Support

CDC Best Practices Guidance - Internal Control Policies

This guide discusses best practices for Certified Development Company (CDC) compliance with certain 504 Loan Program Requirements.

About this document and download

This guide discusses best practices for Certified Development Company (CDC) compliance with certain 504 Loan Program Requirements. “504 Loan Program Requirements” include those imposed on CDCs by statute, SBA regulations (including 13 CFR Part 120), any agreement the CDC has executed with SBA, SBA’s Standard Operating Procedures (SOPs) (including 50 10 (Lender and Development Company Loan Programs) and 50 55 (504 Loan Servicing and Liquidation)), official SBA notices and forms, and loan authorizations, as such requirements are issued and revised by SBA from time-to-time. In the event of any conflict between this guide and the 504 Loan Program Requirements, the 504 Loan Program Requirements take precedence. SBA regulations (13 CFR 120.180) require all CDCs to comply and maintain familiarity with all 504 Loan Program Requirements as such requirements are revised from time-to-time.

Overview

A Certified Development Company’s (CDC) Board of Directors is responsible for establishing written internal control policies, and is required to adopt internal control policies that provide adequate direction to the CDC for effective control over and accountability for the CDC’s operations, programs and resources (13 CFR § 120.823(d)(13) and 13 CFR § 120.826(b)). At a minimum, the Board-adopted internal control policies must: (1) direct CDC Management to assign the responsibility for the internal control function (covering financial, credit, credit review, collateral, and administrative matters) to an officer or officers of the CDC; (2) adopt and set forth procedures for maintenance and periodic review of the internal control function; (3) direct the operation of a program to review and assess the CDC’s 504 loans; and (4) address other control requirements as may be established by SBA (13 CFR § 120.826(b)). SOP 50 10 requires that the CDC’s internal control policies must include Board oversight responsibilities under 13 CFR § 120.823, such as oversight for CDC operations, financial oversight, annual reports and certifications. SOP 50 10 also requires the CDC’s internal control policies to include the following, among other things: (1) procedures to ensure satisfactory monitoring and management of the 504 loan portfolio; (2) a list of monthly reports provided by CDC management for Board review to support adequate Board oversight; (3) internal controls for loan making, closing, disbursing, servicing and liquidation; (4) provisions for a risk rating system to risk classify SBA loan assets satisfactory to SBA; (5) provisions to ensure compliance with SBA Loan Program Requirements on eligibility; and (6) documentation demonstrating that the internal controls policies and procedures are fully implemented and followed.

Tab 3 of SBA Form 1253 (CDC Annual Report Guide) requires a CDC with a 504 loan portfolio balance of $20 million dollars or more to include in its annual financial report a copy of an auditor’s letter to management on internal control weaknesses, and evidence of the CDC Board’s acknowledgement of the auditor’s letter. All CDC Annual Reports must include a copy of the written annual certification by each Board member that he or she has read and understands the requirements set forth in 13 CFR § 120.823. Finally, each CDC’s Board must have a director(s) with background and expertise in internal controls (13 CFR § 120.823(a)).

General internal control policies

1: What are “internal control policies” and why do we need them?

Board-adopted internal control policies should: 

  • direct a CDC’s operational objectives and assure that these objectives are efficiently and effectively accomplished:
  • permit a CDC to better direct, monitor, and measure its operations, finances, programs and resources; and
  • establish accountability and guidelines that keep the CDC operating in compliance with SBA Loan Program Requirements.

2: What needs to be included in a CDC’s internal control policies? 

At a minimum, the policies should: 

  • Direct CDC management to assign responsibility for specific internal control functions to an officer or officers of the CDC.

    Internal control functions include financial, credit, credit review, collateral and administrative matters. By assigning the responsibility for each internal control function to a specific officer or officers, the CDC is able to hold each officer accountable for his/her assigned internal control function. The internal control function will be more effective if a named person or position has responsibility for and leads this function.
  • Include procedures for how the CDC will maintain and periodically review the internal control function. 

    A periodic review of each internal control function is essential to ensure compliance with SBA Loan Program Requirements. The review should look at the internal controls currently in place at the CDC and determine whether the existing internal controls continue to ensure compliance.
  • Direct the operation of a program to review and assess the CDC’s 504 loans.

    See, Independent Loan Review Guide for more specific guidance.
  • Must include Board oversight responsibilities under 13 CFR § 120.823, such as oversight for CDC operations, financial oversight, annual reports and certifications.
  • Include a list of monthly reports provided by CDC management for Board review to support adequate Board oversight.
  • Require documentation demonstrating that the internal control policies are fully implemented and followed.
  • Address other control requirements as may be established by SBA.

Internal controls for Board of Director/Committee meetings, reporting, and annual certifications 

1. What should CDCs be recording in the Board/Committee meeting minutes?

A CDC’s Board is required to meet at least quarterly and shall be responsible for the actions of the CDC and any committees established by the Board (13 CFR § 120.823(c)). The Board shall have and exercise all corporate powers and authority and be responsible for all corporate actions and business of the CDC (13 CFR §120.823(d)). A CDC Board is better able to demonstrate transparency and document the decisions of its members when detailed Board records, meeting minutes, and reports are maintained by the CDC. SOP 50 10 requires a CDC to maintain its own financial records including books of account and signed minutes of all meetings of members, directors, executive committees, and other officials. CDC financial reports furnished to SBA must contain complete disclosure of matters relevant to SBA Loan Program Requirements.

Tab 2.A.3. of SBA Form 1253 requires a CDC to include in its Annual Report a list of the following information regarding CDC Board Meetings for the fiscal year covered by the Annual Report: (1) dates of the CDC Board meetings during the fiscal year being reported; (2) names of the Board members present at each meeting, including identifying which of the required areas of expertise the Board member represents; (3) for the present Board members with experience in commercial lending, a list of each member’s name, title, lending institution, and number of years of experience, plus specifying if one is the CDC manager; and (4) a listing of the borrower names (to include loan numbers, if available) of any 504 loans approved during the meeting. Additionally, the CDC is required to provide a complete collection of the Board minutes for each meeting during the reporting period, and the meeting minutes must identify any recusals from voting by any director due to potential or actual conflicts of interest. If the CDC has an Executive Committee or Loan Committee, the same information and all minutes must also be provided.

“Best Practices” for CDC Board of Director and Committee meeting minutes are centered around the accurate and complete recording of the events that take place during these meetings. Meeting minutes should include:

  • The time and date of the meeting;
  • A listing of the members in attendance, absent, and a statement as to whether attendance is in person or on the phone;
  • A detailed description of each of the items of business that are discussed during the meeting;
  • An accounting of motions, votes, and abstentions;
  • An accounting of abstentions for reasons such as a Conflict of Interest with an item pending a vote;

Finally, the Board meeting minutes should be signed and dated by the President and the Secretary of the Board, neither of whom should be an employee of the CDC.

2. What other reports should CDC management be providing to the Board? 

Quarterly, at a minimum, CDC management should present the Board of Directors with:

  • Copies of the required quarterly delinquency reports and quarterly liquidation status reports provided to SBA for the CDC’s 504 loans that are: 60 Days or More Past Due, Delinquent, Deferred, in Catch-up, and in Liquidation (13 CFR § 120.830(f));
  • The CDC’s SBA Lender Portal Report; and
  • Semi-Annual Reports on Portfolio Performance including, but not limited to, reports on Asset Quality (a/k/a “Risk Ratings”) and Industry Concentrations (13 CFR §120.823(d)(8)).

3. What is the CDC Board of Directors Annual Certification?

All members of the CDC’s Board of Directors must annually certify in writing that they have read and understand 13 CFR §120.823, and copies of the certification must be included in the CDC’s Annual Report to SBA.

CDC management must ensure that the certifications included in the CDC’s Annual Report are physically signed by each Board member. Emails are not sufficient evidence of compliance with this requirement.

4. Quorum requirements for Board meetings and for Executive and Loan Committee meetings:

A quorum must be present for a CDC Board to transact business. The quorum shall be set by the CDC but shall be no less than 50% of the voting members of the Board (13 CFR § 120.823(c)(2)).

A quorum of at least 5 voting members must be in attendance for actions of Executive and Loan Committees, if any (13 CFR § 120.823(d)(4)(i) and (ii)).

Best practice components for internal control policy

Board of Directors

  • Responsibilities: C.F.R 120.823
  • Committees (if applicable)
    • Loan
    • Executive
    • Audit
  • Financial audit & independent loan review
  • Executive compensation
  • Budget approval including investment in economic development 

CDC management and officers

  • Responsibility for internal controls
  • Reporting
    • Financial
    • 504 Pipeline
    • Portfolio status
  • Oversight of contractors (LSPs & PSCs)

Policies and procedures

  • Periodic maintenance and review
  • Credit policy (reference)
    • Packaging
    • Underwriting
    • Closing
  • Servicing policy (reference)
    • Regular servicing
    • Intensive servicing/liquidation:
      • Site visits
      • Insurance, collateral, UCC filings, financial statements, property taxes and SBPS scores
  • Loan classification: FFIR (reference)
  • Job creation/retention (reference)
  • Investment in other economic development programs (reference)
Download .pdf
File size: 551KB
Related Programs: Related programs: CDC/504
Last updated November 27, 2017