Financial Services

Surviving and Thriving: Community Banks and the New Regulation

March 2005

By Christopher C. Gallagher*


On a walk along any Florida beach or Carolina golf course, you are likely to bump into an ex-community banker whose bank was the community bank in some location, protectively enfranchised by "convenience and necessity" and "home office protection," while sheltered by regulated interest rates. Chances are some directors who sat on that bank's board live nearby, and still love the guy because he gave them prestige while they served and made them rich when the bank was sold. Those days are long gone.

Today's community banker (as likely to be a "she" as a "he") competes in a financial services world of relentless and limitless competition. Not only is she a survivor, but life has been good these past few years. Today's community bank is holding its own against large bank competition, even with their improved predictive models used to underwrite the "low information" loans that once were the exclusive territory of community banks. Today's CEO is ready to do battle with larger Basel II banks even if they gain a capital edge. He has brushed off the belligerent boasting of credit unions bolstered by tax subsidy steroids. She has fought off margin compression, waiting for the cost of technology to drop in order to match the efficiencies of electronically based competition from far away places. Life is hectic, but life is still good.

But wait! The community bank business model is about to be tested again; this time by a one-two-three flurry of new regulatory punches, any one of which it can handle, but in combination may have knockout impact. Congressional anxiety over recent, high-profile events involving banks is elevated. New regulatory supervision is actually part of inevitable trends. All of these recent mega-blows are being felt now. The battle to stay standing is underway. It will be won or lost within community banks, within the hearts and minds of their CEOs.

1. "Effective Compliance"

In the summer of 2003, driven in part by the technology and the need to reduce its workforce, the FDIC launched a new examination paradigm based upon analysis of a bank's compliance risk profile and its systemic response. This new program is now in full swing. Any compliance failures, however slight, can constitute "proof" that a bank's "systems" are not working, resulting in lower CAMEL ratings and ugly exit interviews. "Effective compliance" now requires active and knowledgeable involvement at the board level, training and communications systems adequate to ensure meaningful oversight, and deliberate and informed board participation. Significantly, the FDIC's new examination emphasis is featured in the very first issue of its new publication, Supervisory Insights.1

And if you need to know exactly what "effective compliance" means, look to the studies supporting the U.S. Corporate Sentencing Guidelines,2 a key source of federal "group-think" on these issues. "Tone at the top," another new refrain, not only means supervisory involvement by directors, but also the end of single person domination. The OIG at the FDIC has declared that proper governance must include the checks and balances of multiple leadership.3 One-person leadership is no longer acceptable. This new governance model does not describe today's typical community bank, much less the bank of yesteryear. Our retiree beach bums and golfers would be mystified and horrified. But today's community bank has to adapt and adjust, and had better do so quickly.

Among its many effects, this new examination approach begins with examiner analysis of the bank's compliance "systems" rather than the more familiar random verification analysis. In the old days, a transactional error or a sporadic compliance "mishap" might be netted out against the plus side of the examination ledger. Now the discovery of any mistake, like a clock's striking thirteen, is a signal that the entire system is "broken." Moreover, wherever compliance problems appear, accounting and asset management issues will draw closer inspection. As Fed Governor Susan Schmidt Bies puts it, "when we find significant control deficiencies, significant asset-quality or financial-reporting problems are generally present."4 The FDIC's pilot-tested Relationship Management Program with its resource regulation may offer relief, some day, but examination's "new paradigm" is here to stay.5 "Tone at the top," "director involvement" and "effective compliance" are today's examination musts if one plans to be here tomorrow.

2. "Sarbox Self-Compliance"

When Sarbanes-Oxley (SarbOx) (Congress's response to Enron, WorldCom, Tyco, et al.) passed with overwhelming, bipartisan support, its federal impact moved far beyond its specific applicability. With respect to banks, annual audit and reporting requirements for insured institutions with $500 million or more in total assets are covered by Part 363 of FDIC regulations and FDIC:FIL-17-2003.6 Field reports confirm, however, that institutions with assets below $500 million are also expected to demonstrate and reflect SarbOx changes. (See FDIC:FIL-17-2003, Attachment I.7) For bank regulators (already motivated by the post-FDICIA atmosphere of closer supervision8), SarbOx is widely interpreted as a signal to step up bank compliance oversight, making it more reliable in areas of high sensitivity so that similar scandals cannot occur in banking. SarbOx has thus added new meaning to "risk-based" regulation, demanding something closer to "risk-free" regulation ensured by costly belt-and-suspenders "systems on systems."

Responsibility for these new controls rests equally with senior management and directors; the controls must then be vetted and verified by external audit. And with new examination emphasis focused on "internal controls" buttressed by external accounting and audit, this failsafe mentality in regulatory compliance has also spread to asset quality and financial accounting analysis. No two community banks are alike. Systems-based preanalysis invites examiner rigidity. Community bankers know one size does not fit all. But to get the right "system" for your bank, the CEO and board must be proactive. Leaving the systems analysis to examiners invites them to impose their own systems template on your bank. It is best, therefore, to act, not wait.

SarbOx Section 404. Sarbanes-Oxley's section 404 requires that annual reports include both an external accountant's and a management-certified statement that a company's internal controls contain no "material weakness." Such "weakness" is present if it is reasonably possible that a material misstatement of financial results would not be prevented or detected by the institution's "internal controls." Whatever its technical applicability, SarbOx financial reporting standards are now being imposed on all community banks, regardless of size. Responding to Congress's overwhelming vote, bank regulators have unleashed a blizzard of bulletins, alerts, letters and guidelines establishing requirements for management responsibility and internal controls. Such regulatory ratcheting is costly. Indeed, when applied to community banking, SarbOx raises compliance costs to levels where these important institutions, whose contribution to their community is their business model, may now become handicapped in their torrid competition with regional and money-center brethren.

In the SarbOx definition of "material weakness," the foreboding reference to "reasonably possible" is intended, no doubt, to intimidate. But for banks, whose job is to assume risk, such words can be constrictive. Imposing systems for regulatory compliance can lead to loss of bank character, imposing undesirable opportunity costs and robbing community banks of their very reason for being. It can discourage the sharing of less-transparent small business risk, curtailing the economic development of Main Street America. For many community banks, increased regulatory demand for "systems" to ensure the accuracy of "systems" may go too far. Many community banks operate at the edge of profitability. Roughly 10% are losing money. Our economy needs these banks. If unwarranted regulatory burden causes them to contract further or to cease operating, Main Street consumers, small business and our nation's economy will feel their pain.

Much of this new emphasis is Congressionally driven. The issues involved are of interest to the general public. Regulators are reacting in turn to Capitol Hill. Indeed, FDIC Vice Chairman John Reich has focused his efforts on community banks to ensure their survival. Recently, he even took a strong public stand against the application of SarbOx to small banks. In a letter to this writer, however, even he seemed to back-pedal a bit, saying,

"There has been some confusion about the application of the Act to small non-publicly traded institutions both among bankers and in some cases among regulators. My recent statements on the subject were designed to clarify that the Act does not apply to nonpublic institutions, regardless of their size. Having said that, I recognize that the Act does contain provisions that may make sense for institutions of all sizes. Certain provisions of the Act actually mirror existing policy guidance related to corporate governance that the FDIC and other banking agencies have issued. These small institutions should realize that (1) although the corporate governance practices set forth in the Act are not mandatory, (2) consideration of these practices should be considered, given their size, complexity and risk profile. However, (3) an institution that reasonably determines that it will not implement these provisions should not be forced to do so. My invitation to contact my office to report any incident to the contrary still stands."9

This sounds like SarbOx's applicability. To act otherwise is to expect the FDIC to apply differing compliance standards to banks depending on their asset level. There is no known program or FDIC examiner-training regimen designed to implement such a distinction. The FDIC encourages SarbOx compliance for all. And (as will be seen later) as a practical matter, such compliance is necessary anyway.

3. Post 9/11 Preemptive Policing

The third blow to the competitive cost structure of community banks is the post-9/11 banking-related effort to "nip terrorism in the bud" by shutting off its financing. "Zero tolerance" is the buzzword here. Riggs is the poster child. Why small banks? If the terrorist Mohammed Atta can enter the air transportation system through Portland, Maine, terrorism financing can penetrate the financial system anywhere, even at small banks. And while our nation's solons seem to have tolerated the failures of the CIA and other intelligence agencies to locate and catch terrorists, there appears to be considerably less leeway in Washington for banks. Regulators deny it, but "zero tolerance" is what banks see happening. The Bank Secrecy Act, SARs, expanded CIP programs, Anti-Money Laundering, and USA PATRIOT Act-driven detection systems impose enormous cost and confusion, and can even interfere with the internal controls SarbOx is supposed to encourage. And while larger banks can absorb this added expense, its disproportionate impact on smaller banks is a genuine threat to their independent viability. Overall compliance, which used to comprise some 12-14% of non-interest costs,10 is now being pushed into the 15-20% range for many.

Worse, as ratios of community bank compliance costs to other non-interest costs continue to worsen, many will avoid offering products and services rendered inefficient by the cost of creating systems to ensure effective compliance. Lost opportunity hurts as much as any other loss. Community banks wishing to stay independent should not have to sell out. But, if these regulatory pressures are not soon brought into balance, more will be lost. As one banker put it to Congress, "the community bank, which has been the cornerstone of economic growth in this country, is in great danger of being regulated right out of business."11 The key question remains, however: can today's community bankers make the adjustments needed to restore that balance?

Is Survival Possible? Offering fewer products, spending more time tailoring services to individual customer needs, while providing "a disproportionately large amount of credit to small business,"12 community banks are now feeling the triple impact of FDIC's new examination focus, SarbOx systems duplication, and 9/11's involuntary "deputization." Although bank regulators clearly want to make the examination process more constructive (see Jackwood), applying the new regulatory paradigm threatens to eliminate community bank management's essentially unquantifiable experience and local know-how merely because it may be unacceptable from a "systems" point of view. Ironically, "low information" and "more opaque" business lending are recognized as community banks' contribution to economic stability by the FDIC in its Future Banking Study released in June 2004;13 the same month Jackwood's article (Ibid) described the new "systems" focus. As regulator emphasis on senior administrative involvement in risk management intensifies, community bank CEOs, whose job is to make the close calls on these low information loans, will thus be required to demonstrate systemic capacity to address issues that in fact have historically been addressed more through managerial "art" than "science." Operations that hitherto have resisted quantification, systemization or the application of hard and fast rules may simply cease. So unless community bankers adjust their style of management, their business model is in jeopardy.

"Up to Us." In order to stay independent while continuing to be true community banks, community bankers must change themselves. CEOs (not just compliance professionals) must confront these new requirements, integrating bank compliance programs into their bank's operations. Community bank CEOs must fully commit their vaunted sales sensitivities and creative coping skills to the demands of the new compliance. They must join with their compliance professionals in a new effort to "sell" their business model to Congress, the regulators, and their employees while they emphasize new and collaborative collusion on compliance and management with their employees and directors. A top-down, risk-focused approach to compliance examinations also elevates the importance of directorate and senior management accountability for the bank's compliance risk management system.14 There is thus no alternative. It is time to make a mid-course correction. The community bank must adapt to this new regulatory environment. Every community bank CEO should design and implement a five-point program without delay, then proceed to Part Two of this article to see how to win at this new game.

Starter Steps to Success

1. Step Up to Top Down. The rising fixed cost of compliance and its effect on efficiency ratios means that CEOs, directors and other top managers must elevate their attention, raise its priority and profile, and get involved directly. By developing internal checks and balances, compliance costs can be saved and "tone at the top" can be improved. Then responsive regulators may be persuaded to accept these internal checks as requisite independence and as substitutes for some of SarbOx's external audit requirements.

2. Make the Sale. Regulators should be viewed as "customers." Identifying their needs, priorities and regional points of emphasis is more important now than ever. Community banks thus need CRM and "RRM" to which management commits its full attention and sales skills. Community bankers need to direct their personal sales and coping culture to the regulatory process.

3. Know Your Customer. Anticipating regulator needs, priorities and emphasis is now even more critical. Waiting to learn where they are "coming from" through examinations is itself no longer reasonable. Suffice it to say that no examiner wants to have another "Riggs" occur on his or her watch. Work more closely with your compliance professionals, your directors, your operations people, then your regulators. Collaborative, "resource regulation" is in everyone's interest.

4. Customize and Integrate. There is no off-the-shelf, "one-size-fits-all" formula or program. Risk-based compliance is bank-specific. It must be scaled and integrated into the bank's total risk management planning and operation. Indeed, compliance systems that are merely cost-centers rather than a part of line operations will no longer be seen as reliable. It all begins and ends with integrated and effective internal controls (addressed in Part Two).

5. Anything Not Recorded Didn't Happen. Documenting ongoing compliance planning and implementation is now even more critical. With the new systems-based regulatory oversight, its absence becomes a material weakness. Mere absence of specific violations is no longer enough; proving that noncompliance did not occur anywhere now requires a demonstration that it could not have occurred. And if it isn't documented, for exam purposes it didn't happen!
Whatever may have happened to Michael Jackson during "March Madness" of 2005, the week of March 12 to March 19 will be long-remembered in financial circles. In just a few days, Citigroup was advised by the Federal Reserve that it could not make any major acquisitions, Maurice "Hank" Greenberg lost his job as CEO of AIG, and Fannie Mae was advised in an OFHEO report that, even after the sacking of its CEO, it still had serious continuing deficiencies in its operations. MCI's Bernie Ebbers was sentenced to prison. While all of this was going on, SEC's enforcement chief, Stephen M. Cutler, was lashing out against critics of Sarbanes-Oxley, reminding them of "the major frauds" that rocked the U.S. markets to their foundations only a few short years ago.15

In all of these cases, the underlying issue was "Internal Controls" — a term of art which only recently has risen from the depths of obscure treatises on corporate compliance to the front page of our morning paper. Whatever the meaning of this formerly arcane term, it is safe to say that "internal controls" have now become critical. Banking compliance professionals recognize the term from changes made years ago in FDICIA. But to many of their CEOs, it is new. The term is not only appearing in the public press, it has metastasized into their bank exams, reducing CAMELS ratings and riling directors. What they are, why they are, and what's to be done about this is no longer a concern of scholars and compliance professionals. Indeed, for all of the reasons that Sarbanes-Oxley, the Bank Secrecy Act and examiner risk-profiling and systems analysis are not going away, "internal controls" must now become as familiar to community bankers as their ROE and ROA!

Sports analogies are deemed "politically incorrect" by some. But continued obstinacy by community bank CEOs calls for "drastic" measures. The combined howls of shock and dismay following their recent bank examinations are beginning to reach stadium volume. Bank senior management and directors have good reason to be concerned, but blaming the regulators is not going to improve their sinking CAMELS. Indeed, to solve this problem, it's time they looked to themselves. And for smaller community banks, forget about whether you're covered by Sarbanes-Oxley. Banks of any size must have an internal controls program that accomplishes the same ends.

Internal Controls

Community banks are designed to attain profitability through community-based financial services directed at their community's total financial needs. They catalyze that area's overall economic progress. Measured for success most often by outputs and impacts, comparisons to peers, and earnings, they are also wholly dependent upon the successful execution of the bank's internal management plan. Properly conceived and executed, that plan tells the bank how to get to where it wants. It has built-in procedures to keep the bank on target. It is the bank's system of "internal controls."

Internal controls are designed to move an enterprise in the right direction with minimum cost, energy and time expenditures while maximizing its strong points. They enable a bank to respond advantageously to internal or external change. They enable flexibility, promote efficiency and reduce the risk of loss. They ensure successful compliance with applicable rules and with applicable financial reporting requirements. Most importantly, however, they contribute to solid earnings and enterprise value. With due apologies to the politically correct, internal controls act like a game plan in football. The bank's game plan and its ongoing execution are designed by its coach (read Directors and CEOs), and of course must adjust under game conditions. The coach makes the plan, but to assume that the coach's job ends when the plan is formulated omits the companion function of ongoing sidelines supervision. The game plan evolves until the final whistle. It is a process. All of its parts must work together into an integrated, dynamic whole.

Incredibly, however, many senior bank managers view internal controls as cost centers, impeding progress rather than contributing to the bottom line. Echoing Bernie Ebbers, who said, "I don't crunch numbers. I let the accountants handle that," some bank CEOs deem internal controls beneath their dignity. But, like a game plan, strong internal controls keep enterprise components efficiently and effectively on task, the very essence of sound management. This Part, therefore, is about Internal Controls, what they are, how they can be made a part of effective management, and how they provide the most reliable method for the "effective compliance" needed to change post-examination howls of dismay to smiles of satisfaction. It also explains why their offensive deployment is the best (and only) defense in this new regulatory era.

The concept of internal controls was examined in great depth by The Treadway Commission's Committee of Sponsoring Organizations (COSO). Its 1992 report, "Internal Control-Integrated Framework," has now become a must read for anyone interested in the new regulatory environment. COSO's framework for internal controls has become a basic standard for all enterprise management, especially banks. Its concepts have been incorporated into FDICIA, institutionalized with respect to financial controls by Sarbanes-Oxley and with respect to operational controls by the Bank Secrecy Act and the USA Patriot Act, and of course adopted by the FDIC in its new "risk profile" examination process. The COSO framework, therefore, is important. It can lead the way to the "effective compliance" now demanded by banking regulators.

COSO Up Close

Turning to COSO for a definition, we find "internal control" defined as:16

. . . a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations.

Internal controls are not merely accounting or even internal accounting procedures, although both play a role. Their essentials include traditional management objectives and oversight. They are not an isolated project. They are dynamic and continuing. Board and senior management must be aware, involved, active and committed to its operative components on a continuing basis.

The key concepts of control, as defined by COSO, are:

  • Internal control is a process. It is a means to an end, not an end in itself
  • Internal control is effected by people. It's not merely policy manuals and forms, but people at every level of an organization
  • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board
  • Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

1. Control Environment

This critical component, often referred to as "tone at the top," provides the structure and discipline that supports all the others. Its elements include:

  • The ethics and competence of the people in the organization
  • Management's operating style, and how it assigns authority and responsibility
  • Board involvement and direction, and most important,
  • Board and senior management's continuous commitment to a culture of effective compliance.

2. Risk Assessment

  • Establishment of objectives
  • Identification and analysis of risks that threaten those objectives
  • Analysis of relevant risks created by changing conditions.

3. Control Activities

Policies and procedures established to ensure that identified risks are addressed and management directives are followed throughout the organization, such as verifications, approvals, authorizations, security of assets, etc., including devices to identify and respond to material internal or external change.

4. Information and Communication

  • Identification, capture and communication of pertinent information in a form that enables people to carry out their responsibilities within the necessary time frame, that informs directors and senior management, and that enables informed oversight,
  • Data preparation, retention and security,
  • Training and awareness.

5. Monitoring

Ongoing assessment of system quality controls and their performance.

COSO cannot be the only guide. Indeed, for purposes of this solutions-oriented article, it is not enough. Beyond COSO,17 a well-documented treatise on the subject of internal controls by Steven Root, lays out their early legislative history, beginning with the Foreign Corrupt Practices Act (FCPA) of 1977. Root guides the reader through the real-life liability concerns of the accounting profession to 1998, when Beyond COSO was published. The book's prescience with respect to Sarbanes-Oxley suggests that there will soon be a sequel, but its message, that COSO's framework for internal controls contains significant limitations, is important to bank management. (COSO may be very helpful to external accountants but not as helpful to management.) As will be explained later, the USA Sentencing Guidelines for Organizations and other internal controls frameworks must also be taken into account. In any case, a clearly expressed and executed regime of internal controls has now become a critical component of Board and Senior Management responsibility. Regulators take their guidance from COSO. It is a good place to begin. Understanding and implementing COSO's framework is important. We will next explain what may be added to make it work as well for community bankers as it does for accountants and regulators.

Bank examiners realize that today's compliance measures for small community banks are burdensome. John Reich, vice chair of the FDIC and an ex-community banker himself, has continuously made it very clear that the Corporation values community banking and understands the disproportionate impact of the post-9/11, post-Enron, post-Riggs responsibilities. But let's face it: no examiner wants to be held responsible for missing the flow of funds financing the next terrorist outrage. Indeed, examiners who find nothing wrong may be suspect back at headquarters. If an examiner finds that a bank has no cohesive plan for execution of bank policy or that, having one, it is not implemented or is ignored, they have no choice but to probe deeper. If a bank has no internal controls, the examiner will impose his or her own template of internal controls on that bank. That plan will resemble an off-the-shelf program, which may or may not suit the bank. Focused principally on accounting and compliance, it is likely to underweight operations, the bank's true purpose for existence.

Designing the balanced system for your own bank and your own internal controls puts your bank on the offensive. Such a system not only forces the regulator to react to the bank's customized and home-designed program, it is the best way to ensure critical operational goals as well as financial reporting and compliance objectives. Your internal controls system is your business offense and your way of managing the examination process in a manner that is consistent with policy and operating objectives. Sometimes the best defense is a good offense.

Viewing the role of internal controls from the outside in, it is easy to see why COSO alone cannot do the trick. It was drafted and is updated by the accounting industry. It supports their external audits well. It reflects their viewpoint, which is financial controls. Its terms are reflected in FDICIA's obligations and again in Sarbanes-Oxley. Its framework is a good starting point. But COSO fails to give enough attention to the operational controls that motivate management. For leaders concerned with profit and loss, functional efficiencies, planning, response to opportunities, asset valuation and leverage ratios, COSO alone comes up short. More must be added to the mix.

Internal controls include governance, risk assessments, internal and external auditing, capital management, planning and recordkeeping. It is another term for the efficient synthesis of sound management practices. Even in the long run, for regulators concerned with compliance in the narrower sense, with laws and regulations, it can become a trap. Measuring noncompliance risk while applying the cost-benefit approach to examiner conduct has proven futile in some areas, like the Bank Secrecy Act (BSA). Regulators may claim there is no such thing as "zero tolerance," but they appear to be acting that way, explaining that with BSA the situation is different because BSA contains a statutory mandate that requires the imposition of a compliance program where weaknesses appear (12 CFR 21.21).18

Indeed, when it comes to BSA, traditional balancing notions of size, complexity and exposure seem to matter little. Moreover, the recent regulatory emphasis on "reputation risk" flowing from noncompliance has given examiners room to be subjective. COSO, with its accounting base and bias, assumes calculable metrics. Wherever a bank cannot accurately measure the cost of noncompliance, it is difficult to utilize the COSO cost-benefit approach. But such incalculables are what community banks are all about. They are the "art" part of community banking. They are the prerogative of the CEO. Yet they must become part of the plan.

Think of internal controls as a three-legged stool. One leg, reflecting COSO's accounting emphasis, is financial controls. Another is regulatory compliance, including BSA and the rest of the compliance alphabet soup. The third leg, however, is the operations plan for attaining the economic objectives for which the bank was founded. This is the leg most cherished by management. All three legs must now equally support the seat. They must work together in integrated efficiency. Seated thereon are your CAMELS, management, and Board of Directors. If any one leg collapses, the entire stool goes with it. Get them working in concert.

COSO, therefore, is merely a starting point for the senior management and board's customized game plan for the bank. It can help a bank comply with FDICIA and Sarbanes-Oxley, but by itself it won't add much to operations or to legal compliance. Indeed, if one views FDICIA/SarbOx as expressing the accounting leg, BSA and the other laws and rules as expressing the regulatory compliance leg, and the mission, balance and income statements as management's leg, the COSO framework's financial, regulatory and operational objectives begin to blend into a coherent and cohesive vision. That blend will not be the same for any two banks. No regulator can create it. It can be fashioned and implemented only by the Board and Senior Management. With its legs working together, and management planning and adjustment processes woven in, the internal controls function becomes a ticket to success and compliance with the new systems-based regulation.

Why Not Wait?

Sarbanes-Oxley itself is reliably calculated to have already cost U.S. business almost $40 billion, much of which has been transferred to the accounting profession. The new BSA regime is said so far to have produced fines of $4 billion. There are credible efforts underway to roll these laws back, but until that unlikely event occurs, community banks must find a way to survive and thrive. Internal controls are the answer. They are nothing more than documented good organization and management anyway.

So, let's get with the program. Your system needn't match the U.S. Sentencing Guidelines, nor need it match the COSO framework perfectly, but these and other systematic approaches to sound operational management effectively respond to the bank's duty to have a system of internal controls, which in turn can be its basis for "effective compliance."19

An internal controls solution is easier to explain than to execute. Nevertheless, it is the only plausible solution to the regulatory burden now faced by community banks. Board and senior management must grasp and implement a framework of internal controls that integrates bank operating goals and objectives with regulatory compliance and financial accounting requirements. Such integration is the only way to satisfy efficiently, and thus economically, the regulators' craving for credibility and for evidence of the bank's continuing commitment to the program. It is the only way to support external audits and, most important, it gives management the means to accomplish all of this while pursuing and attaining enterprise goals and objectives and creating value for shareholders and other stakeholders. Integration, therefore, is required both for compliance and for economic efficiency. Coupled with the continued watchfulness of the Board and senior management, it is what makes the program "effective." Driven by the politics of public concern and the perceived "inevitability" of another terrorist incident, the regulators are doing the best they can: keeping the system up and running and responding to Congressional pressure while bringing their objectives into step with sound management, which (like sound coaching) requires the deployment of internal controls.

CEOs alarmed by these recent developments but pressed for time can quickly get to the heart of this issue by reviewing the Internal Control portion of the OCC's Comptroller's Handbook. It was published before SarbOx and 9/11. Coupled with examination experience since then, it provides a useful outline of CEO do's and don'ts. Bank compliance specialists have read it. Now CEOs must read it.20

Consolidation in banking is inevitable. There is nothing wrong with selling out. There is something wrong, however, with being forced to sell, especially if it results from CEO inaction. So if CEOs and Directors want to change today's post-examination chorus from howls of protest to the satisfying sighs of surviving and thriving tomorrow, they must get more involved in the internal controls process — its creation and its execution. Many have, but too many have not. There is still time to act . . . but not much.


1 John M. Jackwood, "Compliance Examinations: A Change in Focus," Supervisory Insights 1, No. 1 (Summer 2004), Federal Deposit Insurance Corporation, p. 16.

2 Available at:

3 Audit Report No. 04-033, September 8, 2004, Office of Inspector General, Federal Deposit Insurance Corporation.

4 Remarks by Governor Susan Schmidt Bies at the Financial Managers Society Finance and Accounting Forum for Financial Institutions, Washington, D.C., June 22, 2004, p. 4.

5 As will be pointed out in the second part of this article, none of these issues are truly new. The Committee of Sponsoring Organizations of the Treadway Commission's (COSO) report on Internal Controls and their Interpretation pushed these concepts to the fore back in 1992. FDICIA took them further. Sarbanes-Oxley and the Bank Secrecy Act have made them mission critical. However startling, the new regulation is really a matter of new emphasis, not new thinking.

6 Available at:

7 Available at:

8 Financial institutions with total assets of $500 million or more have been subject to Section 112 of FDICIA for more than ten years.

9 John M. Reich, letter to the author, September 15, 2004. As recently as March 9, 2005, Vice Chairman Reich reiterated his position that bankers under $500 million in assets are not required to comply with Sarbanes-Oxley, but went on to say that such banks will bear the burden of showing why they are not doing so.

10 See "The Cost of Bank Regulation: A Review of the Evidence," by Gregory Elliehausen. 1998. Staff Study No. 171. Board of Governors of the Federal Reserve System.

11 "Testimony of Bradley E. Rock on behalf of the American Bankers Association before the U.S. Senate Committee on Banking, Housing and Urban Affairs," June 22, 2004, p. 1.

12 Tim Critchfield et al., "Community Banks: Their Recent Past, Current Performance, and Future Prospects," FDIC Paper FOB-2004-3.1, Executive Summary, p. 1.

13 Critchfield et al., p. 7.

14 Jackwood, p. 17.

15 Remarks by Stephen M. Cutler before the Directors' Education Institute at Duke University: Staying the Course, Durham, NC, March 18, 2005.

16 Available at:

17 Steven Root, Beyond COSO: Internal Control to Enhance Corporate Governance (New York: John Wiley & Sons, Inc., 1998).

18 OCC Bulletin 2004-50 on "Enforcement Guidance for BSA/AML Program Deficiencies."

19 As outlined in detail in Beyond COSO: Internal Control to Enhance Corporate Governance (New York: John Wiley & Sons, Inc., 1998), there are better sources for the integrated and effective management controls sought by management. They include Canada's Criteria of Control Committee (CoCo) and the Malcolm Baldrige National Quality Award (MBNQA).

20 Comptroller of the Currency, Comptroller's Handbook: Internal Control, January 2001.

* Christopher Gallagher is admitted in New Hampshire.
