
Community banks.

Examined by the OCC, the FDIC, or state regulators. Capital, credit, BSA/AML, IT, and operational risk under continuous scrutiny.

01

The sector

The institutions that hold their towns together.

A community bank's examination cycle does not pause.

Community banks — typically under $10 billion in assets — operate inside the same regulatory perimeter as their largest peers, with a fraction of the headcount to meet it. The BSA officer is also the compliance officer. The IT risk officer is also the CISO. The internal audit function is one person, two if the bank is lucky, and the examination cycle never pauses long enough to catch up.

Our practice is built for the institution that needs senior judgment without a senior headcount line item. We co-source or fully outsource the functions that benefit from specialization (internal audit, IT audit, model validation, AML), we run examination-readiness work on a cadence that matches the regulator's, and we write findings for the audit committee in language that does not require a translator.

The math of community banking is unforgiving. A finding in October is a budget conversation in November and a personnel decision in January. We come in early so the conversation in January is about something else.

02

The regulators in the room

Who reads the workpapers.

Primary federal regulator: OCC · FDIC (examination cycle 12–18 months)
State regulator: State banking dept. (for state-chartered banks)
BSA / AML: FinCEN (SAR / CTR filings, BSA examinations)
Capital: Basel III · CBLR (leverage and risk-based capital)
Consumer compliance: CFPB · state AG (UDAAP, fair lending, Reg B/Z/E)
IT / cyber: FFIEC (FFIEC IT examinations)

03

What we do for this sector

The practice areas that show up most often.

04

A representative engagement

Anonymized, but the shape is real.

Institution profile: Community bank, $1.8B assets, OCC-chartered, single state.
Trigger: MRA following BSA exam — TM tuning inadequate.
Duration: 14 weeks, partner-led
Practice areas: AML · IT audit · Board reporting

From MRA to remediation, in one examination cycle.

The bank's BSA examination produced a Matter Requiring Attention for inadequate tuning of its transaction monitoring system. The MRA cited a 2017 calibration that had never been refreshed, a below-the-line testing program that had stopped running, and an alert-to-SAR conversion rate that the examiner found 'inconsistent with the institution's risk profile.' We were brought in by the CRO three weeks after the exit conference. Edgar led the engagement.

What the audit committee saw:
FINDING 01: Tuning study completed; thresholds adjusted across 12 rule sets; new typologies added for fintech-rail layering.
FINDING 02: BTL / ATL testing program rebuilt, with quarterly cadence and committee reporting.
FINDING 03: MRA closed at next examination; alert-to-SAR conversion within examiner's expected range.
