace period gives a depositor the opportunity to restructure his or her accounts, if necessary.”20
  • Determine impact on privacy policy provisions, including compliance with the Gramm-LeachBliley Act (GLBA) Privacy of Consumer Financial Information Rule and affiliate-sharing rules issued under FCRA.
  • Provide applicable privacy notices to acquired customers within reasonable time.
Unfair or Deceptive Acts or Practices (UDAP)22
  • Consider the adequacy of disclosures to consumers regarding changes to account terms.
  • Consider the adequacy of policies in both the lending and deposit areas.
  • Consider potential impacts on customer accounts converted to accounts without the same benefits or rewards to identify the content and timing of the notice needed to clearly inform affected customers of all material changes.
  • Determine whether the surviving institution intends and has the capacity to maintain grandfathered products and services.
Non-Deposit Investment23 and Insurance24 Products
  • Determine if either bank sells retail insurance or investment products and ensure staff member licensure and registration is current in accordance with federal and state requirements.
  • Determine if products are offered through a broker via a third-party arrangement.
Fair Debt Collection Practices25
  • Determine if the acquired bank collects debt for third parties and the scope of that function.
Servicemembers Civil Relief Act26 
  • Determine if the acquired institution currently services loans for covered borrowers to ensure the bank maintains and tracks relief under the regulation.

The next section presents a merger case study between Bank 123 and ABC Bank that will give perspective on the regulatory and operational impacts listed in Table 1.

Merger of Bank 123 and ABC Bank

Table 2 outlines a merger scenario between Bank 123 and ABC Bank. Bank 123 will be the surviving institution and is embarking on this merger to grow its deposit and loan base in an MSA and add consumer and residential real estate lending to its portfolio. After the merger, Bank 123 intends to close one ABC Bank branch due to low production activity. Issues identified through due diligence as well as the consumer protection regulatory impacts on Bank 123 are discussed in the section following the table.

Table 2
Merger of Bank 123 and ABC Bank
Institution Characteristics Bank 123 ABC Bank
Assessment Area Several contiguous, non-MSA counties. One large MSA (single county).
Branching Five branches. Two branches.
Assets $275 million. Bank 123 will acquire the vast majority of ABC Bank’s assets and liabilities. $95 million.
Loan Products and Services Commercial, agricultural, and consumer installment loans. Nominal residential real estate lending. Residential real estate (home purchase, refinance, home improvement, reverse mortgages serviced by a third party, and home equity lines of credit (HELOCs)), consumer loans (including installment and personal lines of credit), and commercial loans.
Deposit Products and Services Checking / Demand Deposit Accounts (DDA), Savings, Money Market, and Certificates of Deposit. The bank has an automated overdraft program. Due diligence indicates deposits are held by the same customers at both institutions. Checking / DDAs, Savings, Money Market, Certificates of Deposit, and Individual Retirement Accounts. Deposit accounts include rewards features, some of which are offered and maintained by a third party. These rewards are actively marketed by the bank and the third party. The bank does not have an automated overdraft program.
Affiliates One affiliate institution (finance company), with which the bank shares information to market products and services. No affiliate institutions.

Due Diligence of ABC Bank Products and Services

Due diligence analysis of products and services in the loan and deposit areas revealed similarities in product types between the two institutions. ABC Bank also offers additional loan products that Bank 123 does not, such as reverse mortgages and HELOCs, and offers deposit rewards programs. As a result, Bank 123 must modify its CMS to ensure applicable regulatory provisions relating to these lending and deposit products are maintained. For example, Bank 123 management should understand:

  • how these specialized products function;
  • how existing policies and procedures should be enhanced or revised, including daily product administration and monitoring functions;
  • how operating and platform systems can accommodate product functionality on grandfathered accounts, such as providing consistent information in periodic statements, revisions to payment processing (structure and cut-off times), and disclosure content;
  • the required depth and scope of training for the Board, senior management, and applicable staff;
  • the required depth, scope, and frequency of monitoring controls; and
  • the required depth, scope, and frequency of the audit program, if applicable.

The analysis of products and services also identified third-party risks in the deposit and lending areas. Reverse mortgages and deposit rewards are offered and serviced by third-party vendors. Senior management should perform risk assessments on each vendor, considering reputational, strategic, and compliance risks, and conduct comprehensive reviews of vendor contracts. Adjustments to Bank 123’s policies and procedures, monitoring controls, and training program should be made to accommodate the terms of agreements.

Regulatory Impacts on Bank 123

Bank management should determine how the CMS should be modified and/ or expanded to reflect the risks identified through the due diligence process. For example:

Assessment Area and Branching

The addition of branches in an MSA and the closure of one branch will impact Bank 123.
  • Bank 123 will become a HMDA reporter. With little residential lending experience and without the benefit of familiarity with HMDA reporting, Bank 123 should provide training to staff to ensure data integrity.
  • Bank 123 management should conduct comprehensive reviews of the MSA demographic and economic characteristics to determine the impact on CRA evaluations. For example, management should consider the assessment area’s demographics and how they change the institution’s CRA performance context, and the effect on the institution’s ability to meet the needs of the community. CRA performance evaluations will now include separate conclusions for performance in the MSA and the contiguous non-MSA area. Bank 123’s prior CRA evaluations likely were focused on small-business and small-farm lending. If Bank 123 maintains residential real estate lending in the MSA, this portfolio could become a primary lending product, further changing the institution’s CRA performance profile.
  • Bank 123 will need to post and provide required notices and ensure applicable timelines are allowed to expire before closing the branch.


The increase in assets would change the institution’s CRA profile from a Small Bank to an Intermediate Small Bank (ISB)27 after two consecutive years of assets above published thresholds. The performance evaluation requirements for an ISB incorporate the Community Development Test, which requires the bank to emphasize qualified community development lending, investments, and services that help meet the needs of its community.

Deposit and Loan Products and  Services

The changes in product sets and management’s decision to maintain or grandfather accounts can:

  • Affect and trigger changes-interms notifications under Truth in Savings, Truth in Lending, Electronic Fund Transfers, Expedited Funds Availability, FCRA, and Privacy.
  • Affect the ongoing administration and monitoring of consumer credit. Management should determine loans that were in a flood zone, were in foreclosure (subject to the Protecting Tenants at Foreclosure Act and Fair Lending), had funds in escrow, if any payments were late, or had private mortgage insurance to ensure proper notifications were provided and subsequent analysis and maintenance was maintained. Management also should consider changes to servicer notifications under RESPA.
  • Impact the surviving institution’s product offering. For example, the addition of HELOCs to Bank 123’s product set would require additional policies and procedures, appropriate training and monitoring, and enhanced product administration, such as ensuring customized disclosures and periodic statement formats are maintained after conversion.

Bank 123 did not previously originate a sufficient number of mortgage loans to require the institution and loan officers to register with the national directory as required by the SAFE Act. Management now will need to monitor activities and enforce SAFE Act procedures when necessary.

Bank 123 would need to provide Regulation E opt-in notices to newly acquired customers before charging customers for overdrafts on applicable transactions (i.e., ATM and one-time POS transactions).

Bank 123 will need to review the rewards program. If the rewards program ceases, notification requirements would be triggered. If these accounts are maintained/grandfathered, management should ensure the bank can maintain the program (i.e., provide rewards when applicable), and monitor the activities of the third party to ensure it provides services as disclosed, to prevent potential Unfair or Deceptive Acts or Practices issues. Management also should consider whether to offer the rewards to new and existing depositors to ensure no portion of the financial institution’s community or depositor base is omitted from receiving product benefits.

Bank 123 should provide comprehensive Fair Lending training to newly acquired loan staff that addresses the specifics of the regulations and the bank’s policies and procedures.

Bank 123 should identify and monitor shared deposit customers, as these customers are allowed to restructure deposit accounts for FDIC deposit insurance purposes.


The sharing of information could impact ABC Bank customers from a Privacy Policy perspective. The type of information shared can be restricted by consumers if the affiliate institution will use customer information to market its products and services. Bank management must determine if information-sharing opt-out notices are warranted.


Effective due diligence of consumer compliance issues is critical in every merger or acquisition transaction. This process helps to ensure a smooth transition for the surviving institution and the maintenance of a satisfactory compliance posture. The information presented in this article can be used as a framework for addressing applicable consumer protection laws, rules, and regulations during the due diligence process.

Matthew Z. Zamora
Senior Compliance Examiner
Division of Depositor and Consumer Protection

1 Section II.3-1 of the FDIC Compliance Examination Manual describes the components of the Compliance Management System.

2 Section II.13-1 of the FDIC Compliance Examination Manual outlines the Consumer Compliance Rating System.

3 15 U.S.C. 1601 et seq., Truth in Lending – Regulation Z:

4 4 12 U.S.C. 2601 et seq.; 42 U.S.C. 3535(d), Real Estate Settlement Procedures – HUD’s Regulation X:

5 42 U.S.C. 4012a, 4104a, 4104b, 4106, and 4128, Part 339 of FDIC Rules and Regulations – Loans in Areas Having Special Flood Hazards:

6 12 U.S.C. 2801—2810, Home Mortgage Disclosure Act – Regulation C:

7 12 U.S.C. 4901, Homeowners Protection Act of 1998:

8 12 U.S.C. 5201 and 5220, Protecting Tenants at Foreclosure Act:

9 12 U.S.C. 1818 1819 (Tenth) and 1831p–1; 15 U.S.C. 1681a, 1681b, 1681c, 1681m, 1681s, 1681s–3, 1681t, 1681w, 6801 and 6805, Pub. L. 108–159, 117 Stat. 1952, Part 334 of FDIC Rules and Regulations – Fair Credit Reporting:

10 12 CFR Part 34, 208, 211, et al., SAFE Act:

12 12 U.S.C. 4301 et seq., Truth in Savings – Regulation DD:

13 15 U.S.C. 1693b., Electronic Fund Transfers – Regulation E:

14 12 U.S.C. 4001–4010, 12 U.S.C. 5001–5018, Expedited Funds Availability – Regulation CC:

15 12 U.S.C. 1814–1817, 1819–1820, 1828, 1831u and 2901–2908, 3103–3104, and 3108(a), Part 345 of FDIC Rules and Regulations. Community Reinvestment Act:

16 12 U.S.C. 1831r-1, Section 42 of the Federal Deposit Insurance (FDI) Act: See also Policy Statement of Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of Thrift Supervision Concerning Branch Closing Notices and Policies, 64 FR 34845 (June 29, 1999):

17 12 U.S.C. 1811, 3104, 1835a, Riegle-Neal Interstate Banking and Branching Efficiency Act of 1994:

18 Section 18(c), 12 USCA 1828 (c) of the Bank Merger Act:, and the Riegle-Neal Interstate Banking and Branching Efficiency Act of 1994 (Section 44, 12 USCA 1831u).

20 FDIC – Your Insured Deposits booklet, Question and Answer No. 5, pp. 20-21.

21 E.g., Gramm-Leach-Bliley Act Privacy of Consumer Financial Information Rule, 12 CFR 1016. See

22 12 U.S.C. 45a, Federal Trade Commission Act, Section 5 – Unfair or Deceptive Acts or Practices: FDIC Compliance Examination Manual.

24 12 U.S.C. 1819, Part 343 of FDIC Rules and Regulations,– Consumer Protection in Sales of Insurance:

25 15 U.S.C. §§ 1601 and 1692: Fair Debt Collection Practices Act:

26 Service Members Civil Relief Act, Pub. L. 108-189 (codified at 50 U.S.C. App. 501 et seq.):

27 Intermediate Small-Bank Procedures: In addition to conducting the Lending Test for Small-Bank performance evaluations (which encompasses analysis of Net Loan-to-Deposit Ratios, Lending Area Concentration, Borrower Profile Distribution, and Geographic Distribution), examiners also conduct the Community Development Test which is comprised of evaluations of the institution’s ability to meet the credit needs of its community through providing services that support Affordable Housing, Community Development, Economic Development, Revitalization and Stabilization, and attentiveness to Abandoned and Foreclosed Homes. These services are evaluated through reviews of qualified Community Development Lending, Investments, and Services.