Supervisory Insights

Alternatives to Consultants: Meeting Regulatory Expectations with Internal Resources

Last Updated: April 20, 2023

As the primary federal regulator for most community banks, the FDIC appreciates the challenges these institutions face as they often have limited staff and resources. Community banks, particularly those with tight profit margins, need to be certain that every dollar is well spent. Accordingly, as part of its Community Banking Initiative, the FDIC recently shared an Information Package1 with its supervised institutions that provides details about resources and technical assistance that the FDIC offers on a variety of supervisory matters. This article furthers these efforts to support community banks by highlighting the resources made available by the FDIC and how they may assist institutions in understanding and fulfilling regulatory expectations without seeking outside help from consulting services. The FDIC is committed to open communication with its supervised institutions and encourages bankers to check with their FDIC contact (case manager, field supervisor, or onsite examiner-in-charge) to clarify regulatory expectations first to avoid potentially unnecessary consultant expenses.

Multiple Factors Influence the Decision to Work with Consultants

According to insights provided by community bankers, factors prompting institutions to hire consultants vary. For some banks, hiring consultants is a proactive strategy to obtain specific expertise to address new or complex areas for which the bank lacks depth or proficiency. Consultants may be particularly helpful in managing risks and regulatory compliance in more technical and evolving areas such as IT. Bankers also may believe contracting periodically for certain services with an outside firm is more cost effective than hiring and training additional full-time equivalent staff, or there may be a lack of qualified, affordable resources in a small or rural bank’s employment market.

Bankers also face a large volume of marketing solicitations from vendors offering services to ensure institutions keep pace with regulatory expectations. When there is a question as to whether a vendor’s proposed product and service is consistent with regulatory expectations, institutions are encouraged to discuss the proposal with their FDIC regional or field office contacts.

Understanding Regulatory Expectations

As an example of the importance of understanding regulatory expectations before committing to a significant consulting expenditure, consider this scenario. A state nonmember bank is approached by a vendor who is attempting to market a comprehensive enterprise risk management model. The vendor suggests to the bank that “this is what your regulator is going to expect,” perhaps at the next examination, and certainly at some point in the future.

As related by bankers to FDIC officials, this scenario is becoming increasingly common. It is therefore important for bankers to know that the FDIC does not have this expectation, nor does it impose a one-size-fits-all supervisory process on large and small banks. The FDIC’s expectations for the safe and sound operation of a community bank can be found in the Risk Management Manual of Examination Policies, Compliance Examination Manual, and related supervisory guidance available on the FDIC website (www.fdic.gov). Additionally, bankers are encouraged to contact their field or regional offices to clarify regulatory expectations before buying a service or product that is marketed as being required to meet regulatory expectations.

Technical Assistance Available from the FDIC

FDIC-produced technical assistance videos address a variety of issues that community banks face as part of regulatory and examination processes. They range in length from several minutes to over an hour (broken into sections), depending upon the complexity of the material and the depth of treatment provided in each video. The training provided in these videos may help institutions economize on the need for consultants or other contractors as personnel learn to perform the functions themselves. The videos in the program are grouped into sections as follows:2

  • Virtual Technical Assistance Program: These videos provide technical training for bank officers and employees on a range of regulatory issues, including Interest Rate Risk, the Allowance for Loan and Lease Losses, Troubled Debt Restructurings, Flood Insurance, Managing Fair Lending Risk, Appraisals and Evaluations and Evaluation of Municipal Securities.
  • Rulemaking Videos: These videos provide an overview of complex rulemakings, including the “Regulatory Capital Interim Final Rule.”
  • New Director Education Videos: These videos provide information to new bank directors about their fiduciary role and responsibilities as well as an overview of the FDIC’s risk management and compliance examination processes.
  • Virtual Directors’ College Program: These videos are a virtual version of the Directors’ College Program that FDIC regional offices deliver to bank directors and executive officers throughout the year.

The videos are a relatively new resource first introduced in the spring of 2013. The FDIC has received positive feedback from members of its Advisory Committee on Community Banking.3 Members described the videos as a good resource for training bank directors and management, and noted the informational value of receiving detailed presentations of regulatory and supervisory expectations directly from the FDIC.4

Independent Reviews

It is important to distinguish the use of third-party consultants as described above from independent reviews of processes that are part of a sound risk management framework. Some FDIC and interagency policies and guidance do require such reviews. For example,5 an independent review is a critical component of the control processes for BSA/AML, interest rate risk (IRR) and liquidity risk management, and ALLL methodology. Also, the FDIC Compliance Examination Manual6 requires banks to conduct compliance audits, which are independent reviews of institutions’ compliance with consumer protection laws and regulations and adherence to internal policies and procedures. The FDIC’s expectations for independent reviews are not new; most have been in place for many years.

FDIC and interagency policies and guidance state that independent reviews will vary substantially in form and scope for institutions depending on business model and complexity of operations, and generally may be conducted by any of the following: an institution’s staff or board member, so long as the individual is qualified and independent of the function under review; the institution’s internal audit section, as applicable; or a third party such as the institution’s external audit firm. For example, guidance regarding BSA/AML compliance indicates “Independent testing of the BSA/AML Compliance Program7 should be conducted by the internal audit department, outside auditors, consultants, or other qualified persons that are independent of the BSA/AML function.” As discussed previously, smaller community banks often face resource constraints and may not have sufficient qualified and independent staff to conduct independent reviews. In such cases, bankers and examiners should discuss regulatory expectations for independent reviews so institutions can assess their options and potentially avoid contracting for costly and unnecessary services.

Communication Between Bankers and Examiners Regarding Independent Reviews

As described in the Summer 2012 Supervisory Insights article “The Risk Management Examination and Your Community Bank,” the FDIC is committed to open communication with community banks, recognizing this is critical to administering an effective supervisory process.8 A key component of this communication is ensuring bankers understand examination procedures and regulatory expectations.

Examiners and bankers often share and discuss emerging issues and industry practices during examinations. Common questions involve bankers asking examiners “how can my bank do better?” and “what general trends are you seeing in other banks and in the market?” In such discussions, it is possible that an examiner might cite the use of a third party to perform certain functions as a tool some other banks have found helpful. This sharing of a particular practice should not be misinterpreted as a regulatory requirement. Explicit requirements and directions from the FDIC to banks are provided in the FDIC Report of Examination and written correspondence between the bank and the FDIC. Bankers are encouraged to follow up with their examiner-in-charge, field supervisor or assistant regional director before hiring consultants, if they have any questions or concerns about FDIC expectations.

Conducting Independent Reviews with Internal Resources

Every bank is unique, and there is no one-size-fits-all set of internal review procedures. To be effective, individuals directing or performing the independent reviews must not be responsible for managing or operating the functions or controls under review. Applying basic internal control principles, such as segregation of duties, can help smaller, non-complex institutions to ensure the independence of internal reviews. For example:

  • Appraisal reviews may be done by an outside board member with expertise in real estate development or valuation as long as the individual does not participate directly in the institution’s real estate lending or appraisal function.
  • One or more outside directors or staff independent of the loan function may perform loan reviews if they do not participate directly in the credit approval process.
  • An accounting or finance officer could review and validate the ALLL methodology if they are independent of the credit approval and ALLL estimation process.
  • An outside board member could audit compliance with HMDA regulations if the director does not participate in the lending function under review.
  • Independent testing for BSA/AML compliance may be conducted by internal audit or a qualified staff person or director not involved in the BSA/AML compliance program.
  • Lending staff may review liquidity risk management, or interest rate risk measurement and reporting (including back testing), in institutions with non-complex balance sheets.

FDIC Guidance on Banks’ Use of Consultants

The FDIC only requires institutions it supervises to hire consultants in certain, limited circumstances, for example as part of an enforcement action or to address a severe operational deficiency. In these cases, which amounted to fewer than two percent of all risk and consumer protection/CRA examinations in 2013, the FDIC incorporated provisions into formal and informal enforcement actions requiring institutions to obtain independent third-party reviews where significant violations or operational deficiencies existed, or to verify that restitution had been paid to consumers. Examinations that result in this type of enforcement action provision are uncommon. When such a provision is used, the FDIC reviews the consultant’s engagement letter to ensure the appropriateness of the proposed scope of the work and the final work product to ensure the completeness of the response and that it has sufficiently addressed the noted deficiency. The FDIC provides written guidance to examiners relative to requiring the hiring of a consultant as part of an enforcement action in the FDIC’s Risk Management Manual of Examination Policies.9 Such a recommendation requires multiple levels of review before approval.

Conclusion

Some community banks note a growing use of consultants associated with regulatory compliance requirements. This may be due, in part, to a misunderstanding of regulatory expectations. There are often cost-effective alternatives to working with consultants, including drawing on the expertise of board or staff members who possess the requisite skills and independence. The FDIC believes that its supervised institutions can frequently manage regulatory and compliance responsibilities using internal resources, and continues to develop resources to assist institutions in understanding FDIC’s regulatory and supervisory expectations. Bankers are encouraged to access technical assistance and clarification by FDIC field and regional office staff to determine whether internal or external resources are necessary to maintain a sound and compliant risk management framework.

Laura Brix
Senior Examination Specialist
RMS
lbrix@fdic.gov

Kristopher Rengert
Senior Consumer Researcher
DCP
krengert@fdic.gov


2 The Technical Assistance Videos can be found on the Directors’ Resource Center webpage at http://www.fdic.gov/regulations/resources/director/video.html. They are also available on the FDIC’s YouTube channel.

3 The FDIC Board of Directors approved establishing the FDIC Advisory Committee on Community Banking in 2009 to provide the FDIC with advice and guidance on a broad range of important policy issues impacting small community banks throughout the country, as well as the local communities they serve, with a focus on rural areas. The 15-member board generally meets three times per year.

4 Minutes from the Advisory Committee on Community Banking meeting on July 25, 2013 and April 9, 2014, accessed at http://www.fdic.gov/communitybanking/.

5 See, for example, “Interagency Policy Statement on Allowance for Loan and Lease Losses” (Interagency Policy Statement on the Allowance for Loan and Lease Losses (2006)); “Financial Institution Management of Interest Rate Risk” (Financial Institution Management of Interest Rate Risk (FIL-22010)); “Bank Secrecy Act: Provision for Independent Testing for BSA/AML” (Bank Secrecy Act Provision for Independent Testing for BSA/AML Compliance (FIL-38-2008)). This is not an exhaustive list of risk management guidance that addresses independent reviews, but rather examples that reflect FDIC’s expectations in this area.

7 Supra, footnote 7, “Bank Secrecy Act: Provision for Independent Testing for BSA/AML Compliance.”

9 See “Formal Enforcement Actions” (Section 15.1), “Management” (Section 4.1) and “Internal Routine and Controls” (Section 4.2). See https://www.fdic.gov/regulations/safety/manual/.