Helpful Articles News

Cybersecurity takes the spotlight

Abstract: Federal and state regulators are increasingly scrutinizing banks’ information security efforts. This article points out that, in light of this heightened scrutiny, banks should review, and if necessary, update their cybersecurity programs. The article explains what examiners look for, including risk identification, risk measurement and risk mitigation. A sidebar discusses increased state regulation of cybersecurity.

Cybersecurity takes the spotlight

Cybersecurity is a key issue for banks today, so it’s no surprise that federal and state regulators have been scrutinizing banks’ information security (IS) efforts. Recently, several federal and state regulatory agencies have taken some new steps in the ongoing effort to protect sensitive account information. In light of the heightened scrutiny — and the significant risks involved — it’s a good idea for all banks to review and, if necessary, update their cybersecurity programs.

Recent developments
In September 2016, the Federal Financial Institutions Examination Council (FFIEC) updated its Information Security booklet, part of its Information Technology Examination Handbook. The booklet provides banks with an excellent framework for evaluating and strengthening their cybersecurity programs.
Also in September, the New York State Department of Financial Services proposed comprehensive cybersecurity requirements for banks and other financial institutions. (See “State regulation of cybersecurity: A burgeoning trend?”) Finally, in October 2016, the OCC, FDIC and Federal Reserve issued a joint proposal to develop enhanced cyber risk management standards for the largest financial institutions (those with total consolidated assets of $50 billion or more).

What examiners look for
According to the FFIEC booklet, an effective IS program should cover four key areas: 1) risk identification, 2) risk measurement, 3) risk mitigation, and 4) risk monitoring and reporting. The 95-page publication contains detailed guidance on identifying threats, measuring risk, defining IS requirements and implementing appropriate controls.
An appendix contains updated examination procedures, providing valuable insights into examiners’ cybersecurity expectations. The procedures are designed to meet a number of examination objectives, including determining whether management:
• Promotes effective governance of the IS program through a strong IS culture, defined responsibilities and accountability, and adequate resources,
• Has designed and implemented the program so that it supports the bank’s IT risk management process, integrates with its lines of business and support functions, and is responsive to the cybersecurity concerns associated with the activities of technology service providers and other third parties,
• Has established risk identification processes,
• Measures risk to help guide the development of mitigating controls,
• Effectively implements controls to mitigate identified risk, and
• Has effective risk monitoring and reporting processes.
In addition, it’s important to ascertain whether security operations encompass necessary security-related functions, are guided by defined processes, are integrated with lines of business and activities outsourced to third-party service providers, and have adequate resources. Implementing assurance and testing activities to provide confidence that the program is operating as expected and reaching its goals is also necessary.
Although the guidance applies to all types of institutions, the booklet emphasizes that banks should develop and maintain risk-based IS programs commensurate with their size and operational complexity.

Focus on security operations
The updated publication contains a new section on security operations that emphasizes:

Threat identification. A bank should go beyond risk identification to pinpoint specific threat sources and vulnerabilities and analyze the potential for exploitation. Management can use this information to develop strategies and tactics for protecting the bank’s IT system and detecting attacks.

Threat monitoring. Threat monitoring — both continual and ad hoc — is critical. And management should clearly delineate the responsibilities of security personnel and system administrators as well as review and approve monitoring tools and the conditions under which they’re used. Monitoring should focus not only on incoming network traffic, but also on outgoing traffic to identify malicious activity and data exfiltration.

Incident identification and assessment. Management needs a process that will identify compromise indicators — for example, antivirus alerts or unexpected file changes or logins — and rapidly report them for investigation.

Incident response. A bank’s incident response plan should include defined protocols for containing an incident, coordinating with law enforcement and third parties, restoring systems, preserving data and evidence, and providing customer assistance.

Third-party oversight

Banks often outsource services, such as data and transaction processing, cloud computing and even information security. But management remains responsible for ensuring the bank’s system and information security.
Oversight of outsourced activities includes due diligence in selecting and managing third-party service providers. In addition, management should obtain contractual assurances for security, controls and reporting; get nondisclosure agreements regarding the bank’s data and systems; and arrange for independent auditing and testing of third-party security.

Get with the program
Given the level of regulatory activity related to cybersecurity and the serious consequences of a data breach, banks can expect scrutiny of IS programs to intensify. Now’s the time to review your program to ensure that your institution is protected.

Sidebar: State regulation of cybersecurity: A burgeoning trend?
In September 2016, the New York State Department of Financial Services (DFS) proposed comprehensive cybersecurity requirements for banks and other financial institutions under its jurisdiction. Among other things, the proposal would require banks to undertake the following steps:
• Establish and maintain a cybersecurity program — reviewed by the board of directors and approved by a senior officer — designed to ensure the confidentiality, integrity and availability of its information systems.
• Incorporate certain mandatory functions into the program, designed to identify risks, implement defensive infrastructure and policies, detect and respond to cybersecurity events, and fulfill regulatory reporting obligations.
• Appoint a chief information security officer with specified responsibilities, including providing the board with biannual written assessments of the program.
• Adopt written cybersecurity and third-party information security policies addressing specified areas.
• File annual certifications of compliance with the DFS and report material cybersecurity events to the agency within 72 hours.
If finalized, the proposed regulations likely would affect not only New York banks, but also banks that do business in New York. This also could mark the beginning of a trend toward increased state regulation of cybersecurity.
© 2016


New rules on customer due diligence

Abstract: As a result of an action in May 2016 by the Financial Crimes Enforcement Network (FinCEN), financial institutions will be required to verify the identities of the beneficial owners of their legal-entity customers when the owners open new accounts. This article answers some questions regarding the new due diligence rules, such as which institutions are covered and who a beneficial owner is. The article also notes that banks should have a plan to ensure that the policies and procedures are in place to collect information about the beneficial owners of legal-entity customers.

New rules on customer due diligence
FinCEN answers frequently asked questions about beneficial ownership

Beginning on May 11, 2018, financial institutions will be required to verify the identities of the beneficial owners of their legal-entity customers when those entities open new accounts. This is the result of an action in May 2016 by the Financial Crimes Enforcement Network (FinCEN), which issued its “Customer Due Diligence Requirements for Financial Institutions” (CDD Rule).
More recently, FinCEN published frequently asked questions (FAQs) to help banks understand the new requirements and incorporate them into their Bank Secrecy Act and anti–money-laundering (BSA/AML) compliance programs.

The highlights
Here’s a brief look at some of the often-asked questions and responses about the new requirements:
Q: Which institutions are covered?
A: The CDD Rule applies to federally regulated banks and federally insured credit unions, as well as to mutual funds, securities brokers and dealers, and certain other financial services firms. Note that a recent FinCEN proposal would expand its customer identification program (CIP) requirements, including the CDD Rule, to non–federally regulated institutions.
Q: What’s a legal-entity customer?
A: Generally, “legal entity” refers to a corporation, limited liability company or general partnership, or similar entities formed in foreign jurisdictions. It also includes limited partnerships, business trusts and other entities created by filing a public document with the Secretary of State or its equivalent. Exceptions include natural persons, unincorporated associations, government entities, federally regulated financial institutions and U.S. public companies.
Q: Which accounts are covered?
A: The CDD Rule generally uses the same definition of “account” as the CIP rules do, with certain exceptions. Covered institutions are required to obtain beneficial owner information only for new accounts opened on or after May 11, 2018. The rule doesn’t apply to existing accounts.
Q: Who’s a beneficial owner?
A: There are two types of beneficial owners:
1. Each individual, if any, who owns 25% or more of an entity’s equity interests (directly or indirectly — the “ownership prong”),      or
2. A single individual — such as a CEO, CFO, COO, president, vice president, treasurer, managing member, general partner           or other person who performs similar functions — with significant responsibility to control, manage or direct an entity (the             “control prong”).
Generally, covered financial institutions are required to collect beneficial ownership information concerning up to five individuals for a given legal-entity customer: one person under the control prong, and zero to four persons under the ownership prong.

Required procedures
Covered institutions must establish and maintain written procedures that are “reasonably designed to identify and verify the beneficial owners of legal-entity customers” at the time a new account is opened. These procedures should, at a minimum, contain the same elements the CIP rules require for verifying individual customer identities. But the regulator’s FAQs clarify that, for documentary verification, institutions may use photocopies or other reproductions of identification documents.
Institutions needn’t obtain information directly from an entity’s beneficial owners. Rather, they may obtain such information from the individual seeking to open a new account on behalf of the legal entity.
The CDD Rule also amends the BSA/AML requirements to require covered institutions to implement and maintain appropriate risk-based procedures for conducting ongoing customer due diligence.

Get ready
If your bank is covered by the CDD Rule, you have until May 11, 2018, to comply. Because examiners may ask you about your preparation process if they visit you before the effective date, begin now to review your BSA/AML program and be sure you have a plan to ensure the policies and procedures are in place to collect information about the beneficial owners of legal-entity customers.
© 2016

Financial Institutions and Banking Financial News

Bank Wire: Beware of UDAAP

Abstract: This summary of recent developments in banking looks at how the Consumer Financial Protection Bureau has been cracking down on banking practices it views as unlawful under the Dodd-Frank Act’s regulations on unfair, deceptive or abusive acts or practices. In addition, the article cites the evidence supporting use of a fraud hotline and explains updated OCC guidance on corporate and risk governance.

Bank Wire
Beware of UDAAP
The Consumer Financial Protection Bureau (CFPB) continues to exercise its authority to crack down on banking practices it views as unlawful under the Dodd-Frank Act’s regulations on unfair, deceptive or abusive acts or practices (UDAAP). In one recent enforcement action, for example, the agency entered into a $28.5 million settlement with the Navy Federal Credit Union for alleged UDAAP violations related to its collection of delinquent accounts.
The institution’s unfair, deceptive or abusive practices included:
• Threatening legal action it didn’t intend to take or lacked the authority to take, including wage garnishment,
• Making false threats to contact service members’ commanding officers (the CFPB found that an account agreement provision permitting the credit union to do so wasn’t consented to, as required, because the clause was “buried in fine print, non-negotiable and not bargained for by consumers”), and
• Misrepresenting the impact of loan delinquencies on customers’ credit ratings.
The institution also unfairly froze customers’ electronic account access and disabled some electronic services after the accounts became delinquent.

Should your bank have a fraud hotline?
The evidence suggests that the answer is a resounding “yes” — your bank should have a fraud hotline. Employee fraud is a problem for most organizations, but it’s particularly prevalent among banks and other financial institutions. According to the Association of Certified Fraud Examiners (ACFE), banking and financial services was the most-represented sector in its 2016 Report to the Nations on Occupational Fraud and Abuse.
According to the report, the most common method of detecting fraud was via tips from employees, customers, vendors and others. In fact, the report found that fraud is more likely to be detected through a tip than as a result of an internal audit or management review. The ACFE also found that organizations with reporting hotlines are nearly twice as likely to detect fraud through tips than those without hotlines.
Telephone hotlines (used by 39.5% of organizations with formal fraud reporting mechanisms) are the most common source of tips, followed by tips submitted via email (34.1%) and tips submitted via Web-based or online forms (23.5%).

OCC guidance on corporate and risk governance
Recently, the OCC revised its Corporate and Risk Governance booklet, which is part of its Comptroller’s Handbook. Among other things, the updated booklet:
• Outlines management and board responsibilities for governing a bank’s structure, operations and risks,
• Explains enterprise risk management (ERM) and the importance of viewing risk in a comprehensive, integrated manner,
• Discusses the benefits of a risk governance framework — and the role of risk culture and risk appetite within that framework, and
• Provides guidance on strategic, capital and operational planning.
You can find the booklet at
© 2016

Helpful Articles

Don’t compare apples to oranges

Abstract: Borrowers’ accounting practices can vary widely. An accounting tool called “normalizing” can help adjust income statements and balance sheets to compensate for companies’ different accounting methods. Failing to normalize financial statements may result in faulty lending decisions. This article uses some examples to illustrate how normalizing works and the difference it can make in helping a lender who is evaluating a borrower accurately compare its practices to those of a competitor or to industry benchmarks.

Don’t compare apples to oranges
Evaluate borrowers accurately by normalizing financial statements

In evaluating their borrowers, lenders need to use all the tools at their disposal — including an accounting tactic called “normalizing.” Normalizing involves adjustments to income statements and balance sheets to compensate for companies’ differing accounting methods. Because borrowers’ accounting practices vary widely, comparing them without adjusting their financial statements is like comparing apples to oranges. Ultimately, failing to normalize financial statements may result in faulty lending decisions.

No two are alike

Even within the broad confines of Generally Accepted Accounting Principles (GAAP), it’s rare for two companies to follow exactly the same accounting practices. When you compare a borrower’s practices to those of a competitor or to industry benchmarks, it’s important to understand how they report transactions.
A small firm, for example, might report earnings when cash is received (cash basis accounting), but its competitor might record a sale when it sends out the invoice (accrual basis accounting). Differences in inventory reporting, pension reserves, depreciation methods and cost capitalization vs. expensing policies also are common.
Additionally, some tax accounting practices — expanded Section 179 and bonus depreciation deductions, for example — may temporarily defer income taxes. So, consider the tax implications when reconciling different tax accounting methods.

Past vs. future

Lenders need to distinguish between historic performance results that represent potential ongoing earning power and those historic results that don’t. If a one-time revenue (or expense) or gain (or loss) will temporarily distort the company’s future earnings potential, you would add back expenses and losses (or subtract the revenues and gains) if they’re not expected to recur.
If a borrower’s plant was devastated by a hurricane or a borrower experienced a $1 million equipment theft, for instance, you’d add back the extraordinary losses to get a clearer picture of normal operating performance. Or if the borrower won a $5 million lawsuit, you’d subtract the gain. Other nonrecurring items might include discontinued lines or expenses incurred in an acquisition.
But go beyond just adjusting these charges. One-time charges — insurance claims and fraud losses are examples — could shed light on future risk factors. Ask about the nature of these charges and any preventive measures the borrower has taken or will be taking to minimize the risk of recurrence.

At arm’s length

Some closely held business owners are paid based on the company’s cash flow or the owner’s personal needs, not on the market value of services they provide. Many closely held businesses also employ family members, conduct business with affiliates and extend loans to company insiders.
Because of this, you, as the lender, should identify all related-party transactions and inquire whether they occur at “arm’s length.” Also consider reconciling for unusual perquisites provided to insiders, such as season tickets to sporting events, college tuition or company vehicles.

On an equal basis

While most normalizing reconciliations are made to the income statement, many flow through to the balance sheet, which is often the lender’s starting point in determining collateral values.
Suppose one manufacturer uses eight-year useful lives for its equipment, but another uses six-year useful lives for the same items. To create an equal basis of comparison, you might reconcile the first company’s earnings downward to reflect its slower depreciation technique. In addition, the net book value of its equipment should be lowered to reflect its relatively inadequate depreciation deductions. These lender-made normalizing adjustments effectively make the first borrower appear less attractive than initially shown on its financial statements when compared to the second borrower.

See your borrowers as they are

Obviously, you need to evaluate each borrower based on its individual circumstances. But in assessing your borrowers’ performances and potential for future growth, you also need to be able to engage in comparisons — whether between industries or over time. To that end, normalizing reconciliations to financial statements can help you see borrowers’ financial situations more clearly, leading to better lending decisions.
© 2016

Financial Institutions and Banking

Bank Wire: Overtime Requirements, Cybersecurity, and IT systems

Abstract:   This issue’s “Bank Wire” reports on the DOL’s new overtime requirements, which increase the salary level threshold for white-collar exempt employees and are expected to yield a large impact on financial institutions. It also discusses the FFIEC’s new cybersecurity guidance, which urges financial institutions to review their risk-management practices and controls for IT systems and wholesale payment networks, and recommends using multiple-layered security controls.

Bank Wire

Are you ready for the new DOL overtime rule?

New overtime requirements are expected to yield a large impact on financial institutions. The U.S. Department of Labor (DOL) recently finalized its overtime rule, doubling the salary threshold for exempt employees.

The final rule increases the salary level threshold for white-collar exempt employees from $455 to $913 per week, or $23,660 to $47,476 per year, starting December 1. Any employee making less than those amounts will likely be required to be paid overtime compensation.

The new rule also hikes the salary threshold for highly compensated employees (HCEs) from $100,000 per year to $134,004 per year. HCEs must receive at least the full standard salary amount — or $913 — per week on a salary or fee basis without regard to the payment of nondiscretionary bonuses and incentive payments. But such payments will count toward the total annual compensation requirement. The standard salary and HCE annual compensation levels will automatically update every three years.

Once the rule takes effect, employers will have several options for dealing with exempt employees who’re reclassified as nonexempt: 1) Raise their salaries above the new threshold, 2) pay them time-and-a-half for overtime, 3) limit them to 40 hours per week, or 4) some combination of the above.

Between now and December 1, assess the impact of the new rule on your workers and develop a plan for implementing it. Some questions to ask:

  • What are the relative costs of increasing salaries to the new threshold vs. paying time-and-a-half for overtime?
  • How will the rule affect employee morale? Will employees view loss of exempt status as a demotion?
  • How will you deal with job titles in which some employees are exempt and some aren’t?
  • How will the rule affect compensation arrangements that provide for a modest base salary but a generous bonus potential?

FFIEC issues new cybersecurity guidance

Financial institutions need to actively manage the risks associated with interbank messaging and wholesale payment networks. So warns a recent statement from the Federal Financial Institutions Examination Council (FFIEC), which reports that recent cyberattacks have targeted these banking functions. By attempting to originate unauthorized transactions, cybercriminals have shown a capability for compromising a financial institution’s wholesale payment networks and bypassing information security controls, the agency says.

The FFIEC urges financial institutions to review their risk-management practices and controls for information technology systems and wholesale payment networks. It also recommends using multiple-layered security controls to set up several lines of defense.

You can read the statement at

© 2016









Financial Institutions and Banking

Differences of C corporation and S corporationg financial statements

Abstract:   Most bankers on the business-lending side of operations have a constant stream of customer financial statements passing over their desk (virtual or otherwise) for an evaluation of the borrowers’ creditworthiness. Thus, bankers need to possess enough knowledge about different types of business structures to shine the right spotlight on diverse financial statements. This article discusses the similarities between, and differences of, C corporation and S corporation financial statements.


Do you “speak” both S corporation and C corporation?


You likely have a constant stream of customer financial statements passing over your desk (virtual or otherwise) for an evaluation of the borrowers’ creditworthiness. But do you possess enough knowledge about different types of business structures to shine the right spotlight on their diverse financial statements?

Both “languages” have similarities

Both S and C corporations maintain books, records and bank accounts separately from those of their owners and follow state rules about annual directors’ meetings, fees and administrative filings. And both must pay and withhold payroll taxes for working owners in the business.

At first glance, it may be hard to tell which borrowers have elected S status. But there are a few telltale signs. Importantly, S corporations don’t incur corporate-level tax, so they can forgo reporting federal (and possibly state) income tax expense on their income statements. Also, S corporations generally don’t report prepaid income taxes, income taxes payable, or deferred income tax assets and liabilities on their balance sheets. Instead, S corporation owners pay tax at the personal level on their share of the corporation’s income and gains.

The reporting of dividends vs. distributions

Other financial reporting differences are more subtle. For instance, when C corporations pay dividends, they’re taxed twice: They pay tax at the corporate level when the company files its annual tax return, and the individual owners pay again when dividends and liquidation proceeds are taxed at the personal level.

When S corporations pay distributions — the name for dividends paid by S corporations — the payout is generally not subject to personal-level tax as long as the shares have positive tax “basis.” (S corporation basis is typically a function of capital contributions, earnings and distributions.)

So, in the equity section of an S corporation’s balance sheet, there may be a sizable negative line item for shareholder distributions. In fact, S corporation distributions are far more common than dividends for privately held C corporations.

There are two reasons for this: S corporation distributions aren’t subject to double taxation, so there’s no tax penalty for making distributions. And S corporations often distribute cash to owners to cover the owners’ shares of the personal income taxes attributable to the company’s income (although they’re not required to do so).

To further complicate matters, S corporations may use different strategies from year to year to extract cash from the business. For example, the owners might use shareholder loans in year 1, pay higher bonuses in year 2, and take quarterly distributions in year 3. Such variety makes it difficult for lenders to compare an S corporation’s performance over time — or to that of borrowers that operate as C corporations.

Owner motivation varies when setting salaries

C corporations may be tempted to pay owners above-market salaries to get cash out of the business and avoid the double taxation that comes with dividends. Conversely, S corporations tend to do the reverse: They may try to maximize tax-free distributions and pay owners below-market salaries to minimize payroll taxes.

The IRS is on the lookout for corporations that compensate owners too much (or too little) for their day-to-day contributions. Regardless of entity type, an owner’s compensation should be commensurate with his or her skills, experience and involvement in the business.

If the IRS audits an owner’s compensation, it might impair the borrower’s ability to service debt. For example, to the extent that an S corporation shareholder’s compensation doesn’t reflect the market value of the services he or she provides, the IRS may reclassify a portion of earnings as unpaid wages. Then the company will owe additional employment tax, interest and penalties on the reclassified wages.

Understanding the ins and outs

Both S and C corporation business structures offer certain advantages and shortcomings for their owners. It’s your job to make sure you know the nuances of both entity types before you give their loan requests your stamp of approval.

© 2016

Financial Institutions and Banking

Combating Money Laundering

Abstract:   As federal banking regulators intensify their scrutiny of Bank Secrecy Act and Anti-Money Laundering compliance, community banks need to become more proactive in combating money laundering. One potential tool worth considering is data visualization software. This article examines recent compliance requirements and how to effectively incorporate data visualization software into a bank’s antifraud lines of defense.

Data visualization helps banks combat money laundering


As federal banking regulators intensify their scrutiny of Bank Secrecy Act and Anti-Money Laundering compliance, community banks need to become more proactive in combating money laundering. One potential tool worth considering is data visualization software.

Increased emphasis on BSA/AML

Several recent developments reflect the federal banking agencies’ increasing concern about Bank Secrecy Act and Anti-Money Laundering (BSA/AML) compliance efforts:

  • In July, the Financial Crimes Enforcement Network (FinCEN) introduced new customer due diligence (CDD) rules that require institutions to incorporate beneficial ownership identification requirements into existing CDD policies and procedures.
  • In its Spring 2016 Semiannual Risk Perspective, the Office of the Comptroller of the Currency (OCC) alerted banks to increasing BSA/AML risks associated with technological developments and new product offerings in the banking industry.
  • In recent months, regulators have been scrutinizing automated monitoring systems used by banks to detect suspicious activity to ensure that they’re configured properly.

And don’t assume that regulators are limiting their heightened scrutiny to larger banks. The OCC’s report noted that some large banks are restricting certain customers’ activities or closing their accounts because of BSA/AML concerns. Displacement of these customers, the report warned, “may result in higher-risk customers moving to smaller and less sophisticated banks . . . that potentially have less experience managing the associated BSA/AML risks.”

Banks that fail to take reasonable steps to detect and prevent money laundering activity risk not only government fines, but negative publicity and reputational risk.

Seeing the big picture

Data visualization software — also known as visual analytics — can be a powerful AML tool. Traditional AML software products and methods do a good job of detecting known AML issues. But data visualization software, which is commonly used as an antifraud weapon, excels at spotting new or unknown AML activity.

As criminal activity becomes more sophisticated and more difficult to detect, traditional AML software or methods may no longer be enough. Data visualization software creates visual representations of data. These representations may take many different forms, from pie charts and bar graphs to scatterplots, decision trees and geospatial maps. Visualization helps banks identify suspicious patterns, relationships, trends or anomalies that are difficult to spot using traditional tools alone. It’s particularly useful in identifying new or emerging risks before they do lasting damage.

Criminal enterprises that wish to launder money typically use multiple entities and multiple bank accounts, both domestic and foreign. Using data visualization software, banks can map out the flow of funds across various accounts, identifying relationships between accounts and the entities associated with them. Data visualization can reveal clusters of interrelated entities that would be difficult and time-consuming to spot using traditional methods.

These clusters or other relationships don’t necessarily indicate criminal activity. But they help focus a bank’s AML efforts by pinpointing suspicious activities that warrant further investigation.

Get your data in order

Perhaps the biggest challenge in taking advantage of data visualization software and other automated AML tools is the fact that, at many institutions, information is scattered among many separate systems. For data visualization to do its job, the first step is to collect and integrate this information into a single database. Once this is done, data visualization software can help your bank detect potential AML issues more quickly and effectively.

© 2016

Financial Institutions and Banking

Dramatic Changes to Bank Accounting Guidelines

Abstract:   In a dramatic change to bank accounting guidelines, the FASB recently finalized its long-awaited CECL model for estimating credit losses. This article highlights the most important elements of the new model, including its forward-looking approach (which involves its treatment of covered and PCD assets, as well as its position on estimating losses and accounting for AFS securities) and its impact on community banks. A sidebar explains when banks must adopt the CECL model.

Accounting for credit losses

Get ready for CECL

In a dramatic change to bank accounting guidelines, the Financial Accounting Standards Board (FASB) recently finalized its long-awaited Current Expected Credit Loss (CECL) model for estimating credit losses. The new standard — Accounting Standards Update (ASU) No. 2016-13 — applies to all organizations. But financial institutions will be affected the most.

Although CECL’s impact will depend on a particular institution’s facts and circumstances, it will cause many banks to increase their allowances for loan and lease losses (ALLL), affecting both earnings and capital.

Forward-looking approach

Currently, banks measure credit impairment based on incurred losses. Under CECL, they’ll adopt a forward-looking approach, recognizing an immediate allowance for all expected credit losses over the asset’s life.

The FASB believes that the incurred-loss model, which delays recognition of credit losses until they become probable, provides information that’s “too little, too late.” CECL addresses this problem by requiring organizations to record credit losses that are expected, but don’t yet meet the “probable” threshold. It also sets a single impairment model for all financial assets carried at amortized cost, in contrast to the multiple models used today.

Here are some highlights of the new standard, which doesn’t take effect for several years (see “When must you adopt CECL?”):

Covered assets. CECL will apply to 1) financial assets measured at amortized cost, including loans, held-to-maturity debt securities, trade and reinsurance receivables and net investments in leases, and 2) certain off-balance-sheet credit exposures, such as loan commitments and financial guarantees.

Estimating losses. The allowance for credit losses will be the difference between financial assets’ amortized cost basis and the net amount expected to be collected. To estimate expected losses, banks will consider a broader range of data than they do under current standards, including not only historical and current information, but also “reasonable and supportable forecasts that affect the collectability of the reported amount.”

Potential impact. Some experts, including the Comptroller of the Currency, predict that CECL will increase banks’ loan loss reserves by 30% to 50%. Other estimates are lower, but ultimately the impact on a particular institution will depend on a variety of factors, including historical experience, current conditions and market forecasts.

Accounting for AFS securities. The new standard will change the way credit losses are measured for available-for-sale (AFS) debt securities, requiring banks to use an allowance for credit losses. Unlike the current practice of writing down individual securities for other-than-temporary impairment, the new approach will allow banks to recognize subsequent reversals in credit loss estimates in current income. In addition, the credit losses on AFS debt securities will be limited to the amount by which fair value falls short of amortized cost.

Treatment of PCD assets. To simplify the accounting for purchased credit-deteriorated (PCD) assets, the ASU requires institutions to recognize an initial allowance for credit losses. Thereafter, such assets will be treated similarly to other financial assets measured at amortized cost.

Impact on community banks

In the years after CECL was first proposed, many community banks expressed concern about its potential complexity and the need to implement sophisticated modeling techniques. A recent joint statement by federal banking agencies should help ease these concerns. According to the statement, CECL will be scalable to institutions of all sizes. And it doesn’t prescribe specific estimation methods — rather, institutions should apply judgment in developing methods that are appropriate and practical.

The agencies “do not expect smaller and less complex institutions will need to implement complex modeling techniques.” Rather, they expect that these institutions will be able to meet CECL’s requirements by building on existing systems and methods for estimating credit losses. For example, a bank that uses historical loss rate methods would need to adjust its inputs to estimate remaining lifetime credit losses.

The statement also points out that CECL contemplates pooling assets with similar risk characteristics when estimating expected credit losses. In most cases, smaller banks will be able to continue using established practices for segmenting their portfolios.

Be prepared

CECL’s effective date is several years away. Nevertheless, banks should begin preparing soon to develop institution-appropriate credit loss models, evaluate the potential impact on capital, and identify any necessary system changes or additional data collection requirements.



Sidebar: When must you adopt CECL?

Here’s a summary of the new standard’s effective dates:

Organization type Takes effect for: Interim periods affected
SEC filers Fiscal years beginning after 12/15/19 In 2020
Other PBEs* (non-SEC filers) Fiscal years beginning after 12/15/20 In 2021
Private companies Fiscal years beginning after 12/15/20 Beginning after 12/15/21

*Public business entities

Early application is permitted by all entities for fiscal years beginning after December 15, 2018, including interim periods within those fiscal years. For loans and other financial assets carried at amortized cost, banks will recognize a cumulative-effect adjustment on their balance sheets as of the beginning of the first reporting period in which CECL is effective.

© 2016


Alexander Thompson Arnold CPA Is Again Recognized Nationally by INSIDE Public Accounting’s as a Top 200 Accounting Firm

The award-winning newsletter for the accounting profession, INSIDE Public Accounting (IPA), released its annual ranking of the nation’s 300 largest accounting firms. Over 500 accounting firms participated in the twenty sixth annual IPA Survey and Analysis of Firms in 2016, which resulted in Alexander Thompson Arnold being among the National IPA Top 200 list. ATA CPAs twelve offices throughout Tennessee and western Kentucky were awarded this distinction. “This ranking, and accompanying analysis, is one of the most comprehensive, accurate and largest of its kind and reflects the “state of the Union” of the profession says The Platt Group, the publisher of IPA.

In the most recent fiscal year, IPA 200 firms range in size from $15 million to $34 million net revenue and employ anywhere from 58 to 235 staff. This is an independent report for the accounting profession compiled annually since 1990. For more than two decades, IPA’s Benchmarking Report has been one of the most thorough, complete and insightful analyses of CPA firms in the U.S. The annual IPA survey and Analysis of Firms, the data source for the benchmarking report, is one of the longest-running management of an accounting practice surveys in the nation.

The report is well-respected and includes aggregated data compiled from the firm’s and the more than 300 data points from the survey are analyzed and broken down by revenue bands and geographical locations in more than 100 pages of tables and graphs.

ATA is a regional accounting firm that offers its clients the resources and expertise of a large firm while maintaining the personalized service of a small firm. The firm has 18 partners and approximately 150 staff members and offers a complete range of accounting, auditing, tax, and consulting services to a diverse portfolio of clients. Offices are located in Dyersburg, Henderson, Jackson, Martin, McKenzie, Memphis, Milan, Nashville, Paris, Trenton and Union City, Tennessee and Murray, Kentucky. Each office reflects the community it serves and gives exceptional personal attention to its clients. For more information about Alexander Thompson Arnold CPAs, visit

News Tax

Act soon if you want to help your child buy a home

Act soon if you want to help your child buy a home

Mortgage interest rates are still at historically low levels, but they’re expected to go up by year end. So if you’ve been thinking about helping your child — or grandchild — buy a home, consider acting soon. There also are some favorable tax factors that will help:

0% capital gains rate. If the child is in the 10% or 15% tax bracket, instead of giving cash to help fund a down payment, consider giving long-term appreciated assets such as stock or mutual fund shares. The child can sell the assets without incurring any federal income taxes on the gain, and you can save the taxes you’d owe if you sold the assets yourself. As long as the assets are worth $14,000 or less (when combined with any other 2015 gifts to the child), there will be no federal gift tax consequences — thanks to the annual gift tax exclusion.

Low federal interest rates. Another tax-friendly option is lending funds to the child. Now is a good time for taking this step, too. Currently, Applicable Federal Rates — the rates that can be charged on intrafamily loans without causing unwanted tax consequences — are very low by historical standards. But these rates are also expected to increase by year end.

If you have questions about these or other tax-efficient ways to help your child or grandchild buy a home, please contact us.

© 2015