Compliance implications of crossing the $10 billion asset threshold

Since the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act), super-community and small regional banks have been forced to consider the implications of their growth strategies as their balance sheets inch closer to the $10 billion in assets threshold, a game-changing milestone that brings new and sometimes burdensome compliance requirements.

After nearly a decade of ambiguity around the regulatory environment in the financial services sector, banks are finally gaining clarity around the multiple rules and regulations that have been finalized over the past few years. The finalized rules continue to highlight the increasing cost of post-financial crisis compliance, encouraging management teams to consider alternative operating models across the industry. The resulting implications affect growth strategies and M&A activities, and present unique challenges that vary by institution type and size. Among small-tier banks, organic growth challenges, the need for scale, and increased regulatory scrutiny are spurring M&A and driving smaller banks to consolidate, accelerating the impact of these compliance challenges.

Whether banks approach the $10 billion mark through organic growth or M&A, institutions must understand the new compliance playing field, especially the increased regulatory scrutiny and the need for robust and well-documented compliance risk management and reporting programs. Many institutions face increased regulatory scrutiny and experience more frequent examinations from and discussions with their regulators. Significant changes to an institution’s operations are necessitated by new regulatory requirements when reaching the $10 billion mark, and as a result, banks must analyze the longterm repercussions of crossing the threshold and the possible impacts on bottom-line profitability. Proper preparation well in advance of this milestone will help ensure that institutions are well-equipped to manage these regulatory risks.

CFPB supervision Perhaps most significantly, the $10 billion mark introduces supervision under a new, powerful regulator. The Dodd-Frank Act’s creation of the Consumer Financial Protection Bureau (CFPB) signaled an intensified focus on consumer protection that has resulted in a heavy volume of enforcement actions in the five years since the CFPB’s launch. With 19 consumer financial protection rules and regulations under its rule-making authority1, the CFPB brings a new perspective to banking regulation, one narrowly focused on protecting the financial well-being of consumers.

Most common among the recently issued enforcement actions is the CFPB’s use of the unfair, deceptive or abusive acts or practices (UDAAP) standard in examining banks and other financial institutions. Introduced by the Dodd-Frank Act and building on Section 5 of the Federal Trade Commission Act’s definition of unfair or deceptive acts or practices, UDAAP provides the CFPB with the regulatory authority to levy fines and penalties if an institution is found to have engaged in or committed an “unfair, deceptive, or abusive act or practice … in connection with any transaction with a consumer for a consumer financial product or service.2” Such language provides the CFPB with broad authority over examining consumer treatment, which the Bureau used as the basis for approximately 50 enforcement actions totaling more than $2.5 billion in penalties and restitution in 2014 alone.3 Common unfair, deceptive or abusive acts and practices that have resulted in fines include charging hidden fees for products and services, engaging in unlawful overdraft practices, making false statements or claims about products, and inappropriately billing customers.

As a result of the CFPB’s customer protection focus and the application of broad and sometimes vague UDAAP standards, banks approaching the $10 billion in assets threshold must assess their compliance functions to determine if the appropriate infrastructure is in place to manage new requirements and added regulatory scrutiny from the CFPB. Banks should examine their entire consumer compliance program — beginning with robust risk assessment and identification processes and carrying through compliance testing — to ensure that each function operates efficiently and effectively. Compliance testing should be executed across all consumer products offered by the bank to assess for UDAAP risk and other regulatory violations, such as those pertaining to fair lending.

While reviewing the bank’s compliance program, an institution should examine other functions within the bank that have high levels of customer interaction to ensure that the monitoring of these functions is built into the compliance program. These areas also carry regulatory risk and the burden of compliance. For example, the CFPB relies heavily on customer complaints to direct its focus during examinations. Therefore, banks must have an effective complaints management program in place in order to monitor for trends or patterns indicative of compliance risks. A strong complaints management program allows the bank, and its compliance function to identify areas of risk and to improve or implement controls and testing. Further, marketing practices and advertising strategies should be re-evaluated to validate that the bank’s products and services are offered to all qualified individuals, regardless of prohibited bases. Other examination focus areas for the CFPB include overdraft payment programs, loan officer compensation programs, credit card add-on products, and mortgage product redlining and steering. Banks should review these areas and enhance controls and procedures to ensure compliance.

Continuous supervision approach When banks cross the $10 billion mark, they are no longer considered community banks, but rather midsized institutions — a designation that introduces an enhanced supervisory approach from regulators. Banks can expect a larger and more frequent examination presence from regulators, featuring fullscope, point-in-time examinations combined with regular, targeted reviews that include a variety of off-site monitoring activities (i.e., monthly conference calls, frequent on-site reviews, etc.). Additionally, many banks crossing the threshold are appointed a designated resident examiner who maintains a constant physical presence at the institution’s offices. Therefore, banks must ensure that sufficient resources are allocated to compliance — from business units and the compliance department to senior management and the board of directors — so that the enhanced demands of regulators are met, and more importantly, so that the bank can continually review the strengths, weaknesses and gaps in its compliance program.

Durbin Amendment Another significant impact of the $10 billion mark is the applicability of the Durbin Amendment. Passed in 2011 under the Dodd-Frank Act, the amendment limits the interchange fees paid by merchants to banks when their debit cards are used as payment. For banks close to hitting the $10 billion threshold, the effects of the Durbin Amendment could drastically reduce fee income. Intended to lower costs for consumers by lowering the financial burden on merchants, the Durbin Amendment caps debit card interchange fees — commonly known as swipe fees — at $0.21 plus an additional 0.05%. Prior to the passage of the Durbin Amendment, the average swipe fee generated $0.44 per transaction for banks,4 and as a result of the amendment’s implementation under the Dodd-Frank Act, the revenue streams for banks that rely heavily on fee income will be affected.

Since community banks are exempt from the provisions of the Durbin Amendment, banks should strongly consider the repercussions of the new interchange fee requirements imposed as a result of reaching the $10 billion mark. Since the Durbin Amendment came into effect, some banks have adjusted their business practices to make up for the anticipated loss in income through various means, including the implementation of new checking account fees, higher minimum balance requirements, and scaling back debit card rewards programs. Some banks may even choose to delay their growth to devise a strategy to mitigate the expected reduction in fee income, while others may decide to accelerate their growth to more rapidly gain scale and minimize the amendment’s impact. In taking these steps to maintain revenue, banks crossing the $10 billion threshold must carefully manage any new product offerings, adjustments to existing products, and price and fee increases to ensure that they are not considered unfair, deceptive or abusive. Banks should enhance new product review controls and ensure that representatives from the compliance and legal departments review all new product offerings and changes to existing products to limit regulatory
compliance risk.

Enhanced Prudential Standards Recent rule-making, such as the Enhanced Prudential Standards (EPS), represents some of the most onerous requirements facing banks in the risk and compliance space. The final rule, issued in February 2014 by the Board of Governors of the Federal Reserve, adopts a tiered approach for applying the Dodd-Frank Act’s EPS to both domestic and foreign bank holding companies (BHCs).5 The final rule requires publicly traded BHCs with more than $10 billion in total consolidated assets to establish a risk committee of the board of directors. The risk committee is charged with oversight of the bank’s risk management framework and performs company-run stress tests in addition to enhancing the data infrastructure. Therefore, banks approaching the $10 billion asset mark must consider the governance implications to make certain that the infrastructure is in place, or capable of being put in place, prior to surpassing the threshold.

Risk committee requirements
As stated, any public midsized BHC with at least $10 billion in assets must maintain an enterprise-wide risk committee of the board of directors that approves and, as appropriate, periodically reviews the BHC’s risk management policies and procedures, in addition to the operation of its risk management framework. Each BHC is required to establish a risk management framework commensurate with the company’s structure, risk profile, complexity, activities and size. The risk management framework must include policies and procedures for the establishment of risk management governance and risk control infrastructure of the company’s operations. In addition, the risk management framework must include processes and systems for identifying and reporting risk management deficiencies in an effective and timely manner; establish managerial and employee responsibilities for risk management; ensure the independence of the risk management function; and integrate risk management and associated controls with management goals and with the compensation structure for the operations of the company.

While the requirements around the risk management framework and establishment of a risk committee may seem mundane, the practical implementation often proves cumbersome. For banks growing toward the $10 billion mark, self-evaluation of the risk management program and assessment of its compliance capabilities relative to EPS are imperative, as the rule affects activities and operations of the entire organization. Banks have also experienced multiple trickle-down effects, such as a change in talent and compensation strategies, the availability of data, and required enhancements to reporting capabilities.

Company-run stress tests
EPS reiterates the stress-testing requirements set forth by the Dodd-Frank Act for certain financial companies. Under those rules, banks with between $10 billion and $50 billion in total consolidated assets must assess the potential impact of a minimum of three macroeconomic scenarios (e.g., baseline, adverse and severely adverse) on their consolidated losses, revenues, balance sheet (including risk-weighted assets) and capital. Companies subject to the Dodd-Frank Act stress-testing requirements are required to publicly disclose the test results on an annual basis.

As a result, coordination between the risk, finance and treasury functions is increasingly becoming a necessity. In addition to the quantitative components of stress testing, governance and controls related to stress testing are subject to regulatory scrutiny as regulators examine end-to-end processes. Even if stress-testing capabilities are in place, banks should still expect EPS-related implementation costs to remain high. As banks approach $10 billion in assets, a deep look into the interdependencies of the organization and its ability to share information must be conducted to assess readiness for these new regulatory requirements.

Conclusion Banks must consider the implications of growth as they approach the $10 billion mark. Banks can enhance their control environments by undertaking specific action steps.
  • Perform gap analysis and identification. Banks should conduct gap assessments to gauge compliance with the broad scope of additional rules and regulations. The gap assessment must identify and prepare for the enhanced data production, storage, transformation, and reporting requirements. The gap between current capabilities and regulatory expectations must be identified and addressed. In light of any gaps, the institution must define remedial actions around regulatory requirements, with an emphasis on those capabilities that currently exist and can be leveraged.
  • Create actionable plans. Following the gap assessments and the development of a clearer picture of the bank’s current-state compliance capabilities, banks must create actionable plans, which should include steps to execute identified initiatives such as the sequencing, deliverables, and estimated resource and timing needs.
  • Keep in close contact with applicable regulators. Banks should maintain open communication with their federal banking regulators and remain proactive in initiating discussions with their regulators regarding new supervisory expectations and interpretations.
  • Reach out to professionals for help and clarification. If the regulations or regulators’ expectations appear too complex or timeconsuming for your organization’s internal resources, reach out to your legal or accounting firms to provide additional guidance and resources. Further, banks should not be afraid to contact industry peers to gain insight into the process from organizations facing the same challenges.

Download the PDF.

Contact Tariq Mirza
National Managing Principal
Regulatory Center of Excellence
T +1 202 251 8677

1 Consumer Financial Protection Bureau. Visit for more information.
2 Dodd-Frank Wall Street Reform and Consumer Protection Act, Subtitle C, Section 1031.
3 Law360. “A Close Look at Recent UDAAP Actions: Part 1,” March 3, 2015.
4 Morran, Chris. “Appeals Court Resurrects Fed’s Debit Card Swipe Fee Limits,”, March 21, 2014.
Visit for the full story.
5 MBoard of Governors of the Federal Reserve. “Enhanced Prudential Standards for Bank Holding Companies and Foreign Banking Organizations; Final Rule,” Federal Register, Vol. 79, No. 59, March 27, 2014. See for details.