Merger Lessons Learned
Mergers and acquisitions (M&A) are a crucial test of an institution’s compliance management system (CMS). Although M&A is common in the banking industry, it is rare that everything goes exactly to plan. Perfection is not expected: Even the most effective CMS and the most talented management team cannot foresee all consumer compliance risk in complex acquisitions. A critical aspect of an effective CMS is the ability to reasonably anticipate compliance risks, allocate resources to mitigate these issues, promptly identify compliance breakdowns, and provide timely restitution to any impacted customers.
This article is intended to assist compliance professionals and enhance consumer protection by providing a glimpse into compliance risks1 resulting from M&A activity. This brief horizontal perspective provides insight into real-world challenges, allowing readers to think through these situations in anticipation of their own future M&A activity.
Federal Reserve staff have identified five themes of consumer compliance risk in recent acquisitions. Each of these themes is broadly applicable to M&A activities, whether the reader is engaged with money center, regional, or community banks.
Geographic Considerations
Consumer compliance risk arises from the geographies in which the acquirer and acquiree have their trade area for operation and their assessment area for Community Reinvestment Act (CRA) purposes. An acquirer must understand this geography, such as considering if there will be significant increases in loans requiring flood insurance coverage. An acquirer should also meaningfully consider other ways geography may impact consumer compliance. Here are some examples of this risk:
- A bank extends its geographic footprint into a part of the United States with a significant Spanish-language speaking population, and the acquiring bank chooses to retain its own call centers postacquisition. After Legal Day One, when all calls are routed to the acquirer, the number of call center representatives who can speak Spanish is limited. This leads to extended hold times and call abandonment for Spanish speakers, indicating customer dissatisfaction.
- An acquirer has a significant overlap in its branch network and assessment areas with the acquiree. Both banks operate in many of the same cities and towns, often with branches in close proximity. Consequently, bank staff are unprepared for the volume of low- and moderate-income and majority-minority census tract analysis necessary for all stakeholders to complete the acquisition. This makes it burdensome for compliance personnel to remain effective in their core work during this increased workload.
- An acquiring bank does not have a strategy to maintain a Satisfactory CRA rating in the acquired bank’s geographies. The acquisition occurs midcycle of a CRA performance evaluation of the acquiree, and the acquirer does not meaningfully prepare for this expansion of its geographic reach. The omission leads to poor performance in the acquiree’s assessment areas postacquisition, and bank management regrets not devising a CRA strategy alongside other integration efforts.
- A bank’s branching strategy is predominantly determined by merger and acquisition activity. The bank grows by acquiring another institution in the same geography and delineates its assessment area in part based on existing and acquired branch locations. This strategy introduces additional fair lending risk in the bank’s branching pattern and assessment area delineation. The risk of redlining may be elevated when a bank acquires branch locations based on opportunities presented without sufficiently considering fair lending risk. In some situations, a bank may end up with a series of branch locations that exclude majority‒minority census tracts or that form a donut hole around predominantly majority areas or another notable visual pattern.
Compliance Considerations
The disclosure of previously unknown regulatory issues by an acquiree on Legal Day One is not uncommon. By law, neither regulators nor acquiree banks can exchange confidential supervisory information with an acquirer until Legal Day One. The disclosure of nonpublic supervisory actions, such as Matters Requiring Immediate Attention (MRIAs), Matters Requiring Attention (MRAs), nonpublic consent orders, or other regulatory actions can strain acquirer resources. Additional compliance risk exists if an acquirer’s due diligence did not uncover nonsupervisory weaknesses at an acquiree bank, such as internal compliance findings in the lines of business, second line of defense, or internal audit. Here are some examples of this risk:
- Nonpublic regulatory MRAs surprise bankers on Legal Day One in an acquisition; more legal and compliance work is required than planned at the acquiring bank to address these MRAs. A chief compliance officer fails to alert the board and other senior management prior to Legal Day One that there may be compliance surprises on Legal Day One that will require resources and time to perfect.
- After Legal Day One, regulators request materials from the acquirer bank about internally identified consumer affairs issues at the acquiree. The purpose of these requests is to assess the acquiree bank’s compliance capabilities and determine if any issues continued postacquisition. Time passes without the regulators receiving these materials, despite multiple requests. This leads regulators to question the quality of compliance due diligence efforts performed by the acquirer. Regulators then consider a nonpublic supervisory action to compel the acquirer to produce these materials and conclude these issues were not adequately considered by the acquirer during due diligence or post Legal Day One.
- The size of the combined consumer auto portfolio after an acquisition leads an acquirer to conclude that it does not have enough current staff devoted to fair lending monitoring. Federal regulators support the expansion of monitoring capability; self-identification of gaps is an important component of an effective CMS.
- A nonpublic consent order at an acquired bank, revealed to the acquirer on Legal Day One, requires expanded unfair or deceptive acts or practices coverage. The bank’s internal audit, upon evaluating the second line’s response to the consent order, concludes that the current program is not insufficient for the bank’s new size and complexity. Regulators concur but do not take additional supervisory action because the issue was self-identified and an adequate bank-developed action plan was presented.
- A bank is unprepared for a significant increase in call volume and complaints immediately after a conversion event. There is insufficient staffing, leading to extended hold times from customer call centers and a material increase in regulatory complaints. Acquiring banks may consider staffing levels prior to conversion to address potential increases in both customer and regulator feedback.
Operational Considerations
Significant consumer compliance risk often arises from integrating differing core systems. Despite modeling and testing performed prior to conversion, it is not uncommon for consumer harm to still occur. Here are some examples of this risk:
- With one login, the acquired bank allows business owners to view both business and personal accounts, but logins are coded so the personal account viewed is individualized. However, upon system conversion, the acquiring bank’s coding errantly allows broader access, allowing personal information to be viewed by unauthorized parties. Upon the discovery, only swift action by the bank’s compliance staff would limit the number of actual breaches, and free credit monitoring for impacted consumers would be included in the restitution effort.
- Divestiture of some branches is required to consummate an acquisition. Information on the customers at these divested branches may not be delivered timely to the acquirer’s marketing team. The marketing team prepares to send divested customers material as if they were customers, and reputational harm is only averted by timely intervention from the second line.
Staffing Considerations
M&A activity often results in the risk of knowledge gaps resulting from the transfer of duties and personnel, often at the acquiree bank. Regulators are seeing elevated compliance talent turnover in the post-COVID-19 return-to-office, and this instability can harm the CMS. Here are some examples of this risk:
- Staff turnover at an acquired bank leads to a delay in ordering replacement debit cards; debit cards are unavailable to some customers of the acquired bank after Legal Day One, leading to elevated complaints.
- Retaining the chief compliance officer at an acquiree bank is very attractive to the acquirer, and the acquirer makes an above-market offer to stay if the officer accepts a slightly junior role. The offer is declined because of the reduction in title.
- Public comments regarding an acquisition or banks with a proposal subject to public comment are both situations that require additional application processing time for regulators. Heightened turnover is often seen, particularly at the acquiree bank, during this evaluation period.
- Insufficient bench strength after a major acquisition requires a senior compliance professional to serve as lead for a quasi-independent monitoring and testing function within her department for an extended time until a suitable candidate could be found.
- Despite retention bonuses put in place to reduce acquiree staff runoff after an acquisition, a key senior compliance professional at the acquirer announces early retirement, and a suitable replacement is not available. Senior management underestimated its ability to maintain continuity of consumer compliance talent.
Culture Considerations
Postacquisition compliance talent is often a blend of acquirer and acquiree employees. It can be difficult to preserve a compliance culture, or worse, to create a compliance culture that previously did not exist. Here are some examples of this risk:
- A bank acquires a fintech. Bank staff finds it difficult to acclimatize fintech staff to adopt a compliance culture suitable for a bank. Structural and pervasive CMS problems result, requiring regulatory intervention.
- Compliance risk management is housed across different departments with little coordination. This siloed approach to compliance risk is amplified after some key acquisitions, making it difficult for bankers to mitigate significant compliance issues as they arise and leads to heightened regulator interest.
A final theme, although not solely confined to consumer compliance risk, is termination risk. Not all M&A activity ultimately results in a transaction. Shareholder votes may fail, due diligence may reveal material adverse information, share prices may materially change, or myriad other circumstances may abruptly terminate a proposed acquisition. Occasionally, bankers will request informal guidance from the Federal Reserve on consumer compliance monitoring, testing, and audit efforts during a potential acquisition.
For example, a banker might ask a Reserve Bank if a planned mortgage servicing review should be postponed because of a pending acquisition of a large mortgage servicer. In this case, the Reserve Bank’s response may be to continue with all scheduled internal efforts until an acquisition clears all potential obstacles for approval.
Federal Reserve staff have shared this information to help bank compliance professionals avoid common M&A pitfalls that may impact consumers.
1 These hypothetical scenarios are inspired by supervisory work.