Skip to Main Content

insightsarticles

Was your
COVID-
19 essential worker hazard pay FLSA-compliant?

By:

Colin is a Senior Consultant in BerryDunn’s Government Consulting Group with experience in communicating and executing strategic plans, coordinating membership development for various groups, and managing finance activities. He has worked on a wide range of projects with a focus on programmatic audit, forensic audit, financial process improvement, invoice review, and data analysis. He is a Certified Associate in Project Management and is currently working toward his Project Management Professional® certification.

Colin Buttarazzi
12.23.21

Read this if you used COVID-19 relief funds to pay essential workers.

The Coronavirus Aid, Relief, and Economic Security (CARES) and American Rescue Plan (ARPA) Acts allowed states and local governments to use COVID-19 relief funds to provide premium pay to essential workers. Many states took advantage of this opportunity, giving stipends or hourly rate increases to government and other frontline employees who worked during the pandemic, such as healthcare workers, teachers, correctional officers, and police officers.

States’ initial focus was to get the money to the essential workers as quickly as possible, but these decisions may cause them to be out of compliance with the Fair Labor Standards Act (FLSA), which sets standards for minimum wage, overtime pay, and recordkeeping. As a result, states should review how the funds were disbursed and if payroll adjustments are necessary. The amount, form, and recipients of the pay varied widely from state to state, making determining whether states are compliant with FLSA and calculating any discrepancies an immensely complex task. 

For example, states that disbursed one-time payments to essential workers will likely be able to treat those payments like standard one-time bonuses, while recurring stipends or hourly rate increases should be included in employee’s regular rate when calculating overtime pay. Because this is an unprecedented situation for both states and the federal government, clear guidance is not yet available from the Department of Labor. 

Fortunately, BerryDunn is already working with clients to review their use of the COVID-19 relief funds to help ensure essential workers were paid fairly. Our team is qualified to guide you through your unique situation and help you remain in compliance with FLSA guidelines.

If you have questions about your particular circumstances, please call our Compliance and Risk Management consulting team. We are here to help and happy to discuss options to pay for these services using federal funds.

Related Services

Related Professionals

Principals

BerryDunn experts and consultants

Editor’s note: Please read this if you are a not-for-profit board member, CFO, or any other decision maker within a not-for-profit.

In a time where not-for-profit (NFP) organizations struggle with limited resources and a small back office, it is important not to overlook internal audit procedures. Over the years, internal audit departments have been one of the first to be cut when budgets are tight. However, limited resources make these procedures all the more important in safeguarding the organization’s assets. Taking the time to perform strategic internal audit procedures can identify fraud, promote ethical behavior, help to monitor compliance, and identify inefficiencies. All of these lead to a more sustainable, ethical, and efficient organization. 

Internal audit approaches

The internal audit function can take on many different forms, depending on the size of the organization. There are options between the dedicated internal audit department and doing nothing whatsoever. For example:

  • A hybrid approach, where specific procedures are performed by an internal team, with other procedures outsourced. 
  • An ad hoc approach, where the board or management directs the work of a staff member.

The hybrid approach will allow the organization to hire specialists for more technical tasks, such as an in-depth financial analysis or IT risk assessment. It also recognizes internal staff may be best suited to handle certain internal audit functions within their scope of work or breadth of knowledge. This may add costs but allows you to perform these functions otherwise outside of your capacity without adding significant burden to staff. 

The ad hoc approach allows you to begin the work of internal audit, even on a small scale, without the startup time required in outsourcing the work. This approach utilizes internal staff for all functions directed by the board or management. This leads to the ad-hoc approach being more budget friendly as external consultants don’t need to be hired, though you will have to be wary of over burdening your staff.

With proper objectivity and oversight, you can perform these functions internally. To bring the process to your organization, first find a champion for the project (CFO, controller, compliance officer, etc.) to free up staff time and resources in order to perform these tasks and to see the work through to the end. Other steps to take include:

  1. Get the audit/finance committee on board to help communicate the value of the internal audit and review results of the work
  2. Identify specific times of year when these processes are less intrusive and won’t tax staff 
  3. Get involved in the risk management process to help identify where internal audit can best address the most significant risks at the organization
  4. Leverage others who have had success with these processes to improve process and implementation
  5. Create a timeline and maintain accountability for reporting and follow up of corrective actions

Once you have taken these steps, the next thing to look at (for your internal audit process) is a thoughtful and thorough risk assessment. This is key, as the risk assessment will help guide and focus the internal audit work of the organization in regard to what functions to prioritize. Even a targeted risk assessment can help, and an organization of any size can walk through a few transaction cycles (gift receipts or payroll, for example) and identify a step or two in the process that can be strengthened to prevent fraud, waste, and abuse.  

Here are a few examples of internal audit projects we have helped clients with:

  • Payroll analysis—in-depth process mapping of the payroll cycle to identify areas for improvement
  • Health and education facilities performance audit—analysis of various program policies and procedures to optimize for compliance
  • Agreed upon procedures engagement—contract and invoice/timesheet information review to ensure proper contractor selection and compliant billing and invoicing procedures 

Internal audits for companies of all sizes

Regardless of size, your organization can benefit from internal audit functions. Embracing internal audit will help increase organizational resilience and the ability to adapt to change, whether your organization performs internal audit functions internally, outsources them, or a combination of the two. For more information about how your company can benefit from an internal audit, or if you have questions, contact us

Article
Internal audit potential for not-for-profit organizations

Read this if your organization offers health insurance through a health insurance exchange.

When the Affordable Care Act (ACA) was passed in 2010, it contained a known gap which made healthcare premiums unaffordable for some families covered under Medicare or employer-sponsored health insurance plans. The gap in the law, commonly referred to as the family glitch, was formalized in 2013 as the result of a Final Rule issued by the IRS. 

The “family glitch” calculates the affordability of an employer-sponsored health insurance plan based on the cost for the employee, not additional family members. An article published in April 2022 on healthinsurance.org estimated that the cost of health insurance for a family covered by an employer-sponsored plan could end up being 25% or more of the household’s income, even if the plan was considered affordable (less than 9.61% of the household’s income) for the employee alone. Almost half of the people impacted by the family glitch are children.

The family glitch was allowed to stand in 2013 partly because of concerns that resolving the issue could push more people off employer-sponsored plans and onto marketplace qualified health plans, ultimately raising the cost of subsidies. Since then, several attempts have been made to fix the issue, which affects around five million Americans. The most recent attempt was an executive order issued by President Biden soon after taking office in January 2021. The Office of Management and Budget has been reviewing regulatory changes proposed by the Treasury Department and IRS, details of which were published in April 2022. 

These regulatory changes would alter the way health insurance exchanges calculate a family’s eligibility for subsidies when the family has access to an employer-sponsored health insurance plan. If the changes go into effect in 2023 as proposed, audits of the 2023 fiscal year will need to account for the new regulations and potentially conduct different testing protocols for different parts of the year. 

Our team is closely following these proposed changes to help ensure our clients are prepared to follow the new regulations. Earlier this week, we attended a public hearing held by the Treasury Department, where representatives of various groups spoke in support of, or in opposition to the proposed regulatory change. Supporters noted that families with plans that offer expensive coverage for dependents would benefit from this change through reduced costs and more coverage options, including provider networks that may more closely align with the family members’ needs. Those in favor of the change anticipate that families with children would see the most benefit. 

Those opposed to the change expressed that due to the way the law is currently written, they do not see the regulatory flexibility for the administration to make this change through administrative action. Additionally, concerns were raised that families covered by multiple health insurance plans could be faced with higher out-of-pocket-costs due to having separate deductibles that must be met on an annual basis. Lastly, not all families that have unaffordable insurance would see financial relief under this proposal. 

The Treasury Department is expected to announce its decision in time for open enrollment for plan year 2023 which is scheduled to begin on November 1, 2022. Our team will continue to monitor the situation closely and provide updates on how the changes may impact our clients. 

For more information

If you have more questions or have a specific question about your situation, please reach out to us. There is more information to consider when evaluating the effects these changes will have on the landscape of healthcare access and affordability, and we’re here to help.

Article
Fixing the "family glitch": How a proposed change to the ACA will affect healthcare subsidies 

Read this if you are a financial institution.

Choosing a method for estimating lifetime expected losses is a commitment. A commitment that signals, in spite of any other option, you’re certain this method is the right one for you—your segment, portfolio, and institution. While you might be able to support a change in method later, it is much more likely you’ll be living with this decision a good long while. So, how exactly does one know which method is the right one? Let’s take a few minutes to answer some frequently asked questions about selecting methods for CECL.

How many CECL methods are there?

This depends on who you ask. Section 326-20-30-3 of the standard names five (5) categories: discounted cash flow, loss-rate, roll-rate, probability of default, and aging schedule. Some categories, like loss-rate, have several methods. Additionally, some methods seem to be referred to by different names, giving people the impression that there are exponentially more options out there than there really are. With this in mind, I tend to think of two (2) broad categories, and seven (7) unique methods:  

  • Loss-rate methods
    • Snapshot (open pool, static pool, cumulative loss rate)
    • Remaining Life and Weighted Average Remaining Maturity (WARM)
    • Vintage
       
  • Other methods
    • Scaled CECL Allowance for Losses Estimator (SCALE) (option for banks with assets <$1 billion)
    • Discounted Cash Flow (DCF)
    • Probability of default 
    • Migration (roll rate, aging schedule)  

What’s the difference?

The loss-rate methods use actual historical net charge-off information in different ways to derive a loss rate that can then be used to calculate expected losses over the remaining life of a pool. In general, they do this by holding the mix of a group of loans constant (e.g., by year of origination) and then tracking net losses tied to that grouping over time. The “other” methods employ a variety of mathematical techniques and/or credit quality information to estimate expected lifetime losses. For a quick overview of each method and corresponding resources, access our CECL methodologies guide here.

How do I know which to use?

This is the CECL equivalent of the proverbial million-dollar question. Technically, any institution could use any one, or all of these methods. But there are considerations that make some of them a more or less likely fit. For example, if your institution has >$1 billion in assets, SCALE is not even an option for you, and you can cross it off the list. If you are not in a position to afford software, or lack the internal expertise to build a similar model internally, then discounted cash flow and probability of default methods would likely be extremely burdensome in the normal course of business. For that reason, you may need to cross those off your list. If you lack large pools with consistently diverse performance over time, then migration methods will be difficult to support. If you have a relatively stable loan mix, consistent credit culture, and a lot of reliable historical loss data—especially through multiple economic cycles—the loss-rate methods may be a good fit, with or without software. If your portfolio has undergone a lot of changes—products, underwriting standards, merger and acquisition activity—and/or there are significant gaps in key data that cannot be restored, then you might want to re-consider software and one of the “other” methods. 

What are the pros and cons of the various methods?

One pro of the loss-rate and SCALE methods is they have been shown to be manageable without software. Examples of all of these methods have been illustrated using Excel spreadsheets. The use of Excel is also potentially a con, given that more spreadsheets and, maybe more people, are likely going to be involved in computing the Allowance for Credit Losses (ACL). As a result, version control as well as validation of spreadsheet macros, inputs, formulas, math, and risk of accidentally overwriting or deleting values should be addressed. One pro of the discounted cash flow method is that it is a bottom-up approach, meaning each loan’s discounted cash flow (DCF) is computed and then rolled up to the segment level. Because of this, DCF can more easily handle mixed pools, e.g., loans of all vintages, sizes, terms, payment and amortization schedules, etc. A potential con of DCF is that it really requires software, staff trained to use the software appropriately, and an understanding of the vast array of choices, levers, and decisions that come with it.     

Does my choice of method affect my qualitative adjustment options?

How’s this for commitment: maybe. In general, I think it’s safe to say that CECL requires additional thought be given to the nature and degree of adjustments. This is especially true when you look at the combination of potential segmentation changes, new elements of the calculation, and the variety of methods now available. Consider the example of a bank using a loss-rate method and facing a potential economic downturn. If that bank has sufficient history and a relatively stable portfolio mix, credit culture, and geography, then it might elect to use a different time period—say, historical loss-rates observed from the last recession—rather than those more recently computed. In this case, the loss-rate method would already be using a recessionary experience. 

How then, would the bank approach additional qualitative adjustments for changing economic outlooks to ensure it is not layering (or double counting) reserve? Going back to the original “maybe” response, perhaps the answer is less about inherent conflicts between methods and qualitative adjustments. Rather, it’s about understanding that given your chosen method, you may be faced with even more decisions about if, where, and how much adjusting you are doing.

CECL adoption is required. Struggling to adopt isn’t. We can help.

No matter what stage of CECL readiness you are in, we can help you navigate the requirements as efficiently and effectively as possible. For more information, visit the CECL page on our website. If you would like specific answers to questions about your CECL implementation, please visit our Ask the Advisor page to submit your questions.

For more tips on documenting your CECL adoption, stay tuned for our next article in the series. You can also follow Susan Weber on LinkedIn.

Article
Questions to ask when deciding your CECL Method

Read this if you are a financial institution.

As you know by now, ASU No. 2016-13, Financial Instruments – Credit Losses (Topic 326), better known as the CECL standard, has already been implemented for some and will soon be implemented for all others (fiscal years beginning after December 15, 2022 to be exact). During your implementation process, the focus has likely been on your loan portfolio, and rightfully so, as CECL overhauls 40+ years of loan loss reserve practices. But, recall that the CECL standard applies to all financial instruments carried at amortized cost. So, it therefore includes held-to-maturity (HTM) debt securities. And, although not carried at amortized cost, the CECL standard also makes targeted enhancements to available-for-sale (AFS) debt securities. As if re-hauling your entire allowance methodology wasn’t enough! Before tearing out your hair because of another CECL-related change, let’s quickly review what is currently required for securities, and then focus on how this will change when you implement CECL.

Current US GAAP

Under current US generally accepted accounting principles (GAAP), direct write-downs on HTM and AFS debt securities are recorded when (1) a security’s fair value has declined below its amortized cost basis and (2) the impairment is deemed other-than-temporary. This assessment must be completed on an individual debt security basis. Providing a general allowance for unidentified impairment in a portfolio of securities is not appropriate. The previous amortized cost basis less the other-than-temporary impairment (OTTI) recognized in earnings becomes the new amortized cost basis and subsequent recoveries of OTTI may not be directly reversed into interest income. Rather, subsequent recoveries of credit losses must be accreted into interest income.

CECL: Held-to-maturity securities

Then comes along CECL  and changes everything. Once the CECL standard is implemented, expected losses on HTM debt securities will be recorded immediately through an allowance for credit loss (ACL) account, rather than as a direct write-down of the security’s cost basis. These securities should be evaluated for risk of loss over the life of the securities. Another key difference from current GAAP is that securities with similar risk characteristics will need to be assessed for credit losses collectively, or on a pool basis, not on an individual basis as currently prescribed. Also, contrary to current GAAP, since expected losses will be recorded through an ACL account, subsequent improvements in cash flow expectations will be immediately recognized through earnings via a reduction in the ACL account. CECL effectively eliminates the direct write-down method, with write-offs only occurring when the security, or a portion thereof, is deemed to be uncollectible. 

In practice, there may be some types of HTM debt securities that your institution believes have no risk of nonpayment and thus risk of loss is zero. An example may be a US Treasury debt security or possibly a debt security guaranteed by a government-sponsored enterprise, such as Ginnie Mae or Freddie Mac. In these instances, it is acceptable to conclude that no allowance on such securities is necessary. However, such determination should be documented and changes to the credit situation of these securities should be closely monitored.

Financial institutions that have already implemented CECL have appreciated its flexibility; however, just like anything else, there are challenges. One of the biggest questions that has risen is related to complexity, specifically from financial statement users in regards to the macroeconomic assumptions used in models. Another common challenge is comparability to competitors’ models and estimates. Each financial institution will likely have a different methodology when recording expected losses on HTM debt securities due to the judgment involved. These concerns are not unique to the ACL on HTM debt securities but are nonetheless concerns that will need to be addressed. A description of the methodology used to estimate the ACL, as well as a discussion of the factors that influenced management’s current estimate of expected losses must be disclosed in the financial statements. Therefore, management should ensure adequate information is provided to address financial statement users’ concerns.  

CECL: Available-for-sale securities

Upon CECL adoption, you are also expected to implement enhancements to existing practices related to AFS debt securities. Recall that AFS debt securities are recorded at fair value through accumulated other comprehensive income (AOCI). This will not change after adoption of the CECL standard. However, the concept of OTTI will no longer exist. Rather, if an AFS debt security’s fair value is lower than its amortized cost basis, any credit related loss will be recorded through an ACL account, rather than as a direct write-down to the security. This ACL account will be limited to the amount by which fair value is below the amortized cost basis of the security. Credit losses will be determined by comparing the present value of cash flows expected to be collected from the security with its amortized cost basis. Non-credit related changes in fair value will continue to be recorded through an investment contra account and other comprehensive income. So, on the balance sheet, AFS debt securities could have an ACL account and an unrealized gain/loss contra account. The financial institution will be responsible for determining if the decline in the value below amortized cost is the result of credit factors or other macroeconomic factors. In practice, the following flowchart may be helpful:

Although changes to debt securities may not be top of mind when working through CECL implementation, ensuring you reserve time to understand and assess the impact of these changes is important. Depending on the significance and composition of your institution’s debt security portfolio, these changes may have a significant impact on your financial institution’s financial statements from CECL adoption forward. For more information, visit the CECL page on our website. If you would like specific answers to questions about your CECL implementation, please visit our Ask the Advisor page to submit your questions.

Article
Don't forget about me! Changes in debt security accounting resulting from CECL 

Read this if you are at a financial institution.

While documentation of your CECL implementation and ongoing practices is essential to a successful outcome, it can sometimes feel like a very tall order when you are building a new methodology from the ground up. It may help to think of your CECL documentation as your methodology blueprint. While others will want to see it, you really need it to ensure that what you are building is well-designed, structurally sound, appropriately supported, and will hold up to subsequent “renovations” (model changes or tweaks). To help you focus on what’s essential, consider these documentation tips:

Getting started

Like any good architect, you need to understand the expectations for your design—what auditors and regulators want to see in your documentation. Two resources that can really help are the AICPA Practice Aid: Allowance for credit losses-audit considerations1, and the Interagency Supervisory Guidance on Model Risk Management2. One way to actively use these guides is to take note of the various section/subject headers and the key points, ideas, and questions highlighted within each, and turn that into your documentation checklist. You’ll also want to think strategically about where to keep the working document, who needs access to it, and how to maintain version control. It is also a good idea to decide up-front how you will reference, catalog, and store the materials (e.g., data files, test results, analyses, committee minutes, presentations, approvals, etc.) that helped you make and capture final decisions. You can download our CECL Documentation checklist now.   

What to watch out for

What’s new under CECL are areas requiring documentation (e.g., broader scope of “financial assets,” prepayments, forecasts, reversion, etc.). But watch out for elements that seem familiar—they may now have a new twist (e.g., segmentation, external data, Q factors, etc.). It’s a good idea to challenge any documentation from the past that you feel could be re-purposed or “rolled into” your CECL documentation. Be prepared also to spend time explaining or customizing vendor-provided documents (e.g., model design and development, data analysis memos, software procedures, etc.). 

While this material can give you a running start, they will not on their own satisfy auditor and regulator expectations. Ultimately, your documentation will need to reflect your own understanding and conclusions: how you considered, challenged, and got comfortable with the vendor’s work; what validations and testing you did over that work, and how you’ve translated this into policies and procedures appropriate for your institution’s operations, workflows, governance, and controls. For more information on making the vendor decision, and for suggestions of vendor selection criteria, read our previous article “CECL Readiness: Vendor or no vendor?” 

Point of view

It is human nature, especially whenever entering new territory, to want to know how others are approaching the task at hand. Related to CECL, networking, joining peer discussion groups, researching what and how those who have already adopted CECL are disclosing, are all great ways to see possibilities, learn, and gain perspective. When it comes to CECL documentation, however, the most important point of view to communicate is that of your institution’s management. Consider the difference in these two documentation approaches: (a) we looked at what others are doing, this is what most of them seem to be doing, so we are too; or (b) this is what we did and why we feel this decision is the best for our portfolio/risk profile; as part of our decision-making process, we did this type of benchmarking and discovered this. Example b is stronger documentation: your point of view is the primary focus, making it clear you reached your own conclusions. 

Other elements for CECL documentation

Documenting your CECL implementation, methodology, and model details is critical, but not the only documentation expected as you transition to CECL. It has been said that CECL is a much more enterprise-wide methodology, meaning that some of the model decisions or inputs may require you use data and assumptions traditionally controlled in other departments and for other purposes. One common example of this is prepayments. Up to this point, prepayment data may have been something between management and a vendor and used for management discussion and planning, but not necessarily validated, tested, or controlled for in the same way as your loss model calculations. Under CECL, this changes specifically because it is now an input into the loss estimate that lands in your financial statements. As a result, prepayments would be subject to, for example, “accuracy and completeness” considerations, among others (for more information on these expectations, refer to our earlier articles on data and segmentation). Prepayments is just one example, but does illustrate how CECL adoption will likely trigger updates to policies, procedures, governance, and controls across multiple areas of the organization.    

One final note: There are some new financial statement disclosures required with CECL adoption. Beyond those, there may be other CECL-related information either you want to share, or your audit/tax firm recommends be disclosed. Consulting with your auditor at least a quarter prior to adoption will help make sure you aren’t scrambling last minute to draft new language or tables.  

Struggling with CECL documentation or other elements of CECL? 

No matter what stage of CECL readiness you are in, we can help you navigate the requirements as efficiently and effectively as possible. For more information, visit the CECL page on our website. If you would like specific answers to questions about your CECL implementation, please visit our Ask the Advisor page to submit your questions.

For more tips on documenting your CECL adoption, stay tuned for our next article in the series. You can also follow Susan Weber on LinkedIn.

1You can find the AICPA Practice Aid here.
2The interagency guidance was released as OCC Bulletin 2011-12, FRB SR 11-7, and as FDIC FIL 22-2017

 

Article
CECL documentation: Your methodology blueprint

Read this if you are a not-for-profit organization.

With springtime upon us, it may be difficult to start thinking about this upcoming fall, but that is exactly what many folks in the nonprofit sector are starting to do. The reason for this? It’s because 2022 brings with it the mid-term election cycle. While technically an off-year election, many congressional and gubernatorial races are being contested, in addition to a myriad of questions that will appear on ballots across the country. It is around this time of year we start to see many questions from clients in the nonprofit sector in the area of political campaign activities, lobbying (both direct and grassroots), and education/advocacy.

This article will discuss the three major types of activities nonprofit organizations may or may not undertake in this arena and will offer guidance to give organizations the vote of confidence they need to not run afoul of the potential pitfalls when it comes to undertaking these activities.

Political campaign activity

Political campaign activities include participating or intervening in any political campaign on behalf of (or in opposition to) any candidate for elective public office, be it at the federal, state, or local level. Examples of such activities include contributions to political campaigns as well as making public statements in favor of or in opposition to any candidate. The IRS explicitly prohibits section 501(c)(3) organizations from conducting political campaign activities, the consequence of doing so being loss of exempt status. However, other types of exempt organizations (such as 501(c)(4) organizations) are allowed to engage in such activities, so long as those activities are not the organization’s primary activity. Only Section 527 organizations may engage in political campaign activities as their primary purpose. 

Direct lobbying

Direct lobbing activities attempt to influence legislation by directly communicating with legislative members regarding specific legislation. Examples of direct lobbying include contacting members of Congress and asking them to vote for or against a specific piece of legislation.

Grassroots lobbying

Grassroots lobbying, on the other hand, attempts to influence legislation by affecting the opinions of the general public and include a call to action. Examples of grassroots lobbying include requesting members of the general public to contact their representatives to urge them to vote for or against specific legislation.  

A quick way to remember the difference:
Political = think “P” for People – advocating for or against a specific candidate 
Lobbying = think “L” for Legislation – advocating for or against a specific bill

Education/advocacy

Organizations may engage in activities designed to educate or advocate for a particular cause so long as it does not take a specific position. For example, telling members of Congress how grants helped constituents would be considered an educational activity. However, attempting to get a member of Congress to vote for or against specific piece of legislation that would affect grant funding would be considered lobbying. Another example would be educating or informing the general public about a specific piece of legislation. Organizations need to be mindful here as taking a specific position one way or the other would lend itself to the activity being deemed to be lobbying, and not merely education of the general public. There is no limit on how much education/advocacy activity a nonprofit organization may conduct.

Why does this matter?

As you can see, there is a very fine line between lobbying and education, so it is important to understand the differences so that an organization conducting educational activities does not inadvertently end up conducting lobbying activities.

Organizations exempt under Code Section 501(c)(3) can conduct only lobbying activities that are not substantial to its overall activities. A 501(c)(3) organization may risk losing its exempt status and may face excise taxes on the lobbying expenditures if it is deemed to be conducting excess lobbying, whereas section 501(c)(4), (c)(5), and (c)(6) organizations may engage in an unlimited amount of lobbying activity.

What is substantial?

Unfortunately, there is no bright line test for determining what is considered substantial versus insubstantial. As an industry standard, many practitioners have taken a position that insubstantial means five percent or less of total expenditures, but that position is not codified and could be challenged by the IRS. 

Section 501(c)(3) organizations that intend to conduct lobbying activities on a regular basis may want to consider making an election under Code Section 501(h). This election is only applicable to 501(c)(3) organizations and provides a defined amount of lobbying activity an organization may conduct without jeopardizing its exempt status or becoming subject to excise tax. The 501(h) election limit is based on total organization expenditures with a maximum allowance of $1 million for “large organizations” (defined as an organization with total expenditures over $17,000,000). 

While the 501(h) election provides some clarity as to how much lobbying activity can be conducted, it may be prohibitive for some organizations whose total expenditures greatly exceed the $17,000,000 threshold. Another item to be aware of is that the lobbying threshold applies to all members of an affiliated group combined, which means the entire group shares the maximum threshold allowed. 

Another option for those engaging in lobbying is to create a separate entity (such as a 501(c)(4) organization) which conducts all lobbying activities, insulating the 501(c)(3) organization from these activities. As previously mentioned, organizations exempt under Code Section 501(c)(4) can conduct an unlimited amount of lobbying activities but can only conduct limited political campaign activities.

What about political campaign activities?

Section 527 organizations, known as political action committees, are exempt organizations dedicated specifically to conducting political campaign activities. If a 501(c)(4), (c)(5), or (c)(6) organization makes a contribution to a 527 organization, it may be required to file a Form 1120-POL and be subject to tax at the corporate tax rate (currently a flat 21%) based on the lesser of the political campaign expenditures or the organization’s net investment income. State income taxes may also be applicable. Section 501(c)(3) organizations may not make contributions to 527 organizations. 

If your organization is considering participation in any of the above activities, we would recommend you reach out to your not-for-profit tax team for additional information. We’re here to help!

Article
Lobbying and politics and education, oh my!

Read this if you are at a financial institution.

This article is part of our series on CECL implementation. You can read previous articles in the CECL series here

Segments, sub-segments, pools, cohorts—by whatever name you call it, grouping loans (and other financial instruments) for CECL1 is kind of a big deal. Like choosing an inner circle of friends, creating effective loan pools can have a lot of influence over your CECL experience, from methodology decisions to your allowance estimates. As a CECL adopter, you are expected to evaluate, support, and document segmentation choices (no such requirement for your inner circle of friends!), even if you plan to use the same segmentation in place today. To do so successfully, consider these segmentation ABCD’s:

A: Accuracy and completeness of data

The accuracy and completeness of data used to determine the most appropriate segmentation under CECL covers a lot of ground – everything from what information you considered to be relevant and why, to where the data came from and how it was determined to be valid (aka accurate and complete). CECL requires loans sharing similar risk characteristics2 to be pooled together for “collective evaluation”; examples include loans with similar terms and structures, lien position on collateral (e.g. first, or junior lien), or collateral use (e.g. owner-occupied or investment real estate). As a result, “accuracy and completeness” applies not only to the data you rely on to pool loans, but also to what you determined the common risk characteristics to be, why those, what others you identified but ultimately didn’t use, and why. Read our earlier article, CECL Adoption: The five W's of data, for more information on data considerations.

B: Balance between granularity and significance

Striking a balance between how many segments you create and the significance of doing so can be a little like trying to achieve the “just right” goal of Goldilocks. For example, is pooling all your consumer loans together most aligned with your past loss experience, or does the type of collateral also influence your risk of loss? How far is too far (real estate, cars, boats, RV’s, tractors)? At what point does it become difficult to consistently demonstrate or predict meaningful differences in risk of loss for each? Several sections of the standard address this need to balance detail with what is useful3. In this way pools should be small enough that the risk characteristics they share are relevant to estimating inherent risk, but not so small as to be confusing, misleading, or not able to be modeled consistently over time. Being aware of how small a pool is in terms of the number of loans it consistently contains may be one consideration for whether or not the segmentation is too granular. 

C: Controls over the selection of risk characteristics

Your segmentation choices will likely have far-reaching effects on other key decisions in your CECL methodology. Model selection, qualitative adjustments, and even if/what/how external or peer data may apply are examples of what could be impacted by your segmentation selection.  As a result, and in addition to the above, your auditors and regulators will want to see evidence the risk characteristics driving your segmentation choices were robustly reviewed, challenged, tested, and documented. Further, they will want to see that you have a similar systematic approach in place, and ongoing, to identify when a loan no longer shares the defined risk characteristics of its segment, resulting in its removal from the pool to be assessed individually.4  

D: Documentation tips

Documentation is like exercise—you know you should do it, but sometimes you don’t make it a priority. CECL opens the door for all kinds of documentation expectations, so coming up with a way to do this as you work through implementation can save you a lot of headache later. For segmentation, setting up a simple spreadsheet with the ABC’s to the left and columns to the right to list data, testing, key considerations, decisions, approvers, and even links to supporting evidence (data files, governance memos, etc.) is but one example of how you might keep track of these items as you work. Be sure to include any assumptions you had to make along the way (e.g. how you handled missing information on old or purchased loans), or aggregations (larger-level pools than you might have preferred) you accepted and why.

Finally, while you may be checking out what segmentation others in the industry are using—which will vary as it does today—what you’ll want to document most is why the choices you made are right for your institution.

For more tips on documenting your CECL adoption, stay tuned for our next article in the series on documentation. You can also follow Susan Weber on LinkedIn.

No matter what stage of CECL readiness you are in, our Financial Institutions team is here to help you navigate the requirements as efficiently and effectively as possible. If you would like specific answers to questions about your CECL implementation, please visit our Ask the Advisor page to submit your questions.

1Current Expected Credit Loss (CECL) methodology as provided for in the Financial Accounting Standards Board (FASB) Accounting Standards Update (ASU) Financial Instruments-Credit Losses Topic 326, commonly referred to as FASB ASU 326. A copy of the standard is available for download from the FASB website.
2Refer to FASB ASU 326-20-55-5
3Examples include FASB ASU 326-20-50-3, 326-20-55-10, and 326-20-55-11 (for financing receivables)
4Refer to FASB ASU 326-20-30-2

Article
CECL implementation: Segmentation ABCD's

Read this if you have a cybersecurity program.

This week President Joe Biden warned Americans about intelligence that indicated Russia may be preparing to conduct cyberattacks on our private sector businesses and infrastructure as retaliation for sanctions applied to the Russian government (and the oligarchs) as punishment for the invasion of Ukraine. Though there is no specific threat at this time, President Biden’s warning has been an ongoing message since the invasion began. There is no need to panic, but this is a great time to re-visit your current security controls. Focusing on basic IT controls goes can make a big difference in the event of an attack, as hackers tend to go after the easy, low hanging fruit. 

  1. Access controls
    Review and understand how all access to your networks is obtained by on-site employees, remote employees, and vendors and guests. Make sure that users are maintaining strong passwords and that no user is connecting remotely to any of your systems without some form of multi-factor authentication (MFA). MFA can come in the form of a token (in hand or built-in) or as one of those numerical codes you have delivered to your phone or email. Poor access controls are simply the difference between leaving your house unlocked versus locked when you leave to go somewhere. 
  2. Patching
    One of the most common audit findings we have to date and one of the biggest reasons behind successful attacks is related to unpatched systems. Software patches are issued by software providers to address vulnerabilities in systems that act as an unlocked door to a hacker, and allow hackers to leverage the vulnerability as a way to get into your systems. Ensuring your organization has a robust patch management program in place and that systems are up-to-date on needed patches is critical to your security operations. Think of an unpatched system like a car with a broken window—sure the door is locked, but any thief can reach through the broken window and unlock the car. 
  3. Logging 
    Account activity, network traffic, system changes—these are all things that can be easily logged and with the right tools, configured to alert you to suspicious activity. Logging that is done correctly can alert management to suspicious activity occurring on your network and notifies your security team to investigate the issue. Consider logging and alerting like your home’s security camera. It may alert you to the activity outside, but someone still needs to review the footage and react to it to mitigate the threat.  
  4. Test backups and more
    Making sure that your systems are successful backed up and kept separate from your production systems is a control we are all familiar with. Organizations should do more than just make sure their backups are performed nightly and maintained, but need to make sure that those data backups can be restored back to a useable state on a regular basis. More so than backups, we also often hear in the work we do that our client’s test only parts of their disaster recovery and failover plans—but have never tested a full-scale fail-over to their backup systems to determine if the failover would be successful in the event of an event or disaster. Organizations shouldn’t be scared to do a full-scale failover test, because when the time comes, you may not have the option to do a partial failover and just hope that it occurs successfully. Not testing your backups is like not test driving a car before you buy it. Sure it looks nice in the lot, but does it actually run? 
  5. Incident Management Plan 
    We often review Incident Management Plans as part of the work we do, and often note that the plans are outdated and contain incorrect information. This is an ideal time to make sure your plans are current and reflect changes that may have occurred, like your increasingly remote work force, or that systems have changed. An outdated Incident Management Plan is like being sick and trying to call your doctor for help only to find out your doctor has retired. 
  6. Training—phishing attacks
    Hackers’ most common approach to gain access to systems and deploy crippling ransomware attacks is through phishing campaigns via email. Phishing campaigns trick a user into either providing the hacker with credentials to log into systems or to download malware that could turn into ransomware through what appears to be legitimate business correspondence. Training end-users on what to look for in verifying an email’s authenticity is critical and should be seen as an opportunity that benefits the entire organization. Testing users is also critical so management understands the current risk and what is needed for additional training. Security teams should also have other supporting controls to help prevent phishing emails and detection tools in place in case a user does fall for an email. Not training your employees on security is like not coaching your little league team on how to play baseball and then being surprised you didn’t win the game because no one knew what to do. 

In the current environment, information security is an asset to any organization and needs to be supported so that you can protect your organization from cyberattacks of all kinds. While we can never guarantee that having controls in place will prevent an attack from occurring, they make it a lot more challenging for the hacker. One more analogy, and then I’m done, I promise. Basic IT controls are like speedbumps in a neighborhood. While they keep most people from speeding (and if you hit them too fast they do a number on your car), you can still get over them with enough motivation. 

If you have questions about your cybersecurity controls, or would like more information, please contact our IT security experts. We’re here to help.

Article
Cyberattack preparation: A basics refresher