While there is much in the Dodd-Frank Act that doesn’t apply to banks under $10 billion in assets, directors at smaller banks should still be worried about other things—like how they’re viewed by their regulators, how they approach risk and how they discharge their responsibilities.
That was the message coming out of a regulatory panel at Bank Director’s Bank Audit Committee Conference last month in Chicago.
A supervisor at the Federal Reserve’s Division of Bank Supervision and Regulation, Pamela Martin, told the crowd that Dodd-Frank isn’t geared toward institutions below $10 billion in assets. As an example, she said that the Federal Reserve has no intention of requiring stress tests to community banks.
Dodd-Frank mandates that banks above $10 billion in assets establish a board level risk committee, and banks above $50 billion in assets must have both a risk committee and a chief risk officer.
“I would doubt we would be more stringent than what we’ve already proposed,’’ Martin said.
However, the newly created Consumer Financial Protection Bureau (CFPB), which was authorized by Dodd-Frank, will take complaints from consumers and businesses about all banks, not just big banks.
Charles Vice, the commissioner of the Kentucky Department of Financial Institutions, who also spoke on the panel, said some rulemaking by the CFPB will impact banks of all sizes, but he didn’t see the agency “having time to go after community banks” specifically.
During the panel discussion, the regulators talked about the importance of enterprise risk management, and of taking a thorough approach to analyzing the bank’s risks and trying to anticipate future scenarios that could impact the bank.
“It doesn’t have to be these complex diagrams that consultants publish,’’ Martin said. “You need to understand the risks you’re taking and do something about it.”
Vice said that a small bank doesn’t necessarily need a chief risk officer. “Even if you don’t have a dedicated employee, at least your senior management and board should be looking at your risk and how to mitigate it and manage it,’’ he said.
Innovation and Risk
One potential area of risk is new business and investments.
Martin said she was concerned that banks had a lot of cash on their balance sheets and might invest in risky ways. She also is concerned whether banks understand new business lines or new geographic areas they might expand into.
“Why are you going into this market, or how are you going to make money and do you have the capital to support this new activity?” she said. “We’re paying attention to the fact that you’re in a low profitability environment. That’s not going to change anytime soon. Understand the risk you’re taking and how you will support the risk you’re taking.”
One of the ways that regulators assess the job that the board is doing is by reading committee minutes. Vice said his department’s pre-exam work includes reading audit committee minutes and reports. His department will change the focus of the exam depending on the examiners’ comfort level with audit committee work, he said.
Regulators also look at the scope of the external audit. If it doesn’t look like internal or external audit work is robust enough, they’ll take a deeper look at the audit and whether the audit committee discussed results and had a game plan to deal with audit recommendations, Vice said.
Martin concurred that the Federal Reserve likes to see lots of discussion reflected in the audit committee minutes.
She said the bank isn’t downgraded for not having lots of discussion included in the minutes, but a robust discussion is an plus. If there are any issues uncovered in the audit, those ought to be addressed.
“We want the bank to identify the problems,’’ she said. “You don’t have to solve them immediately. You don’t necessarily have to solve them the next time the exam comes around, but we want to see progress.”