Natasha Vernier
Jan 27, 2026

Breaching the $10B Asset Threshold - Governance and Risk Management Compliance Requirements

Breaching the $10 billion asset threshold represents the most significant regulatory cliff in banking, fundamentally changing compliance obligations. These changes can require substantial infrastructure investments, costing tens of millions of dollars annually.

These compliance changes are very broad, covering everything from interchange to cyber security expectations, Community Reinvestment Act reporting to liquidity management frameworks, and complaint data reporting to vendor management.

While recent changes to federal supervision have reduced examination frequency and intensity, the underlying compliance requirements remain in place, and banks approaching $10 billion in assets still need to comply with them.

And remember, all of this needs to be in place before you cross $10 billion in assets.

Over the next couple of weeks we’ll be diving into 3 areas of change that we think are particularly interesting:

  1. Governance and Risk Management
  2. Operational Requirements
  3. Supervision and Examination

Today we’re jumping into the first of those. To understand what governance and risk management changes you have to comply with as you breach the $10B asset threshold, keep reading.

What Changes at $10 Billion: Governance and Risk Management

When a bank crosses $10 billion in assets, regulators stop accepting the "we handle risk management in our regular operations" approach. Instead, they expect a formal, enterprise-wide risk management framework, complete with dedicated staff, documented processes, and regular board reporting.

Enterprise Risk Management Gets Real

Below $10 billion, risk management responsibilities are often distributed across departments. Your lending team handles credit risk, operations handles operational risk, and maybe your CFO pulls it all together for the board once a quarter.

At $10 billion, regulators expect you to identify, measure, monitor, and control all material risks across your organization through a formal framework. This means dedicated risk management staff, regular enterprise-wide risk assessments, comprehensive risk reporting systems, and clear reporting lines straight to senior management and the board.

In practice, banks typically need to hire a Chief Risk Officer and build out a risk management team. You're looking at risk officers for major areas like credit, market, operational, and compliance risk, plus support staff to manage risk data and reporting. For many institutions, this represents 5-10 new positions.

The Risk Committee Becomes Mandatory

If you're a bank holding company, Regulation YY requires you to establish a board-level risk committee (yes, in addition to the audit committee) specifically responsible for enterprise-wide risk oversight.

The risk committee must meet at least quarterly, include independent directors, and report regularly to the full board. It needs its own charter, agenda, and focus separate from other board committees.

Board Expertise Requirements Change

At least one risk committee member must have genuine risk management expertise appropriate to your institution's complexity and risk profile. This isn't satisfied by "our board member ran a manufacturing company and understands business risk." Regulators want financial risk management expertise, which means someone who understands capital adequacy, stress testing, liquidity risk, model risk, and enterprise risk frameworks in a banking context.

The governance infrastructure required at $10 billion in assets takes 12-18 months to build properly. Banks that wait until they're at $9.5 billion find themselves scrambling. In our next post, we'll explore the Operational Requirements that compound this challenge.


