
M&A: Getting a Handle on Risk and Compliance During the Acquisition Process

Nov 10, 2022

Whether your institution is looking to acquire or be acquired, it’s important to have a good handle on risk.

From the value of your institution to the likelihood regulators will approve of a merger or acquisition, understanding your institution’s risk is an essential first step when considering a merger or acquisition. Every institution should have a thorough knowledge of its own performance and culture.

The Role of Risk Management in M&A

While it’s always been important for institutions to thoroughly assess and analyze potential M&As, today’s pre-merger activity is particularly focused on risk management. From IT infrastructure and mobile banking to the rise of fintech and increased outsourcing to third-party providers, financial institutions are operating in an increasingly risky environment. Regulators have stepped up to stem this risk and protect both consumers and the economy. This has translated into an increased focus on due diligence throughout the M&A process—from the letter of intent to approval. Acquiring institutions are expected to demonstrate detailed and accurate knowledge of the risk culture of both the acquiring and target institution with an eye towards possible pitfalls.

Risk management is about having a full 360-degree view of the institution from its values to its goals. An institution needs to assess whether it’s developed a strong internal risk culture—one that proactively identifies and remediates potential risks, deals with current risks, and learns from and avoids repeating past mistakes.

This self-examination is more than an enterprise risk management exercise. It helps identify institutional problems that could prevent a successful merger. Consider cultural fit—a seemingly simple issue that can actually kill an otherwise attractive deal. Understanding management’s communication or leadership style can help an institution determine whether a potential target’s risk management approach will mesh well with its own, making it easy to co-exist and effectively blend cultures.

Another important issue is staffing requirements and the institution’s skill base. M&A is a demanding process, and it’s important to have the necessary talent to conduct thorough due diligence. A good self-examination will make clear what resources are available and whether an institution will need to supplement weak areas, either through hiring or consulting. This can include strong, capable senior management, legal and financial professionals, or other consultants.

Let’s take a look at some other key areas of risk:

Compliance Risk

When you join with another financial institution, its compliance problems will become your compliance problems and vice versa. You're combining two previously distinct financial institutions, each with their own unique policies, procedures, and practices. The most basic risk is that inefficiencies and lack of oversight let some things fall through the cracks. One of the most important risks is that consumers can be harmed in the process.


Why do you need to care about compliance risk? Three reasons:

1. Compliance risk can slow or halt M&A activity. Unchecked compliance risk can derail a merger or acquisition, and result in a less healthy joint institution than either of the individual banks.

Meanwhile, the federal banking regulators have to approve every merger or acquisition. The Federal Reserve and your primary federal regulator (if they're different) must both approve the merger or acquisition. If you're a state bank, your state regulators will also need to approve the transaction.

These are lengthy processes and can be even more drawn out—or stop the process entirely—if one of the institutions has compliance deficiencies.

2. Compliance risk can draw public and media scrutiny. Avoiding consumer harm is a top concern for financial regulators. If an institution has a history of harming consumers or if public consumer protection data suggests an institution isn’t protecting consumers, a merger or acquisition can draw the attention of investigative journalists, watchdog groups, and community action groups.

The public gets a chance to comment on every merger, and the regulators take those comments seriously. Negative feedback or protests to a merger or acquisition will be investigated and can delay or prevent a merger or acquisition.

3. Compliance risk can impact valuation. Target institutions want to sell for top dollar. If compliance problems are uncovered during negotiations or the approval process, it can result in a lower valuation. Conversely, going into conversations with a strong compliance program can result in a higher valuation or result in a speedy approval.

Acquiring institutions want to be attractive partners. A strong compliance program can help make the case.


Fair Lending

Financial institutions involved in mergers or acquisitions need to pay particular attention to their CRA, fair lending, and redlining compliance, both before and after a merger.

A merger or acquisition often leads to changes in MSA or market area definitions, which can change your demographics and elevate your risk profile for CRA and Fair Lending. It’s also likely to change your branch network and delivery channels, meaning that you need to reconsider the best ways to serve your communities for both compliance and future success.

Having this information about your institution and the institution you may combine with can help chart a course to future success—and stem criticism.


Vendor Management

Whether you’re an acquirer or a target, it’s important to have a strong handle on vendor management. Combining institutions results in having two sets of vendors—and strategic decisions need to be made about which vendors to keep.

Managing vendor risk involves asking important questions such as:

Appropriateness. Will its product continue to align with your institution’s planned initiatives such as new products and services, M&A, or growth?

Termination. Are the termination costs or penalties on a contract a significant barrier to early termination? Are there exclusivity provisions forbidding the institution from utilizing another vendor—even to provide short-term continuation of service for the target?

Growth. Is the vendor able to service a larger institution? What would growth in the asset base mean for the cost of doing business with existing vendors? Can additional locations be added? If so, at what cost?


In order to answer these questions, you need to know what’s in your vendor contracts. You don’t want to be caught off guard and deal with an unexpected expense.

Investigating vendor management practices as well as vendor obligations, limitations, and opportunities for both the acquiring and the target institution is an enlightening task. It gives the acquiring institution—and regulators—a more complete picture of the combined institution’s potential bottom line and how much existing policies, procedures, and approaches will complement or clash. It also helps the acquiring institution manage vendors and contracts throughout the M&A period, preventing pitfalls ranging from legal and compliance risk to culture clashes to hidden liabilities and costs.
