thought it was more of the same. A lender, $3.5 billion-asset Roslyn (N.Y.) Savings Bank, paid a large settlement, $3 million, in a fair-lending case. The major new item was that the action was brought by New York State, not the Department of Justice. As in other fair-lending actions, the bank was found to be violating the fair-lending laws by disparately applying overages to minority loans. (The case is remarkably similar to the fair-lending overage cases at Huntington, Fleet, and Long Beach.) We should not have to rehash why a lender needs to control overages. Bankers should have learned that lesson two or three Justice Department actions ago. However, there is another lesson in the Roslyn case: That lenders need compliance due diligence before an acquisition, compliance integration and monitoring afterward. Roslyn Savings Bank acquired its mortgage company, Residential First Inc., in October 1995. The date is important because New York built its case on statistical data provided by Roslyn and Residential First. The data ran from August 1995 to the time of the examination in December 1996 - so New York held Roslyn accountable for actions that Residential First took even before Roslyn bought it. This emphasizes that acquirers must understand a target's compliance culture before the date of acquisition. In other words, compliance due diligence is critical. This is especially true when federally regulated institutions buy finance companies and mortgage companies that have not experienced a heavily regulated environment. And the lack of lead time means that Roslyn should have implemented an overage monitoring program immediately. The largest regulatory mistake a due diligence team can make is not to understand the risks of the target entity. Too often the team will apply the acquiring institution's risk parameters. Rather it should assess the target's regulatory risk on the basis of the target's business. For example, a compliance risk manager from a traditional commercial bank may miss the real regulatory risks of a mortgage company. Another frequent mistake is to assign regulatory risks to only one member of the team. The entire due diligence team should have regulatory risk points to explore. Making each team member accountable for assessing regulatory risk as part of the review will make for a more efficient due diligence process. The assessment should examine: First, the compliance management function. Has regulatory risk been managed? Are employees aware - through training, policies, and procedures - of their accountability? This work is broad in scope but should give the team members a reading of how deep they need to dig to assess regulatory issues. Second, regulatory risk monitoring. Is the monitoring reliable? Can we trust the output from the monitoring? Generally, the target will provide work papers and reports detailing the monitoring activities. Don't forget to ask for third-party regulatory reports, such as information from state regulatory agencies, audit and consulting firms, and complaint resolution files. If the monitoring is deemed reliable, additional testing will be minimal. Third, high-risk areas. Due diligence projects must often be completed fast. As a result, low-risk issues should receive only a glance, even if problems are readily apparent. The team should probe areas where risk assessment reveals potential pitfalls. Fair-lending, Bank Secrecy Act compliance, and Home Mortgage Disclosure Act compliance are three that come to mind. After the acquisition is approved and complete, compliance integration must start immediately. The due diligence team's risk assessment will provide a good place to start. Cease any activities that the team found to be too risky. For example, if a product offered by the entity was not in compliance, remove it from the sales force immediately. Next, implement compliance monitoring and controls in high-risk areas. Your monitoring programs should immediately start assessing compliance performance of high-risk areas, because new employees may not understand the rules. Further, train new employees on expectations; they need to understand that your institution values regulatory risk control, and that they are accountable for compliance. I am not suggesting that Roslyn did not attempt regulatory compliance integration; the agreement and the press release do not discuss its efforts to monitor and control regulatory risk at Residential First. I am just saying that an acquiring institution assumes accountability for compliance immediately. The most important point is not to wait. At a minimum, your compliance liability begins at acquisition; in fact, in many cases it begins before the acquisition. However, understanding your target's risk, implementing your culture, and monitoring the new entity's performance will greatly mitigate these risks. Mr. Schriner is senior manager and director of regulatory risk services for Minneapolis-based McGladrey & Pullen, an accounting and consulting firm.
Save $400 off your subscription. Special offer ends April 30, 2017.
No credit card required. Complete access to articles, breaking news and industry data.
Have an account? Sign In