As published in ABA Bank Compliance (now ABA Risk and Compliance), November/December 2018
Mergers and acquisitions (“M&As”) continue to increase, and compliance personnel play an important role in the process. Since you typically only have a couple of days to perform a due diligence review, a strong roadmap to cover as many high-risk areas as possible is imperative to protect your institution from overpaying, costly regulatory delays, or even fines and penalties after the fact.
Compliance personnel should help management understand the state of compliance at the target institution and factor in any lingering risks the acquisition target brings with it. Unlike an audit or compliance monitoring, the focus of an M&A due diligence review is not to make enhancements or recommendations to the target’s policies, procedures, or controls. Instead, the goal is to determine how mature the institution’s policies and procedures are, how much reliance can be placed on the results of internal monitoring and board reporting, and ultimately the level of compliance risk the institution presents.
Providing an advance list of documents to review will increase the efficiency of the process. Here are some key documents to request and what to look for:
- Compliance Management System (“CMS”) Program, Policies, and Procedures: Once you understand the products and services the target offers, one of the next items to assess is the company’s CMS. Understanding the CMS will lay the groundwork for understanding the compliance risk of the target. An effective CMS is typically comprised of Board and Management Oversight and a Compliance Program consisting of effective policies and procedures, training, monitoring and/or audit, a consumer complaint response process, and vendor management. Evaluating each of these will provide some valuable insight into the target’s compliance culture and risk. A quick review of the compliance program, policies, and procedures will give you an idea of the formality of the program and the depth and detail of the guidance provided to personnel for their day-to-day activities. Although robust programs, policies, and procedures do not always mean they were implemented properly, they do typically provide some indication of the level of management oversight and risk appetite. Well-established, consistent policies and procedures typically signal lower risk.
- Board, Audit Committee, and Compliance Committee Meeting Minutes: Determine if the compliance officer presents periodic reports (generally monthly or quarterly depending on the size of the institution) to the Board or Board Audit Committee on topics such as: audit and monitoring results, preparation for new or changing regulations, upcoming training, changes to policies and procedures, complaints, and AML/BSA related items such as suspicious activity reporting, etc. Ongoing communication between compliance and the Board is often indicative of more proactive management, a strong tone from the top, and a more robust compliance culture at the organization. When reviewing meeting minutes, take particular note if any specific ongoing compliance issues or remediation activities are discussed that should be considered for reexamination.
- Various Compliance Management Reports: These should include: examination reports, risk assessments, internal audit reports, compliance monitoring results, quality assurance performed within the business line, quality control (“QC”) reports, and outstanding audit/exam issue status reports. Reviewing recent compliance exams, audits, and monitoring reports will provide the scope and depth of the review, as well as the nature of any findings and corrective actions. If exam reports are not available for review, determine if there are any Matters Requiring Attention (MRAs) or other outcomes from exams that should be evaluated. When reviewing these items, consider whether there were any high-risk issues noted that may present future risk. Issues around fair lending, Regulation Z violations, Real Estate Settlement Procedures Act (“RESPA”), Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”), and Unfair, Deceptive, or Abusive Acts or Practices (“UDAAP”) would be particularly concerning. If high-risk items have already been identified in examination or audit reports, fully understanding the status of these “known” issues is critical to determine whether they have been fully remediated, or continue to pose future risk. Ascertain: the current status of any issues, whether expanded internal reviews were completed to determine the full scope of the issues, whether any remediation steps were taken, such as providing reimbursements to customers, and/or the nature of any corrective action taken to prevent recurrence.
- Complaint Logs and Social Media: At a minimum, check the CFPB complaint database to see what type of formal complaints have been made against the target. Review internal complaint logs and perform a targeted search on Facebook, Twitter, and Instagram to see what people say about the institution in general. Complaints and informal feedback about the customer experience with the institution can provide important insights into potential future issues. Complaints resulting in customer reimbursements or claims of fair lending or UDAAP issues should be reviewed to determine if they are isolated and adequately resolved, or indicative of underlying issues that may expand after the purchase.
- Fair Lending Performance Analysis and Home Mortgage Disclosure Act (“HMDA”) Data: Review the target’s most recent Community Reinvestment Act (“CRA”) and fair lending performance analysis to determine what fair lending and CRA risk exists. Determine the extent to which the institution reviews its HMDA data for accuracy, as inaccurate HMDA data can lead to a costly file review and resubmission.
- Resumés of Compliance Personnel: Understanding the experience and background of compliance personnel may provide some comfort regarding the state of compliance. Strong experience, and credentials such as Certified Regulatory Compliance Manager (CRCM) and Certified AML and Fraud Professional (CAFP) designations indicate commitment to a strong compliance program.
Higher Risk Regulations and Products
Certain regulatory requirements pose more risk to an acquiring institution than others. Consumer protection laws, fair lending regulations, UDAAP, BSA/AML, and Regulation E are certainly at the top of that list. It is important to understand the level of compliance with as many of these higher risk regulations as time allows. Consider and prioritize the following based on the size and nature of the target institution.
- Regulation Z: Review a sample of loan files for compliance with Regulation Z. For mortgage loans, review the Loan Estimate and Closing Disclosure to ensure interest rates and fees are properly disclosed, and changes in fees from the initial Loan Estimate are supported by valid changes in circumstance. If Adjustable Rate Mortgage (“ARM”) loans are offered, be sure ARM adjustments are calculated properly. For Home Equity Lines of Credit ensure the fees disclosed match the fees actually charged, and finance charges paid from the first draw are itemized on the first statement. Failing to provide proper loan disclosures could result in regulatory tolerance violations and customer reimbursements, and even regulatory penalties or fines if identified later.
- RESPA: If there is a mortgage lending operation, inquire about how lenders source their applicants. Who are those parties providing leads to the Mortgage Loan Originators (“MLOs”)? What sort of training do MLOs receive so they know what can and can’t be done to obtain mortgage applicant leads? How are lenders compensated and what sort of budget do they have for marketing? And, how are those funds monitored and managed to ensure there are no disallowed referral payments?
- Add-on Products: Add-on products, such as debt cancellation products and credit monitoring services, are high-risk for regulatory scrutiny and UDAAP violations. Be sure to review and understand what add-on products are being offered, and that consumers are actually receiving the benefits that are marketed with the products offered.
- BSA/AML: Suspicious Activity Reports, Currency Transaction Reports, customer due diligence, money laundering, and model validation are all high-risk topics with regulators. Determine if a BSA system is used and whether it is periodically validated. Review the institution’s BSA/AML risk assessment, and procedures for identifying and reporting suspicious activity and large cash transactions, to determine whether procedures are appropriate to detect money laundering risk.
- Regulation E: Regulatory focus on error resolution and improper handling of disputed activity claims has resulted in expensive customer reimbursements and fines. Depending on the size and services offered by the target institution, review the company’s related policies, procedures, audit/monitoring results, and any complaints received to determine the risk of future claims.
- Overdraft: Determine if there is a formal overdraft program and whether it is managed internally or by a third party. Issues around overdrafts can result in Regulation E violations as well as UDAAP concerns.
- Servicing Risks: While accounting and lending personnel will review loan portfolio risks including credit quality, defaults, and foreclosures, compliance should consider the compliance risks included in servicing a loan portfolio. Transfers of servicing can cause a host of compliance and UDAAP risk related to loss mitigation, dual tracking, etc. Flood hazard rule requirements, including tracking what loans require flood insurance and ensuring proper insurance coverage is maintained, along with implications from the Servicemembers Civil Relief Act, should also be reviewed, as they could become quite expensive for an acquiring institution if not properly identified. Assessing escrow administration procedures, including mortgage insurance (PMI) processing, should be considered due to an increased regulatory focus in this area.
As with most due diligence exercises, the list of items to review will be longer than the time allotted, so a targeted, risk-based approach is imperative. It will be important to coordinate with the M&A team to ensure other high-risk areas such as information security, credit quality, etc. are appropriately addressed. Effective compliance due diligence is an important piece of every merger or acquisition transaction. It can provide valuable information to management regarding potential problems that may need remediation, and it can allow management to factor those costs and needs into the pricing of the merger/acquisition transaction.