Industry
Community banks.
Examined by the OCC, the FDIC, or state regulators. Capital, credit, BSA/AML, IT, and operational risk under continuous scrutiny.
Community banks — typically under $10 billion in assets — operate inside the same regulatory perimeter as their largest peers, with a fraction of the headcount to meet it. The BSA officer is also the compliance officer. The IT risk officer is also the CISO. The internal audit function is one person, two if the bank is lucky, and the examination cycle never pauses long enough to catch up.
Our practice is built for the institution that needs senior judgment without a senior headcount line item. We co-source or fully outsource the functions that benefit from specialization — internal audit, IT audit, model validation, AML. We run examination-readiness work on a cadence that matches the regulator's, and we write findings for the audit committee in language that does not require a translator.
The math of community banking is unforgiving. A finding in October is a budget conversation in November and a personnel decision in January. We come in early so the conversation in January is about something else.
| Regulator | Authority |
|---|---|
| OCC · FDIC | Primary federal — examination cycle 12–18 months |
| State banking dept. | State regulator for state-chartered banks |
| FinCEN | BSA / AML — SAR / CTR filings |
| Basel III · CBLR | Capital — leverage and risk-based capital |
| CFPB · state AG | Consumer compliance — UDAAP, fair lending, Reg B/Z/E |
| FFIEC | IT / cyber examinations |
- Internal audit — Co-sourced or fully outsourced, calibrated to a community bank examination cycle.
- IT audit — FFIEC-aligned IT controls testing, with a focus on the gaps examiners cite.
- AML & sanctions — BSA program reviews, transaction monitoring tuning, sanctions screening.
- Board reporting — Reporting that gives a one-person audit function the voice of a function of ten.
The bank's BSA examination produced a Matter Requiring Attention for inadequate tuning of its transaction monitoring system. The MRA cited a 2017 calibration that had never been refreshed, a below-the-line testing program that had stopped running, and an alert-to-SAR conversion rate that the examiner found inconsistent with the institution's risk profile. Edgar led the engagement.
What the audit committee saw
- Finding 01: Tuning study completed; thresholds adjusted across 12 rule sets; new typologies added for fintech-rail layering.
- Finding 02: BTL / ATL testing program rebuilt, with quarterly cadence and committee reporting.
- Finding 03: MRA closed at next examination; alert-to-SAR conversion within examiner's expected range.