Skip to Main Content

insightsarticles

How our new friend CECL affects bank and branch acquisitions

10.24.16

By now, pretty much everyone in the banking industry has heard plenty of talk about CECL – the forthcoming “Current Expected Credit Loss” model of accounting for an institution’s allowance for loan losses (ALL). While the previous “Incurred Loss” model has been problematic to implement conceptually, and most of us thought CECL would improve ALL accounting and make it more comparable to how banks account for other debt instruments, it’s beginning to feel a bit like the dog who caught the car – now that we have this model, how the heck do we implement it?

The good news: We have a number of years before CECL’s effective date, and thus have some time to better understand the new rules and how to adapt an institution’s ALL model to reflect them. The bad news – the banking regulators recently announced they want banks to get cracking on this, and will expect to see some progress when they visit during upcoming exams – maybe not immediately, but likely at some point during the 2017 exam cycle.

This is the third in a series of articles addressing various aspects of this complex pronouncement. We hope that they provide you with practical advice that can help you get started on the nuts and bolts of CECL implementation.

Our previous article offered pointers on building the CECL team, brainstorming the process, and starting the data gathering conversation. In this article, we look at how to implement CECL when acquiring another bank, one or more branches of another bank, or simply a loan portfolio, such as a group of auto or credit card loans.

First, let’s remember the basics

The basic premise of CECL is that lifetime expected losses are to be booked at origination (or, in the case of an acquisition, at the acquisition date). You’ve likely heard some gnashing of teeth over the fact that this means losses are recorded “on Day One”, which many of us have some degree of conceptual difficulty with: For example, a higher risk loan will likely carry a higher yield at origination, so booking a higher level of expected losses on Day One (through the ALL) and the offsetting higher yield over the loan term (through interest income) feels like a mismatch between income and expense.

The Financial Accounting Standards Board (FASB) was sympathetic to this point, and spent a lot of time pondering it. Its international equivalent, the International Accounting Standards Board (IASB), which establishes – you guessed it – international accounting standards, actually tackled this issue by precluding Day One losses, unless they were expected to materialize within one year of origination (Day 365 losses?).

This approach, however, has led to a fairly convoluted – and challenging – model, which is already drawing a fair amount of criticism in the international community. In the end, although they had hoped to have a “converged” standard that would result in the same approach for U.S. and international institutions, FASB and the IASB decided to part company and use different models.

The short answer? We have to accept the notion of Day One losses as the price to pay for a less convoluted (but still complex to implement) model. This becomes important to remember as we look at accounting for acquisitions.

Accounting for acquisitions

Whether you’re acquiring a pool of loans, a branch, or an entire institution, the basic accounting under CECL is the same, and it’s the same (with a twist) as the accounting for originated loans: an ALL should be established for the purchase price allocated to the loans, and that ALL should reflect management’s estimate of the lifetime losses in the acquired portfolio.

Before we get into the details of how to do this, let’s take a moment to celebrate. Prior to CECL, it was not permissible to establish an initial ALL for acquired loans. Many bankers – and investors – complained that this made it difficult to compare one bank to another on metrics such as ALL coverage ratios. If one bank had a strategy that included acquisitions, and another didn’t, their ALLs would likely be quite different even if their loan portfolios and estimated incurred losses were similar. Now, with the CECL model, these two banks’ financial statements are much easier to compare.

As noted above, an ALL should be established for these loans under CECL, using the same methodology you would use for originated loans. The twist relates to what to do with the other side of the entry. The solution:

  • For loans with a more-than-insignificant amount of credit deterioration since origination, the offset is to add this amount to the amount originally recorded for the purchase price allocated to the loans.
  • For the rest of the acquired portfolio, the offset is to loan loss expense. That’s right, your provision is increased by the amount of ALL recorded in the transaction, except as noted in the previous bullet.

Why is this so? FASB is apparently assuming that:

  • Buyers adjust the purchase price for the first item above. These loans, which we used to call “purchased – credit impaired (PCI)”, and now will call “purchased – credit deteriorated (PCD)” under CECL, are the loans with hair on them. They probably got some extra scrutiny during due diligence, thus theoretically depressing the purchase price a bit. Therefore, the amount of the purchase price allocated to loans is a lower number, and offsetting the establishment of the ALL by adding that amount to the purchase price assigned to the loans properly “grosses up” the recorded loan balance.
  • Buyers don’t adjust the purchase price for other loans. This is probably true, as the lifetime losses on loans that aren’t PCD are just the cost of doing business for financial institutions. Therefore, as it is with originated loans, a big Day One provision is booked at closing.

It should be noted that the extent to which the definition of PCD loans differs from the previous definition of PCI loans depends on your interpretation of the old PCI definition. It appears clear that the new definition of PCD loans refers to loans that have specific indicators of significant credit deterioration since origination.

Let’s look at an example:

A bank buys three branches from another bank, which have total loans with a principal balance of $20 million and a fair value of $20,100,000. The portfolio includes loans with a principal balance of $1 million, and a fair value of $910,000, that are PCD.

The buyer bank determines the ALL under CECL would be $100,000 for the PCD loans and $475,000 for the rest of the acquired portfolio. Thus, the buyer bank records an ALL of $575,000. What’s the offset? As noted above:

  • For the PCD loans, the offsetting $100,000 will be added to the $910,000 of purchase price allocated to those loans. As a result, these loans will have a gross amount allocated of $910,000 plus $100,000, or $1,010,000, which will then be reduced by an ALL of $100,000 on the balance sheet, for a net reported amount of $910,000 (their fair value). The difference between the gross amount assigned ($1,010,000) and the principal balance ($1 million), or $10,000, represents an implied adjustment to reflect current market interest rates, and is therefore amortized over the expected loan term through interest income.
  • For the rest, the offsetting $475,000 will be an increase to the provision for loan losses, and will thus reduce income.

The last number could be a big one for institutions that do large or frequent acquisitions; thus, their balance sheets may be more comparable to other banks, but their income statements in the year of acquisition won’t be! The good news – like other acquisition costs such as legal fees and conversion expenses, this amount will be separately disclosed, so a reader can adjust for it if they believe it’s appropriate to do so.

Next time, we’ll look at the nuts and bolts of CECL’s concept of “reasonable and supportable” by considering proper documentation and controls over the ALL.

Related Industries

Related Services

Consulting

Business Advisory

Related Professionals

Principals

BerryDunn experts and consultants

Read this if you are working with an auditor.

The standard report an auditor issues on an entity’s financial statements was created in 1988, and has only had minor tweaking since. Amazing when we think about how the world has changed since 1988! Back then:

  • The World Wide Web hadn’t been invented
  • The Simpsons wasn’t yet on TV, and neither was Seinfeld
  • The Berlin Wall was still standing
  • The Single Audit Act celebrated its fourth birthday

The Auditing Standards Board (ASB), an independent board of the American Institute of CPAs (AICPA) that establishes auditing rules for not-for-profit organizations (as well as private company and federal, state, and local governmental entities) has decided it was high time to revisit the auditor’s report, and update it to provide additional information about the audit process that stakeholders have been requesting.

In addition to serving as BerryDunn’s quality assurance principal for the past 23 years, I’ve been serving on the ASB since January 2017, and as chair since May 2020. (And thanks to the pandemic our meetings during my tenure as chair have been conducted from my dining room table.)  We thought you might be interested in a high-level overview of the coming changes to the auditor’s report, which will be effective starting with calendar 2021 audits, from an insider’s perspective.

So what’s changing?

The most significant changes you’ll be seeing, based on feedback from various users of auditor’s reports, are:

  1. Opinion first
    The opinion in an audit report is the auditor’s conclusion as to whether the financial statements are in accordance with the applicable accounting standards, in all material respects. People told us this is the most important part of the report, so we’ve moved it to the first section of the report.
  2. Auditor’s ethical responsibilities
    We’ve pointed out that an auditor is required to be independent of the organization being audited, and to meet certain other ethical responsibilities in the conduct of the audit.
  3. “Going concern” responsibilities
    We describe management’s responsibility, under U.S. generally accepted accounting principles, and the auditor’s responsibility, under the auditing rules, for determining whether “substantial doubt” exists about the organization’s ability to continue in existence for at least one year following the date the financial statements are approved for issuance.
  4. Emphasis on professional judgment and professional skepticism
    We explain how an audit requires the auditor to exercise professional judgment (for example, regarding how much testing to perform), and to maintain professional skepticism, i.e., a questioning mind that is alert to the possibility the financial statements may be materially misstated, whether due to error or fraud.
  5. Communications with the board of directors
    We point out that the auditor is required to communicate certain matters to the board, such as difficulties encountered during the audit, material adjustments identified during the audit process, and which areas the auditor treated as “significant risks” in planning and performing the audit.
  6. Responsibility related to the “annual report”
    If the organization issues an “annual report” containing or referring to the audited financial statements, we explain the auditor is required to review it for consistency with the financial statements, and for any known misstatements of fact.
  7. Discussion of “key audit matters”
    While not required, your organization may request the auditor to discuss how certain “key audit matters” (those most significant to the audit) were addressed as part of the audit process. These are similar to the “critical audit matters” publicly traded company auditor’s reports are now required to include.

Yes, this means the auditor’s report will be longer; however, stakeholders told us inclusion of this information will make it more informative, and useful, for them.

Uniform Guidance standards also changing

Is your organization required to have a compliance audit under the federal Uniform Guidance standards? That report is also changing to reflect the items listed above to the extent they’re relevant.

What should you do?

Some actions to consider as you get ready for the first audit to which the new report applies (calendar 2021, or fiscal years ending in 2022) include:

  1. Ask your auditor what your organization’s auditor’s report will look like
    Your auditor can provide examples of auditor’s reports under the new rules, or even draft a pro forma auditor’s report for your organization (subject, of course, to the results of the audit).
  2. Outline and communicate your process for developing your annual report
    If your organization prepares an annual report, it will be important to coordinate its timing with that of the issuance of the auditor’s report, due to the auditor’s new reporting responsibility related to the annual report.
  3. Discuss with your board whether you would like the auditor to include a discussion of “key audit matters” in the auditor’s report
    While not required for not-for-profits, some organizations may decide to request the auditor include a discussion of such matters in the report, from the standpoint of transparency “best practices.”

If you have any questions about the new auditor’s report or your specific situation, please contact us. We’re here to help.
 

Article
A new auditor's report: Seven changes to know

On June 16th the FASB issued the final standard for credit losses. We’ve analyzed the new standard and pulled together some key items you’ll need to know:

It looks like you should be able to implement CECL without purchasing expensive third-party models, if your institution is able to get adequate historical data from your core system and has the personnel available to crunch the numbers. Following is one approach that should pass muster with regulators (and, hopefully, the PCAOB):

  1. Determine loans for which specific reserves are appropriate, much as you are currently doing. The notion of “impaired” loans goes away; a loan should be evaluated specifically if the institution becomes aware of loan-specific information indicating it has an exposure to loss that differs from other loans it would otherwise be pooled with. In practice, we think that’ll be largely the same loans that are currently being identified as impaired.
  2. For the rest of the portfolio: Group loans by common characteristics – same as you’re doing now.
    1. For each group, create subgroups for each origination year. It looks like current year and previous four years are the critical ones to focus on; anything older than five years could probably be lumped together.
    2. For each subgroup, establish economic and other relevant conditions for the average term of loans in the subgroup. This includes actual conditions from year of origination to the present, forecasted conditions for the near future, and long-term historical conditions for the remaining average loan term
      • Select an historical loss period that best approximates the conditions established in (b) above.
      • Determine average lifetime chargeoffs for that historical loss period for each loan type
      • Adjust that average for any current or expected conditions that you believe are different from this historical data.  Such adjustments should be based on the institution’s chargeoff experience when similar conditions occurred in the past.  An example might be an actual or expected decline in real estate values that you believe is more pronounced than in the historical loss period chosen.

While not specifically mentioned in the guidance, we believe a modest unallocated allowance is still supportable, especially since imprecision is certainly higher when factoring in expected losses in addition to incurred losses.
 

Other points that caught our eye:

  1. The guidance applies to purchased loans with credit deterioration, as well as originated loans. That will create more comparability in terms of the allowance as a % of loans for institutions that have done acquisitions vs. those who haven’t. An interesting twist, though – for acquired loans that have experienced a more-than-insignificant deterioration in credit quality since origination, the allowance established is simply an adjustment to (ultimately) the premium or discount, while for other loans acquired in the transaction, an allowance is established with an offset to loan loss expense at acquisition
  2. The guidance applies to held-to-maturity debt securities, and there’s specific guidance that affects the accounting for available-for-sale debt securities as well. These will likely only come into play for institutions with private-label mortgage-backed securities and/or corporate bonds. However, some of the CECL disclosure requirements apply to securities as well; in particular, the one that caught our eye was the requirement in ASC 326-20-50-5 to disclose credit quality indicators (e.g., S&P ratings) for securities as well as loans.
  3. Surprisingly, you continue to assume no change in future interest rates for purposes of establishing expected credit losses for specific variable rate loans. We think FASB may have missed the boat on this one, as resetting ARMs were one of the factors that led to the 2008 crisis that CECL is intended to be responsive to.
  4. There will obviously be much, much more dialogue about these new rules, and we’ll need to begin the process of helping you understand them and prepare for implementation sooner rather than later.

Please call us if you have any questions.

Article
Current Expected Credit Loss (CECL) final standard: Update

When last we blogged about the Financial Accounting Standards Board’s (FASB) new “current expected credit losses” (CECL) model for estimating an allowance for loan and lease losses (ALLL), we reviewed the process for developing reasonable and supportable forecasts for use in establishing the ALLL. Once you develop those forecasts, how does that information translate into amounts to set aside for loan losses?

A portion of the ALLL will continue to be based on specifically identified loans you’re concerned about. For those loans, you will continue to establish a specific component of the ALLL based on your estimate of the loss ultimately expected on the loans.

The tricky part, of course, is estimating an ALLL for the other 99% of the loan portfolio. This is where the forecasts come in. The new rules do not prescribe a particular methodology, and banking regulators have indicated community banks will likely be able to continue with their current approach, adjusted to use appropriate inputs in a manner that complies with the CECL model. One of the biggest challenges is the expectation in CECL that the ALLL will be estimated using the institution’s historical information, to the extent available and relevant.

Following is just one of many ways  you can approach it. I’ve also included a link at the end of this article to an example illustrating this approach.

Step One: Historical Loss Factors

  1. First, for a given subset of the loan portfolio (e.g., the residential loan pool), you might first break down the portfolio by the number of years remaining until expected payoff (via maturity or refinancing). This is important because, on average, a loan with seven years remaining until expected payoff will have a higher level of remaining lifetime losses than a loan with one year remaining. It therefore generally wouldn’t be appropriate to use the same loss factor for both loans.
     
  2. Next, decide on a set of drivers that tend to correlate with loan losses over time. FASB has indicated it doesn’t expect highly mathematical correlation models will be necessary, especially for community banks. Instead, select factors in your bank’s experience indicative of future losses. These may include:
    • External factors, such as GDP growth, unemployment rates, and housing prices
    • Internal factors such as delinquency rates, classified asset ratios, and the percentage of loans in the portfolio for which certain policy exceptions (e.g., loan-to-value ratio or minimum credit score) were granted
       
  3. Once you select this set of drivers, find an historical loss period — a period of years corresponding to the estimated remaining life of the portfolio in question — where the historical drivers best approximate those you’re expecting in the future, based on your forecasts. For that historical loss period, determine the lifetime remaining loss rates of the loans outstanding at the beginning of that period, broken down by the number of years remaining until payoff. (This may require significant data mining, especially if that historical loss period was quite a few years ago.
     
  4. Apply those loss rates to the breakdown derived in (a) above, by years remaining until maturity.

    Step Two: Adjustments to Historical Loss Rates

    The CECL model requires we adjust historical loss factors for conditions that may not be adequately captured by the historical loss period analysis we’ve just described. Let’s say a particular geographical subset of your market area is significantly affected by the economic fortunes of a large employer in that area.  Based on economic trends or recent developments, you might expect that employer to have a particularly bright – or dim – future over the forecast period; accordingly, you forecast loans to borrowers in that area will have losses that differ significantly from the rest of the portfolio.

    The approach for these loans is the same as in the previous step. However:

    These loans would be segregated from the remainder of the portfolio, which would be subject to the general approach in step one. As you think through this approach, there are myriad variations and many decisions to make, such as:

    Our intent in describing this methodology is to help your CECL implementation team start the dialogue in terms of converting theoretical concepts in the CECL model to actual loans and historical experience.

    To facilitate that discussion, we’ve included a very simple example here that illustrates the steps described above. Analyzing an entire loan portfolio under the CECL model is an exponentially more complex process, but the concepts are the same — forecasting future conditions, and establishing an ALLL based on the bank’s (or, when necessary, peers’) lifetime loan loss experience under similar historical conditions.

    Given the amount of number crunching and analysis necessary, and the potentially significant increase in the ALLL that may result from a lifetime-of-loan loss model, it’s safe to say the time to start is now! If you have any questions about CECL implementation, please contact Tracy Harding or Rob Smalley.

    Other resources
    For more information on CECL, check out our other blogs:

    CECL: Where to Start
    CECL: Bank and Branch Acquisitions
    CECL: Reasonable and Supportable

    To sign up to receive notification of our next CECL update, click here.

    • In substep (c), you would focus on forecasted conditions (such as unemployment rate and changes in real estate values) in the geographical area in which the significant employer is located.
    • You would then select an historical loss period that had actual conditions for that area that best correspond to those you’ve just forecasted.
    • In substep (d), you would determine the lifetime remaining loss rates of loans outstanding at the beginning of that period.
    • In substep (e), you would apply those rates to loans in that geographic area.
    • How to break down the portfolio
    • Which conditions to analyze
    • How to analyze the conditions for correlation with historical loss periods
    • Which resulting loss factors to apply to which loans
Article
CECL implementation: So, you've developed reasonable and supportable forecasts — now what?

The Ramifications of Fraud and How You Can Prevent it

Welcome to part two of our article on nonprofit fraud. If you missed our first installment, you can read it here.

You’ve just become aware of a fraud that has occurred at a nonprofit in your community. As someone who cares about the community and the nonprofit sector, you start to wonder, “What is going to happen to that organization”?

While the ramifications can differ in each case, they probably will include some, if not all, of the following:

  • The board and management will want to understand how the fraud happened, and what management is doing to prevent it from ever happening again.
  • The community is going to look to the board for answers, and wonder why the organization didn’t have controls in place to prevent the fraud.
  • Management will be expected to explain to the board where the breakdown in controls occurred that allowed the employee to steal from the organization.
  • The board knows it has a fiduciary duty to oversee the organization and its internal controls and assets. They aren’t sure what they should have done differently, given that they’re volunteers doing this community service in addition to their “day jobs.”
  • The board and management will want to reach out to donors to assure them that their contributions to the organization are going to be recovered if possible, and that controls are being improved to help safeguard future gifts.

This organization could potentially lose major donors if they believe there are not enough controls in place to ensure their dollars are being spent according to their wishes. If enough donors are negatively affected by this event and choose not to support the organization, its very survival may be at stake, thus impacting those in the community the entity serves.

Management will now have to divert time and other resources not only to implement stronger internal controls to help ensure this does not happen again, but also to reassure the board and the public that the organization is well protected to prevent future fraud.

Fraud can be extremely costly to an organization, not only from a financial perspective, as often the organization will not recover the stolen funds, but also from the loss of an organization’s reputation as a trusted charity. This can be even more devastating. The organization may never recover in the public’s eye, risking their relationships with not only their long-time donors but also new and future donors.

What can you do?

So, what can you do to help prevent fraud from recurring, or to detect it quickly if it does? Here is a simple, yet effective three-step process:

  1. Consider the risks of fraud and determine where it is more likely to occur.
  2. Look closely at the internal controls the organization currently has in place and determine whether they address these risks sufficiently.
  3. Identify gaps where controls are inadequate, and identify controls to be put in place where they are most needed.

Organizations can also consult their auditors to seek advice and guidance on how to implement these very important internal controls. It may be prudent to review previous audits to see if auditors have brought risks to management’s and the board’s attention, and if they provided recommendations on how to improve their current control structure.

The silver lining? The board and management now have a keener sense of the risks of fraud in the nonprofit environment, which should contribute to an engaged dialogue among the board, management and the auditors about how to develop and implement cost-effective controls that protect the organization’s assets.

As part of the audit, the auditors may point out one or more shortcomings in controls that they believe constitute a “material weakness.” While that may sound ominous, it merely means (in auditing jargon) a situation involving a reasonable possibility of a material misstatement of the financial statements. Auditors tend to set the bar low when it comes to classifying deficiencies that create fraud risks as material weaknesses, for the simple fact that users of the financial statements (donors, lenders, other funders) tend to have a lower materiality threshold with respect to misstatements caused by theft.

It is also important to remember that control deficiencies noted in previous audits that may not have been considered material weaknesses in the past may be considered that way today, as expectations of management’s actions regarding fraud prevention and detection go up every time a nonprofit fraud incident hits the media.

Every organization that has more than one person (including board members) associated with it has the opportunity to segregate incompatible duties at some level to help protect assets. At times, organizations don’t have such segregation in place, but instead have implemented compensating controls, such as detailed review of monthly financial statements by the appropriate level of management and/or the board. If this is the case, the organization should ask itself the following questions in order to avoid over-relying on this compensating control:

  • How does this compensating control work? Who reviews the financials, what is their experience level, and how do they document their review to confirm that it’s being done?
  • How often do you question expenditures, and are these questions and their answers evaluated and documented? It is important to remember here that a fraudster would be working hard to escape detection by this compensating control.
  • If the compensating control is a detailed review compared to budget:
    • Who is involved in building the budget?
    • What are the controls that would protect against a fraudster building their theft into budgeted expense line items?

Take a proactive fraud risk assessment and response like the one described here to give you reasonable comfort proper controls are in place to prevent and/or detect fraud. This isn’t about being paranoid – it’s simply a matter of prudently carrying out your fiduciary and management responsibilities to protect the organization you feel so strongly about.

Remember, the one characteristic that every financial theft in history shares—someone was trusted at some point.

Article
The ramifications of fraud and how you can prevent it

It’s Monday morning. You grab a cup of coffee and flip on the local morning news before you get ready for work. The lead story catches your attention “Local Accounts Payable Manager Steals Thousands.” Based on your experience as a board member of a nonprofit organization and the prior fraud you’ve heard about in the community, three things come into your mind:

  1. The fraud involves either a nonprofit organization or local government.
  2. The Board will come out and say how shocked they are – Fred has been here forever, and we trusted him!
  3. The Board will state they have now put in place proper controls to ensure this will never happen again.

And you may be close to the mark. Nonprofits and governmental organizations often have a higher risk of fraudulent behavior and theft due to their limited resources and ability to implement strict fraud prevention controls. What makes these organizations so susceptible?

  • They frequently run on tight or breakeven budgets, which means they have difficulty hiring enough people to implement strict internal controls.
  • They often have a salary structure that is lower than that of for-profit companies, creating incentive for employees to commit theft in order to make ends meet.
  • They are sometimes targeted by unscrupulous individuals who know that they likely lack the resources available to stop them.

In addition, nonprofits often seek to hire people who believe in the mission. While this can lead to tireless, dedicated employees, certain side effects of this approach may come into play and increase the risk of theft. For example:

  • The passion for, and shared commitment to, the mission at many nonprofits give rise to a culture of trust. This culture of trust may cause the organization to be less likely to implement checks and balances critical to sound internal controls.
  • New employees are sometimes drawn to a specific nonprofit organization because they have experienced some of the challenges which the organization was formed to address. Working for the organization may help them in some ways, but it may also create more financial strain for them or family members, increasing the chances of them committing illegal acts.

There are three elements that must be present for fraud to occur. These are the three sides of what is collectively called the fraud triangle: opportunity, incentive, and rationalization.

  • Opportunity: an employee working at a nonprofit may have opportunity if they are a trusted employee and resources are limited, causing the internal controls to be less robust than they should be.
  • Incentive: the incentive is in place when an employee, as mentioned above, has unexpected events happen in their life that may pressure them into committing fraud.
  • Rationalization: the employee rationalizes that they need the money for their family to survive. This often starts as “I’ll just borrow the money until payday”. Unfortunately, payday arrives and the funds aren’t available to be repaid; in fact, they need to “borrow” just a little more.

Let’s be clear, though – many nonprofits, regardless of size, have appropriately designed and implemented controls that properly protect the organization from the risks of fraud.

Soon we’ll look further at the ramifications frauds can have for nonprofits and how any organization—even small nonprofits, can put certain internal controls in place, to reduce the chances they’ll be the next organization in the headline story of the morning news.

Article
Fraud – why it can happen to you and what to know when It does

I have to say, accountants have really been taking some uncalled-for heat for causing the 2008 financial crisis. I understand the need to identify scapegoats, but when people hire mortgage brokers to originate bad loans, sell interests in those bad loans to investors, and insure it all through AIG, is it really the accountants’ fault when those loans go bad? And if the federal bank examiners missed the fact that Fannie Mae and Freddie Mac were engaged in such shenanigans, what hope do we have of being able to adequately apprise investors of such details via financial statement disclosures?

Undaunted, FASB has taken a shot at developing new requirements for banks to report information in their financial statement footnotes about their exposure to liquidity and interest rate risk. I understand the pressure FASB is under, I really do. There’s something called the Group of Twenty, consisting of the top finance officials from the 20 largest industrialized countries, that’s been pressuring FASB to improve accounting rules in a manner that will somehow prevent future financial meltdowns. To me, the Group of Twenty sounds uncomfortably similar to the Gang of Four, which ran China with an iron fist back in the Sixties and Seventies, so, if I were FASB, this group would make me nervous, too.

On the surface, it seems reasonable to expect that more information about liquidity and interest rate risk experienced by banks would be a good thing, as these are probably the two risks you hear about most when banks fail. Dig deeper, though, and two points about these new proposed disclosures become apparent:

  1. Most of this information is already available to users, through SEC and bank regulatory filings.
  2. To the extent it isn’t, that’s because no one uses the information, not even management of the banks!

It would be interesting to look back at some of the banks that failed during the recent recession, identify which of the proposed disclosures weren’t already available to investors and regulators, and decide whether anyone would have reacted differently if they were. Or was it simply the case that bad business decisions were made, and, when that happens, companies go under? And when recessions hit, sometimes banks fail?

I remember a TV interview during the height of the 2008 crisis, in which the focus was on blaming stock analysts (they hadn’t gotten around to accountants yet). The interviewer asked, “How many stock analysts do we have to hang on Wall Street before they all get the message?” The expert he was interviewing said, “Probably just one.” I’m guessing that holds true for accountants, too. There are already rules in place to disclose significant risks, concentrations, obligations of the institution, and the like. If Lehman Brothers and AIG don’t follow them, appropriate sanctions (I’m not advocating hanging, mind you) should follow; we can pass more rules, but if they didn’t comply with the existing rules, what makes us think they’ll follow the new ones?

If you have questions, please reach out to Tyler Butler or Tracy Harding.

Article
The silver bullet for future financial crises–More footnotes!

Read this if you are a financial institution with income tax credit investments.

Financial institutions and other businesses that participate in tax credit investments designed to incentivize projects that produce social, economic, or environmental benefits could benefit from proposed rules that simplify the accounting treatment of such investments and result in a clearer picture of how these investments impact their bottom lines.

FASB proposal

On August 22, 2022, the Financial Accounting Standards Board (FASB), issued a proposal that would broaden the application of the accounting method currently available to account for investments in low-income housing tax credit (LIHTC) programs to other equity investments used to generate income tax credits. The proposal, titled “Investments – Equity Method and Joint Ventures (Topic 323): Accounting for Investments in Tax Credit Structures Using the Proportional Amortization Method”, would expand the eligibility of the proportional amortization method of accounting beyond LIHTC programs to other tax credit structures that meet certain eligibility criteria.  

FASB introduced the option to apply the proportional amortization method to account for investments made primarily for the purpose of receiving income tax credits and other income tax benefits in ASU 2014-01. However, the guidance limited the proportional amortization method to investments in LIHTC structures.

The proportional amortization method is a simplified approach for accounting for LIHTC investments in which the initial cost of the investment is amortized in proportion to the income tax credits and other benefits received (allocable share of depreciation deductions). The cost basis amortization and income tax credits received are presented net on the investor’s income statement as a component of income tax expense (benefit). Under existing guidance, investments in non-LIHTC projects are accounted for using either the equity method or cost method, depending on certain factors. 

The proposal aims to address the concerns that the equity and cost methods do not offer a fair representation of the economic characteristics for investments for which returns are primarily related to federal income tax credits. Supporters of the proposal argue that the accounting method applied should not be determined by the legislative program under which the tax credits are authorized, but instead by the economic intent under which the investment was made. The hope is the FASB proposal will create a heightened sense of uniformity in accounting for investments in income tax credit structures. 

Additional provisions

Other provisions within the proposal would require a reporting entity to “make an accounting policy election to apply the proportional amortization method on a tax-credit-program-by-tax-credit-program basis” and disclose the nature of its tax equity investments and the impact on its financial position and results of operations. 

The significance of this proposal is amplified by the uptick in tax credit programs in recent years, including the New Markets Tax Credit (NMTC), Historic Rehabilitation Tax Credit (HTC), and Renewable Energy Tax Credit (RETC). While the FASB has yet to declare an effective date for the implementation of the proposal, comment letters from stakeholders were due October 6, 2022. 

For more information

To discuss the impact this new accounting pronouncement may have on your financial institution, please contact the BerryDunn Financial Services team. We’re here to help.

Article
FASB proposes changes to accounting for income tax credits

On November 8, 2022, Massachusetts voters approved a constitutional amendment to alter the state’s flat 5% income tax to add a 4% surtax on annual income exceeding $1 million. The so-called “millionaires tax,” also referred to as the “Fair Share Amendment,” is effective for tax years beginning on or after Jan. 1, 2023. The annual income level subject to the surtax would be adjusted yearly to reflect increases in the cost of living.

This measure is expected to bring in revenue of between $1.2 and $2 billion annually. The proceeds from the increased tax collections will support state budgets in the areas of education, roads, bridges, and public transportation. The measure passed with 52% voter support and is the sixth attempt to change the state’s flat income tax rate since 1962. This amendment is expected to affect about 0.6% of the state’s population, or about 20,000 taxpayers.

If you expect your income to exceed $1 million in 2023 and have questions regarding the recent legislation, please contact a member of our state and local tax team.

Article
Massachusetts voters pass "Millionaires tax"

Read this if you are responsible for cybersecurity or are a member of a board of directors.

The board’s role in the oversight of organizational risk is increasingly complicated by cybersecurity concerns. Cybersecurity risk is pervasive and will affect companies in a variety of ways. The responsibility for detailed cyber risk oversight within the board should be well documented and communicated, and may often touch various committees across the board, including but not limited to risk, audit, and compliance. With the increasing complexity surrounding cybersecurity, it is also important for the board to evaluate existing experience and skills, identify gaps, and address those gaps through succession planning or leveraging advisors.

Additionally, all directors need to maintain continual knowledge about evolving cyber issues and management’s plans for allocating resources with respect to the preparedness in responding to cyber risks. Such knowledge helps boards assess the priority-driven and investment decisions put forth by management needed in critical areas.

Here are some critical questions that boards and management should be considering with respect to mitigating cyber security risk for their organizations. They may be useful as a starting point for boards to use in their discussions and as a guide when looking at their oversight of management’s plans for addressing potential cyber risks.

General

  • What is the threat profile and risk tolerance of our organization based on our business model and the type of data our organization holds?
  • Is the cyber risk management plan documented, including the identification, protection, and disposal of data?
  • Has the cyber risk management plan been tested?
  • Does our organization’s cybersecurity strategy align with our threat profile and risk tolerance?
  • Is our cybersecurity risk viewed as an enterprise-wide issue and incorporated into our overall risk identification, management, and mitigation process?
  • What percentage of our IT budget is dedicated to cybersecurity?
  • Does that allocation conform to industry standards?
  • Is it adequate based on our threat profile?
  • What are stakeholder demands and priorities for cybersecurity? Data privacy? Data governance? What interactions has the company or board had with shareholders regarding cybersecurity?
  • What is the interaction model between senior management and the board for communications regarding cybersecurity?
  • Has the regulatory focus on the board’s cybersecurity responsibility been increasing? If so, what is driving that focus?

Board cybersecurity oversight

  • How is oversight of cybersecurity structured (committee vs. full board) and why? Is this structure well documented in the appropriate governance charters?
  • Is cybersecurity an area considered and reported as a director competency? If so, have skill/experience gaps been identified together with plans to resolve those gaps?
  • Is there a cybersecurity expert on the board?

Overall cybersecurity strategy

  • Does the board play an active part in determining an organization’s cybersecurity strategy?
  • What are the key elements of a good cybersecurity strategy?
  • Is the organization’s cybersecurity preparedness receiving the appropriate level of time and attention from management and the board (or appropriate board committee)?
  • How do management and the board (or appropriate board committee) make this process part of the organization’s enterprise-wide governance framework?
  • How do management and the board (or appropriate board committee) support improvements to the organization’s process for conducting a cybersecurity assessment?

Risk assessment: risk profile

  • What are the potential cyber threats to the organization?
  • Who is responsible for management oversight of cyber risk?
  • Has a formal cyber assessment been performed? Does it need to be updated?
  • Do management and the board understand the organization’s vulnerabilities and how it may be targeted for cyber-attacks?
  • What do the results of the cybersecurity assessment mean to the organization as it looks at its overall risk profile?
  • Is management regularly updating the organization’s inherent risk profile to reflect changes in activities, services, and products?

Risk assessment: cyber maturity oversight

  • Who is accountable for assessing, managing, and monitoring the risks posed by changes to the business strategy or technology and are those individuals empowered to carry out those responsibilities?
  • Is there someone dedicated full-time to our cybersecurity mission and function, such as a Chief Information Security Officer (CISO)?
  • Is our cybersecurity function properly aligned within the organization? (Aligning the CISO under the CIO may not always be the best model as it may present a conflict. Many organizations align this function under the risk, compliance, audit, or legal functions, while others with a direct or “dotted line” reporting to the CEO.)
  • Do the inherent risk profile and cybersecurity maturity levels meet risk management expectations from management, the board, and shareholders? If there is misalignment, what are the proposed plans to bring them into alignment?

 Cybersecurity controls

  • Do the organization’s policies and procedures demonstrate management’s commitment to sustaining appropriate cybersecurity maturity levels?
  • What is the ongoing practice for gathering, monitoring, analyzing, and reporting risks?
  • How effective are the organization’s risk management activities and controls identified in the assessment?
  • Are there more efficient or effective means for achieving or improving the organization’s risk management and control objectives?
  • Are there controls in place to ensure adequate, accurate and timely reporting of cybersecurity related content?
  • How does the company remain apprised of laws and regulations and ensure compliance?
  • What cloud services does our organization use and how risky are they?
  • How are we protecting sensitive data?

Threat intelligence and collaboration

  • What is the process for gathering and validating inherent risk profile and cybersecurity maturity information?
  • Does our organization share threat intelligence with law enforcement?
  • What third parties does the organization rely on to support critical activities and does the organization regularly audit their level of access?
  • What is the process to oversee third parties and understand their inherent risks and cybersecurity maturity?

Cybersecurity metrics

  • Have we defined appropriate cybersecurity metrics, the format, and who should be reporting to the board?
  • How regularly should a board obtain IT metric information?
  • Is the information meaningful in a way that invokes a reaction and provides a clear understanding of the level of risk willing to be accepted, transferred, or mitigated?
  • How is the board actively monitoring progress or lack of progress and holding management accountable?

Cyber incident management and resilience

  • How does management validate the type and volume of cyber-attacks?
  • Does the organization have a comprehensive cyber incident response and recovery plan? Does it involve all key stakeholders—both internal and external? Does it include a business disaster recovery communication process?
  • How does an incident response and recovery plan fit into the overall cybersecurity strategy?
  • Is the board’s response role clearly defined?
  • Is the cyber incident response reviewed and rehearsed at least annually? Do rehearsals include cyber incident exercises?
  • Is there a culture of cyber awareness and reporting at all levels of the company?
  • Is the company adequately insured and is coverage reviewed at least annually?

Cybersecurity education

  • How does the board remain current on cybersecurity developments in the market and the regulatory environment?
  • Currently, how does the board evaluate directors' knowledge of the current cyber environment and cybersecurity issues impacting their organizations?
  • Do boards currently have the skill sets necessary to adequately oversee cybersecurity? How is the board identifying and evaluating the necessary director skills and experience in this area?
  • Are directors provided with educational opportunities in this area?
  • Is regular cybersecurity education provided to the entire organization?

Cybersecurity disclosure

  • Has oversight of cybersecurity reporting been defined for management and the board?
  • Are company policies and procedures to identify and manage cybersecurity risk, management’s role in implementing cybersecurity policies and procedures, board of directors’ cybersecurity expertise and its oversight of cybersecurity risk, being included within the financial statement and proxy disclosures?
  • Does the company have a mechanism for timely reporting of material cybersecurity incidents?
  • Have updates about previously reported material cybersecurity threats and incidents been included in the financial statements?

If you have any questions about cybersecurity programs, communicating with your board about cybersecurity, or have a specific question about your company or organization, please contact our IT security experts. We're here to help. 

Article
Board oversight of cybersecurity: Questions to ask