Bank Merger Compliance Risks: Are You Prepared?

Allison Spagnolo CIPP January 17, 2023

Bank mergers and acquisitions are becoming a regular part of life in the banking industry, especially for smaller and medium-sized organizations. They provide significant opportunities for institutions to expand their customer base, enhance capital for lending and investments, and grow geographically to capture new customers and new products. But they can also disrupt existing compliance programs and controls. For example, the acquiring institution must set aside sufficient resources to identify and address potential compliance gaps before the merger is completed to avoid costly enforcements for the merged entity right out of the gate. Compliance with financial-related regulations is critical to the merged entity’s success.

Although 2022 saw several large bank mergers (for instance, the Washington Federal acquisition of Luther Burbank Corp. for $654 million), the majority of recent mergers and acquisitions have been between small and medium-sized financial institutions, community banks and credit unions:

  • Savanna-Thomson State Bank in Savanna, Illinois, agreed in early November 2022 to acquire Fidelity Bank in West Des Moines, Iowa. The deal would create a nearly $200 million-asset bank.
  • People’s United Bank in Connecticut was acquired by Buffalo, New York-based M&T Bank in April 2022.
  • On November 21, 2022, First Commonwealth Bank announced it had received all regulatory approvals to complete its acquisition of Centric Bank.
  • Houston-based Prosperity Bank publicized its plans in October 2022 to acquire two small Texas community banks (FirstCapital Bank of Texas and Lone Star State Bank of West Texas) in separate deals worth about $570 million total.

A bank merger or acquisition can provide numerous benefits to both parties involved in the transaction. Operations can be scaled up quickly and new customers or service offerings can be added to the bank portfolio. Meanwhile, after a merger, bank infrastructure can be streamlined through accounting, IT, risk management, and human resource efficiencies.

However, many financial crime compliance risks and issues are commonly overlooked. Blue Ridge Bank in Charlottesville, Virginia, for instance, has executed an agreement with the Office of the Comptroller of the Currency (“OCC”) to enhance its anti-money laundering program (including suspicious activity reporting) and improve its oversight of fintech partners after the OCC raised concerns during a previously planned merger with another bank (which has since been scrapped).

To avoid costly consequences, have a plan to resolve the following inherent issues:

1. Lack of Systems Integration

At the very least, it is likely the two financial institutions involved in a merger or acquisition will use different tools and systems for sanctions screening, Know Your Customer (“KYC”) document repositories, and transaction Anti-Money Laundering (“AML”) monitoring. More often, at least one of the organizations is using a “home-grown” system that was developed in-house and does not integrate with the systems and tools used by the other organization.

Failure to fully integrate systems can create compliance gaps leaving the resulting merged entity vulnerable to regulatory penalties. For instance, if Bank A’s sanctions screening tool is unable to ingest all of the customer and transaction data from Bank B’s client base, Bank A as the merged entity will run afoul of sanctions screening regulations and expectations.

Conducting independent testing from a reliable third party is essential to identify potential blind spots and gaps in systems integration. An independent expert can recommend remedial measures and perform updated testing to ensure all tools and systems have been fully integrated.

2. Failure to Perform Integrated Risk Assessment/Internal Audit

As soon as possible, the merged entity should conduct an integrated risk assessment and/or audit to consider the features and characteristics of the merged institutions. The risk assessment or audit can quickly show senior leadership where compliance efforts need to be enhanced and can reassure regulators that the entity is prioritizing compliance.

Having an external independent third party perform the risk assessment or conduct the audit is preferable. With newly merged functions and departments, employees can still feel (sometimes overly) loyal to their original employer and may not be unbiased or disinterested enough to accurately capture the gaps and vulnerabilities of the merged entity. An independent party can cut through those issues and identify the enhancements that the resulting merged entity must make in order to be fully compliant with relevant regulations.

3. Overlooking the Importance of Consolidating and Blending Risk Ratings

Chances are that the two parties to a merger have different approaches to risk rating their clients. Not only is it likely the institutions use different categorizations (e.g., High/Medium/Low vs. Significant/Moderate/Negligible) and different quantities of categories (e.g., High/Medium/Low vs. Significant/High/Moderate/Low), but the risk rating methodology applied to customers will differ. For instance, one institution may weight the products/services used by the client more than the other, or one institution may have a lower risk tolerance than the other, thereby rating clients residing in less transparent jurisdictions as higher risk.

It is critical to identify a common set of risk rating criteria and methodology to be applied to all customers within the newly merged entity. The methodology has to be uniformly applied so the merged entity can be consistent in its approach and treatment of all the customers it services (regardless of where those customers banked prior to the merger).

Employing an external party to perform a risk rating methodology diagnostic can be valuable. The methodologies will be compared, gaps and differentiators identified, and recommendations made for a new, holistic customer risk rating framework.

4. Neglecting Consumer Protections

Failing to properly identify and resolve consumer protection obligations can put the financial institution in jeopardy of running afoul of legal and regulatory requirements. For instance, if the merged entity will have to revise payment processing or payment structures of loans, certain notices must be given to consumers before those terms change. Similarly, the Real Estate Settlement Procedures Act (RESPA) requires a Servicing Transfer notice and the Truth in Savings regulations (Regulation DD) require a Change in Terms notice if certain terms or features of depository accounts will change.

The above examples are just a few of the situations that financial institutions can encounter when merging. Obtaining an external assessment will give the merged entity peace of mind that it is complying with all applicable consumer protection regulations and expectations.

Allison Spagnolo CIPP

Chief Privacy Officer, Senior Managing Director

Allison Spagnolo, a managing director in the Financial Crime Consulting practice, has worked on numerous engagements involving government contracting and financial institution matters. This includes reviewing anti-money laundering and sanctions issues for global banks and multi-national companies, as well as advising on financial crime compliance issues specific to cryptocurrency exchanges and Fintech companies. She has traveled extensively in Europe and Asia for the purpose of leading and conducting on-site inspections and reviews related to monitorships and other compliance matters.