
Best practices for financial institution contracts with technology providers

As the financial services sector moves in an increasingly digital direction, you cannot overstate the need for robust and relevant information security programs. Financial institutions place more reliance than ever on third-party technology vendors to support core aspects of their business, and in turn place more reliance on those vendors to meet the industry’s high standards for information security. These include those in the Gramm-Leach-Bliley Act, Sarbanes Oxley 404, and regulations established by the Federal Financial Institutions Examination Council (FFIEC).

LIBOR is leaving—is your financial institution ready to make the most of it?

In July 2017, the UK’s Financial Conduct Authority announced the phasing out of the London Interbank Offered Rate, commonly known as LIBOR, by the end of 2021. With less than two years to go, US federal regulators are urging financial institutions to start assessing their LIBOR exposure and planning their transition. Here we offer some general impacts of the phasing out, specific actions your institution can take to prepare, and, finally, some background on how we got here (see Background at right).

Best Practices for Educating Your Financial Institution’s Board of Directors on Cybersecurity

According to Cybersecurity Ventures, cybercrime will account for $6 trillion annually by 2021—that’s more than the global trade of all major illegal drugs combined. Data breaches and other information security events adversely impact organizations through significant losses in revenue, erosion of customer trust, substantial remediation costs, increased insurance premiums, and more.

In auditing, the concept of professional skepticism is ubiquitous. Just as a Jedi in Star Wars is constantly trying to hone his understanding of the “force”, an auditor is constantly crafting his or her ability to apply professional skepticism. 

All teams experience losing streaks, and all franchise dynasties lose some luster. Nevertheless, the game must go on. 

Reading through the 133-page exposure draft for the Proposed Statement on Auditing Standards (SAS) Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA, issued back in April 2017, and then comparing it to the final 100+ page standard approved in September 2018, may not sound like a fun way to spend a Sunday morning sipping a coffee (or three), but I disagree.

Artificial Intelligence, or AI, is no longer the exclusive tool of well-funded government entities and defense contractors, let alone a plot device in science fiction film and literature. Instead, AI is becoming as ubiquitous as the personal computer. 

The world of professional sports is rife with instability and insecurity. Star athletes leave or become injured; coaching staff make bad calls or public statements. The ultimate strength of a sports team is its ability to rebound. The same holds true for other groups and businesses.

Any sports team can pull off a random great play. Only the best sports teams, though, can pull off great plays consistently — and over time. The secret to this lies in the ability of the coaching staff to manage the team on a day-to-day basis, while also continually selling their vision to the team’s ownership.

A professional sports team is an ever-changing entity. To have a general perspective on the team’s fluctuating strengths and weaknesses, a good coach needs to trust and empower their staff to discover the details. Chapter 5 in BerryDunn’s Cybersecurity Playbook for Management looks at how discovery can help managers understand their organization’s ever-changing IT environment. 

Just as sports teams need to bring in outside resources — a new starting pitcher, for example, or a free agent QB — in order to get better and win more games, most organizations need to bring in outside resources to win the cybersecurity game.

It may be hard to believe some seasons, but every professional sports team currently has the necessary resources — talent, plays, and equipment — to win. The challenge is to identify and leverage them for maximum benefit.

It’s one thing for coaching staff to see the need for a new quarterback or pitcher. Selecting and onboarding this talent is a whole new ballgame. Various questions have to be answered before moving forward: 

For professional baseball players who get paid millions to swing a bat, going through a slump is daunting. The mere thought of a slump conjures up frustration, anxiety and humiliation, and in extreme cases, the possibility of job loss.

Are you in control? Preparing the internal control documentation required by the COSO framework can be difficult and daunting for some financial institutions.

On June 16th the FASB issued the final standard for credit losses. We’ve analyzed the new standard and pulled together some key items you’ll need to know:

When last we blogged about the Financial Accounting Standards Board’s (FASB) new “current expected credit losses” (CECL) model for estimating an allowance for loan and lease losses (ALLL), we reviewed the process for developing reasonable and supportable forecasts for use in establishing the ALLL. 

Recently, federal banking regulators released an interagency financial institution letter on CECL, in the form of a Q&A. Read it here

By now, pretty much everyone in the banking industry has heard plenty of talk about CECL – the forthcoming “Current Expected Credit Loss” model of accounting for an institution’s allowance for loan losses (ALL).

Financial fraud by the numbers. In a June 2016 Gallup poll, 72 percent of respondents said they had “very little” or only “some” confidence in banks.

By now you have heard that the Financial Accounting Standards Board’s (FASB) answer to the criticism the incurred-loss model for accounting for the allowance for loan and lease losses faced during the financial crisis has been released in its final form. 

Why it can happen to you and how to protect yourself. We’ve all seen the headlines. Stories about not-for-profit fraud have been popping up in the news, and the statistics confirm what you might have suspected: fraud in the not-for-profit sector is on the rise.

Welcome to part two of our article on nonprofit fraud. If you missed our first installment, you can read it here.

It’s Monday morning. You grab a cup of coffee and flip on the local morning news before you get ready for work. 

Read this if you are an engineering or architecture firm working with government agencies reimbursing overhead established in an overhead rate schedule based on direct labor.

We are approaching the end of 2020 and we still don’t have final and authoritative guidance from the U.S. Department of Treasury and the Office of Management and Budget about how to treat the PPP loan forgiveness. Will the Federal Acquisition Regulation, Part 31.201-5, Credits, apply and drastically diminish overhead rates for 2020? Will any credit follow the timing of legal forgiveness? Will you be required to offset subsequent forgiveness against 2020 expenses? 

The lobbyists are hard at work fighting any offset. Will they gain legislative support or will a compromise be negotiated? In the face of so many unknowns, we encourage companies to plan for potential outcomes of this unique situation in order to avoid unwanted surprises in the years to come. What can be done now? Let’s first explore trends we’ve observed for A/E firms for this year:

  • Certain costs, such as travel, meals, seminars and overall office expenses, are lower in 2020 with many employees working from home. 
  • Employees are traveling less and are not participating in networking events; they are focusing more of their time on chargeable work. As a result, utilization rates are higher in 2020 compared to recent years. A 1% change in utilization generally results in an approximate 4% directional change in overhead rate. 

These lower spending, higher chargeability trends are pushing overhead rates down considerably for 2020 and, likely too, for 2021. Depending on the type and the length of projects contracted to include those overhead rates, resulting profitability will also be lower for a few more years when indirect costs increase to normal levels. Proper planning is extremely important in this situation. Here are some questions to ask when considering your options:

  • Are there opportunities to negotiate the project price or terms so project profitability is maintained? Can you negotiate higher labor rates or a fixed overhead rate? 
  • If there isn’t any room for negotiations on projects using actual audited overhead rates, should your company focus business development efforts on bidding on or seeking and forming strategic partnerships to pursue more non-governmental projects? 
  • If the company remains profitable and realizes savings in certain costs this year, can you find ways to spend and increase allowable indirect costs while simultaneously strengthening your company? Can you award higher employee bonuses to boost employee morale and help retain great talent? Or maybe now is the time to ramp up cybersecurity training to strengthen IT controls and employee awareness of how to prevent, detect, and respond to cyber threats or invest in cyber penetration testing. 

Targeted spending on allowable costs will help elevate your overhead rate and help position your company to emerge stronger post-pandemic. If you need any help modeling expected overhead rates or have questions about allowable overhead costs, please contact Estera or Linda. We're here to help. 

Article
Planning for overhead rate changes: Considerations and strategies

Read this if you are a Financial Operations Principal or in the compliance department.

On July 30, 2013 the Securities and Exchange Commission (SEC) amended certain reporting, audit, and notification requirements for broker-dealers registered with the SEC. Among other things, these amendments required broker-dealers to file one of two new reports with the SEC—a compliance report, if the broker-dealer did not claim it was exempt from Rule 15c3-3 under the Securities Exchange Act of 1934, or an exemption report if the broker-dealer did claim it was exempt from Rule 15c3-3 throughout the fiscal year. The Division of Trading and Markets of the SEC came out with frequently asked questions regarding the amendments made on July 30, 2013 and periodically updates this list of frequently asked questions. This list was updated July 1, 2020. Here are some of the most notable changes to the FAQs. For the full list, click here.

Exemption provisions

As noted above, a broker-dealer may claim exemption from Rule 15c3-3. Paragraph (k) of Rule 15c3-3 outlines four exemption provisions: (k)(1), (k)(2)(i), (k)(2)(ii), and (k)(2)(iii). Exemption provision (k)(1) may be claimed by broker-dealers that only perform direct-way mutual fund or variable annuity business. If the broker-dealer performs any other type of business, this exemption may not be claimed. Exemption provision (k)(2)(i) is commonly seen as a catch-all for broker-dealers whose businesses don’t qualify for a different exemption. However, to qualify, the broker-dealer cannot carry margin accounts, must promptly transmit all customer funds and deliver all securities received, and cannot otherwise hold funds or securities for, or owe money or securities to, customers. All transactions must be completed through one or more bank accounts specially designated for such transactions. Exemption provision (k)(2)(ii) is for broker-dealers that introduce transactions to a carrying broker-dealer on a fully disclosed basis. Lastly, exemption provision (k)(2)(iii) may be granted by the SEC upon written application by a broker-dealer. However, the SEC has never granted such an exemption.

Exemption report prohibitions

In some instances, a broker-dealer may not meet any of the exemption provisions of paragraph (k) of Rule 15c3-3. However, the broker-dealer may have also not held customer securities or funds during the fiscal year and therefore not be required to file a compliance report. In these instances, the broker-dealer should file an exemption report, along with a corresponding accountant’s report based on a review of the exemption report. 

Since the broker-dealer has not claimed an exemption under paragraph (k) of Rule 15c3-3, its exemption report should include a description of all the broker-dealer’s business activities and a statement that during the reporting period the broker-dealer (1) did not directly or indirectly receive, hold, or otherwise owe funds or securities for or to customers, other than money or other consideration received and promptly transmitted in compliance with paragraph (a) or (b)(2) of Rule 15c2-4; (2) did not carry accounts of or for customers; and (3) did not carry a proprietary securities account of a broker or dealer (PAB accounts, as defined in Rule 15c3-3). Furthermore, on the broker-dealer’s FOCUS report, items 4550, 4560, 4570, and 4580 should be left blank.

Broker-dealers with multiple lines of business

Non-carrying broker-dealers may have multiple lines of business with customers. For instance, a broker-dealer may introduce some customer transactions to a carrying broker-dealer on a fully disclosed basis and also provide M&A transaction services. For the former, a (k)(2)(ii) exemption would be most appropriate. However, in the latter, a (k)(2)(i) exemption would be most appropriate. In these cases, it is common for the broker-dealer to disclose the exemption that best fits their primary line of business. However, the SEC has indicated the broker-dealer should disclose both exemption provisions in these instances, including any exceptions under either exemption. Each exemption provision being claimed should also be indicated on the broker-dealer’s FOCUS report. 

Similarly, some broker-dealers may provide activities that qualify under one or more of the exemption provisions of Rule 15c3-3 as well as activities that involve the activities described in items 1, 2, and 3 above. In these instances, the broker-dealer would not qualify for exemption from Rule 15c3-3 and would be required to file a compliance report with a corresponding accountant’s report based on an examination of the compliance report.

The exemption provisions for broker-dealers can be difficult to navigate. Further exacerbating the difficulty of navigating the exemption provisions, each broker-dealer has a different set of circumstances. The SEC’s Division of Trading and Markets also acknowledges these difficulties, hence the creation of its FAQ list. Broker-dealers should refer to this list, in conjunction with Rule 15c3-3, to ensure compliance. If further clarification is needed, the broker-dealer should consult their Financial Industry Regulatory Authority (FINRA) representative. 

Article
The SEC updates its broker-dealer financial reporting rule FAQs 

Read this if your senior living facility is receiving Medicare payments.

A year ago the senior living industry was challenged with the transition to the Patient-Driven Payment Model (PDPM). In the months leading up to the implementation of PDPM, providers prepared for new regulations, conducted employee training, and forecasted financial performance. By all accounts the implementation of PDPM went off with very few glitches. 

That all changed in the beginning of 2020 when the coronavirus (COVID-19) pandemic upended the industry and Medicare occupancy levels diminished. COVID-19 overturned the way providers were providing care at their facilities. Providers have seen a decrease in utilization of therapy services and an increase in medical management cases. Providers anticipated delivering more concurrent physical therapy, which has become impossible with COVID-19. We understand how demanding COVID-19 related change management has been for skilled nursing facilities, and want to help you re-focus your attention on the critical tasks and procedures driving your Medicare reimbursement.

New federal fiscal year, new rates

The Medicare Final Rule for fiscal year 2021 did not contain any major policy changes to PDPM but did contain routine updates to coding and Medicare billing rates effective October 1, 2020. After changing Medicare billing rates, you should test your system by carefully reviewing a remittance advice and the accounts receivable report for October service dates. Look for any balances, big or small, to help ensure billing rates and contractuals are correct for all payers following Medicare rules. Note:

  • Small balances may indicate errors in system configuration, such as PDPM rates, sequestration, or value-based purchasing adjustment.
  • Larger balances may indicate a claim missed in the facility's triple-check meeting and billed at an incorrect PDPM rate. View the FFY2021 Medicare Rate Calculator.
  • Providers should review ICD-10 mappings on an annual basis for new and discontinued ICD-10 codes. 

Medicare Advantage plan enrollment is growing. What does it mean for your facility?

With the continuing growth of Medicare Managed Care/Advantage plans, it is important to review your facility’s contracts. 

  • Most Medicare Advantage programs have adopted PDPM, but have differing requirements for pre-authorizations and payment rates, so be sure you understand how each of these contracts reimburses your facility.
  • If there are new Medicare Advantage plans in your area, evaluate the need to negotiate a contract to admit patients covered by the new plan. 
  • Update the list of plans your facility contracts with:
    • Carefully review contract rates and request rate changes if the payor does not follow the Medicare fee schedule. 
    • To avoid denied claims, update contact information and understand preauthorization requirements and any patient status updates. Distribute the updated list to your admissions and case management teams.

Check on your MDS coordinator

  • With the COVID-related shift in responsibilities, we see an increase in MDS position turnover. We recommend reviewing or developing a backup for your MDS coordinator, as completion of MDS is critical for billing and regulatory compliance. 
  • If your facility has limited resources for backup, evaluate sub-contracting options or reach out to your state’s Health Care Association for available resources. 

Update your consolidated billing resources

Consolidated billing errors could result in significant reductions of your bottom line. CMS updates guidance on consolidated billing regularly. We recommend checking the CMS listing and ensuring your admissions, clinical, and medical records teams use up-to-date information for admission decisions and coordination of care with external health care providers. Get more information.

COVID-19 impact

  • CMS provided a number of flexibilities to help facilities with COVID-related care. Please note, a number of these provisions are temporary, and are only effective during the state of emergency. We recommend at least a monthly review of regulatory guidance to help ensure compliance. Get more information.
  • While the COVID-19 diagnosis and codes were not specifically incorporated into PDPM in the 2021 final rule, be sure to appropriately code isolation stays in the nursing component, and document additional costs of testing, PPE, and labor, as well as support for the need for skilled status, to protect against audit risk.

Have questions? Our Senior Living revenue cycle team is here to help. 

Article
Patient Driven Payment Model―A year later

Read this if you are a director or manager at a Health and Human Services agency in charge of modernizing your state's Health and Human Services systems. 

When states start to look at outdated Health and Human Services systems like Eligibility Systems or Medicaid Enterprise Systems, they spend a lot of time on strategic planning efforts and addressing technology deficiencies that set the direction for their agencies. While they pay a lot of attention to the technology aspects of the work, they often overlook others. Here are three to pay attention to: 

  1. Business process improvement
  2. Organization development
  3. Organizational change management

Including these important steps in strategic planning often improves the likelihood of an implementation of Health and Human Services systems that provide the fully intended value or benefit to the citizens they help serve. When planning major system improvements, agencies need to have the courage to ask other critical questions that, when answered, will help guarantee greater success upon implementation of a modernized system.

Don’t forget, it’s not only about new technology—it’s about gaining efficiencies in your business processes, structuring your organization in a manner that supports business process improvements, and helping the people in your organization and external stakeholders accept change.  

Business process improvement 

When thinking about improving business processes, a major consideration is to identify what processes can be improved to save time and money, and deliver services to those in need faster. When organizations experience inefficiencies in their business processes, more often than not the underlying processes and systems are at fault, not the people. Determining which processes require improvement can be challenging. However, analyzing your business processes is a key factor in strategic planning. Understanding the challenges in existing processes and their underlying causes, and developing solutions to eliminate or mitigate those causes, are essential to business process improvement.

Once you pinpoint areas of process improvement, you can move forward with reviewing your organization, classifying needs for potential organization development, and begin developing requirements for the change your organization needs.

Organization development

An ideal organizational structure fully aligns with the mission, vision, values, goals, and strategy of an organization. One question to ask when considering the need for organization development is, “What does your organization need to look like to support your state’s to-be vision?” Answering this question can provide a roadmap that helps you achieve:

  1. Improved outcomes for vulnerable populations, such as those receiving Medicaid, TANF, SNAP, or other Health and Human Services benefits 
  2. Positive impacts on social determinants of health in the state
  3. Significant cost savings through a more leveraged workforce and consolidated offices with related fixed expenses—and turning focus to organizational change management

Organization development does not stop at reviewing an organization’s structure. It should include reviewing job design, cultural changes, training systems, team design, and human resource systems. Organizational change is inherent in organization development, which involves integration of a change management strategy. When working through organization development, consideration of the need for organizational change should be included in both resource development and as part of the cultural shift.

Organizational change management

Diverging from the norm can be an intimidating prospect for many people. Within your organization, you likely have diverse team members who have different perspectives about change. Some team members will be willing to accept change easily; some will see the positive outcomes from change but have reservations about learning a new way of approaching their jobs; and others will be completely resistant to change. 

Successful organizational change management happens by allowing team members to understand why the organization needs to change. Leaders can help staff gain this understanding by explaining the urgency for change that might include:

  • Aging technology: Outdated systems sometimes have difficulty transmitting data or completing simple automated tasks.
  • Outdated processes: “Because we’ve always done it this way” is a red flag, and a good reason to examine processes and possibly help alleviate stressors created by day-to-day tasks. It might also allow your organization to take care of some vital projects that had been neglected because outdated processes took longer than necessary and left no time to address them.
  • Barriers to efficiency: Duplicative processes caused by lack of communication between departments within the organization, refusal to change, or lack of training can all lead to less efficiency.

To help remove stakeholder resistance to change and increase excitement (and adoption) around new initiatives, you must make constant communication and training an integral component of your strategic plan. 

Investing in business process improvement, organization development, and organizational change management will help your state obtain the intended value and benefits from technology investments and most importantly, better serve citizens in need. 

Does your organization have interest in learning more about how to help obtain the fully intended value and benefits from your technology investments? Contact our Health and Human Services consulting team to talk about how you can incorporate business process improvement, organization development, and organizational change management activities into your strategic planning efforts.

Article
People and processes: Planning health and human services IT systems modernization to improve outcomes

Read this if you have a responsibility for acquiring and implementing victim notifications for your jurisdiction.

In the first article of this three-part series we explored the challenges and risks associated with utilizing multiple victim notification systems across your state. In this article we will explore what the choices are to address these challenges. 

System elements to consider

Many jurisdictions are under the impression that there are only one or two choices for victim notification systems. Though there are certainly market leaders in this space, you should select a system model that best meets your jurisdiction’s profile. The profile may include some of these elements:

  • Risk aversion (i.e., How risk averse is your organization regarding system implementations?)
  • Budget (i.e., How will the initial project be funded? Does your jurisdiction prefer an annual subscription model, or a traditional perpetual license with annual maintenance and support fees?)
  • Staff (Who do you need to implement and maintain the operational system?)
  • Time (i.e., Are you already out of compliance with state statutes?)
  • Hosting environment (i.e., Do you want to host in the cloud or on premise?)
  • Victim notification reach (i.e., state-wide, single jurisdiction, multiple justice partners)
  • Victim notification policy and statute complexity
  • Data ownership (i.e., To what degree does your jurisdiction enable the selling of victim notification data outside of the jurisdiction?)

Victim notification solutions range from hosted commercial off-the-shelf (COTS) solutions, which are typically least expensive, to custom solutions developed to address jurisdiction-specific needs. The latter tend to be more expensive, riskier than turnkey solutions, and take longer to operationalize. However, if your jurisdiction has unique requirements for victim notification, this may be a viable option. Unless you plan to engage the development vendor in a long-term contract for maintenance of this type of system, you must consider the impact on your existing IT staff. “Platform” solutions are a hybrid of COTS and custom development. With these solutions, there is typically a platform (i.e., Customer Relationship Management or CRM) on which the victim notification system is developed. Using a platform de-risks the development of the application’s architecture, may be a slightly less costly approach, and may simplify the maintenance of a system that is addressing unique requirements.

You may also already have licenses for victim notification capabilities, and not even realize it. Some offender management systems (OMS), jail management systems (JMS), and even prosecution systems (that support victim advocacy functions) may have built-in victim notification functionality included for the licensing price you are currently paying, or may include the option to purchase an add-on module. 

Advantages of using victim notification capabilities packaged with an existing system may include:

  • Lower acquisition and maintenance costs
  • Tighter integration with the OMS, JMS, or prosecution system may result in more seamless utilization of offender and victim data
  • You have a single contract, with a single vendor, reducing contract management overhead

A likely disadvantage, however, is that the victim notification functionality may not be as robust as a point solution or custom-built system. Additionally, if the “reach” of the JMS is a single county, then victim notification capabilities built into your JMS may not suffice for statewide use. However, if the built-in functionality meets your needs, then this is certainly a viable path to consider.

As mentioned in the first article, regardless of your approach the integration between your victim notification system and the JMS, OMS, prosecution system, and court system is critical to reducing redundancy and increasing the timeliness with which both offender and victim data is entered into the victim notification system―and used to trigger the notifications themselves.

Determining the best option for your victim notification system

So how do you determine which choice is best for your jurisdiction? The first step is to determine your jurisdiction’s risk profile versus the need for jurisdiction-specific functionality. 

Mature market-based solutions are typically less risky to implement, since multiple jurisdictions are likely successfully using them to support their victim notification operations. However, these solutions may not be customizable or flexible enough to address your specific needs. 

“Build” models (using platform solutions or other application development models) tend to be a bit more risky (as many “from scratch” development projects can be); however these are more likely to address your specific needs. Here are a few questions that you should ask before making a determination between a COTS solution and a custom-build:

  1. Do we really have jurisdiction-specific victim notification needs?
  2. Can a COTS solution meet the statutes and policies in our jurisdiction?
  3. How risk-averse is our jurisdiction?
  4. Do we have time to develop a customized solution?
  5. Do we have the talent and capacity to maintain a custom solution?

Budget considerations

The next step is to determine your budget. We recommend you assess a budget over a 10-year total cost of ownership. The cost of a traditional, perpetual license-based COTS solution, including initial acquisition and implementation, will be higher in the first few years of use, but the ongoing annual fees will be lower. The cost of a custom-build solution will be even higher in the first few years, but annual maintenance should drop off dramatically. The cost of a subscription-based COTS solution will be relatively even year over year. However, if you model these costs over 10 years, you will have a reasonable sense for how these costs trend (i.e., the cost of a subscription-based model will likely be higher over 10 years than the perpetual license model). 

The other consideration is how you plan to fund the system. If there are capital funds in the budget for initial acquisition and implementation, this may benefit the perpetual license model more than the subscription-based model. Regardless of the funding approach, you will likely be using the selected victim notification method for a significant period of time, so don’t settle.

Finally, determine how to acquire the system (or systems integration vendor that will help you develop the system), which is the subject of the third article in our series.

If you have questions about your specific situation, please contact our Justice & Public Safety team. We’re here to help. To learn more about other choices in victim notification procedures and systems, stay tuned for our third article in this series where we explore the process (and pitfalls) of procuring a statewide victim notification system.

Article
Victim notification systems: What choice do you have?