As your community bank approaches the milestone of $1 billion in assets, it faces greater regulatory scrutiny as outlined in the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA). Consequently, your leadership team must take proactive steps to ensure a smooth transition to a newer level of regulatory compliance and responsibility. This guide will outline five key steps your community bank should consider when preparing for this significant milestone. From evaluating compliance frameworks to enhancing risk management practices, these steps will help position your bank for success as it reaches $1 billion in assets.
1. Develop a Timeline
FDICIA regulations state the measurement date for the new $1 billion in assets milestone is at the beginning of the fiscal year. For example, your community bank hits the $1 billion mark on February 16, but your new fiscal year doesn’t start until July 1. The expanded FDICIA regulatory framework begins on July 1.
At the $1 billion in assets milestone, not only will the external independent auditor issue an opinion on the institution’s financial statements, but they will also issue an opinion over the effectiveness of the institution’s internal control over financial reporting (ICOFR). Management must also attest to the effectiveness of ICOFR.
Taking a proactive approach to having internal controls designed and operating effectively while at the same time developing a timeline for reaching this milestone will allow your bank to make a successful adoption. Consideration should be given to certain events that could trigger reaching this milestone sooner than expected such as increases in borrowings to fund loan growth or a merger/acquisition. Events such as these may cause the balance sheet to expand rapidly, which is why the elements needed for a smooth transition should be in place well before you reach $1 billion.
The Whitlock Co. highly recommends starting this process 18 to 24 months before the fiscal year deadline or when your community bank reaches $850 million in assets, whichever comes first.
2. Evaluate and Strengthen Your Internal Control Framework
At $500 million in assets, your bank had to establish an audit committee consisting primarily of outside directors. When exceeding $1 billion in assets, your audit committee must be composed of independent members entirely outside of the bank’s leadership structure. You may have to change the current members of your audit committee.
You must also develop an overall ICOFR methodology to support management’s assertion regarding the effectiveness of internal controls over financial reporting. The methodology outlines the internal control framework your community bank uses for guidance when implementing controls across the organization. You cannot assume your existing internal auditing procedures will comply with FDICIA rules. It requires your leadership team to have sufficient knowledge and skills to report on the new controls your community bank needs when exceeding $1 billion in assets.
The most widely used internal control framework comes from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This particular framework consists of five internal control components and 17 principles that describe the elements of an effective system of internal controls. The Whitlock Co. suggests you become familiar with this framework at the start of evaluating your internal controls.
3. Enhance Enterprisewide Risk Management Practices
You’ll need to devote more time to enterprisewide risk management (ERM) if you don’t already have these dedicated functions. Smaller community banks usually have ERM functions on a local level. At the $1 billion threshold, a more structured process for addressing and accessing risks across all departments is necessary.
ERM goes beyond ensuring the vault is secure or cash drawers stay locked. ERMs as your bank approaches $1 billion in assets grow to include ensuring regulatory compliance, developing long-term risk management strategies, and balancing risks versus rewards when it comes to growth opportunities.
A leadership role is essential here. Think about appointing a chief risk officer or high-level executive (VP or higher) to oversee the ERM program. This person will take the reins and responsibility to ensure a robust ERM is in place and that managers and employees are aware of what needs to be done to implement it.
Risk awareness throughout the organization is an important facet of your ERM. Educate and train your staff at all levels on risk management principles. Encourage open communication about potential risks. By embedding risk management into the organizational culture, your bank can more effectively anticipate and respond to challenges as it grows.
4. Identify and Document Key Financial Reporting Controls
At the $1 billion in asset threshold, given that management must attest to the effectiveness of internal controls over financial reporting and that the independent auditor must opine on the institution’s internal control effectiveness, it is necessary for management to identify and document these controls. Establishing a point person, such as the chief risk officer, to lead this process generally results in continued progress and efficiency.
Besides naming a point person, the establishment of an FDICIA Committee with representation from all facets of the institution also proves to be of value as controls are identified and narratives documenting control designs are developed. With the sharing of knowledge within the Committee, documentation of controls is facilitated, and the identification of potential efficiencies may be discovered whereby processes could be centralized. At the same time, important issues and gaps may be identified. The most common difficulties identified during this process include:
- Lack of knowledge from the team
- Insufficient personnel
- Assuming internal controls are already FDICIA-compliant
- Lack of reporting
- Lack of audit trails
- Failing to perform audits throughout the year
- Having insufficient time to prepare for new reporting requirements
Because gaps will undoubtedly be discovered during the process, having sufficient time to correct these before reaching the $1 billion milestone becomes extremely important.
5. Test Key Financial Controls
During the process of identifying key financial controls and after documentation, coordination and communication are not only necessary between bank staff, the chief risk officer, and internal auditors but also with the bank’s external independent auditor. It is the external auditor who will be providing an opinion on the design and operating effectiveness of the internal controls over financial reporting. Therefore, it is important that the bank maintain open communication with the external auditor throughout the implementation process and before testing the controls.
Prior to crossing the $1 billion threshold, testing the controls for effectiveness will help identify any controls that are failing and will allow time for the bank to make corrections. Once your bank is subject to the $1 billion FDICIA requirements, all material weaknesses in internal control over financial reporting must be disclosed in both management’s assessment and the independent public accountant’s report. Therefore, testing the effectiveness of controls prior to crossing the $1 billion threshold will help identify any controls that are failing and will allow time for the bank to make corrections. Also, knowing the proper sample sizes and other testing protocols is essential when determining the effectiveness of key financial controls. This is why communication with the external auditor is vitally important.
Contact The Whitlock Co. to Partner With an Independent Auditor
The community banking and cybersecurity experts at The Whitlock Co. can help you manage the growth of your community bank as it approaches $1 billion in assets. Contact The Whitlock Co. to request a consultation today.
