Incident recovery: Cybersecurity playbook for management #8

11.07.18

All teams experience losing streaks, and all franchise dynasties lose some luster. Nevertheless, the game must go on. What can coaches do? The answer: be prepared, be patient, and be PR savvy. Business managers should keep these three P’s in mind as they read Chapter 8 in BerryDunn’s Cybersecurity Playbook for Management, which highlights how organizations can recover from incidents.

In the last chapter, we discussed incident response. What’s the difference between incident response and incident recovery?

RG: Incident response refers to detecting and identifying an incident—and hopefully eradicating the source or cause of the incident, such as malware. Incident recovery refers to getting things back to normal after an incident. They are different sides of the same resiliency coin.

I know you feel strongly that organizations should have incident response plans. Should organizations also have incident recovery plans?

RG: Absolutely. Have a recovery plan for each type of possible incident. Otherwise, how will your organization know if it has truly recovered from an incident? Having incident recovery plans will also help prevent knee-jerk decisions or reactions that could unintentionally cover up or destroy an incident’s forensic evidence.

In the last chapter, you stated managers and their teams can reference or re-purpose National Institute of Standards and Technology (NIST) special publications when creating incident response plans. Is it safe to assume you also suggest referencing or re-purposing NIST special publications when creating incident recovery plans?

RG: Yes. But keep in mind that incident recovery plans should also mesh with, or reflect, any business impact analyses developed by your organization. This way, you will help ensure that your incident recovery plans prioritize what needs to be recovered first—your organization’s most valuable assets.

That said, I should mention that cybersecurity attacks don’t always target an organization’s most valuable assets. Sometimes, cybersecurity attacks simply raise the “misery index” for a business or group by disrupting a process or knocking a network offline.

Besides having incident recovery plans, what else can managers do to support incident recovery?

RG: Similar to what we discussed in the last chapter, managers should make sure that internal and external communications about the incident and the resulting recovery are consistent, accurate, and within the legal requirements for your business or industry. Thus, having a good incident recovery communication plan is crucial. 

When should managers think about bringing in a third party to help with incident recovery?

RG: That’s a great question. I think this decision really comes down to the confidence you have in your team’s skills and experience. An outside vendor can give you a lot of different perspectives but your internal team knows the business. I think this is one area that it doesn’t hurt to have an outside perspective because it is so important and we often don’t perceive ourselves as the outside world does. 

This decision also depends on the scale of the incident. If your organization is trying to recover from a pretty significant or high-impact breach or outage, you shouldn’t hesitate to call someone. Also, check to see if your organization has cybersecurity insurance. If your organization has cybersecurity insurance, then your insurance company is likely going to tell you whether or not you need to bring in an outside team. Your insurance company will also likely help coordinate outside resources, such as law enforcement and incident recovery teams.

Do you think most organizations should have cybersecurity insurance? 

RG: In this day and age? Yes. But organizations need to understand that, once they sign up for cybersecurity insurance, they’re going to be scrutinized by the insurance company—under the microscope, so to speak—and that they’ll need to take their “cybersecurity health” very seriously.

Organizations need to really pay attention to what they’re paying for. My understanding is that many different types of cybersecurity insurance have very high premiums and deductibles. So, in theory, you could have a $1 million insurance policy, but a $250,000 deductible. And keep in mind that even a simple incident can cost more than $1 million in damages. Not surprisingly, I know of many organizations signing up for $10 million insurance policies. 

How can managers improve internal morale and external reputation during the recovery process?

RG: Well, leadership sets the tone. It’s like in sports—if a coach starts screaming and yelling, then it is likely that the players will start screaming and yelling. So set expectations for measured responses and reactions. 

Check in on a regular basis with your internal security team, or whoever is conducting incident recovery within your organization. Are team members holding up under pressure? Are they tired? Have you pushed them to the point where they are fatigued and making mistakes? The morale of these team members will, in part, dictate the morale of others in the organization.

Another element that can affect morale is—for lack of a better word—idleness resulting from an incident. If you have a department that can’t work due to an incident, and you know that it’s going to take several days to get things back to normal, you may not want department members coming into work and just sitting around. Think about it. At some point, these idle department members are going to grumble and bicker, and eventually affect the wider morale. 

As for improving external reputation? I don’t think it really matters, honestly, because I don’t think most people really, truly care. Why? Because everyone is vulnerable, and attacks happen all the time. At this point in time, cyberattacks seem to be part of the normal course and rhythm of business. Look at all the major breaches that have occurred over the past couple of years. There’s always some immediate, short-term fallout, but there’s been very little long-term fallout. Now, that being said, it is possible for organizations to suffer a prolonged PR crisis after an incident. How do you avoid this? Keep communication consistent—and limit interactions between employees and the general public. One of the worst things that can happen after an incident is for a CEO to say, “Well, we’re not sure what happened,” and then for an employee to tweet exactly what happened. Mixed messages are PR death knells.

Let’s add some context. Can you identify a business or group that, in your opinion, has handled the incident recovery process well?

RG: You know, I can’t, and for a very good reason. If a business or group does a really good job at incident recovery, then the public quickly forgets about the incident—or doesn’t even hear about it in the first place. Conversely, I can identify many businesses or groups that have handled the incident recovery process poorly, typically from a PR perspective.

Any final thoughts about resiliency?

RG: Yes. As you know, over the course of this blog series, I have repeated the idea that IT is not the same as security. These are two different concepts that should be tackled by two different teams—or approached in their appropriate context. Similarly, managers need to remember that resiliency is not an IT process—it’s a business process. You can’t just shove off resiliency responsibilities onto your IT team. As managers, you need to get directly involved with resiliency, just as you need to get directly involved with maturity, capacity, and discovery. 

So, we’ve reached the end of this blog series. Above all else, what do you hope managers will gain from it? 

RG: First, the perspective that to understand your organization’s cybersecurity is to truly understand your organization and its business. And I predict that some managers will be able to immediately improve business processes once they better grasp the cybersecurity environment. Second, the perspective that cybersecurity is ultimately the responsibility of everyone within an organization. Sure, having a dedicated security team is great, but everyone—from the CEO to the intern—plays a part. Third, the perspective that effective cybersecurity is effective communication. A siloed, closed-door approach will not work. And finally, the perspective that cybersecurity is always changing, so that it’s a best practice to keep reading and learning about it. Anyone with questions should feel free to reach out to me directly.

Cybersecurity is the responsibility of all employees and managers: it takes a team

When a breach occurs, people tend to focus on what goes wrong at the technical level and often fail to see that cybersecurity begins at the strategic level. 

BerryDunn’s cybersecurity playbook outlines the activities managers need to take to properly oversee cybersecurity. Read the full series:

  1. Maturity modeling
  2. Selecting and implementing a maturity model
  3. Tapping your internal capacity for better results
  4. External capacity
  5. Discovery
  6. The workflow
  7. Incident response
  8. Incident recovery

Read this if you file taxes with the IRS for yourself or other individuals.

To protect yourself from identity thieves filing fraudulent tax returns in your name, the IRS recommends using Identity Protection PINs. Available to anyone who can verify their identity online, by phone, or in person, these PINs provide extra security against tax fraud related to stolen social security numbers or Tax ID numbers.

According to the Security Summit—a group of experts from the IRS, state tax agencies, and the US tax industry—the IP PIN is the number one security tool currently available to taxpayers from the IRS.

The simplest way to obtain a PIN is on the IRS website’s Get an IP PIN page. There, you can create an account or log in to your existing IRS account and verify your identity by uploading an identity document such as a driver’s license, state ID, or passport. Then, you must take a “selfie” with your phone or your computer’s webcam as the final step in the verification process.

Important things to know about the IRS IP PIN:

  • You must set up the IP PIN yourself; your tax professional cannot set one up on your behalf.
  • Once set up, you should only share the PIN with your trusted tax prep provider.
  • The IP PIN is valid for one calendar year; you must obtain a new IP PIN each year.
  • The IRS will never call, email or text a request for the IP PIN.
  • The 6-digit IP PIN should be entered onto your electronic tax return when prompted by the software product or onto a paper return next to the signature line.

If you cannot verify your identity online, you have options:

  • Taxpayers with an income of $72,000 or less who are unable to verify their identity online can obtain an IP PIN for the next filing season by filing Form 15227. The IRS will validate the taxpayer’s identity through a phone call.
  • Those with an income more than $72,000, or any taxpayer who cannot verify their identity online or by phone, can make an appointment at a Taxpayer Assistance Center and bring a photo ID and an additional identity document to validate their identity. They’ll then receive the IP PIN by US mail within three weeks.
  • For more information about IRS Identity Protection PINs and to get your IP PIN online, visit the IRS website.

If you have questions about your specific situation, please contact our Tax Consulting and Compliance team. We’re here to help.

Article
The IRS Identity Protection PIN: What is it and why do you need one?

Read this if you are at a financial institution with employees working remotely.

Working remotely is not a new concept. Over the past 20 years, technology enhancements have increased the ability for employees to connect remotely and perform many job functions without ever leaving their homes. When the COVID-19 pandemic began in early 2020, working remotely became a necessity for essential businesses like financial institutions to provide safe environments for both employees and customers and remain open.

One of the benefits of an increase in working from home during the pandemic is that it provided financial institutions and other businesses an opportunity to learn how to perform essential job functions and manage teams from a distance. In addition, many organizations experienced indirect benefits, including a more flexible work environment, higher job satisfaction, increased productivity, and improved employee retention. Now that employees are being asked to return to the office, many financial institutions are considering if a permanent work-from-home arrangement is possible. 

What you need to know

For starters, financial institutions need to know where their employees are providing services. Is it across state lines or across the country? What if you have two or more employees who want to work out of state—and they are all different states? What are the tax implications? Are there legal concerns?

Nexus

Nexus is the connection that taxpayers have with a state that permits the state to assess various types of taxes, including income tax. Nexus rules vary from state to state, but generally a business with nexus in a state is required to register with the Secretary of State/Department of Revenue, file tax returns, and pay various taxes to the state. 

Employees working in a "different state" (a state in which income tax returns are not already being filed) may create nexus to that state for tax purposes. Even if your financial institution has only one employee working in a state and otherwise has no other connection to the state, there may be tax implications. Some states have established nexus waivers because of the pandemic, providing relief to some businesses and employees who have temporary work-from-home arrangements. These waivers, however, will soon expire or have expired already.

The following details should be considered before offering out-of-state remote employee work arrangements.

State income tax filing requirements

  • If your financial institution has an employee working remotely from a different state, the financial institution has created physical presence nexus in that state. Once nexus has been established, the financial institution may be subject to state and local income taxes, gross receipts taxes, unique taxes specific to financial institutions, or franchise taxes. When it comes to taxing a financial institution, not all states assess tax in the same manner.
  • After nexus has been established, your financial institution will also need to understand how the state apportions wages in determining income tax liability to the state. One example is a factor approach: total payroll paid to employees working in the state divided by total payroll paid to all employees. In a simplified example, the fraction would be multiplied by taxable income, resulting in the amount of taxable income in that state. One employee in a state is not likely to create a significant income tax liability to the state; however, many states have minimum tax liabilities and other fees—some more significant than others—which should also be considered along with additional administrative costs.

State tax withholding

  • Employees will need to pay personal state income tax based on their primary state of residence as well as the state in which they work. If your financial institution's remote employee is performing most of their work from home in a different state than the financial institution, and travels to the financial institution for occasional meetings or in-person days, this could result in the employee having a personal state income tax liability in both states. It may be necessary for your financial institution to track the employee’s location and properly withhold state income taxes from the employee’s pay based on the state in which the employee is providing services.
  • Failure to properly withhold state income taxes could create a liability for both the employee and the employer, including penalties and interest. Having proper policies in place regarding the responsibility of tracking where employees are performing their work may mitigate these concerns. You should encourage your employees to work with their individual tax advisors on state tax issues, as each employee's tax filing position is unique (we generally advise against providing tax advice to your employees).

Unemployment taxes and workers’ compensation

  • Unemployment is typically paid to the state in which an employee has their permanent place of work. Your financial institution should review the state’s unemployment rules to determine if the financial institution is required to collect and remit unemployment tax to a state in which it has employees. If your employee is working in a different state on a temporary basis or due to the pandemic, we believe there is no need for unemployment to change from the state where the financial institution is located.
  • Workers’ compensation is also typically paid to the state in which the employee is permanently assigned. If the out-of-state work arrangement is temporary, we do not feel you need to change your workers’ compensation. However, if the out-of-state arrangement from home becomes permanent, you may need to change your policy. Some states require employers to have a minimum number of employees in the state before requiring a workers’ compensation policy in that state. We recommend working with BerryDunn’s employee benefits experts on state rules and discussing with your insurance carrier.

Personal property and other taxes

  • Employees working from home are often provided furniture and equipment for their remote office setup. Financial institutions should consider whether they want to provide these items without retaining ownership of the property, as owning property in another state could result in the financial institution needing to file and remit personal property taxes to the state. It also would be considered a best practice to develop a policy that provides consistency among all remote employees, regardless of their location.
  • Sales and use tax implications and other special or unique state and local taxes should be researched and understood prior to entering any state to determine the impact on existing products and services which may be offered to out of state customers who reside or relocate out of state. We will provide more information about the state tax issues related to providing services in a future installment of this state tax series. 

Other considerations

  • We recommend you discuss with your financial institution's attorney regarding the need to file a business license or update the financial institution's charter as these are legal matters. Here are some topics to consider as you have these discussions:
    • Your financial institution may be required to register with the state department of revenue/taxation
    • Registering as a foreign corporation is often necessary to access the legal system
    • Your financial institution may want to consider whether other regulatory licenses may be needed, such as insurance broker or license for trust services
  • Health insurance and other employee benefit plans should be reviewed to ensure that a remote employee eligible to receive benefits still qualifies and receives the same level of coverage that is available to in-state employees. 

In summary, even one employee working out of state could create additional compliance costs and exposure to a state’s laws and regulations. You may be wondering how risky it is to have only one employee located in a state, and how likely is it that the state would make the connection to your out-of-state financial institution.

While the risk may seem low, states are always looking to generate additional tax revenue, and many have the ability to cross check internal systems. Withholding and remitting state income taxes on behalf of an employee is likely going to require your financial institution to register with a state's income tax withholding agency. The state will then be aware of your financial institution’s connection to its state as the financial institution’s EIN will be in the system for payroll purposes. While the exposure may still be low, the state may start looking for an income tax filing and at least payment of minimum tax. Failure to file in a state means that the statute of limitations for the financial institution’s exposure to that state will not start.

The risks shouldn’t necessarily prevent your financial institution from allowing employees to work from home, and as many financial institutions want to offer more flexible work arrangements given what has been learned in recent years, it is possible to minimize tax risk and remain compliant with proper planning and awareness. 

For more information

To discuss your specific tax situation and state compliance risks, please contact the BerryDunn Financial Services team. We’re here to help.

Article
State tax issues impacting your financial institution part one: Remote employees

Read this if you are a Chief Financial Officer or Controller at a financial institution.

Back in April, we wrote about recently released Accounting Standards Update (ASU) No. 2022-02, Financial Instruments – Credit Losses (Topic 326). Here, we are going to look at the standard in more depth. 

One of the most notable items this ASU addresses is that it eliminates the often tedious troubled debt restructuring (TDR) accounting and disclosure requirements. Accounting for loan modifications will now be maintained under extant US generally accepted accounting principles, specifically Accounting Standards Codification (ASC) 310-20-35-9 through 35-11. However, rather than eliminate loan modification disclosure requirements altogether, the Financial Accounting Standards Board (FASB) created some new requirements, inspired by voluntary disclosures many financial institutions made during the coronavirus pandemic.

Rather than disclosing information on TDRs, financial institutions will now be required to disclose information on loan modifications that were in the form of principal forgiveness, an interest rate reduction, an other-than-insignificant payment delay, or a term extension (or a combination thereof) made to debtors experiencing financial difficulty. These disclosures must be made regardless of whether a modification to a debtor experiencing financial difficulty results in a new loan or not. 

ASC 310-10-50-42 through 50-44 establishes these new disclosure requirements, and ASC 310-10-55-12A provides an example of the required disclosures. 

New Loan Modification Disclosure Requirements

Financial institutions have long had internal controls surrounding the determination of TDRs given the impact such restructurings can have on the allowance for credit losses and financial statement disclosures. Banks may find they are able to leverage those controls to satisfy the new modification disclosures, with only minor adjustments. Similar to previous TDR determinations, the above disclosures are only required for modifications to debtors experiencing financial difficulty. Therefore, financial institutions will need to have a process—or defined set of parameters—in place to determine debtor “financial difficulty”, thus triggering the need for modification disclosure. Banks may also find that the specific data gathered for preparation of these new disclosures will change, but should be readily available, with (hopefully) only minor manipulation required.

ASU No. 2022-02 is effective for fiscal years beginning after December 15, 2022, including interim periods within those fiscal years—the same effective date for those who have not yet adopted ASU No. 2016-13, more commonly referred to as CECL (Current Expected Credit Loss). As always, if you have any questions as to how this new ASU may impact your financial institution, please reach out to BerryDunn’s Financial Services team or submit a question via our Ask the Advisor feature.

Article
New loan modification disclosure requirements: A deeper dive

Read this if you are a depository institution.

Environmental, Social, and Governance (ESG) matters are all the rage right now. From new disclosures to personal, professional, investor, and social media pressures, ESG presents itself as a vast topic, encompassing many facets of an organization. It can be daunting to even know where to begin ESG efforts. 

ESG issues seem pervasive and may be best thought of as residing on a spectrum, with some industries further along this spectrum than others. However, each industry can make its own mark, with initiatives that can propel it along the ESG spectrum. Even within one industry, individual organizations may have their own initiatives and areas of focus. Equal importance does not need to be given to the E, the S, and the G, and some industries may be better equipped to address one of these pillars over the others. We would like to share what we believe to be four areas of opportunity for banks as they think about ESG, their customers, and their employees.

Credit decisions

Many financial institutions currently base credit decisions on an array of financial metrics of the prospective borrower. Their reviews include financial forecasts, historical financial results, collateral values, etc., all with the intent of predicting if the prospective borrower will be able to repay the credit. Given the increasing regulatory and social pressure regarding ESG, bankers should be aware of how ESG requirements and industry initiatives could impact a borrower’s financial condition. For instance, consider the following:

  • Where does the prospective borrower reside on the ESG spectrum, collectively and individually (the separate E, the S, and the G spectrums)? 
  • If they are a carbon-intensive company, what additional risks does that pose to the relationship, if any? (E)
    • Are there pending regulations (or fines) that could significantly impact their operations?
    • Although their finances may be strong currently, are there alternative products or services that are seen as “greener” that may jeopardize future profits and cash flows?
    • If the company plans to become less carbon-intensive, either voluntarily or out of necessity, are there significant costs anticipated to be incurred during this transition?
  • Do they have, or anticipate, community investment initiatives? (S)
  • Are they viewed as a reputable company in their respective communities? (S)
  • Is there adequate Board and executive management oversight? (G)

ESG-specific products

Financial institutions can reward borrowers for their stewardship. This concept is not new, as “green bonds” have been around for years to incentivize climate and environmental projects. Some financial institutions, such as TD Bank and Barclays, offer preferred interest rates to ESG-conscious borrowers, such as those that purchase houses that meet certain energy efficiency ratings. Financial institutions could further expand on this idea and offer loans earmarked for certain ESG-related purposes, such as development of low-carbon manufacturing techniques or investment in the company’s workforce. Such products can be a great way to position your financial institution as an ESG leader in the community and assist borrowers on their ESG journey. 

Financial institutions can act as a connector for like-minded parties

Financial institutions are in a unique position, as aside from the borrower themselves, a financial institution likely knows the most about the borrower’s business. Financial institutions may become aware of customers further along their ESG journeys and could help connect those resources to other customers who may want to know and learn more. Customers are increasingly looking for more from their financial institution outside of traditional banking services. Given their unique position, financial institutions are best equipped to act as a connector for like-minded parties. 

Customers and employees may want their supply chain/employer to be ESG conscious

Customers, whether they be individuals or businesses, and employees are increasingly considering the actions of potential vendors and employers before partnering with them. Likely a result of their own ESG mission, customers are starting to realize that, even if they feel as if they are ESG conscious, it is their responsibility to also hold their vendors accountable. Therefore, customers may elect to go to another financial institution that is more ESG conscious even if your financial institution offers a better product. Employees are also factoring this into employment decisions. Employees want to feel as if they are part of a larger mission. Focusing on ESG could give your financial institution a competitive advantage.

When considering ESG matters, some believe they are faced with two mutually exclusive decisions: (1) what makes the most sense financially, and (2) what will propel our organization further along the ESG spectrum? What some leading companies have found, however, is that focusing first on where they lie on the ESG spectrum and defining where they want to be in the future helps clarify future decision-making so that cost and ESG progress are aligned rather than opposing forces. As always, BerryDunn’s Financial Services team is here to help.

Article
Propelling along the ESG spectrum: Four considerations for your financial institution

What the C-Suite should know about CECL and change management

Read this if you are at a financial institution. 

Some institutions are managing CECL implementation as a significant enterprise project, while others have assigned it to just one or two people. While these approaches may yield technical compliance, leadership may find they fail to realize any strategic benefits. In this article, Dan Vogt, Principal in BerryDunn’s Management and IT Consulting Practice, and Susan Weber, Senior Manager and CECL expert in BerryDunn’s Financial Services Practice, outline key actions leaders can take now to ensure CECL adoption success.  

Call it empathy, or just the need to take a break from the tactical and check in on the human experience, but on a recent call, I paused the typical readiness questions to ask, “How’s the mood around CECL adoption – what’s it been like getting others in the organization involved?” The three-word reply was simple, but powerful: “Kicking and screaming.”  

Earlier this year, by a vote of 5-2, the FASB (Financial Accounting Standards Board) closed the door to any further delays to CECL adoption, citing an overarching need to unify the industry under one standard. FASB’s decision also mercifully ended the on-again off-again cycle that has characterized CECL preparation efforts since early 2020. One might think the decision would have resulted in relief. But with so much change in the world over the past few years, is it any wonder institutions are instead feeling change-saturated?  

Organizational change

CECL has been heralded as the most significant change to bank accounting ever, replacing 40+ years of accounting and regulatory oversight practices. But the new standard does much more than that. Implementing CECL has an effect on everything from executive and board strategic discussions to interdepartmental workflows, systems, and controls. The introduction of new methods, data elements, and financial assets has helped usher in new software, processes, and responsibilities that directly affect the work of many people in the organization. CECL isn’t just accounting—it’s organizational change. 

Change management

Change management best practices often focus on leading from optimism—typically leadership and an executive sponsor talk about opportunities and the business reasons for change. As it relates to CECL, this might sound like: by converting to lifetime loss expectations, the institution will be better prepared to weather economic downturns; or, by evolving data and modeling precision, an institution’s understanding and measure of credit risk is enhanced, resulting in more strategic growth, pricing, and risk management.

But leading from optimism is sometimes hard to do because it isn’t always motivating—especially when the change is mandated rather than chosen.  

Perhaps a more judiciously used tactic is to focus on the risk, or potential penalty, of not changing. In the case of CECL, examples might include your external auditor not being able to sign off on your financials (or significant delays in doing so), regulatory criticism, inefficient or ineffective processes, control issues, and tired and frustrated staff. These examples expose the institution to all kinds of key risks: compliance, operational, strategic, and reputational among them.

CECL success and change management

With so much riding on CECL implementation and adoption going well, some organizations may be at heightened risk simply because the effort is being compartmentalized—isolated within a department, or assigned to only one or two people. How effectively leadership connects CECL implementation with tenets of change management, how quickly they understand, then together embrace, promote, and facilitate the related changes affecting people and their work, may prove to be the key factor in achieving success beyond compliance.  

One important step leaders can take is to perform an impact assessment to understand who in the organization is being affected by the transition to CECL, and how. An example of this is below. Identifying the departments and functions that will need to be changed or updated with CECL adoption might expose critical overlaps and reveal important new or enhanced collaborations. Adding in the number of people represented by each group gives leaders insight into the extent of the impact across the institution. By better understanding how these different groups are affected, leaders can work together to more effectively prioritize, identify and remove roadblocks, and support people’s efforts longer term.

 
No matter where your institution is currently in its CECL implementation journey, it is not too late to course-correct. Leadership—unified in priority, message, and understanding—can achieve the type of success that produces efficient sustainable practices, and increases employee resilience and engagement.

For more information, visit the CECL page on our website. If you would like specific answers to questions about your CECL implementation, please visit our Ask the Advisor page to submit your questions. For more tips on documenting your CECL adoption, stay tuned for our next article in the series, revisit past articles, or tune in to our CECL Radio podcast. You can also follow Susan Weber on LinkedIn.

Article
Implementing CECL: Kicking and screaming

Read this if you are a community bank.

The Federal Deposit Insurance Corporation (FDIC) recently issued its first quarter 2022 Quarterly Banking Profile. The report provides financial information based on Call Reports filed by 4,796 FDIC-insured commercial banks and savings institutions. The report also contains a section specific to community bank performance. In first quarter 2022, this section included the financial information of 4,353 FDIC-insured community banks. BerryDunn’s key takeaways from the report are as follows:

Community banks continue to feel the impact of shrinking net interest margins and inflation.

Community bank quarterly net income dropped to $7 billion in first quarter 2022, down $1.1 billion from a year ago. Lower net gains on loan sales and higher noninterest expenses offset growth in net interest income and lower provisions. Net income declined $581.3 million, or 7.7 percent from fourth quarter 2021 primarily because of lower noninterest income and higher noninterest expense.

Loan and lease balances continue to grow in first quarter 2022

Community banks saw a $21.5 billion increase in loan and lease balances from fourth quarter 2021. All major loan categories except commercial & industrial and agricultural production grew year over year, and 55.3 percent of community banks recorded annual loan growth. Total loan and lease balances increased $35.1 billion, or 2.1 percent, from one year ago. Excluding Paycheck Protection Program loans, annual total loan growth would have been 10.2 percent.

Community bank net interest margin (NIM) dropped to 3.11 percent due to strong earning asset growth.

Community bank NIM fell 15 basis points from the year-ago quarter and 10 basis points from fourth quarter 2021. Net interest income growth trailed the pace of earning asset growth. The yield on earning assets fell 28 basis points while the cost of funding earning assets fell 13 basis points from the year-ago quarter. The 0.24 percent average cost of funds was the lowest level on record since Quarterly Banking Profile data collection began in first quarter 1984. 

Community bank allowance for credit losses (ACL) to total loans remained higher than the pre-pandemic level at 1.28 percent, despite declining 4 basis points from the year-ago quarter.


NOTE: The above graph is for all FDIC-Insured Institutions, not just community banks.

The ACL as a percentage of loans 90 days or more past due or in nonaccrual status (coverage ratio) increased to a record high of 236.7 percent. The decline in noncurrent loan balances outpaced the decline in ACL, with the coverage ratio for community banks emerging 57.9 percentage points above the coverage ratio for noncommunity banks. 

The banking landscape continues to be one that is ever-evolving. With interest rates on the rise, banks will find their margins in flux once again. During this transition, banks should look for opportunities to increase loan growth and protect and enhance customer relationships. Inflation has also caused concern not only for banks but also for their customers. This is an opportune time for banks to work with their customers to navigate the current economic environment. Community banks, with their in-depth knowledge of their customers’ financial situations and the local economies served, are in a perfect position to build upon the trust that has already been developed with customers.

As always, please don’t hesitate to reach out to BerryDunn’s Financial Services team if you have any questions.

Article
FDIC issues its First Quarter 2022 Quarterly Banking Profile

Read this if you are interested in GASB updates. 

The Governmental Accounting Standards Board (GASB) issued GASB Statement No. 99, Omnibus 2022 on May 9, 2022. The statement enhances comparability in accounting and financial reporting and improves the consistency of authoritative literature by (1) addressing practice issues that have been identified in previous GASB Statements, and (2) adding guidance on accounting and financial reporting for financial guarantees.

We’ve reviewed the statement in its entirety, and broken down key components for you to know. Here are the highlights.  

Accounting and financial reporting for exchange or exchange-like financial guarantees

A financial guarantee is a guarantee of an obligation of a legally separate entity or individual, including a blended or discretely presented component unit, that requires the guarantor to indemnify a third-party obligation holder under specified conditions, in an exchange or exchange-like transaction.

An entity that extends an exchange or exchange-like financial guarantee should recognize a liability and expense related to the guarantee when qualitative factors and historical data indicate that it is more likely than not that a government will be required to make a payment related to the guarantee.

Statement 99 excludes guarantees related to special assessment debt, financial guarantee contracts within the scope of Statement 53, or guarantees related to conduit debt obligations. 

Certain derivative instruments that are neither hedging derivative instruments nor investment derivative instruments

Derivative instruments that are within the scope of Statement 53, but do not meet the definition of an investment derivative instrument or the definition of a hedging derivative instrument are considered other derivative instruments. These “other derivative instruments” should now be accounted for as follows:

  1. Changes in fair value should be reported on the “resource flows statement” separately from the investment revenue classification.
  2. Information should be disclosed in the notes to financial statements separately from hedging instruments and investment derivative instruments.
  3. Governments should disclose the fair values of derivative instruments that were reclassified from hedging derivative instruments to other derivative instruments. 

Leases

If your entity has leases, please review the following, as Statement 99 clarifies numerous issues from Statement 87. Specifically:

  • Lease terms in paragraph 12 of Statement 87, as they relate to options to terminate and options to purchase the underlying assets, have been clarified;
  • Short-term leases in paragraph 12 of Statement 87 have been clarified as they relate to an option to terminate the lease;
  • Lessee and lessor recognition and measurement for leases other than short-term leases that transfer ownership have been clarified; and
  • Lease incentives in paragraph 61 of Statement 87 have been further defined.

Public-Private and Public-Public Partnerships (PPPs)

If your entity has PPPs, Statement 99 clarifies the following: 

  • PPP terms
  • Receivable for installment payments (transferor recognition)
  • Receivable for the underlying PPP asset (transferor recognition)
  • Liability for installment payments (operator recognition)
  • Deferred outflow of resources (operator recognition)

Subscription-Based Information Technology Arrangements (SBITAs)

Subscription terms and definitions have been clarified, specifically as they relate to options to terminate, short-term SBITAs, and measurement of subscription liabilities.

If your entity has SBITAs, review the provisions of each SBITA to ensure compliance with Statement 99 paragraphs 23–25.

Replacement of LIBOR

Check with your banking institutions to confirm when they have phased out of LIBOR. Confirm with your banking institutions what specifically has replaced LIBOR and update Financial Statement disclosures as needed. 

SNAP

State governments should recognize distributions of benefits from Supplemental Nutrition Assistance Program (SNAP) as a nonexchange transaction. Review Financial Statement disclosure and determine if a disclosure is needed. 

Disclosure of Nonmonetary Transactions

If you engage in one or more nonmonetary transactions during the fiscal year, you will need to disclose, for those transactions, in the notes to the financial statements the measurement attribute(s) applied to the assets transferred, rather than the basis of accounting for those assets.

Pledges of future revenues when resources are not received by the pledging government

When blending the financial statement of a debt-issuing component unit into the financial statements of a primary government pledging revenue for the component unit’s debt, the primary government should reclassify an amount due to the component as an interfund payable and an interfund transfer out simultaneously with the recognition of the revenues that are pledged.

Focus of the government-wide financial statement

Statement 99 reiterates that there should be a total overall government-wide column within the MD&A, Statement of Net Position, and Statement of Activities. This column should exclude all fiduciary activities, including custodial funds. 

Terminology updates

No action is needed. Terminology in previous pronouncements has been updated as it relates to Statements 63 and 53.


Effective dates

The requirements related to the extension of the use of LIBOR, accounting for SNAP distributions, disclosures of nonmonetary transactions, pledges of future revenues by pledging governments, clarification of certain provisions in Statement 34 and terminology updates related to GASB 53 and 63 are effective upon issuance.

The requirements related to leases, PPPs, and SBITAs are effective for fiscal years beginning after June 15, 2022.

The requirements related to financial guarantees and the classification and reporting of derivative instruments within the scope of Statement 53 are effective for fiscal years beginning after June 15, 2023.

Earlier application is encouraged and permitted for all.

If you would like more information regarding Statement 99, please contact our Audits of Governmental Component Units team. We’re here to help.

Article
Key considerations from GASB Statement No. 99 

Read this if you use QuickBooks Online.

With gas prices so high, you need to track your travel costs as closely as possible. Consider getting a tax deduction for your business mileage.

If you drive even a little for business, it’s easy to let mileage costs slide. After all, it’s a pain to keep track of your tax-deductible mileage in a little notebook and do all the calculations required. If you do rack up a lot of business miles, you probably forget to track some trips and end up losing money.

QuickBooks Online offers a much better way. Its Mileage tools include simple fill-in-the-blank records that allow you to document individual trips. You can either enter the starting point and destination and let the site calculate your mileage and deduction or enter the number of miles yourself.

If you use QuickBooks Online’s mobile app, it can track your miles automatically as you drive (as long as you have the correct settings turned on). Here’s a look at how all of this works.

Setting up 

To get started, click the Mileage link in QuickBooks Online’s toolbar. The screen that opens will eventually display a table that contains information about your trips, but you need to do a little setup first. Click the down arrow next to Add Trip in the upper right corner and select Manage vehicles. A panel will slide out from the right. Click Add vehicle.

 
You’ll need to supply information about your vehicles before you can start entering trips.

You’ll need to supply the vehicle’s year, make, and model. Do you own or lease it, and on what date was the vehicle purchased or leased and put into service? Do you want to have your annual mileage calculated by entering odometer readings or have QuickBooks Online track your business miles driven automatically? When you’re done making your selections and entering data, click Save.

Entering trip data

You can download trips as CSV files or import them from Mile IQ, but you’re probably more likely to enter them manually. Click Add Trip in the upper right corner. In the pane that opens, you’ll enter the date of the trip and either the total miles or start and end point. You’ll select the business purpose and vehicle and indicate whether it was a round trip. When you’re done, click Save. The trip will appear in the table on the opening screen, and your current possible total deduction will be in the upper left corner, along with your total business miles and total miles.

If you want to designate a trip as personal, click the box in front of the trip in that table. In the black horizontal box that appears, click the icon that looks like a little person, then click Apply. Now, the trip will appear in the Personal column and will not count toward your business tax-deductible mileage. 

When you select a trip in the Mileage table, you can mark it as personal so it’s not included in your business tax-deductible miles.

Personal trips can count, too

If you use your vehicle(s) for personal as well as business purposes, tracking some of those miles can also mean a tax deduction. For tax year 2022, you can deduct 18 cents per mile for your travel to and from medical appointments. Note: Medical mileage is only deductible if medical expenses exceed a certain percent of AGI. Be sure to check the IRS guidance each year, as the mileage amounts are updated annually.

And if you do volunteer work for a qualified charitable organization, the miles you drive in service of it can be deducted at the rate of 14 cents per mile. You can also claim the cost of parking and tolls, as long as you weren’t reimbursed for any of these expenses. Obviously, the IRS wants you to keep careful records of your charitable mileage, and QuickBooks Online can provide them.

QuickBooks Online doesn’t track these deductions, but you’ll at least have a record of the miles driven.

Auto-track your miles

The easiest way to track your mileage in QuickBooks Online is by using its mobile app. You can launch this and have it record your mileage automatically as you’re driving. Versions are available for both Android and iOS, and they’re different from each other. They also have more features than the browser-based version of QuickBooks Online, like maps, rules, and easier designation of trips as business or personal.

 
The iOS version of Mileage in the QuickBooks Online app

In both versions, you’ll need to click the menu in the lower right corner after you’ve opened the QuickBooks Online app and select Mileage. Make sure Auto-Tracking is turned on. Your phone’s location services tool must be turned on, too. There are other settings that vary between the two operating systems. You can search the help system of either app to make sure you get your settings correct if the onscreen instructions aren’t clear enough.

Of course, you won’t see the fruits of your mileage deductions until you file your 2022 taxes. But you can factor these savings in as you’re doing your tax planning during the year. Please contact the Outsourced Accounting team if you’re having any trouble with QuickBooks Online’s Mileage tools, or if you have questions about other elements of the site.

Article
How QuickBooks Online helps you track mileage