Managing Risk: De Novos

WP 04.01.2008

Follow this checklist to make sure you’re addressing your most critical risk management needs.

Establishing a new bank is a daunting task. De novo bank management can feel as though it is juggling, with several balls in the air. The charter application has to be filed, investors lined up, management recruited, staff hired, locations found and branches established. In the middle of all this activity, bank management must incorporate sound risk management principles into its new operations.

The following is a checklist of the most pressing risk management responsibilities on which de novo bank owners should concentrate. This list is not exhaustive, but it provides a framework for a risk management program at a newly formed depository institution.

Policies: First and foremost, the management of a new bank should invest in the purchase of policy templates or create its own policies and procedures. In most cases regulatory agencies require these to be in place before approving the bank’s charter application. Some regulators issue a list of the minimum policies they expect de novo banks to have when they open. Regulatory compliance, internal audit, and credit policies should be written and ready for approval by the bank’s board of directors once the charter is approved. If the bank purchases generic policies, they will need to be tailored to the bank’s specific operations. Bank management should be aware that, because de novo banks also grow fast, policies and procedures will need to change fairly rapidly over the first 24 – 36 months after the bank opens for business. A common error is to write the policies and leave them static for too long, failing to adapt them to the bank’s actual level of business and customer base.

BSA/AML Program: The regulatory agencies generally require a written BSA program prior to the opening of the bank. The BSA/AML program should include a written CIP program. Bank management should undertake to develop a BSA/AML risk assessment for the new institution. Risk assessments should be based upon the products the bank plans to offer, the customers it expects and the geographies where its branches will be located. As with general policies, bank management should realize the BSA/AML policies, procedures and risk assessments will need to be updated at least annually (and maybe more often) during the first three years of the bank’s operation. Since banks often add products and services during their early years as well as attract customers that were not anticipated, the program and policies must change to adapt to actual circumstances.

OFAC Compliance Program: The bank should also develop an OFAC risk assessment and written program to include all types of automatic and manual transactions. The bank should immediately determine how its CIF/customer base will be scanned for OFAC on an ongoing basis. If the bank’s core processor does not provide this service, the bank should find a reliable third-party vendor. Keep in mind that certain manual transactions will need to be checked against the OFAC SDN list, such as over-the-counter check cashing for non-customers, checking payees on cashier’s checks sold to customers and checking vendors used by the bank. The OFAC program should allow these processes to be monitored in the most efficient way possible.

Information Security Program: A comprehensive information security program is also an essential part of the risk management program. The program should include an IT risk assessment, an Information Security risk assessment and a provision for independent testing of all systems. The risk assessments should anticipate the bank’s expected volume of transactions, types of products and services and customer base during the first years of the bank’s operations.

Lobby Notices and Posters: Bank management must order and post all signs and notices required by state and federal law. The bank must post a CRA notice in the lobby. Regulation CC notices should be posted near where deposits are taken. FDIC signs should be posted by each teller station within 21 days of opening. If the bank gives its USA PATRIOT Act notice by posting it, the notice should be in all new accounts areas, including where new loans are closed. A fair housing lending poster should be in the area where the bank takes home loan applications. The bank will not need a HMDA notice on its first day, but once it reaches the HMDA threshold (currently $37 million in assets) this notice will need to be placed in the bank’s lobby. State laws vary, but some require the consumer complaint notice. Finally, as the bank adds ATM machines, certain Regulation E and Regulation CC notices are also required at the machine level.

Insider Transactions: At the time the bank opens, it should have clear policies and procedures related to insider transactions. A Regulation O lending policy is important. It should state whether the bank lends to insiders, the terms and conditions of such lending and how reporting requirements will be implemented and monitored. A related policy is the Bank Code of Ethics, which is needed to comply with the Bank Bribery Act. The Code of Ethics should set forth the bank’s stance on receiving gifts and things of value from third parties — setting the limits and reporting requirements for these. It should also address other types of conflicts of interest such as conflicting employment, types of bank accounts that are available to employees and such issues as lending to family members.

Choosing a Platform System for Disclosures: One of the most important decisions the bank will make for risk management purposes is choosing a platform system to generate deposit and loan disclosures. The bank should carefully consider all of the products it will offer both currently and into the foreseeable future and select a system that will allow the bank to expand and offer more complex products. The bank should also choose a reputable company that will update the system to meet regulatory changes. Initial customization of the platform templates is very important as the disclosures should fully describe products and services sold to customers.

Regulatory Compliance Training: The bank should implement regulatory compliance training (particularly BSA/AML training) as soon as staff is hired — even before it opens its doors. The compliance training should cover all areas of deposit, lending and operational compliance and it should be tailored for the employee’s position. Using Web-based training is a good option for fairly generic training, but training on specific bank policies is also important. Don’t forget to document the training that is provided to staff even before opening day. The bank should get credit for any and all efforts made in the staff training area. In a small staff environment, training on policy and procedures may take place informally, but is still valid. Outside training for the compliance and BSA/AML officer should also be documented.

Suspicious Activity Monitoring: From the beginning bank management should determine how the bank will monitor transactions for suspicious activity. The bank’s core processing system may offer enough appropriate reports to accomplish this satisfactorily through daily generated reports. However, if the bank expects to be involved with high-risk activities or customers, management should consider a separate automated monitoring system from the beginning, whether it comes as a separate module of the core processing system or as an add-on system.

Board Involvement: From the beginning of a bank’s operation, it is important to regularly communicate with the board of directors on risk management issues. The board should approve all policies related to risk management. Reports of audits, monitoring and risk assessments should be reported to the directors on a regular basis. Board training on risk issues is also important, especially in the areas of BSA and Fair Lending.

Loan Review: Hiring or outsourcing the loan review function is important as well. The bank shouldn’t wait until it builds up a portfolio to begin this process. As soon as there are loans of a substantial size on the books, it should have a loan review function in place and report its findings to the board. This action sets the tone for good underwriting and approval processes. It also assists with the establishment of Allowance for Loan and Lease Losses (ALLL).

Internal Controls Reviews: Since bank management will be pressed to perform all required operational and lending duties within the bank, it is easy for internal controls to be ignored. Regularly scheduled internal controls reviews will provide management with feedback and reminders on important risk factors that can affect their operations. A good internal review process will also help management take risk-based action steps toward managing those risks inherent in all bank operations. While a de novo may be able to hire an auditor full time, these reviews can be outsourced easily.

There are competing priorities at a de novo financial institution. Management must make decisions on a daily basis that affect its growth and risk profile. Being mindful of these risk management areas can prove effective at mitigating risk in the inherently risky environment that most de novo banks face.

[This article first appeared in the April 2008 Supplement to Community Banker]