Compliance

FFIEC Supports De Novo Formation: Audit and Compliance Readiness Takeaways for Financial Institutions

Learn what the FFIEC’s de novo formation statement means for compliance, audit readiness, regulator coordination, and new institution planning.

The FFIEC’s June 2026 statement signals strong interagency support for new depository institution formation, but it also reinforces the need for organizers to approach formation as a coordinated regulatory, compliance, operational, and audit-readiness effort. 

NETBankAudit experts have over 25 years of experience supporting financial institution audits, risk assessments, and regulatory compliance needs. If you have questions after reading this guide, please reach out to our team.

What the FFIEC De Novo Formation Statement Says

The Federal Financial Institutions Examination Council statement reaffirms support for the formation of new depository institutions, which are often referred to as de novos, because they can strengthen competition, innovation, access to credit, and the diversity of the financial system.

The statement was issued on behalf of the FFIEC member entities. The FFIEC includes representation from the Federal Reserve, FDIC, NCUA, OCC, CFPB, and State Liaison Committee. 

The FFIEC member entities also encouraged ongoing communication and coordination among regulators. That point matters because de novo formation can involve multiple agencies, multiple supervisory perspectives, and, in some cases, federal and state chartering considerations.

The agencies are responding to a long-term decline in institution count

The statement notes that the number of U.S. depository institutions has fallen steadily over the past three decades. At the same time, the overall banking system has grown significantly in asset size.

The FFIEC also observed that de novo formations have stagnated since the 2008 financial crisis. In the agencies’ view, that stagnation contributes to the declining number of depository institutions.

For compliance professionals, this background is important. Regulators are not simply discussing charter applications in isolation. They are connecting de novo formation to broader supervisory goals, including competition, access, resilience, and risk dispersion across markets, business models, and institution sizes.

Why De Novo Depository Institutions Matter to Compliance Strategy

Why De Novo Depository Institutions Matter to Compliance Strategy

The FFIEC statement describes de novos as important to maintaining a healthy financial system. That framing should shape how organizers and compliance leaders approach the earliest design decisions for governance, controls, staffing, and regulatory reporting.

New institutions may enter the market with different products, services, delivery channels, and community goals. Those choices can support innovation and consumer access, but they also create specific compliance obligations that must be understood before operations begin.

Competition and innovation still require disciplined control design

The statement says de novos help maintain competition in the banking sector and foster innovation in products and services. Compliance teams should not read that as permission to delay control design until after launch.

Innovation should be tied to policies, procedures, monitoring, training, and independent review. When new products or services are introduced during formation, the compliance function should document the associated consumer compliance, BSA/AML, operational, technology, and vendor management considerations.

Access to local credit increases the importance of fair and consistent practices

The FFIEC statement emphasizes that de novo formation is particularly important for local communities and small businesses. That focus increases the need for clear lending standards, fair lending controls, complaint monitoring, and consistent documentation.

A new institution that is formed to serve a defined community must be able to show that its policies and practices support that mission in a safe, sound, and compliant manner. Compliance professionals should make sure the institution’s public goals, credit policies, underwriting practices, and monitoring routines are aligned.

Resilience depends on more than capital and business planning

The statement also links de novo formation to resilience and diversity in the financial system. It notes that de novos can help spread risk across different markets, business models, and institution sizes while preventing excessive concentration.

That supervisory theme has practical consequences. A de novo institution should be ready to demonstrate that its risk management structure fits its proposed activities. The compliance program should not be a generic template. It should reflect the specific markets, products, delivery channels, and control environment planned by the organizers.

Application Process Improvements Highlight What Applicants Should Prepare

The FFIEC member entities stated that they have been pursuing and implementing process improvements. They also committed to continue enhancing coordination between relevant regulators on de novo applications. That is a positive signal, but it does not eliminate the need for strong preparation by applicants.

The statement specifically references streamlining the application process within applicable statutory requirements. It also references greater transparency to applicants on expectations and timelines. Those phrases should prompt organizers to prepare documentation that is clear, consistent, and responsive to regulator questions.

Compliance professionals should use the statement as a planning tool. The agencies are indicating support, but they are also signaling that applicants need to understand which regulator resources apply to their proposed charter, deposit insurance path, services access, and state or federal supervisory structure.

  • Coordinate early with the right regulators. The announcement encourages applicants to reach out to key contacts in member entities’ regions, districts, or states. Organizers should identify those contacts before application materials are finalized.
  • Document expectations and timelines. Because the agencies emphasized transparency on expectations and timelines, applicants should maintain an internal tracker for regulator communications, open questions, requested materials, and decision points.
  • Reduce avoidable unpredictability. The FFIEC statement acknowledges industry feedback that unnecessary delays, costs, or unpredictability may discourage organizers. Clear ownership of application content, compliance program design, and supporting documentation can reduce avoidable friction.
  • Align the application with the operating model. The compliance program should match the proposed products, services, customers, delivery channels, and geographic focus. Mismatches between strategy and controls can create follow-up questions.
  • Build audit readiness into formation planning. A new institution should be prepared to show how policies, procedures, risk assessments, training, and monitoring will be tested after opening.

Regulator Resources Applicants Should Map Before Filing

The announcement provides a resource table for applicants. It identifies resources from the FDIC, Federal Reserve, OCC, NCUA, and State Liaison Committee. Compliance professionals should treat that table as a starting point for application planning, not as a substitute for institution-specific analysis.

The right path depends on the type of institution being organized. A proposed bank, national bank, state bank, federal credit union, or state-chartered credit union may need different contacts and resource sets. The announcement also recognizes that applicants may need to communicate with regional, district, or state contacts.

Before an application is filed, the compliance team should map each resource category to the institution’s proposed structure. That mapping should identify which agency materials govern deposit insurance, chartering, filing contacts, Federal Reserve services access, credit union formation, and state regulator coordination.

  • FDIC resources support deposit insurance planning. The announcement lists FDIC resources such as the Interagency Charter and Federal Deposit Insurance Application, Application for Deposit Insurance, and Decisions on Bank Applications. Organizers should use FDIC deposit insurance resources to frame the insurance component of the formation process.
  • Federal Reserve resources support filings and services access. The announcement identifies Federal Reserve filing information, filing contacts, setup services or access, and an overview of financial services offerings. Institutions that expect to interact with Reserve Bank services should connect Federal Reserve filing contacts to their project plan before launch.
  • OCC resources support national charter planning. The announcement lists the OCC Licensing Manual for Charters and OCC licensing forms. Organizers pursuing a national bank path should align OCC chartering resources with governance, compliance, and operational documentation.
  • NCUA resources support federal credit union formation. The announcement includes NCUA resources for starting a new federal credit union and a charter application guide. Credit union organizers should use NCUA charter guidance to connect field of membership, governance, and compliance planning.
  • State Liaison Committee resources support state coordination. The announcement also points applicants to state bank regulatory agencies, state credit union regulators, and state credit union de novo formation resources. State coordination should be part of the application calendar when a state charter or state supervisory relationship is involved.

Compliance Program Areas De Novo Applicants Should Build Early

A de novo institution cannot wait until opening day to design its compliance program. The FFIEC statement emphasizes support for formation, but it also references applicable statutory requirements. That means applicants still need a control environment that is ready for supervisory review and practical operation.

Compliance leaders should begin with the institution’s actual business model. The program for a branch-based community bank may differ from the program for an institution emphasizing digital channels, commercial lending, consumer deposits, small business credit, or specialized markets.

Governance should connect board oversight to daily compliance execution

Board and management oversight should be built into the formation plan. Policies, procedures, reporting routines, risk assessments, and escalation protocols should identify who owns each compliance function and how issues will reach senior management or the board.

NETBankAudit’s audit approach is based on objective evaluation, testing, and documentation. For a de novo, that means the compliance function should be capable of producing evidence, not just policies.

Consumer compliance should reflect the products that will be offered

Deposit compliance may involve Truth-in-Savings, funds availability, electronic funds transfers, withdrawal limitations, and unlawful internet gambling controls, depending on the institution’s activities. Loan compliance may involve Truth-in-Lending, RESPA, homeownership counseling, flood, fair lending, and related requirements when those products are offered.

Privacy and consumer information controls should also be designed before customer data is collected. A new institution should define how it will manage privacy notices, identity theft red flags, credit reporting, marketing communications, and consumer information requirements that apply to its activities.

BSA/AML controls need to be operational, not theoretical

A de novo institution should design BSA/AML controls that fit its customer base, products, services, entities, and geographies. Customer identification, customer due diligence, suspicious activity monitoring, currency transaction reporting, exemptions, OFAC considerations, and training should be connected to real workflows.

Independent testing should evaluate whether the written program is adequate and whether controls are operating as intended. The audit trail should show scope, procedures performed, transaction testing, findings, and corrective action tracking.

Technology and vendor controls should match the delivery model

Many de novo business plans depend on core processing, digital banking, payments, remote deposit capture, wire transfer, ACH, and third-party service providers. Those activities require governance, access controls, information security, business continuity, incident response, vendor management, and monitoring.

Technology controls should not be handled separately from compliance planning. If a product, system, or vendor creates customer-facing obligations, operational risk, or data security responsibilities, it should be included in the formation control inventory.

How Existing Financial Institutions Should Read the FFIEC Statement

The announcement is directed at promoting new depository institution formation, but existing institutions should still pay attention. The agencies are reaffirming the value of competition, innovation, access, local community service, and a diversified financial system.

Those themes are relevant to strategic planning and compliance oversight at established banks and credit unions. A regulator focus on de novo formation may also increase attention on how institutions serve local communities, support small businesses, manage innovation, and demonstrate strong controls across changing business models.

Compliance officers at existing institutions can use the statement as a prompt to revisit several questions. Are current policies aligned with the institution’s strategy? Are new products supported by risk assessments and monitoring? Are audit results and workpapers strong enough to support the examination process?

Practical Next Steps for De Novo Compliance Readiness

The FFIEC’s statement is supportive, but a supportive environment still requires disciplined preparation. Applicants should approach formation as a coordinated regulatory, operational, compliance, and audit readiness project.

A clear readiness plan can reduce confusion and help organizers respond to regulator expectations. It should also create a record of how the institution designed its controls before accepting deposits, extending credit, serving members, or launching customer-facing channels.

Use the following steps to organize the compliance workstream before application discussions become active. These steps are not a replacement for regulator communication. They are a practical way to make those communications more productive.

  • Define the proposed operating model. Identify the products, services, customers, delivery channels, markets, and technology dependencies that will shape the compliance program.
  • Map regulator resources and contacts. Use the announcement’s resource categories to identify which federal and state materials apply to the proposed charter and supervisory path.
  • Create a compliance control inventory. Tie each applicable compliance area to policies, procedures, responsible owners, monitoring routines, training, reporting, and evidence.
  • Build a documentation calendar. Track application materials, regulator questions, board approvals, policy drafts, risk assessments, vendor materials, and testing plans.
  • Plan independent audit coverage early. Determine how the institution will obtain objective testing and documented results for compliance, BSA/AML, IT, cybersecurity, and operational controls.

How NETBankAudit Supports De Novo and Community Financial Institution Readiness

NETBankAudit was designed to support complex regulatory and technical audit and assessment needs for financial institutions. We only work with financial institutions, specialize in regulatory audits and assessments, and act as an independent internal audit source rather than a product vendor.

For de novo organizers, that independence can be especially valuable. Formation planning requires practical control design, clear documentation, and audit-ready evidence across compliance, BSA/AML, IT, cybersecurity, vendor management, payments, deposits, lending, privacy, and CRA-related considerations.

NETBankAudit has served over 750 financial institutions in over 37 states, with auditors and engineers who bring financial institution, security engineering, regulatory, and certification experience. If your institution is forming, evaluating a new charter strategy, or strengthening audit readiness in response to the FFIEC’s de novo formation focus, contact NETBankAudit to discuss how our audit and assessment services can support your next step.

THE GOLD STANDARD IN
Cybersecurity and Regulatory Compliance

 
class SampleComponent extends React.Component { 
  // using the experimental public class field syntax below. We can also attach  
  // the contextType to the current class 
  static contextType = ColorContext; 
  render() { 
    return <Button color={this.color} /> 
  } 
} 

Mitigate Risks with Comprehensive Audits & Assessments

Request For Proposal
NEWS & ARTICLES

Explore Our Learning Center

Ask a Question
Thank you! We will email you the answer to your question shortly!
Oops! Something went wrong while submitting the form.