The Financial Institutions Executive Briefing offers updates on financial reporting, governance, and risk management topics from Crowe. In each issue of this electronic newsletter, you will find abstracts of recent standard-setting activities and regulatory developments affecting financial institutions.
Priorities of the OCC’s midsize and community bank supervision team, in conjunction with other regulatory examiners, will be credit underwriting; stress testing for portfolios related to oil and gas; strategic risk; operational risk, including third-party relationships and the Cybersecurity Assessment Tool; AML compliance; change management in consumer compliance; interest-rate risk modeling; allowance for loan and lease losses; and horizontal risk assessments.
For larger banks, the OCC plans to target responsiveness to matters requiring attention, ongoing operational risk management, AML compliance that does not unduly limit financial inclusion, change management in consumer compliance, and complex credit underwriting.
In a speech on Sept. 28, 2016, at the annual Anti-Money Laundering and Financial Crime Conference, Comptroller of the Currency Thomas Curry stated that the OCC soon will issue guidance that formalizes its expectations for banks to routinely evaluate risk in their foreign correspondent banking portfolios.
Curry said that the upcoming guidance “reiterates our risk management expectations for banks to establish and follow policies and procedures for regularly conducting risk evaluations of their foreign correspondent portfolios.” Additionally, the guidance will include best practices that OCC examiners have observed, including risk governance for foreign correspondent accounts, communications to senior management, and consideration banks might give to “any adverse impact that closures may have on access to financial services for an entire group of customers or an entire region.”
According to Curry, other best practices will include communicating with customers while determining whether to end a relationship, providing sufficient time for customers to establish new accounts before termination, and maintaining clear audit trails documenting reasons for account termination.
The OCC issued final guidelines on recovery planning for the financial institutions it regulates with assets of $50 billion or more. Community banks will not be affected. The guidelines will be an appendix to the OCC’s safety and soundness regulations and will be enforceable by statute.
Under the guidelines, each covered bank is expected to develop and maintain a recovery plan appropriate for its own risk profile, size, activities, and complexity. Each recovery plan is expected to include an overview of the bank; qualitative and quantitative stress triggers that indicate when the recovery plan would be implemented; the range of recovery options for each trigger and how they would be implemented; assessments of how each option would affect the covered bank; escalation procedures; reports to management or board members as appropriate; and communications procedures.
Banks with assets of $750 billion or more will need to comply within six months of Jan. 1, 2017, banks with $100 billion to $750 billion in assets will have 12 months, and banks with $50 billion to $100 billion in assets will have up to 18 months to comply.
The Federal Reserve Board issued its final policy statement outlining the framework the agency will follow in setting the Countercyclical Capital Buffer (CCyB) for banking organizations that are subject to the advanced approaches capital rules. The policy outlines several factors the Fed will consider as it evaluates settings for the buffer and was effective on Oct. 14, 2016.
The CCyB is a tool by which the Fed can gradually raise the capital requirements on internationally active banking organizations – generally institutions with $250 billion or more in assets or more than $10 billion in on-balance sheet foreign exposures – when there is a risk of meaningfully above-normal losses in the future. The buffer, which will be phased in, would range from 0 percent of risk-weighted assets in times of moderate vulnerability to a maximum of 2.5 percent when risk is determined to be higher. Banks failing to meet the buffer will face restrictions on capital distributions and the payment of discretionary bonuses.
Under the framework, the Fed will take into account a range of financial system vulnerabilities and other factors, including leverage in the nonfinancial and financial sectors, maturity and liquidity transformation in the financial sector, and asset valuation pressures. The Fed also will monitor a number of financial and economic indicators to assess risk to financial stability, and it expects to reduce or remove the buffer when conditions warrant.
The FFIEC issued, on Sept. 9, 2016, a comprehensively revised version of the FFIEC Information Security booklet, which is part of the “FFIEC Information Technology Examination Handbook.” The revised booklet addresses assessing the level of risk to a financial services organization’s IT systems. It also describes an effective information security risk management program that includes risk identification, risk measurement, risk mitigation, and risk monitoring and reporting.
FinCEN issued, on Sept. 6, 2016, an advisory to financial institutions to help them identify and prevent email frauds. The advisory covers business email compromise, in which criminals target a business customer of a bank, and email account compromise, which is aimed at personal bank accounts. The hallmark of these frauds is that criminals compromise or impersonate email accounts to take advantage of the trust that employees or financial institutions place in existing customer relationships.
Since 2013, email compromise fraud has accounted for $3.1 billion in losses. “In some cases, financial institutions have absorbed losses through reimbursing customers victimized by e-mail compromise fraud,” FinCEN noted, adding that preventing these frauds requires collaboration among banks’ compliance, AML, fraud prevention, and cybersecurity teams.
Within the advisory, FinCEN identifies several red flags for email compromise fraud:
- Transaction instructions with languages, amounts, account information, authorizers, and email addresses different from those that usually are used
- Directions to deposit funds with a foreign bank previously implicated in such schemes
- Emails marked “urgent” or “secret” or otherwise trying to limit the time a financial institution would spend authenticating the transaction
- Follow-up transaction requests seeking additional payments into new accounts
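The red flags above can be turned into a simple triage check that a fraud or cybersecurity team runs against incoming payment instructions before release. The following Python is an added example written for this briefing, not code from FinCEN or the advisory; the customer baseline, the watchlist of implicated banks, the pressure phrases, the 3x amount threshold, and the sample requests are all constructed or assumed for illustration.

```python
"""Triage payment instructions against FinCEN's email-compromise red flags.

Added example. All data below (customer baseline, watchlist, sample requests)
is constructed; thresholds and phrase lists are assumptions, not FinCEN's.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CustomerProfile:
    """What this customer's wire instructions usually look like (constructed baseline)."""
    customer_id: str
    usual_sender_domains: frozenset   # email domains instructions normally come from
    usual_authorizers: frozenset      # people who normally approve payments
    usual_beneficiary_accounts: frozenset
    usual_language: str
    typical_amount: float


@dataclass(frozen=True)
class PaymentRequest:
    request_id: str
    customer_id: str
    sender_email: str
    authorizer: str
    beneficiary_account: str
    beneficiary_bank: str
    beneficiary_country: str
    amount: float
    language: str
    subject: str
    body: str
    follow_up_to: Optional[str] = None   # id of an earlier request this one follows


# Constructed watchlist; in practice this comes from the institution's fraud team.
IMPLICATED_FOREIGN_BANKS = frozenset({"example-offshore-bank"})

# Assumed phrasing that signals an attempt to limit authentication time.
PRESSURE_PHRASES = ("urgent", "secret", "confidential", "immediately",
                    "do not call", "keep this between us")

AMOUNT_DEVIATION_FACTOR = 3.0   # assumed: more than 3x the typical amount is unusual


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def red_flags(req: PaymentRequest, profile: CustomerProfile, prior: list) -> list:
    """Return the names of the red flags raised by one request."""
    flags = []
    # Red flag 1: language, amount, account, authorizer or sender differ from the norm.
    if req.language != profile.usual_language:
        flags.append("unusual_language")
    if req.amount > profile.typical_amount * AMOUNT_DEVIATION_FACTOR:
        flags.append("unusual_amount")
    if req.beneficiary_account not in profile.usual_beneficiary_accounts:
        flags.append("new_beneficiary_account")
    if req.authorizer not in profile.usual_authorizers:
        flags.append("unusual_authorizer")
    if _domain(req.sender_email) not in profile.usual_sender_domains:
        flags.append("unusual_sender_domain")   # catches look-alike domains too
    # Red flag 2: beneficiary bank previously implicated in such schemes.
    if req.beneficiary_bank.lower() in IMPLICATED_FOREIGN_BANKS:
        flags.append("implicated_foreign_bank")
    # Red flag 3: urgency or secrecy that discourages verification.
    text = f"{req.subject} {req.body}".lower()
    if any(phrase in text for phrase in PRESSURE_PHRASES):
        flags.append("time_pressure")
    # Red flag 4: follow-up request redirecting funds to yet another new account.
    if req.follow_up_to:
        earlier = next((p for p in prior if p.request_id == req.follow_up_to), None)
        if (earlier is not None
                and earlier.beneficiary_account != req.beneficiary_account
                and req.beneficiary_account not in profile.usual_beneficiary_accounts):
            flags.append("follow_up_new_account")
    return flags


def disposition(flags: list) -> str:
    """Assumed policy: an implicated bank or two or more flags forces an out-of-band callback."""
    if "implicated_foreign_bank" in flags or len(flags) >= 2:
        return "hold_for_callback"
    return "review" if flags else "release"


def triage(requests: list, profile: CustomerProfile) -> dict:
    """Process requests in order so follow-ups can see the requests before them."""
    results, seen = {}, []
    for req in requests:
        flags = red_flags(req, profile, seen)
        results[req.request_id] = (flags, disposition(flags))
        seen.append(req)
    return results


# Constructed sample data: one normal request, one classic BEC, one follow-up.
PROFILE = CustomerProfile("C-1001", frozenset({"acme-example.com"}),
                          frozenset({"J. Doe (CFO)"}), frozenset({"ACCT-111", "ACCT-222"}),
                          "en", 25_000.0)
LEGIT = PaymentRequest("R-1", "C-1001", "ap@acme-example.com", "J. Doe (CFO)", "ACCT-111",
                       "domestic-example-bank", "US", 24_500.0, "en", "Invoice 4471",
                       "Please wire per the attached invoice.")
SUSPICIOUS = PaymentRequest("R-2", "C-1001", "j.doe@acme-examp1e.com", "J. Doe (CFO)", "ACCT-999",
                            "example-offshore-bank", "ZZ", 180_000.0, "en",
                            "URGENT - confidential acquisition",
                            "Need this sent immediately, do not call the office about it.")
FOLLOW_UP = PaymentRequest("R-3", "C-1001", "j.doe@acme-examp1e.com", "J. Doe (CFO)", "ACCT-888",
                           "another-foreign-bank", "ZZ", 40_000.0, "en", "Second payment",
                           "Send the next installment to the new account.", follow_up_to="R-2")

if __name__ == "__main__":
    for rid, (flags, action) in triage([LEGIT, SUSPICIOUS, FOLLOW_UP], PROFILE).items():
        print(rid, action, flags)
```

The point of the baseline is that most of FinCEN's indicators are deviations from what a specific customer usually does, so the check needs per-customer history rather than global rules; the look-alike sender domain in the constructed sample is caught only because the baseline records the real one.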
In a letter to the Commission on Enhancing National Cybersecurity, the Financial Services Sector Coordinating Council (FSSCC) offered five recommendations for mitigating the increasingly advanced threats related to cyber crime:
- Adoption by the federal government of a forward-looking, risk-based approach to emerging technologies and funding of research and development initiatives
- Use of a common lexicon for cyber regulatory endeavors
- Application of a risk-based approach to identify and prioritize essential sectors in the National Cyber Incident Response Plan
- Development of a cybersecurity workforce on a national level
- Increased global and cross-sector coordination addressing cyber norms, deterrence, and response capabilities
The Commission on Enhancing National Cybersecurity, which was established in 2016 as part of a broader presidential initiative to help the federal government and businesses protect Americans from cyberattacks, is expected to publish a set of comprehensive cybersecurity recommendations by the end of 2016.
The New York State Department of Financial Services proposed a new regulation on cybersecurity, the first of its kind from a state regulator. Although all state-chartered, FDIC-insured banks already are supervised for cybersecurity at the federal level, New York’s action could set a precedent for other state regulators.
Under the proposed rules, New York-chartered financial institutions would be required to:
- Establish and maintain a cybersecurity program
- Implement a written cybersecurity policy that addresses specifically identified areas as listed in the regulation
- Designate a chief information security officer
- Have policies and procedures to verify the security of information systems and private information accessible to, or held by, third parties
If finalized, the rule would take effect Jan. 1, 2017, with compliance required 180 days after that date.
Comments are due Nov. 14, 2016.
The FASB issued a proposed Accounting Standards Update, “Receivables – Nonrefundable Fees and Other Costs (Subtopic 310-20): Premium Amortization on Purchased Callable Debt Securities,” that would shorten the amortization period for premiums on callable debt securities by requiring that premiums be amortized to the earliest call date instead of as an adjustment to the yield over the contractual life. This change is expected to more closely align the accounting with the economics of a callable debt security and to align the amortization period with the expectations already reflected in market pricing of callable debt securities.
The proposal responds to a stakeholder request that the board address the accounting for the premium or discount (components of interest income) associated with the purchase of callable municipal securities. Under current GAAP, premiums and discounts are amortized or accreted over the contractual life, not to the call date. Some commenters have observed that significant premiums exist on such assets, particularly on instruments issued by municipalities that are likely to be repaid before maturity. Under current GAAP, the result is over-recognition of interest income during the holding period before the call and recognition of a loss in the period when the call occurs.
The proposal, which covers all callable debt securities, would not change the accounting for discounts on callable debt securities; discounts would continue to be accreted to the maturity date.
Transition would be on a modified retrospective basis.
Comments are due Nov. 28, 2016.
The FASB issued a proposed Accounting Standards Update, “Technical Corrections and Improvements to Update No. 2014-09, Revenue From Contracts With Customers (Topic 606): Additional Corrections,” that addresses four additional issues brought to the FASB’s attention. The issues relate to guarantee fees, two illustrative examples (one addressing contract assets and one addressing refund liabilities), and advertising costs.
Comments were due Oct. 4, 2016.
In an announcement on Oct. 5, 2016, the SEC staff stated that “Tandy” representations are no longer needed in filing reviews. The SEC staff began to include in filing review comment letters what became known as “Tandy” language during the mid-1970s. These letters required a company to state in writing that the disclosure in the document was its responsibility and that it would not assert the SEC review process or acceleration of effectiveness as a defense in any legal proceeding.
Companies remain responsible for the accuracy and adequacy of the disclosure in their filings, but, effective immediately, the SEC staff no longer will request those representations in writing. Instead, the SEC will include the following statement in its comment letters: “We remind you that the company and its management are responsible for the accuracy and adequacy of their disclosures, notwithstanding any review, comments, action or absence of action by the staff.”
SEC Staff Announcement on Recent Accounting Standards Issued
At the Sept. 22, 2016, Emerging Issues Task Force meeting, an SEC staff member made an announcement about the recent major accounting standards (for credit losses, leases, and revenue) that have not yet been adopted. The staff member referred to Staff Accounting Bulletin (SAB) Topic 11.M (also known as SAB 74), which relates to disclosure of the impact that recently issued accounting standards will have on a registrant’s financial statements when adopted in the future.
The staff member stated that if a registrant does not know or cannot reasonably estimate the impact that adoption of the recent major accounting standards is expected to have on the financial statements, then in addition to making a statement to that effect, the registrant should consider additional qualitative financial statement disclosures to help the reader assess the significance of the impact that the standard will have on the registrant’s financial statements when adopted. The additional disclosures to be considered include these:
- A description of the effect of the accounting policies that the registrant expects to apply, if determined
- A comparison to the registrant’s current accounting policies
- A description of the status of the registrant’s process to implement the new standards
- The significant implementation matters yet to be addressed
SEC Interim Chief Accountant Wesley Bricker offered a comprehensive historical perspective on reserving for bad loans in the U.S., dating back to the Revenue Act of 1921. He went on to discuss the SEC’s existing guidance that will continue to apply under the current expected credit loss (CECL) standard, namely the SEC’s Financial Reporting Release 28 and SAB 102, which “directs registrants to ensure their loan loss allowance methodologies:
- “Include a detailed analysis of the loan portfolio, performed on a regular basis;
- “Consider all known relevant internal and external factors that may affect loan collectibility;
- “Be applied consistently but modified for new factors affecting collectibility, when appropriate; and
- “Be well documented, in writing, with clear explanations of the supporting analyses and rationale.”
In discussing implementation plans, Bricker suggested the following considerations for companies, their audit committees, and their auditors as they assess those plans:
- Appropriately allocating time and resources
- Taking a fresh look at the estimation processes, procedures, systems, and internal controls, including changes to internal controls to implement the standard
- Setting the correct tone at the top and expectations for corporate conduct such that sound judgments (required by the new standard) will be applied consistently
Highlights of the remarks by SEC Division of Enforcement Director Andrew Ceresney include:
- Generally, the SEC’s cases against auditors fall into two categories: audit failures and auditor independence violations.
- Because of the SEC’s renewed focus on financial reporting issues, there has been a significant increase in the quality and quantity of financial reporting cases, and there have been numerous cases against auditors and audit firms.
- Although audit quality and processes have improved, the audit failures identified continue to include a variety of professional failures.
- Recent cases include failures in areas such as improper audit planning, inadequate training or supervision of staff, overreliance on management representations without sufficient corroborating evidence, inadequate auditing of management’s valuation estimates, and related-party transactions that were misunderstood and inappropriately audited.
The forum will be held at the SEC headquarters in Washington, D.C., on Nov. 14, 2016, and also will be webcast live on the SEC's website.
The SEC proposed a rule amendment to shorten the standard settlement cycle from three business days to two business days after the trade date for most broker-dealer securities transactions. The amendment is intended to reduce the risks that arise from the value and number of securities transactions that remain unsettled before settlement is completed. These risks include credit, market, and liquidity risks directly faced by U.S. market participants.
Comments are due Dec. 5, 2016.
The AICPA released for public comment two exposure drafts with guidance for the evaluation of businesses’ cyberrisk management.
The exposure draft “Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program” is aimed at both management and public auditors. For management, the criteria are to be used in designing and describing a company’s cybersecurity risk management program; public accounting firms are to use the criteria to report on management’s description.
The second exposure draft, “Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy,” gives public accounting firms that provide advisory or attestation services a framework of revised AICPA trust services criteria for evaluating the controls within an entity’s cyberrisk management program, including in Service Organization Control (SOC) 2 engagements. This second set of criteria also may be used by management to gauge the suitability of the design and the operating effectiveness of its controls.
According to the AICPA release, “Our primary objective is to propose a reporting framework through which organizations can communicate useful information regarding their cybersecurity risk management programs to stakeholders.” The AICPA also states that the development of a common set of criteria will lead toward the introduction of a new engagement – a cybersecurity examination – that CPAs can use to help boards of directors, senior management, and other pertinent stakeholders evaluate their cybersecurity risk management program’s effectiveness.
Comments are due Dec. 5, 2016.