Banks under $1 billion in assets operate under a different examination rhythm than their larger counterparts. If your institution qualifies for the extended 18-month examination cycle, you have more time between exams, but that doesn't mean less scrutiny when examiners arrive. Understanding the specific process, scope, and expectations for smaller institutions helps you allocate limited compliance resources where they matter most.
Key Takeaways:
- Qualifying banks under $1B may be examined on an 18-month cycle instead of 12 months under the Federal Deposit Insurance Act § 10(d)
- Smaller bank exams are typically shorter in duration but cover the same core regulatory areas
- The most common findings at banks this size relate to BSA/AML documentation gaps and policy staleness
- Resource constraints are understood by examiners, but they don't lower the compliance bar
The 18-Month Examination Cycle: Who Qualifies
Under 12 U.S.C. § 1820(d), the Federal Deposit Insurance Act § 10(d), insured depository institutions must receive a full-scope, on-site examination at least once during each 12-month period. However, Congress created an exception for smaller, well-managed institutions.
Banks that meet all of the following criteria may qualify for an 18-month examination cycle:
- Total assets of less than $1 billion (the threshold was raised from $500 million by the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018)
- Composite CAMELS rating of 1 or 2 at the most recent examination
- Well-capitalized under prompt corrective action standards
- Not subject to a formal enforcement action
- No material change in management since the last examination
The FDIC communicates examination scheduling through its regional offices. If your bank falls out of eligibility, say a CAMELS downgrade to 3, you return to the standard 12-month cycle immediately.
The 18-month cycle is not automatic. The FDIC retains discretion to examine any institution at any time based on risk indicators, complaints, financial trends, or emerging concerns. A qualifying bank might still see examiners at 14 months if its call report data raises questions.
What Differs from Larger Bank Exams
The FDIC doesn't apply a materially different examination framework for banks under $1 billion. Examiners follow the same FDIC Risk Management Manual of Examination Policies and the same FFIEC interagency procedures. But the practical execution differs in several ways.
Examination team size. A bank under $1 billion will typically see a team of 3-6 examiners, compared to 10-20+ at a larger institution. The lead examiner, the Examiner-in-Charge (EIC), often handles multiple areas personally rather than delegating to specialists.
On-site duration. Smaller bank exams typically last 2-4 weeks on-site, compared to 4-8+ weeks for larger institutions. Some straightforward exams at well-rated community banks conclude in under two weeks.
Scope focus. While all areas are theoretically in scope, examiners at smaller banks tend to concentrate on a few risk areas identified during pre-examination planning. If your loan portfolio is 70% commercial real estate and you have minimal international activity, don't expect deep OFAC testing, expect heavy CRE concentration analysis.
Transaction testing samples. Sample sizes are proportional. At a $300 million bank, BSA transaction testing might pull 30-50 CTR and SAR samples. At a $15 billion bank, that number could be 200+. But the quality expectations for each sampled item remain identical.
Off-site work. The FDIC increasingly conducts pre-examination analysis off-site using call report data, prior exam workpapers, and industry comparisons. For smaller banks, this means examiners arrive with preliminary conclusions that the on-site work will confirm or challenge. The first day matters, your opening conference and initial document production shape whether examiners dig deeper or stay targeted.
Common Findings at Banks Under $1B
Certain examination findings appear disproportionately at smaller institutions, driven by resource constraints and the operational reality of running compliance with a small team. Based on recent FDIC examination trends, the most frequent findings include:
BSA/AML program gaps. The Bank Secrecy Act requires the same five pillars regardless of institution size: internal controls, independent testing, designated BSA officer, training, and customer due diligence. Small banks frequently receive findings for insufficient independent testing (using the same auditor for BSA and financial statement audit without adequate BSA expertise), delayed SAR filings beyond the 30-day deadline, and incomplete beneficial ownership records under 31 CFR § 1010.230. Review your BSA/AML compliance checklist to identify gaps before examiners do.
Stale policies and procedures. At larger banks, dedicated compliance staff update policies when regulations change. At a $400 million bank where the compliance officer also manages vendor oversight, HR training, and CRA, policies often lag 12-24 months behind regulatory updates. Examiners check policy dates and compare them against recent regulatory changes, a BSA/AML policy that doesn't reflect the 2024 beneficial ownership reporting amendments under the Corporate Transparency Act is an immediate finding.
Vendor management weaknesses. As community banks increasingly rely on third-party service providers for core processing, digital banking, BSA monitoring, and lending platforms, the OCC/FDIC interagency guidance on third-party relationships (2023) requires documented risk assessments, due diligence, and ongoing monitoring. Small banks often have vendor contracts but lack the documented oversight framework. This is covered in our third-party risk management exam preparation guide.
Incomplete board reporting. Examiners review board and committee minutes to verify management is keeping the board informed of compliance risks, exam findings, and program changes. Generic compliance reports that say "no issues noted" every quarter don't satisfy this requirement. Examiners want to see evidence that the board discussed specific compliance risks, approved policy changes, and reviewed suspicious activity reporting trends.
IT and information security gaps. Even small banks hold sensitive customer data. Examiners evaluate whether your information security program meets the requirements of the Gramm-Leach-Bliley Act (GLBA) and the FFIEC Information Security Handbook. Outdated penetration testing, missing business continuity plan updates, and lack of multi-factor authentication are recurring findings.
Resource Allocation for Small Bank Exam Readiness
With a compliance team of one to three people, you can't prepare for every regulatory topic in equal depth. Strategic resource allocation matters. Here's how to prioritize.
Focus on what examiners told you last time. Prior examination findings (MRAs (Matters Requiring Attention) or violations) are the first thing the EIC reviews during pre-examination planning. If your last exam had three BSA findings and one CRA finding, examiners will verify those are corrected and test whether the fixes stuck. Dedicate 40% of your preparation time to demonstrating remediation of prior findings.
Review your risk assessment. If your institution's compliance risk assessment doesn't match reality, the exam starts on the wrong foot. A bank with significant mortgage lending that rates fair lending risk as "low" will face questions. Update your risk assessment at least annually and ensure it reflects actual product offerings, customer base, and geographic footprint.
Prepare your evidence inventory before the document request list arrives. Don't wait for the DRL. Based on your bank's risk profile and prior exam scope, you can predict 80% of what examiners will request. Assemble standing document packages for board minutes, training records, policy approvals, audit reports, and complaint logs. The detail on what happens during a bank examination covers exactly what examiners request and when.
Designate exam coordinators early. Even at a small bank, one person shouldn't field every examiner question. Assign subject matter contacts for lending, operations, IT, and BSA before examiners arrive. Brief each contact on what examiners might ask and where the evidence lives.
Conduct a pre-exam self-assessment. Pull your own samples. Test your own CTR and SAR filings. Review your own CDD files. If you find problems, you can fix them before examiners arrive and demonstrate to examiners that your monitoring and self-assessment processes work. A bank that identifies and corrects its own issues earns examiner confidence.
How Canarie Helps Small Banks Stay Exam-Ready
For compliance teams of one to three people, the challenge isn't knowing what to do, it's having the capacity to do it, document it, and prove it happened. Small bank compliance officers manage BSA, fair lending, CRA, vendor oversight, training coordination, and exam preparation simultaneously.
Canarie maps your compliance obligations to executable tasks with built-in evidence capture. When your BSA officer completes a high-risk customer review, the evidence is captured at that moment, not reconstructed three weeks before an exam. When your board reviews a compliance report, the approval and discussion are documented in the same workflow.
The result: exam preparation becomes an export exercise instead of a research project. Your institution can see how exam readiness works in practice.
Frequently Asked Questions
How often does the FDIC examine banks under $1 billion in assets?
Qualifying banks under $1 billion may be examined on an 18-month cycle instead of the standard 12-month cycle. Qualification requires a CAMELS composite rating of 1 or 2, well-capitalized status, no formal enforcement actions, and no material management changes since the last exam, per 12 U.S.C. § 1820(d). The FDIC can still examine any institution at any time regardless of cycle eligibility if risk factors warrant it.
What is the typical duration of an FDIC exam for a small bank?
On-site examination duration for banks under $1 billion typically ranges from 2-4 weeks, depending on the bank's risk profile, complexity, and whether the exam is a full-scope review or a targeted follow-up. Pre-examination off-site work by FDIC staff usually begins 2-4 weeks before the on-site visit, and examiners arrive with preliminary analysis already completed.
What are the most common FDIC exam findings for community banks?
The most frequent findings involve BSA/AML program deficiencies (insufficient independent testing, late SAR filings, incomplete CDD records), stale policies that haven't been updated to reflect regulatory changes, inadequate vendor management documentation, and weak board reporting. IT and information security gaps related to GLBA requirements are also increasingly common.
Can a bank under $1 billion lose its 18-month exam cycle eligibility?
Yes. If your CAMELS composite rating drops below 2, you become subject to a formal enforcement action, or there's a material change in management, the bank reverts to the 12-month examination cycle immediately. The change takes effect at the time of the triggering event, the FDIC does not wait until the next scheduled exam to make this determination.