Skip to Main Content

insightsarticles

Tapping your internal capacity for better results: Cybersecurity playbook for management #3

01.31.18

It may be hard to believe some seasons, but every professional sports team currently has the necessary resources — talent, plays, and equipment — to win. The challenge is to identify and leverage them for maximum benefit. And every organization has the necessary resources to improve its cybersecurity. Chapter 3 in BerryDunn’s Cybersecurity Playbook for Management looks at how managers can best identify and leverage these resources, known collectively as internal capacity.

The previous two chapters focused on using maturity models to improve an organization’s cybersecurity. The next two are about capacity. What is the difference, and connection, between maturity and capacity, and why is it important? 
RG: Maturity refers to the “as is” state of an organization’s cybersecurity program compared to its desired “to be” state. Capacity refers to the resources an organization can use to reach the “to be” state. There are two categories of capacity: external and internal. External capacity refers to outside resources — people, processes, and tools — you can hire or purchase to improve maturity. (We’ll discuss external capacity more in our next installment.) Internal capacity refers to in-house people, processes, and tools you can leverage to improve maturity. 

Managers often have an unclear picture of how to use resources to improve cybersecurity. This is mainly because of the many demands found in today's business environments. I recommend managers conduct internal capacity planning. In other words, they need to assess the internal capacity needed to increase cybersecurity maturity. Internal capacity planning can answer three important questions:

1. What are the capabilities of our people?
2. What processes do we need to improve?
3. What tools do we have that can help improve processes and strengthen staff capability?

What does the internal capacity planning process look like?
RG
: Internal capacity planning is pretty easy to conduct, but there’s no standard model. It’s not a noun, like a formal report. It’s a verb — an act of reflection. It’s a subjective assessment of your team members’ abilities and their capacity to perform a set of required tasks to mature the cybersecurity program. These are not easy questions to ask, and the answers can be equally difficult to obtain. This is why you should be honest in your assessment and urge your people to be honest with themselves as well. Without this candor, your organization will spin its wheels reaching its desired “to be” state.

Let’s start with the “people” part of internal capacity. How can managers assess staff?RG: It’s all about communication. Talk to your staff, listen to them, and get a sense of who has the ability and desire for improving cybersecurity maturity in certain subject areas or domains, like Risk Management or Event and Incident Response. If you work at a small organization,  start by talking to your IT manager or director. This person may not have a lot of cybersecurity experience, but he or she will have a lot of operational risk experience. IT managers and directors tend to gravitate toward security because it’s a part of their overall responsibilities. It also ensures they have a voice in the maturing process.

In the end, you need to match staff expertise and skillsets to the maturity subject areas or domains you want to improve. While an effective manager already has a sense of staff expertise and skillsets, you can add a SWOT analysis to clarify staff strengths, weaknesses, opportunities, and threats.

The good news: In my experience, most organizations have staff who will take to new maturity tasks pretty quickly, so you don’t need to hire a bunch of new people.

What’s the best way to assess processes?
RG
: Again, it’s all about communication. Talk to the people currently performing the processes, listen to them, and confirm they are giving you honest feedback. You can have all the talent in the world, and all the tools in the world — but if your processes are terrible, your talent and tools won’t connect. I’ve seen organizations with millions of dollars’ worth of tools without the right people to use the tools, and vice versa. In both situations, processes suffer. They are the connective tissue between people and tools. And keep in mind, even if your current ones are good, most  tend to grow stale. Once you assess, you probably need to develop some new processes or improve the ones in place.

How should managers and staff develop new processes?
RG
: Developing new ones can be difficult  we’re talking change, right? As a manager, you have to make sure the staff tasked with developing them are savvy enough to make sure the processes improve your organization’s maturity. Just developing a new one, with little or no connection to maturity, is a waste of time and money. Just because measuring maturity is iterative, doesn’t mean your approach to maturing cybersecurity has to be. You need to take a holistic approach across a wide range of cybersecurity domains or subject areas. Avoid any quick, one-and-done processes. New ones should be functional, repeatable, and sustainable; if not, you’ll overburden your team. And remember, it takes time to develop new ones. If you have an IT staff that’s already struggling to keep up with their operational responsibilities, and you ask them to develop a new process, you’re going to get a lot of pushback. You and the IT staff may need to get creative — or look toward outside resources, which we’ll discuss in chapter 4.

What’s the best way to assess tools?
RG
: Many organizations buy many tools, rarely maximize their potential. And on occasion, organizations buy tools but never install them. The best way to assess tools is to select staff to first measure the organization’s inventory of tools, and then analyze them to see how they can help improve maturity for a certain domain or subject area. Ask questions: Are we really getting the maximum outputs those tools offer? Are they being used as intended?

I’ll give you an example. There’s a company called SolarWinds that creates excellent IT management tools. I have found many organizations use SolarWinds tools in very specific, but narrow, ways. If your organization has SolarWinds tools, I suggest reaching out to your IT staff to see if the organization is leveraging the tools to the greatest extent possible. SolarWinds can do so much that many organizations rarely leverage all its valuable feature.

What are some pitfalls to avoid when conducting internal capacity planning?
RG
: Don’t assign maturity tasks to people who have been with the organization for a really long time and are very set in their ways, because they may be reluctant to change. As improving maturity is a disruptive process, you want to assign tasks to staff eager to implement change. If you are delegating the supervision of the maturity project, don’t delegate it to a technology-oriented person. Instead, use a business-oriented person. This person doesn’t need to know a lot about cybersecurity — but they need to know, from a business perspective, why you need to implement the changes. Otherwise, your changes will be more technical in nature than strategic. Finally, don’t delegate the project to someone who is already fully engaged on other projects. You want to make sure this person has time to supervise the project.

Is there ever a danger of receiving incorrect information about resource capacity?
RG
: Yes, but you’ll know really quickly if a certain resource doesn’t help improve your maturity. It will be obvious, especially when you run the maturity model again. Additionally, there is a danger of staff advocating for the purchase of expensive tools your organization may not really need to manage the maturity process. Managers should insist that staff strongly and clearly make the case for such tools, illustrating how they will close specific maturity gaps.

When purchasing tools a good rule of thumb is: are you going to get three times the return on investment? Will it decrease cost or time by three times, or quantifiably reduce risk by three times? This ties in to the larger idea that cybersecurity is ultimately a function of business, not a function of IT. It also conveniently ties in with external capacity, the topic for chapter four.

Read our next cybersecurity playbook article, External capacity: Cybersecurity playbook for management #4here.

Related Services

Assurance

Consulting

Cybersecurity is the responsibility of all employees and managers: it takes a team

When a breach occurs, people tend to focus on what goes wrong at the technical level and often fail to see that cybersecurity begins at the strategic level. 

BerryDunn’s cybersecurity playbook outlines the activities managers need to take to properly oversee cybersecurity. Read the full series:

  1. Maturity modeling
  2. Selecting and implementing a maturity model
  3. Tapping your internal capacity for better results
  4. External capacity
  5. Discovery
  6. The workflow
  7. Incident response
  8. Incident recovery
Cybersecurity playbook
Access the full series

Read this if you file taxes with the IRS for yourself or other individuals.

To protect yourself from identity thieves filing fraudulent tax returns in your name, the IRS recommends using Identity Protection PINs. Available to anyone who can verify their identity online, by phone, or in person, these PINs provide extra security against tax fraud related to stolen social security numbers of Tax ID numbers.

According to the Security Summit—a group of experts from the IRS, state tax agencies, and the US tax industry—the IP PIN is the number one security tool currently available to taxpayers from the IRS.

The simplest way to obtain a PIN is on the IRS website’s Get an IP PIN page. There, you can create an account or log in to your existing IRS account and verify your identity by uploading an identity document such as a driver’s license, state ID, or passport. Then, you must take a “selfie” with your phone or your computer’s webcam as the final step in the verification process.

Important things to know about the IRS IP PIN:

  • You must set up the IP PIN yourself; your tax professional cannot set one up on your behalf.
  • Once set up, you should only share the PIN with your trusted tax prep provider.
  • The IP PIN is valid for one calendar year; you must obtain a new IP PIN each year.
  • The IRS will never call, email or text a request for the IP PIN.
  • The 6-digit IP PIN should be entered onto your electronic tax return when prompted by the software product or onto a paper return next to the signature line.

If you cannot verify your identity online, you have options:

  • Taxpayers with an income of $72,000 or less who are unable to verify their identity online can obtain an IP PIN for the next filing season by filing Form 15227. The IRS will validate the taxpayer’s identity through a phone call.
  • Those with an income more than $72,000, or any taxpayer who cannot verify their identity online or by phone, can make an appointment at a Taxpayer Assistance Center and bring a photo ID and an additional identity document to validate their identity. They’ll then receive the IP PIN by US mail within three weeks.
  • For more information about IRS Identity Protection PINs and to get your IP PIN online, visit the IRS website.

If you have questions about your specific situation, please contact our Tax Consulting and Compliance team. We’re here to help.

Article
The IRS Identity Protection PIN: What is it and why do you need one?

Read this if you are at a financial institution with employees working remotely.

Working remotely is not a new concept. Over the past 20 years, technology enhancements have increased the ability for employees to connect remotely and perform many job functions without ever leaving their homes. When the COVID-19 pandemic began in early 2020, working remotely became a necessity for essential businesses like financial institutions to provide safe environments for both employees and customers and remain open.

One of the benefits of an increase in working from home during the pandemic is that it provided financial institutions and other businesses an opportunity to learn how to perform essential job functions and manage teams from a distance. In addition, many organizations experienced indirect benefits, including a more flexible work environment, higher job satisfaction, increased productivity, and improved employee retention. Now that employees are being asked to return to the office, many financial institutions are considering if a permanent work-from-home arrangement is possible. 

What you need to know

For starters, financial institutions need to know where their employees are providing services. Is it across state lines or across the country? What if you have two or more employees who want to work out of state—and they are all different states? What are the tax implications? Are there legal concerns?

Nexus

Nexus is the connection that taxpayers have with a state that permits the state to assess various types of taxes, including income tax. Nexus rules vary from state to state, but generally a business with nexus in a state is required to register with the Secretary of State/Department of Revenue, file tax returns, and pay various taxes to the state. 

Employees working in a "different state" (a state which income tax returns are not already being filed) may create nexus to that state for tax purposes. Even if your financial institution has only one employee working in a state and otherwise has no other connection to the state, there may be tax implications. Some states have established nexus waivers because of the pandemic, providing relief to some businesses and employees who have temporary work-from-home arrangements. These waivers, however, will soon expire or have expired already. 

The following details should be considered before offering out-of-state remote employee work arrangements.

State income tax filing requirements

  • If your financial institution has an employee working remotely from a different state, the financial institution has created physical presence nexus in that state. Once nexus has been established, the financial institution may be subject to state and local income taxes, gross receipts taxes, unique taxes specific to financial institution, or franchise taxes. When it comes to taxing a financial institution, not all states assess tax in the same manner. 
  • After nexus has been established, your financial institution will also need to understand how the state apportions wages in determining income tax liability to the state. One example is a factor approach: Total payroll paid to employees working in the state divided by total payroll paid to all employees. In a simplified example, the fraction would be multiplied by taxable income resulting in amount of taxable income in that state. One employee in a state is not likely to create a significant income tax liability to the state, however, many states have minimum tax liabilities and other fees—some more significant than others—which should also be considered along with additional administrative costs. 

State tax withholding

  • Employees will need to pay personal state income tax based on their primary state of residence as well as the state in which they work. If your financial institution's remote employee is performing most of their work from home in a different state than the financial institution, and travels to the financial institution for occasional meetings or in-person days, this could result in the employee having a personal state income tax liability in both states. It may be necessary for your financial institution to track the employee’s location and properly withhold state income taxes from the employee’s pay based on the state that the employee is providing services. 
  • Failure to properly withhold state income taxes could create a liability for both the employee and the employer including penalties and interest. Proper policies should be in place regarding the responsibility of tracking where employees are performing their work may mitigate these concerns. You should encourage your employees to work with their individual tax advisors on state tax issues as each employee's tax filing position is unique (we generally advise against providing tax advice to your employees). 

Unemployment taxes and workers’ compensation

  • Unemployment is typically paid to the state in which an employee has their permanent place of work. Your financial institution should review the state’s unemployment rules to determine if the financial institution is required to collect and remit unemployment tax to a state that it has employees. If your employee is working in a different state on a temporary basis or due to the pandemic, we believe there is no need for unemployment to change from the state where the financial institution is located.
  • Workers’ compensation is also typically paid to the state in which the employee is permanently assigned. If the out-of-state work arrangement is temporary, we do not feel you need to change your workers’ compensation. However, if the out-of-state arrangement from home becomes permanent, you may need to change your policy. Some states require employers to have a minimum number of employees in the state before requiring a workers’ compensation policy in that state. We recommend working with BerryDunn’s employee benefits experts on state rules and discussing with your insurance carrier.

Personal property and other taxes

  • Employees working from home are often provided furniture and equipment for their remote office set up. Financial institutions should consider whether they want to provide these items without retaining ownership to the property, as owning property in another state could result in the financial institution needing to file and remit personal property taxes to the state. It also would be considered a best practice to develop a policy that provides consistency among all remote employees, regardless of their location. 
  • Sales and use tax implications and other special or unique state and local taxes should be researched and understood prior to entering any state to determine the impact on existing products and services which may be offered to out of state customers who reside or relocate out of state. We will provide more information about the state tax issues related to providing services in a future installment of this state tax series. 

Other considerations

  • We recommend you discuss with your financial institution's attorney regarding the need to file a business license or update the financial institution's charter as these are legal matters. Here are some topics to consider as you have these discussions:
    • Your financial institution may be required to register with the state department of revenue/taxation
    • Registering as a foreign corporation is often necessary to access the legal system
    • Your financial institution may want to consider whether other regulatory licenses may be needed, such as insurance broker or license for trust services
  • Health insurance and other employee benefit plans should be reviewed to ensure that a remote employee eligible to receive benefits still qualifies and receives the same level of coverage that is available to in-state employees. 

In summary, even one employee working out of state could create additional compliance costs and exposure to a state’s laws and regulations. You may be wondering how risky it is to have only one employee located in a state, and how likely is it that the state would make the connection to your out-of-state financial institution.

While  the risk may seem low, states are always looking to generate additional tax revenue, and many have the ability to cross check internal systems. Withholding and remitting state income taxes on behalf of an employee is likely going to require your financial institution to register with a state's income tax withholding agency. The state will then be aware of your financial institution’s connection to its state as the financial institution’s EIN will be in the system for payroll purposes. While the exposure may still be low, the state may start looking for an income tax filing and at least payment of minimum tax. Failure to file in a state means that the statute of limitations for the financial institution’s exposure to that state will not start.

The risks shouldn’t necessarily prevent your financial institution from allowing employees to work from home, and as many financial institutions want to offer more flexible work arrangements given what has been learned in recent years, it is possible to minimize tax risk and remain compliant with proper planning and awareness. 

For more information

To discuss your specific tax situation and state compliance risks, please contact the BerryDunn Financial Services team. We’re here to help.

Article
State tax issues impacting your financial institution part one: Remote employees

Read this if you are a Chief Financial Officer or Controller at a financial institution.

Back in April, we wrote about recently released Accounting Standards Update (ASU) No. 2022-02, Financial Instruments – Credit Losses (Topic 326). Here, we are going to look at the standard in more depth. 

One of the most notable items this ASU addresses, is that it eliminates the often tedious troubled debt restructuring (TDR) accounting and disclosure requirements. Accounting for loan modifications will now be maintained under extant US generally accepted accounting principles, specifically Accounting Standards Codification (ASC) 310-20-35-9 through 35-11. However, rather than eliminate loan modification disclosure requirements altogether, the Financial Accounting Standards Board (FASB) created some new requirements, inspired by voluntary disclosures many financial institutions made during the coronavirus pandemic. 

Rather than disclosing information on TDRs, financial institutions will now be required to disclose information on loan modifications that were in the form of principal forgiveness, an interest rate reduction, an other-than-insignificant payment delay, or a term extension (or a combination thereof) made to debtors experiencing financial difficulty. These disclosures must be made regardless of whether a modification to a debtor experiencing financial difficulty results in a new loan or not. 

ASC 310-10-50-42 through 50-44 establishes these new disclosure requirements, and ASC 310-10-55-12A provides an example of the required disclosures. 

New Loan Modification Disclosure Requirements

Financial institutions have long had internal controls surrounding the determination of TDRs given the impact such restructurings can have on the allowance for credit losses and financial statement disclosures. Banks may find they are able to leverage those controls to satisfy the new modification disclosures, with only minor adjustments. Similar to previous TDR determinations, the above disclosures are only required for modifications to debtors experiencing financial difficulty. Therefore, financial institutions will need to have a process —or defined set of parameters—in place to determine debtor “financial difficulty”, thus triggering the need for modification disclosure. Banks may also find that the specific data gathered for preparation of these new disclosures will change, but should be readily available, with (hopefully) only minor manipulation required.

ASU No. 2022-02 is effective for fiscal years beginning after December 15, 2022, including interim periods within those fiscal years—the same effective date for those who have not yet adopted ASU No. 2016-13, more commonly referred to as CECL (Current Expected Credit Loss). As always, if you have any questions as to how this new ASU may impact your financial institution, please reach out to BerryDunn’s Financial Services team or submit a question via our Ask the Advisor feature.

Article
New loan modification disclosure requirements: A deeper dive

Read this if you are a depository institution.

Environmental, Social, and Governance (ESG) matters are all the rage right now. From new disclosures to personal, professional, investor, and social media pressures, ESG presents itself as a vast topic, encompassing many facets of an organization. It can be daunting to even know where to begin ESG efforts. 

ESG issues seem pervasive and may be best thought of as residing on a spectrum, with some industries further along this spectrum than others. However, each industry can make its own mark, with initiatives that can propel it along the ESG spectrum. Even within one industry, individual organizations may have their own initiatives and areas of focus. Equal importance does not need be given to the E, the S, and the G, and some industries may be better equipped to address one of these pillars over the others. We would like to share what we believe to be four areas of opportunity for banks as they think about ESG, their customers, and their employees.

Credit decisions

Many financial institutions currently base credit decisions on an array of financial metrics of the prospective borrower. Their reviews include financial forecasts, historical financial results, collateral values, etc., all with the intent of predicting if the prospective borrower will be able to repay the credit. Given the increasing regulatory and social pressure regarding ESG, bankers should be aware of how ESG requirements and industry initiatives could impact a borrower’s financial condition. For instance, consider the following:

  • Where does the prospective borrower reside on the ESG spectrum, collectively and individually (the separate E, the S, and the G spectrums)? 
  • If they are a carbon-intensive company, what additional risks does that pose to the relationship, if any? (E)
    • Are there pending regulations (or fines) that could significantly impact their operations?
    • Although their finances may be strong currently, are there alternative products or services that are seen as “greener” that may jeopardize future profits and cash flows?
    • If the company plans to become less carbon-intensive, either voluntarily or out of necessity, are there significant costs anticipated to be incurred during this transition?
  • Do they have, or anticipate, community investment initiatives? (S)
  • Are they viewed as a reputable company in their respective communities? (S)
  • Is there adequate Board and execute management oversight? (G)

ESG-specific products

Financial institutions can reward borrowers for their stewardship. This concept is not new, as “green bonds” have been around for years to incentivize climate and environmental projects. Some financial institutions, such as TD Bank and Barclays, offer preferred interest rates to ESG-conscious borrowers, such as those that purchase houses that meet certain energy efficiency ratings. Financial institutions could further expand on this idea and offer loans earmarked for certain ESG-related purposes, such as development of low-carbon manufacturing techniques or investment in the company’s workforce. Such products can be a great way to position your financial institution as an ESG leader in the community and assist borrowers on their ESG journey. 

Financial institutions can act as a connector for like-minded parties

Financial institutions are in a unique position, as aside from the borrower themselves, a financial institution likely knows the most about the borrower’s business. Financial institutions may become aware of customers further along their ESG journeys and could help connect those resources to other customers who may want to know and learn more. Customers are increasingly looking for more from their financial institution outside of traditional banking services. Given their unique position, financial institutions are best equipped to act as a connector for like-minded parties. 

Customers and employees may want their supply chain/employer to be ESG conscious

Customers, whether they be individuals or businesses, and employees are increasingly considering the actions of potential vendors and employers before partnering with them. Likely a result of their own ESG mission, customers are starting to realize that, even if they feel as if they are ESG conscious, it is their responsibility to also hold their vendors accountable. Therefore, customers may elect to go to another financial institution that is more ESG conscious even if your financial institution offers a better product. Employees are also factoring this into employment decisions. Employees want to feel as if they are part of a larger mission. Focusing on ESG could give your financial institution a competitive advantage.

When considering ESG matters, some believe they are faced with two mutually exclusive decisions: (1) what makes the most sense financially, and (2) what will propel our organization further along the ESG spectrum? What some leading companies have found, however, is that by focusing first on where they lie on the ESG spectrum and defining where they want to be in the future helps clarify future decision-making so that cost and ESG progress are aligned rather than opposing forces. As always, BerryDunn’s Financial Services team is here to help.

Article
Propelling along the ESG spectrum: Four considerations for your financial institution

What the C-Suite should know about CECL and change management

Read this if you are at a financial institution. 

Some institutions are managing CECL implementation as a significant enterprise project, while others have assigned it to just one or two people. While these approaches may yield technical compliance, leadership may find they fail to realize any strategic benefits. In this article, Dan Vogt, Principal in BerryDunn’s Management and IT Consulting Practice, and Susan Weber, Senior Manager and CECL expert in BerryDunn’s Financial Services Practice, outline key actions leaders can take now to ensure CECL adoption success.  

Call it empathy, or just the need to take a break from the tactical and check in on the human experience, but on a recent call, I paused the typical readiness questions to ask, “How’s the mood around CECL adoption – what’s it been like getting others in the organization involved?” The three-word reply was simple, but powerful: “Kicking and screaming.”  

Earlier this year, by a vote of 5-2, the FASB (Financial Accounting Standards Board) closed the door to any further delays to CECL adoption, citing an overarching need to unify the industry under one standard. FASB’s decision also mercifully ended the on-again off-again cycle that has characterized CECL preparation efforts since early 2020. One might think the decision would have resulted in relief. But with so much change in the world over the past few years, is it any wonder institutions are instead feeling change-saturated?  

Organizational change

CECL has been heralded as the most significant change to bank accounting ever, replacing 40+ years of accounting and regulatory oversight practices. But the new standard does much more than that. Implementing CECL has an effect on everything from executive and board strategic discussions to interdepartmental workflows, systems, and controls. The introduction of new methods, data elements, and financial assets has helped usher in new software, processes, and responsibilities that directly affect the work of many people in the organization. CECL isn’t just accounting—it’s organizational change. 

Change management

Change management best practices often focus on leading from optimism—typically leadership and an executive sponsor talk about opportunities and the business reasons for change. Some examples of what this might sound like as it relates to CECL might include, by converting to lifetime loss expectations, the institution will be better prepared to weather economic downturns; or, by evolving data and modeling precision, an institution’s understanding and measure of credit risk is enhanced, resulting in more strategic growth, pricing, and risk management. 

But leading from optimism is sometimes hard to do because it isn’t always motivating—especially when the change is mandated rather than chosen.  

Perhaps a more judiciously used tactic is to focus on the risk, or potential penalty, of not changing. In the case of CECL, examples might include, your external auditor not being able to sign-off on your financials (or significant delays in doing so), regulatory criticism, inefficient/ineffective processes, control issues, tired and frustrated staff. These examples expose the institution to all kinds of key risks: compliance, operational, strategic, and reputational, among them.

CECL success and change management

With so much riding on CECL implementation and adoption going well, some organizations may be at heightened risk simply because the effort is being compartmentalized—isolated within a department, or assigned to only one or two people. How effectively leadership connects CECL implementation with tenets of change management, how quickly they understand, then together embrace, promote, and facilitate the related changes affecting people and their work, may prove to be the key factor in achieving success beyond compliance.  

One important step leaders can take is to perform an impact assessment to understand who in the organization is being affected by the transition to CECL, and how. An example of this is below. Identifying the departments and functions that will need to be changed or updated with CECL adoption might expose critical overlaps and reveal important new or enhanced collaborations. Adding in the number of people represented by each group gives leaders insight into the extent of the impact across the institution. By better understanding how these different groups are affected, leaders can work together to more effectively prioritize, identify and remove roadblocks, and support peoples’ efforts longer term.           

 
No matter where your institution is currently in its CECL implementation journey, it is not too late to course-correct. Leadership—unified in priority, message, and understanding—can achieve the type of success that produces efficient sustainable practices, and increases employee resilience and engagement.

For more information, visit the CECL page on our website. If you would like specific answers to questions about your CECL implementation, please visit our Ask the Advisor page to submit your questions. For more tips on documenting your CECL adoption, stay tuned for our next article in the series, revisit past articles, or tune in to our CECL Radio podcast. You can also follow Susan Weber on LinkedIn.

Article
Implementing CECL: Kicking and screaming

Read this if you are a community bank.

The Federal Deposit Insurance Corporation (FDIC) recently issued its first quarter 2022 Quarterly Banking Profile. The report provides financial information based on Call Reports filed by 4,796 FDIC-insured commercial banks and savings institutions. The report also contains a section specific to community bank performance. In first quarter 2022, this section included the financial information of 4,353 FDIC-insured community banks. BerryDunn’s key takeaways from the report are as follows:

Community banks continue to feel the impact of shrinking net interest margins and inflation.

Community bank quarterly net income dropped to $7 billion in first quarter 2022, down $1.1 billion from a year ago. Lower net gains on loan sales and higher noninterest expenses offset growth in net interest income and lower provisions. Net income declined $581.3 million, or 7.7 percent from fourth quarter 2021 primarily because of lower noninterest income and higher noninterest expense.

Loan and lease balances continue to grow in first quarter 2022

Community banks saw a $21.5 billion increase in loan and lease balances from fourth quarter 2021. All major loan categories except commercial & industrial and agricultural production grew year over year, and 55.3 percent of community banks recorded annual loan growth. Total loan and lease balances increased $35.1 billion, or 2.1 percent, from one year ago. Excluding Paycheck Protection Program loans, annual total loan growth would have been 10.2 percent.

Community bank net interest margin (NIM) dropped to 3.11 percent due to strong earning asset growth.

Community bank NIM fell 15 basis points from the year-ago quarter and 10 basis points from fourth quarter 2021. Net interest income growth trailed the pace of earning asset growth. The yield on earning assets fell 28 basis points while the cost of funding earning assets fell 13 basis points from the year-ago quarter. The 0.24 percent average cost of funds was the lowest level on record since Quarterly Banking Profile data collection began in first quarter 1984. 

Community bank allowance for credit losses (ACL) to total loans remained higher than the pre-pandemic level at 1.28 percent, despite declining 4 basis points from the year-ago quarter.


NOTE: The above graph is for all FDIC-Insured Institutions, not just community banks.

The ACL as a percentage of loans 90 days or more past due or in nonaccrual status (coverage ratio) increased to a record high of 236.7 percent. The decline in noncurrent loan balances outpaced the decline in ACL, with the coverage ratio for community banks emerging 57.9 percentage points above the coverage ratio for noncommunity banks. 

The banking landscape continues to be one that is ever-evolving. With interest rates on the rise, banks will find their margins in flux once again. During this transition, banks should look for opportunities to increase loan growth and protect and enhance customer relationships. Inflation has also caused concern not only for banks but also for their customers. This is an opportune time for banks to work with their customers to navigate the current economic environment. Community banks, with their in-depth knowledge of their customers’ financial situations and the local economies served, are in a perfect position to build upon the trust that has already been developed with customers.

As always, please don’t hesitate to reach out to BerryDunn’s Financial Services team if you have any questions.

Article
FDIC issues its First Quarter 2022 Quarterly Banking Profile

Read this if you are interested in GASB updates. 

The Governmental Accounting Standards Board (GASB) issued GASB Statement No. 99, Omnibus 2022 on May 9, 2022. The statement enhances comparability in accounting and financial reporting and improves the consistency of authoritative literature by addressing (1) practice issues that have been identified in previous GASB Statements, and (2) adding guidance on accounting and financial reporting for financial guarantees.

We’ve reviewed the statement in its entirety, and broken down key components for you to know. Here are the highlights.  

Accounting and financial reporting for exchange or exchange-like financial guarantees

Financial guarantees is a guarantee of an obligation of a legally separate entity or individual, including a blended or discretely presented component unit, that requires the guarantor to indemnify a third-part obligation holder under specified conditions, in an exchange or exchange-like transactions. 

An entity that extends an exchange or exchange-like financial guarantee should recognize a liability and expense related to the guarantee when qualitative factors and historical data indicate that is it more than likely not a government will be required to make a payment related to the guarantee.

Statement 99 excludes guarantees related to special assessment debt, financial guarantee contracts within the scope of Statement 53, or guarantees related to conduit debt obligations. 

Certain derivative instruments that are neither hedging derivative instruments nor investment derivative instruments

Derivative instruments that are within the scope of Statement 53, but do not meet the definition of an investment derivative instrument or the definition of a hedging derivative instrument are considered other derivative instruments. These “other derivative instruments” should now be accounted for as follows:

  1. Changes in fair value should be reported on the “resource flows statement” separately from the investment revenue classification.
  2. Information should be disclosed in the notes to financial statements separately from hedging instruments and investment derivative instruments.
  3. Governments should disclose the fair values of derivative instruments that were reclassified from hedging derivative instruments to other derivative instruments. 

Leases

If your entity has leases please review the following as Statement 99 clarifies numerous issues from Statement 87, specifically:

  • Lease terms as it relates to options to terminate and option to purchase the underlying assets, in paragraph 12 of Statement 87 has been clarified;
  • Short-term leases in paragraph 12 of Statement 87 has been clarified as it relates to an option to terminate the lease;
  • Lessee and lessor recognition and measurement for leases other than short-term leases that transfer ownership has been clarified, and
  • Lease incentives in paragraph 61 of Statement 87 has been further defined.

Public Private and Public-Public Partnerships (PPPs)

If your entity has PPPs, Statement 99 clarifies the following: 

  • PPP terms
  • Receivable for installment payments (transferor recognition)
  • Receivable for the underlying PP Asset (transferor recognition)
  • Liability for installment payments (operator recognition)
  • Deferred outflow of resources (operator recognition)

Subscription-Based Information Technology Arrangements (SBITAs)

Subscription terms and definitions have been clarified, specifically as it relates with options to terminate, short-term SBITAs, and measurement of subscription liabilities.

If your entity has SBITAs, review the provisions of each SBITA to ensure compliance with Statement 99 paragraphs 23–25.

Replacement of LIBOR

Check with your banking institutions to confirm when they have phased out of LIBOR. Confirm with your banking institutions what specifically has replaced LIBOR and update Financial Statement disclosures as needed. 

SNAP

State governments should recognize distributions of benefits from Supplemental Nutrition Assistance Program (SNAP) as a nonexchange transaction. Review Financial Statement disclosure and determine if a disclosure is needed. 

Disclosure of Nonmonetary Transactions

If you engage in one or more nonmonetary transactions during the fiscal year, you will need to disclose those transactions in the notes to the financial statements the measurement of attribute(s) applied to the assets transferred, rather than basis of accounting for those assets.

Pledges of future revenues when resources are not received by the pledging government

When blending the financial statement of a debt-issuing component unit into the financial statements of a primary government pledging revenue for the component unit’s debt, the primary government should reclassify an amount due to the component as an interfund payable and an interfund transfer out simultaneously with the recognition of the revenues that are pledged.

Focus of the government-wide financial statement

Statement 99 reiterates that there should be a total overall government-wide column within the MD&A, Statement of Net Position, and Statement of Activities. This column should exclude all fiduciary activities, including custodial funds. 

Terminology updates

No action is needed. Terminology has been updated in previous pronouncements, for terminology as it relates to Statements 63 and 53. 


Effective dates

The requirements related to the extension of the use of LIBOR, accounting for SNAP distributions, disclosures of nonmonetary transactions, pledges of future revenues by pledging governments, clarification of certain provisions in Statement 34 and terminology updates related to GASB 53 and 63 are effective upon issuance.

The requirements related to leases, PPPs, and SBITAs, are effective for fiscal years beginning after June 15, 2022.

The requirements related to financial guarantees and the classification and reporting of derivative instruments within the scope of Statement 53 are effective for fiscal years beginning after June 15, 2023.

Earlier application is encouraged and permitted for all.

If you would like more information regarding Statement 99, please contact our Audits of Governmental Component Units team. We’re here to help.

Article
Key considerations from GASB Statement No. 99 

Read this if you use QuickBooks Online.

With gas prices so high, you need to track your travel costs as closely as possible. Consider getting a tax deduction for your business mileage.

If you drive even a little for business, it’s easy to let mileage costs slide. After all, it’s a pain to keep track of your tax-deductible mileage in a little notebook and do all the calculations required. If you do rack up a lot of business miles, you probably forget to track some trips and end up losing money.

QuickBooks Online offers a much better way. Its Mileage tools include simple fill-in-the-blank records that allow you to document individual trips. You can either enter the starting point and destination and let the site calculate your mileage and deduction or enter the number of miles yourself.

If you use QuickBooks Online’s mobile app, it can track your miles automatically as you drive (as long as you have the correct settings turned on). Here’s a look at how all of this works.

Setting up 

To get started, click the Mileage link in QuickBooks Online’s toolbar. The screen that opens will eventually display a table that contains information about your trips, but you need to do a little setup first. Click the down arrow next to Add Trip in the upper right corner and select Manage vehicles. A panel will slide out from the right. Click Add vehicle.

 
You’ll need to supply information about your vehicles before you can start entering trips.

You’ll need to supply the vehicle’s year, make, and model. Do you own or lease it, and on what date was the vehicle purchased or leased and put into service? Do you want to have your annual mileage calculated by entering odometer readings or have QuickBooks Online track your business miles driven automatically? When you’re done making your selections and entering data, click Save.

Entering trip data

You can download trips as CSV files or import them from Mile IQ, but you’re probably more likely to enter them manually. Click Add Trip in the upper right corner. In the pane that opens, you’ll enter the date of the trip and either the total miles or start and end point. You’ll select the business purpose and vehicle and indicate whether it was a round trip. When you’re done, click Save. The trip will appear in the table on the opening screen, and your current possible total deduction will be in the upper left corner, along with your total business miles and total miles.

If you want to designate a trip as personal, click the box in front of the trip in that table. In the black horizontal box that appears, click the icon that looks like a little person, then click Apply. Now, the trip will appear in the Personal column and will not count toward your business tax-deductible mileage. 

When you select a trip in the Mileage table, you can mark it as personal so it’s not included in your business tax-deductible miles.

Personal trips can count, too

If you use your vehicle(s) for personal as well as business purposes, tracking some of those miles can also mean a tax deduction. For tax year 2022, you can deduct 18 cents per mile for your travel to and from medical appointments. Note: Medical mileage is only deductible if medical exceeds a certain percent of AGI. Be sure to check with the IRS yearly tax code, as they update the mileage amounts annually.

And if you do volunteer work for a qualified charitable organization, the miles you drive in service of it can be deducted at the rate of 14 cents per mile. You can also claim the cost of parking and tolls, as long as you weren’t reimbursed for any of these expenses. Obviously, the IRS wants you to keep careful records of your charitable mileage, and QuickBooks Online can provide them.

QuickBooks Online doesn’t track these deductions, but you’ll at least have a record of the miles driven.

Auto-track your miles

The easiest way to track your mileage in QuickBooks Online is by using its mobile app. You can launch this and have it record your mileage automatically as you’re driving. Versions are available for both Android and iOS, and they’re different from each other. They also have more features than the browser-based version of QuickBooks Online, like maps, rules, and easier designation of trips as business or personal.

 
The iOS version of Mileage in the QuickBooks Online app

In both versions, you’ll need to click the menu in the lower right corner after you’ve opened the QuickBooks Online app and select Mileage. Make sure Auto-Tracking is turned on. Your phone’s location services tool must be turned on, too. There are other settings that vary between the two operating systems. You can search the help system of either app to make sure you get your settings correct if the onscreen instructions aren’t clear enough.

Of course, you won’t see the fruits of your mileage deductions until you file your 2022 taxes. But you can factor these savings in as you’re doing your tax planning during the year. Please contact the Outsourced Accounting team if you’re having any trouble with QuickBooks Online’s Mileage tools, or if you have questions with other elements of the site.

Article
How QuickBooks Online helps you track mileage