Opening a new bank means building a compliance program from scratch under heightened regulatory scrutiny. The FDIC considers newly chartered institutions to be higher risk by default: you haven't proven your risk management capabilities yet, your staff is new, your systems are untested, and your business model is unproven in practice. That assumption translates to a supervision period with more frequent examinations, stricter reporting requirements, and zero tolerance for compliance program gaps that might be forgiven as works-in-progress at an established institution.
Key Takeaways:
- The FDIC enhanced supervision period for de novo banks typically lasts 3 years (reduced from 7 years under FDIC FIL-50-2019), with possible extension
- Your compliance program must be fully operational before the bank opens, not built incrementally after charter approval
- Expect your first full-scope examination within 12 months of opening, not 18
- Business plan deviations trigger additional supervisory scrutiny, including compliance implications
The FDIC De Novo Supervision Period
Under FDIC FIL-50-2019, the FDIC reduced the enhanced supervision period for newly insured depository institutions from seven years to three years. During this period, the bank operates under heightened oversight that differs from the supervision of established institutions in several significant ways.
Examination frequency. De novo banks are examined on-site within the first 12 months of operations. The standard 18-month cycle available to well-rated banks under $1 billion (per 12 U.S.C. § 1820(d)) does not apply during the de novo period. Expect annual examinations at minimum, and targeted reviews or visitations between formal exams are common. The FDIC's regional offices monitor de novo institutions more actively through call report analysis, financial performance tracking, and periodic discussions with management.
Prior approval requirements. During the de novo period, the FDIC requires prior approval for certain activities that established banks can undertake with simple notice: significant changes to the business plan, expansion of products or services, branch openings, changes in senior management, and dividend payments. Each of these activities has compliance implications: a new product line means new regulatory obligations, new disclosures, and potentially new BSA/AML monitoring requirements.
Capital maintenance requirements. De novo banks must maintain higher capital ratios than established institutions, typically specified in the approval order. While capital adequacy is primarily a safety-and-soundness concern, it interacts with compliance: a bank under capital pressure may be tempted to cut compliance spending, which examiners will identify immediately.
Business plan monitoring. The FDIC evaluates whether the bank is operating within the parameters of its approved business plan. Significant deviations, particularly those that change the risk profile, require prior FDIC approval and may trigger additional examination activity. If your approved business plan described a community-focused commercial lending operation and you pivot to fintech partnerships within year one, expect questions.
Compliance Program Expectations from Day One
Examiners arriving for your first examination expect to find a fully functioning compliance management system, not one that's "being developed." The three components of the FFIEC Compliance Management System framework (board/management oversight, compliance program, and audit) must all be in place when the bank opens.
Policies and Procedures
Every regulatory area relevant to your business plan must have approved policies and procedures before the first customer transaction. This includes:
- BSA/AML policy covering the five pillars: internal controls, independent testing, BSA officer designation, training program, and customer due diligence/enhanced due diligence procedures per 31 CFR § 1020.210
- Consumer compliance policies for every product offered: Regulation B (ECOA), Regulation Z (TILA), Regulation E (electronic funds transfers), Regulation DD (truth in savings), Regulation CC (funds availability), and any others applicable to your product set
- Fair lending program including monitoring methodology, even if your initial lending volume is low
- CRA program appropriate to your charter type and assessment area
- Information security program meeting GLBA requirements under the FFIEC Information Security Handbook
- Vendor management framework addressing the 2023 interagency third-party risk management guidance
- Complaint management procedures with tracking and resolution documentation
Policies must be board-approved with documented approval dates. Generic template policies purchased from a compliance vendor are a starting point, but examiners expect them to be customized to your institution's specific products, services, risk profile, and organizational structure. A $200 million de novo community bank and a $50 million de novo fintech bank need meaningfully different compliance frameworks.
Staffing and Expertise
The compliance program must be appropriately staffed. For most de novo community banks, this means at least a designated compliance officer (often combined with BSA officer responsibilities) and access to compliance expertise, whether through internal staff, external consultants, or a combination.
Examiners evaluate whether compliance staffing matches the risk profile. A de novo bank launching with commercial lending, residential mortgage lending, consumer deposit products, and digital banking needs more compliance depth than one offering only commercial deposit accounts and business lending.
The designated BSA officer must have documented qualifications and adequate authority to implement the BSA/AML program, including the ability to file SARs without management override. This is a specific regulatory requirement under 31 CFR § 1010.230 and a common de novo finding when the BSA officer role is treated as a secondary responsibility.
Board Oversight
De novo bank boards tend to be composed of organizers and investors who may not have banking regulatory experience. Examiners expect board members to receive compliance training and demonstrate engagement with compliance topics through documented board minutes.
At minimum, the board should:
- Approve all compliance policies before the bank opens
- Receive and discuss regular compliance reports (quarterly at minimum)
- Review and discuss suspicious activity reporting trends (aggregate data, not individual SARs)
- Approve the BSA/AML risk assessment
- Document discussions and decisions in board minutes
Heightened Reporting During the De Novo Period
Beyond standard regulatory reporting, de novo banks must submit additional information to the FDIC during the enhanced supervision period.
Quarterly reporting. Many de novo approval orders include conditions requiring quarterly reporting to the FDIC regional office. These reports typically cover financial performance versus the approved business plan, capital adequacy, asset quality trends, management changes, and operational developments. While the format varies by approval order, the expectation is consistent: the FDIC wants to see that the bank is operating as described in its application.
Business plan deviation notifications. If your actual operations differ materially from the approved business plan, the FDIC expects prompt notification. Material deviations include changes in lending concentrations, new product lines, geographic expansion beyond the original assessment area, significant management departures, and technology platform changes.
Compliance event reporting. Any significant compliance event (a regulatory complaint, a potential BSA violation, a fair lending concern, or a data breach) should be reported to your FDIC regional office promptly. De novo banks don't have the institutional track record to absorb compliance events silently. Proactive reporting builds regulatory credibility; examiners discovering unreported compliance events at your first exam does the opposite.
Common De Novo Examination Findings
First examinations at de novo banks produce predictable categories of findings. Knowing these patterns lets you address them proactively.
BSA/AML program deficiencies. The BSA/AML program is the most scrutinized area at a de novo examination. Common findings include: BSA risk assessment that doesn't reflect actual customer types and product usage (because it was written before the bank opened and never updated), CDD procedures that work on paper but aren't consistently applied in practice, and independent testing that hasn't been conducted because "the bank hasn't been open long enough." The BSA independent testing requirement applies from day one; the 12-18 month testing cycle starts when the bank opens, not when examiners first visit. Review your BSA/AML compliance checklist against actual operations, not the original business plan.
Policies not matching operations. Template policies approved before opening often don't match how the bank actually operates. A lending policy might describe underwriting procedures that differ from what loan officers actually do. A BSA policy might reference a monitoring system the bank decided not to implement. Examiners test policies against reality and cite the disconnect.
Insufficient training documentation. De novo banks hire staff rapidly during the startup phase, and compliance training sometimes falls behind the hiring timeline. Examiners expect documented evidence that all relevant employees completed required training (BSA/AML, fair lending, privacy, information security) before engaging in activities related to those regulatory areas. Retroactive training certifications don't satisfy this requirement.
Weak vendor oversight. De novo banks are heavily dependent on third-party vendors for core processing, digital banking, BSA monitoring, and other critical functions. The 2023 interagency third-party risk management guidance requires documented due diligence, risk assessment, contract provisions, and ongoing monitoring for critical vendors. Banks that signed contracts during the startup phase without formal due diligence documentation face findings at the first exam.
Business plan deviations without documentation. Nearly every de novo bank deviates from its original business plan to some degree (different lending mix, different growth trajectory, different product emphasis). The deviations themselves aren't necessarily problematic. Undocumented, unapproved deviations are. Examiners compare actual operations to the approved business plan and look for evidence that material deviations were reported to the FDIC and approved.
Building Exam Readiness from the Start
The most effective de novo compliance programs build examination readiness into their operations from the first day, rather than trying to reconstruct evidence before the first exam.
Map obligations before opening. Based on your approved business plan and product set, create a complete inventory of regulatory obligations, federal and state. Every obligation should link to a policy, a procedure, a responsible person, and an evidence trail. This becomes your compliance management system foundation.
Capture evidence at execution. When a BSA officer reviews a high-risk account, that review should be documented in the moment. When a loan officer collects adverse action notices, the delivery evidence should be captured at the time. When the board discusses a compliance report, the minutes should reflect the substance of the discussion. Your first exam preparation should require exporting existing evidence, not creating it.
Update policies within 90 days of opening. The policies approved before opening were based on projections. Within 90 days of actual operations, review every policy against reality and update any that don't match. Document the updates and board approval. This demonstrates to examiners that your compliance program is responsive, not static.
Schedule independent testing early. Don't wait until month 11 to arrange BSA independent testing. Schedule your first testing engagement within the first 6 months. The testing may find issues; that's the point. Issues identified and corrected through internal testing demonstrate a functioning compliance management system. Learning about your exam preparation requirements early gives your team the right framework.
How Canarie Helps De Novo Banks Build Compliance from Day One
De novo banks face a unique challenge: building institutional compliance infrastructure from scratch while simultaneously launching a business under heightened regulatory scrutiny. There's no existing evidence archive to draw from, no prior exam experience to reference, and no margin for error at the first examination.
Canarie provides the compliance execution framework de novo banks need: mapping regulatory obligations to tasks, capturing evidence at the point of work, and maintaining continuous exam readiness from the moment the bank opens. Instead of building compliance documentation retroactively for your first exam, your team documents compliance work as it happens.
Frequently Asked Questions
How long is the FDIC de novo supervision period?
Under FDIC FIL-50-2019, the enhanced supervision period for newly insured depository institutions is three years from the date the bank opens. The FDIC reduced this from seven years in 2019. However, the FDIC can extend the de novo period if the institution has supervisory concerns, significant examination findings, or is not operating within its approved business plan. During this period, the bank faces more frequent examinations, prior approval requirements for certain activities, and heightened reporting obligations.
When does the first examination happen for a de novo bank?
De novo banks receive their first full-scope, on-site examination within 12 months of opening. The 18-month extended examination cycle available to well-rated banks under $1 billion does not apply during the de novo period. Additionally, the FDIC may conduct interim visitations or targeted reviews between formal examinations to monitor specific concerns identified during the approval process or early operations.
What compliance staff does a de novo bank need before opening?
At minimum, a de novo bank needs a designated compliance officer and a designated BSA officer (these can be the same person at smaller institutions, though the FDIC evaluates whether combining roles is appropriate given the bank's complexity). Both positions must be filled and the individuals must complete relevant training before the bank begins operations. The FDIC evaluates whether compliance staffing is proportionate to the bank's risk profile, product complexity, and anticipated transaction volume.
Can a de novo bank change its business plan during the supervision period?
Material changes to the approved business plan require prior FDIC approval during the de novo period. This includes changes in lending concentrations, new product offerings, geographic expansion, significant management changes, and technology platform switches. The FDIC evaluates whether the proposed change is consistent with safe and sound banking practices and whether the bank's compliance infrastructure can support the change. Unapproved business plan deviations are a common finding at de novo examinations.