Skip to Main Content

insightsarticles

Trusting privileged accounts in the age of data breaches

05.21.19

Who has the time or resources to keep tabs on everything that everyone in an organization does? No one. Therefore, you naturally need to trust (at least on a certain level) the actions and motives of various personnel. At the top of your “trust level” are privileged users—such as system and network administrators and developers—who keep vital systems, applications, and hardware up and running. Yet, according to the 2019 Centrify Privileged Access Management in the Modern Threatscape survey, 74% of data breaches occurred using privileged accounts. The survey also revealed that of the organizations responding:

  • 52% do not use password vaulting—password vaulting can help privileged users keep track of long, complex passwords for multiple accounts in an encrypted storage vault.
  • 65% still share the use of root and other privileged access—when the use of root accounts is required, users should invoke commands to inherent the privileges of the account (SUDO) without actually using the account. This ensures “who” used the account can be tracked.
  • Only 21% have implemented multi-factor authentication—the obvious benefit of multi-factor authentication is to enhance the security of authenticating users, but also in many sectors it is becoming a compliance requirement.
  • Only 47% have implemented complete auditing and monitoring—thorough auditing and monitoring is vital to securing privileged accounts.

So how does one even begin to trust privileged accounts in today’s environment? 

1. Start with an inventory

To best manage and monitor your privileged accounts, start by finding and cataloguing all assets (servers, applications, databases, network devices, etc.) within the organization. This will be beneficial in all areas of information security such as asset management, change control and software inventory tracking. Next, inventory all users of each asset and ensure that privileged user accounts:

  • Require privileges granted be based on roles and responsibilities
  • Require strong and complex passwords (exceeding those of normal users)
  • Have passwords that expire often (30 days recommended)
  • Implement multi-factor authentication
  • Are not shared with others and are not used for normal activity (the user of the privileged account should have a separate account for non-privileged or non-administrative activities)

If the account is only required for a service or application, disable the account’s ability to login from the server console and from across the network

2. Monitor—then monitor some more

The next step is to monitor the use of the identified privileged accounts. Enable event logging on all systems and aggregate to a log monitoring system or a Security Information and Event Management (SIEM) system that alerts in real time when privileged accounts are active. Configure the system to alert you when privileged accounts access sensitive data or alter database structure. Report any changes to device configurations, file structure, code, and executable programs. If these changes do not correlate to an approved change request, treat them as incidents and investigate.  

Consider software that analyzes user behavior and identifies deviations from normal activity. Privileged accounts that are accessing data or systems not part of their normal routine could be the indication of malicious activity or a database attack from a compromised privileged account. 

3. Secure the event logs

Finally, ensure that none of your privileged accounts have access to the logs being used for monitoring, nor have the ability to alter or delete those logs. In addition to real time monitoring and alerting, the log management system should have the ability to produce reports for periodic review by information security staff. The reports should also be archived for forensic purposes in the event of a breach or compromise.

Gain further assistance (and peace of mind) 

BerryDunn understands how privileged accounts should be monitored and audited. We can help your organization assess your current event management process and make recommendations if improvements are needed. Contact our team.

Related Industries

Related Professionals

Principals

BerryDunn experts and consultants

Read this if you are at a financial institution that uses FedLine® Solutions.

In response to an evolving security threat landscape, the Federal Reserve Bank has implemented a Security and Resiliency Assurance Program (“Assurance Program”). Financial institutions that use FedLine® Solutions will need to take action before year-end to comply with Assurance Program requirements. Here’s what you need to know.

Required assessment to be completed annually

Financial institutions are already required to implement, maintain, and assess technical and procedural security controls to safeguard their FedLine® connections. Starting in 2021, financial institutions must conduct an assessment of their compliance with the Federal Reserve Bank's FedLine® security requirements and submit an attestation that they have completed the assessment. The deadline for submitting the first attestation is December 31, 2021. Moving forward, this assessment and attestation must be completed annually.

This assessment can be performed internally by an independent internal department/function such as an internal audit or compliance department. The Federal Reserve Bank may, in its discretion, require the assessment be conducted or reviewed by an independent third party. End User Authorization Contacts (EUAC) for each organization were sent an Assurance Program kick-off packet with requirements and instructions in January 2021 to assist with the process. 

Immediate action 

Evaluate the requirements for your financial institution’s Assurance Program assessment as soon as possible. Planning for the 2021 assessment should be well underway. If you would like to discuss the Assurance Program requirements or you’ve been notified that your financial institution needs an independent third party review, contact us today.

Article
The Federal Reserve's FedLine® Solutions Security and Resiliency Assurance Program

Read this if you are a timber harvester, hauler, or timberland owner.

The USDA recently announced its Pandemic Assistance for Timber Harvesters and Haulers (PATHH) initiative to provide financial assistance to timber harvesting and hauling businesses as a result of the pandemic. Businesses may be eligible for up to $125,000 in financial assistance through this initiative. 

Who qualifies for the assistance?

To qualify for assistance under PATHH, the business must have experienced a loss of at least 10% of gross revenue from January, 1, 2020 through December 1, 2020 as compared to the same period in 2019. Also, individuals or legal entities must be a timber harvesting or timber hauling businesses where 50% or more of its revenue is derived from one of the following:

  • Cutting timber
  • Transporting timber
  • Processing wood on-site on the forest land

What is the timeline for applying for the assistance?

Timber harvesting or timber hauling businesses can apply for financial assistance through the USDA from July 22, 2021 through October 15, 2021

Visit the USDA website for more information on the program, requirements, and how to apply.
If you have any questions about your specific situation, please contact our Natural Resources team. We’re here to help. 

Article
Temporary USDA assistance program for timber harvesters and haulers

Read this if you are working with an auditor.

The standard report an auditor issues on an entity’s financial statements was created in 1988, and has only had minor tweaking since. Amazing when we think about how the world has changed since 1988! Back then:

  • The World Wide Web hadn’t been invented
  • The Simpsons wasn’t yet on TV, and neither was Seinfeld
  • The Berlin Wall was still standing
  • The Single Audit Act celebrated its fourth birthday

The Auditing Standards Board (ASB), an independent board of the American Institute of CPAs (AICPA) that establishes auditing rules for not-for-profit organizations (as well as private company and federal, state, and local governmental entities) has decided it was high time to revisit the auditor’s report, and update it to provide additional information about the audit process that stakeholders have been requesting.

In addition to serving as BerryDunn’s quality assurance principal for the past 23 years, I’ve been serving on the ASB since January 2017, and as chair since May 2020. (And thanks to the pandemic our meetings during my tenure as chair have been conducted from my dining room table.)  We thought you might be interested in a high-level overview of the coming changes to the auditor’s report, which will be effective starting with calendar 2021 audits, from an insider’s perspective.

So what’s changing?

The most significant changes you’ll be seeing, based on feedback from various users of auditor’s reports, are:

  1. Opinion first
    The opinion in an audit report is the auditor’s conclusion as to whether the financial statements are in accordance with the applicable accounting standards, in all material respects. People told us this is the most important part of the report, so we’ve moved it to the first section of the report.
  2. Auditor’s ethical responsibilities
    We’ve pointed out that an auditor is required to be independent of the organization being audited, and to meet certain other ethical responsibilities in the conduct of the audit.
  3. “Going concern” responsibilities
    We describe management’s responsibility, under U.S. generally accepted accounting principles, and the auditor’s responsibility, under the auditing rules, for determining whether “substantial doubt” exists about the organization’s ability to continue in existence for at least one year following the date the financial statements are approved for issuance.
  4. Emphasis on professional judgment and professional skepticism
    We explain how an audit requires the auditor to exercise professional judgment (for example, regarding how much testing to perform), and to maintain professional skepticism, i.e., a questioning mind that is alert to the possibility the financial statements may be materially misstated, whether due to error or fraud.
  5. Communications with the board of directors
    We point out that the auditor is required to communicate certain matters to the board, such as difficulties encountered during the audit, material adjustments identified during the audit process, and which areas the auditor treated as “significant risks” in planning and performing the audit.
  6. Responsibility related to the “annual report”
    If the organization issues an “annual report” containing or referring to the audited financial statements, we explain the auditor is required to review it for consistency with the financial statements, and for any known misstatements of fact.
  7. Discussion of “key audit matters”
    While not required, your organization may request the auditor to discuss how certain “key audit matters” (those most significant to the audit) were addressed as part of the audit process. These are similar to the “critical audit matters” publicly traded company auditor’s reports are now required to include.

Yes, this means the auditor’s report will be longer; however, stakeholders told us inclusion of this information will make it more informative, and useful, for them.

Uniform Guidance standards also changing

Is your organization required to have a compliance audit under the federal Uniform Guidance standards? That report is also changing to reflect the items listed above to the extent they’re relevant.

What should you do?

Some actions to consider as you get ready for the first audit to which the new report applies (calendar 2021, or fiscal years ending in 2022) include:

  1. Ask your auditor what your organization’s auditor’s report will look like
    Your auditor can provide examples of auditor’s reports under the new rules, or even draft a pro forma auditor’s report for your organization (subject, of course, to the results of the audit).
  2. Outline and communicate your process for developing your annual report
    If your organization prepares an annual report, it will be important to coordinate its timing with that of the issuance of the auditor’s report, due to the auditor’s new reporting responsibility related to the annual report.
  3. Discuss with your board whether you would like the auditor to include a discussion of “key audit matters” in the auditor’s report
    While not required for not-for-profits, some organizations may decide to request the auditor include a discussion of such matters in the report, from the standpoint of transparency “best practices.”

If you have any questions about the new auditor’s report or your specific situation, please contact us. We’re here to help.
 

Article
A new auditor's report: Seven changes to know

Read this if your facility or organization has received Provider Relief Funds.

The rules over the use of the HHS Provider Relief Funds (PRF) have been in a constant state of flux and interpretation since the funds started to show up in your bank accounts back in April. Here is a summary of where we are as of June 14, 2021 on HHS’ reporting requirements. Key highlights:

These requirements apply to:

  • PRF General and Targeted Distributions
  • the Skilled Nursing Facilities (SNF) and Nursing Home Infection Control Distribution
  • and exclude:
    • the Rural Health Clinic COVID-19 Testing Program
    • claims reimbursements from HRSA COVID-19 Uninsured Program and the HRSA COVID-19 Coverage Assistance Fund (CAF)

This notice supersedes the January 15, 2021 reporting requirements.
Deadline for Use of Funds:

Payment Received Period

Deadline to Use Funds

Reporting Time Period

Period 1

4/10/20-6/30/20

6/30/21

7/1/21-9/30/21

Period 2

7/1/20-12/31/20

12/31/21

1/1/22-3/31/22

Period 3

1/1/21-6/30/21

6/30/22

7/1/22-9/30/22

Period 4

7/1/21-12/31/21

12/31/22

1/1/21-3/31/23

Recipients who received one or more payments exceeding $10,000 in the aggregate during each Payment Received Period above (rather than the previous $10,000 cumulative across all PRF payments) are subject to the above reporting requirements 

Responsibility for reporting:

  • The Reporting Entity is the entity that registers its Tax Identification Number (TIN) and reports payments received by that TIN and its subsidiary TINs.
  • For Targeted Distributions, the Reporting Entity is always the original recipient; a parent entity cannot report on the subsidiary’s behalf and regardless of transfer of payment.

Steps for reporting use of funds:

  1. Interest earned on PRF payments
  2. Other assistance received
  3. Use of SNF and Nursing Home Control Distribution Payments if applicable (any interest earned reported here instead), with expenses by CY quarter
  4. Use of General and Other Targeted Distribution Payments, with expenses by CY quarter
  5. Net unreimbursed expenses attributable to Coronavirus, net after other assistance and PRF payments by quarter
  6. Lost revenues reimbursement (not applicable to PRF recipients that received only SNF and Nursing Home Infection Control Distribution payments)

PORTAL WILL OPEN ON JULY 1, 2021!

Access the full update from HHS: Provider Post-Payment Notice of Reporting Requirements.

Article
Provider Relief Funds: HHS Post-Payment Notice of Reporting Requirements

Read this is you are at a financial institution and concerned about fraud.

The numbers tell a story: Financial fraud 

Back in 2016, BerryDunn’s Todd Desjardins wrote about occupational fraud at financial institutions. This article mainly cited information from a 2016 Report to the Nations (2016 Report) published by the Association of Certified Fraud Examiners (ACFE). Fast forward to 2021, and ACFE’s 2020 Report to the Nations: Banking and Financial Services Edition (2020 Report) displays that occupational fraud continues to be a concern.

Financial institutions account for 19% of all occupational fraud worldwide, up from 16.8% in the 2016 Report. These fraud causes have a median loss of $100,000 per case—down from $192,000 per case in the 2016 Report. Cases had risen slightly from the 2016 Report to 386—up from 368 cases.

What does a fraudster look like, and how do they commit their crimes? How do you prevent fraud from happening at your organization? And, how can you strengthen an already robust anti-fraud program? These questions, raised in Todd’s 2016 article, remain relevant today. 

A profile in fraud: Who can it be? 

One of the most difficult tasks any organization faces is identifying and preventing potential cases of fraud. This is especially challenging because the majority of employees who commit fraud are first-time offenders with no record of criminal activity, or even termination at a previous employer.

The 2020 Report reveals a few commonalities between fraudsters. The amounts from the 2016 Report are shown in parentheses for comparison purposes:

  • 3% of fraudsters had no criminal background (3%)
  • Men committed 71% of frauds and women committed 29% (69%, 31%)
  • 56% of fraudsters were an employee, 27% worked as a manager, and 14% operated at the executive/owner level (3%, 31%, 20%)
  • The median loss for fraudsters who had been with their organizations for more than five years was $150,000 compared to $86,000 for fraudsters who had been with their organizations for five years or less ($230,000, $74,500)

Employees who committed fraud displayed certain behaviors during their schemes. The ACFE reported these top red flags in its 2020 Report:

  • Living beyond means: 42% (45.8%)
  • Financial difficulties: 33% (30%)
  • Unusually close association with vendor/customer: 15% (20.1%)
  • Divorce/family problems: 14% (13.4%)

These figures give us a general sense of who commits fraud and why. But in all cases, the most pressing question remains: how do you prevent the fraud from happening?

Preventing fraud: A commonsense approach that works

As a proactive plan for preventing fraud, we recommend focusing time and energy on two distinct facets of your operations: leadership tone and internal controls.

It all starts at the top: Leadership

The Board of Directors and senior management are in a powerful position to prevent fraud. By fostering a top-down culture of zero-tolerance for fraud, you can diminish opportunity for employees to consider, and attempt, fraud.

It is crucial to start at the top. Not only does this send a message to the rest of the company, but frauds committed at the executive level had a median loss of $1,265,000 per case, compared to a median loss of $77,000 when an employee perpetrated the fraud. This is compared to a median loss of $500,000 and $54,000 per case, respectively, in the 2016 Report.

Improving your internal control culture

Every financial institution uses internal controls in its daily operations. Override of existing internal controls, lack of internal controls, and lack of management review were all cited in the 2020 Report as the most common internal control weaknesses that contribute to occupational fraud in the banking and financial services industry.

The importance of internal controls cannot be overstated. Every organization should closely examine its internal controls and determine where they can be strengthened—even financial institutions with strong anti-fraud measures in place.

We have created a checklist of the top 10 controls for financial institutions, available in our white paper on preventing fraud. This is a list that we encourage every financial leader to read. By strengthening your foundation, your company will be in a powerful place to prevent fraud. 

Get the keys to prevent fraud—free fraud prevention white paper

Employees are your greatest strength and number one resource. Taking a proactive, positive approach to fraud prevention maintains the value employees bring to a financial institution, while focusing on realistic measures to discourage fraud.

In our white paper on preventing financial institution fraud, we take a deeper look at how to successfully implement a strong anti-fraud plan.

Commit to strengthening fraud prevention and you will instill confidence in your Board, employees, customers, and the general public. It’s a good investment for any financial institution. If you have any questions, please contact our team. We’re here to help. 
 

Article
In 2021, an anti-fraud plan is the best investment your financial institution can make

Read this if you work in an alcohol control capacity for state government.

The COVID-19 outbreak has changed the alcoholic beverage industry significantly over the last 14 months. Restrictions forced people to stay at home, limiting their travel to restaurants, bars, and even some stores to purchase their favorite spirits. In at least 32 states, new legislation allowed consumers the option to buy to-go cocktails as a way to help these establishments stay in business. As a result, consumers took advantage of alcohol delivery services. 

There were two large shifts in consumer purchasing for the alcoholic beverage industry in 2020. The first was a shift from on-premise to off-premise purchasing (for example, more takeaway beverages from bars, breweries, and other establishments). The second was the explosion of e-commerce sales for curbside pickup and home delivery. A study by IWSR, an alcoholic beverage market research firm, stated that alcohol e-commerce sales grew 42% in 2020. The head of consumer insights for the online alcoholic beverage delivery service, Drizly, attributes this growth to the “increased consumer awareness of alcohol delivery as a legal option, as well as an overall shift in consumer purchasing behavior toward online ordering and delivery”. 

How state agencies responded

The move to an e-commerce model has impacted state agencies who regulate the distribution and/or sale of alcohol. States such as Oklahoma, Alabama, and Georgia recently passed legislation allowing alcohol delivery to consumers’ homes. In alcoholic beverage control states, where the state controls the sale of alcohol at the wholesale level, curbside pickup programs (New Hampshire) were implemented, while others started online home delivery services (Pennsylvania). 

In a fluid legislative environment, states agencies are working to meet consumer needs in a very competitive marketplace, while fulfilling their regulatory obligation to the health and safety of their constituents.

How alcoholic beverage control states can adapt

Now is an opportune time for control state agencies to keep pace with consumer demand for more flexible purchasing options, such as buying online with home delivery, or some form of curbside and/or in-store pickup programs. Every one of the 17 alcoholic beverage control states has passed legislation to allow the delivery of either beer, wine, and/or distilled spirits in some form, with some limitations.

While for some the COVID-19 outbreak has necessitated these more distant shopping experiences, the option of these sales channels has brought consumers flexibility they will expect going forward. This calls for control state agencies to act on this changing consumer demand. By prioritizing investing in and taking ownership of new sales channels, such as e-commerce and curbside pickup, control state agencies’ technology and logistics teams can develop strategies and tools to effectively adapt to this new demand. 

Adapting technology and logistics

Through technology, control state agencies can take advantage of e-commerce and curbside pickup sales channels, to drive more revenue. We recommend control states consider the following: 

Define the current capabilities to support an online sales strategy

An important first step is to define how to address constituents’ evolving needs as compared to the current e-commerce capabilities control state agencies can support. Considerations include:

  • Are current staff capable of developing and supporting new website capabilities to meet the increased demand on the website?  
  • How will the current customer support team(s) expand to support concerns from the new channels?
  • How will new e-commerce order volume be fulfilled for home delivery (including order errors, breakage, returns, etc.)?   

Control state agencies should complete current and future state assessments in each area above to confirm what capabilities they have today and which they would like to have in the future; which will allow for an accurate gap analysis and comparison to their future state needs. Once the current state assessment, future state strategy, and gap analysis are complete, control state agencies can define the projects required to support the future state requirements. 

Reevaluate existing fulfillment, inventory, and distribution processes

Each control state has existing product fulfillment, inventory and distribution processes, and information technology (IT) tools for delivering alcohol, to their own or licensed retail stores and businesses. These current processes and IT systems should be assessed as part of the current state capabilities assessment mentioned above, to help define the level of change needed to support the control state agency’s future needs in the e-commerce channel. Key assessment questions control state agencies should ask themselves include: 

  • Can the current IT systems (e.g., inventory management, customer relationship management [CRM], customer support/call center, financial, point of sale [POS], and website infrastructure) support required upgrades?
  • Can retail teams and today’s infrastructure support order taking, inventory, fulfillment, and buy online pickup in store programs?
  • How will warehouse and retail stores track and manage the e-commerce shipments and returns related to this channel?
  • If home delivery is part of the strategy, define how the delivery logistics will be met through state or vendor resources.
  • What staffing model and skill sets will support future business needs?
  • What is the total cost of ownership for these new e-commerce capabilities so that the short and long-term costs and profits can be accurately estimated? 

The answers to these questions will help to inform a future e-commerce strategy and accommodate the cost and staff impacts. 

Bring in online retail expertise

It is important to ensure that the control state agency has website and mobile capabilities to support today’s consumer needs. This includes the ability to order a wide range of products online for either home delivery or buy online pickup in store. The design of the website and mobile transactional capabilities is critically important to the success of this channel, the true growth in revenues. Being marketing focused (e.g., allowing consumers to view and order products, save items for later, and see similar products) will help drive traffic and sales on this upgraded channel. 

For control state agencies with a more static product website, consider purchasing a commercial off-the-shelf (COTS) e-commerce product with existing retail-focused website features, or contract with a vendor to build a website that meets more unique needs. The control state agency should bring in at least one online retail subject matter expert vendor to help set the direction, design the upgrades or new site, manage the project(s) needed to implement the online capabilities, and potentially manage the operational support of the website and mobile solution.

BerryDunn provides state alcoholic beverage control boards and commissions with many services along the IT system acquisition lifecycle, including planning, needs assessment, business process analysis, request for proposal (RFP) development, requirements development, technology contract development, and project management services. 

For the full list of steps to consider and to learn more about how you can successfully position your control state agency to adapt to the changing alcoholic beverage landscape, contact us.
 

Article
COVID-19 and the e-commerce explosion

Read this if your organization has to comply with HIPAA.

We have been monitoring HHS Office for Civil Rights (OCR) settlements as part of the HIPAA Right of Access Initiative (16 settlements and counting) and want to dispel some myths about HIPAA enforcement. Myths can be scary. It would be pretty frightening to run into Bigfoot while taking a stroll through the woods, but sometimes myths have the opposite effect, and we become complacent, thinking Bigfoot will never sneak up behind us. He’s just a myth, right?

As we offer our top five HIPAA myths, we invite you to decide whether to address gaps in compliance now, or wait until you are in the middle of the woods, facing Bigfoot, and wondering what to do next.

Myth #1: OCR doesn’t target organizations like mine.

The prevailing wisdom has been that the Office for Civil Rights only pursues settlements with large organizations. As we review the types of organizations that have been targeted in the recent past, we find that they include social services/behavioral health organizations, more than one primary care practice, a psychiatric medical group practice, and a few hospital/health systems. With settlements ranging from $10,000 to $200,000 plus up to two years of monitoring by the OCR, can you really afford to take a chance?

Myth #2: I have privacy policies, procedures, and training protocols documented, so I’m all set if OCR comes calling.

Are you really all set? When did you last review your policies and procedures? Are you sure what your staff actually does is HIPAA compliant? If you don’t regularly review your policies and procedures and train your staff, can you really say you’re all set?

Myth #3: HIPAA gives me 30 days to respond to a patient request, so it’s ok to wait to respond.

Did you try to ship a package during the 2020 holiday season? If so, do you remember checking your tracking number daily to see if your gift was any closer to its destination? Now imagine it was your health records you were waiting for. Frustration builds, goodwill wanes, and you start looking for a higher authority to get involved. 

And beware: if proposed Privacy Rule changes to HIPAA are finalized, the period of time covered entities will have to fulfill patient requests will be reduced from 30 to 15 days.

Myth #4: If I ignore the problem, it will go away.

Right of Access settlement #10 dispels this myth: A medical group was approached by OCR to resolve a complaint in March 2019. Then again in April 2019. This issue was not resolved until October 2020. Now, in addition to a monetary settlement, the group’s Corrective Action Plan (CAP) will be monitored by the OCR for two years. That’s a lot of time, energy, and money that could have been better spent if they worked to resolve the complaint quickly.

Myth #5: OCR will give me a “get out of jail free” card during the pandemic.

As one of our co-workers said, “Just because they are looking aside does not mean they are looking away.” The most recent settlement we have seen to OCR’s Right of Access Initiative was announced February 10, 2021, showing that the initiative is still a priority despite the pandemic.

Are you ready to assess or improve your compliance with HIPAA Right of Access rules now? Contact me and I will help you keep OCR settlements at bay. 

Article
Debunking the myths of HIPAA: Five steps to better compliance

Read this if you are a business owner. 

Now that the Democrats have control of the Presidency, House of Representatives, and Senate, many in Washington, DC and around the country are asking “What is going to happen with business taxes?” 

While candidate Biden expressed interest in raising taxes on corporations and wealthy individuals, it is best to think of that as a framework for where the new administration intends to go, rather than a set-in-stone inevitability. We know his administration is likely to favor a paring back of some of the tax cuts made by the 2017 Tax Cuts and Jobs Act (TCJA). Biden has indicated his administration may consider changes to the corporate tax rate, capital gains rate, individual income tax rates, and the estate and gift tax exemption amount.

Procedurally, it is unclear how tax legislation would be formulated under the Biden administration. A tax package could be included as part of another COVID-19 relief bill. The TCJA could be modified, repealed, or replaced. It is also unclear how any package would proceed through Congress. Under current Senate rules, the legislative filibuster can limit the Senate’s ability to pass standalone tax legislation, thus leaving any such legislation to the budget reconciliation process, as was the case in 2017. It also remains unclear if the two parties will come together to work on any bill. Finally, it will be important to note who fills key Treasury tax positions in the Biden administration, as these individuals will have a strategic role in the development of administration priorities and the negotiation with Congress of any tax bill. Here are three ways tax changes could take shape:

  1. Part of a COVID-19 relief package
    With the Biden administration eager to provide immediate relief to individuals and small- and medium-sized businesses affected by the coronavirus pandemic, some tax changes could be included as part of an additional relief bill on which the administration is likely to seek bipartisan support. Such changes could take the form of tax cuts for some businesses and individuals, tax credits, expanded retirement contributions, and/or other measures. If attached to a COVID-19 relief bill, these changes would likely go into effect immediately and would provide rapid relief to businesses and individuals that have been particularly hard hit during the pandemic and economic downturn.
  2. Repeal and replace TCJA
    Another possibility is for Biden to pursue a full rollback of the TCJA and replace it with his own tax bill. This would be a challenge since the Democrats only have a slim majority in the Senate, meaning that Republicans could filibuster the bill unless Senate Democrats take steps to repeal the filibuster.

    Given that the Biden administration’s immediate priorities will be delivering financial assistance to individuals and businesses, ensuring the rollout of COVID-19 vaccines, and flattening the curve of cases, a repeal and replacement of the TCJA might not be voted on until at least late 2021 and likely would not go into effect until 2022 at the earliest.
  3. Pare back or modify the TCJA
    An overall theme of Biden’s campaign was not sweeping, radical change but making incremental shifts that he views as improvements. This theme may come into play in Biden’s approach to tax legislation. He may choose not to repeal the TCJA completely (prompting a return to 2016 taxation levels), but instead pare back some of the tax changes enacted in 2017. In practice, this could mean raising the corporate tax rate by a few percentage points, which could garner bipartisan support. Again, this likely would not be a legislative priority until after the country has passed through the worst of the COVID-19 pandemic.

Factors that will influence potential tax changes

Senate legislative filibuster

Currently, the minority party in the Senate can delay a vote on an issue if fewer than 60 senators support bringing a measure to a vote. Thus, Republicans would be likely to filibuster any bill that contains more ambitious tax rate increases. The uptick in the use of the filibuster in recent decades is perhaps a symptom of congressional deadlock, and there are calls from many Democrats to eliminate the filibuster in order to pass more ambitious legislation without bipartisan support (in fact, in recent years, the filibuster has been removed for appointments and confirmations). While President Biden and Senate Majority Leader Chuck Schumer may be open to ending or further limiting the filibuster, every Democratic senator would have to agree. West Virginia Senator Joe Manchin has said repeatedly that he will not vote to end the legislative filibuster.

If the filibuster remains in place as it appears it will, tax legislation would likely be passed as part of the budget reconciliation process, which only requires a simple majority to pass. However, the tradeoff is that any changes generally would have to expire at the end of the budget window, which typically is 10 years. This is how both the 2001 Economic Growth and Tax Relief Reconciliation Act and the TCJA were passed.

Appetite for bipartisanship

President Biden has signaled that he wants to work for all Americans and seek to heal the partisan divides in the country. He may be looking to reach across the aisle on certain legislation and seek bipartisan support, even if such support is not necessary to pass a bill. Biden stated during his campaign that he wants to increase the corporate tax rate—not to the 2017 rate of 35%—but to 28%. Achieving this middle ground rate might be viewed as a compromise approach.

As the new government takes office, it remains to be seen how much bipartisanship is desired, or even possible.

What this may mean for your business

It is important to note that sweeping tax changes probably are not an immediate priority for the incoming Biden administration. The new administration’s immediate focus likely will be on addressing the current fragmented approach to COVID-19 vaccinations, accelerating the distribution of the vaccines, taking steps to bring the spread of COVID-19 under control, and providing much needed economic relief. As noted above, there could be some tax changes and impacts resulting from future COVID-19 relief bills.

Those will be the bills to watch for any early tax changes, including cuts or credits, that businesses may be able to take advantage of. Larger scale tax changes, particularly any tax increases, may not go into effect until 2022 at the earliest. Here are some of the current rules and how Biden is proposing to deal with them.

If you have questions about your particular situation, please contact our team. We’re here to help. 

Article
Biden's tax plan: Tax reform details remain unclear

Read this if you are a hospital or healthcare organization that has received Provider Relief Funds. 

The long-awaited Provider Relief Fund (PRF) Reporting Portal (the Portal) opened to providers on January 15, 2021. Unfortunately, the Portal is currently only open for the registration of providers. The home page for the Portal has information on what documentation is needed for registration as well as other frequently asked questions.

We recommend taking the time to review what is needed and register as soon as possible. Health Resources & Services Administration (HRSA) has suggested the registration process will take approximately 20 minutes and must be completed in one session. The good news is providers will not need to keep checking the Portal to see when additional data can be entered as the Portal home page states that registered providers will be notified when they should re-enter the portal to report on the use of PRF funds.

Access the portal

The Provider Relief Fund (PRF) Reporting Portal is only compatible with the most current stable version of Edge, Chrome and Mozilla Firefox.

Article
Provider Relief Fund (PRF) reporting portal