The Financial Institutions Executive Briefing offers updates on financial reporting, governance, and risk management topics from Crowe Horwath LLP. In each issue of this electronic newsletter, you will find abstracts of recent standard-setting activities and regulatory developments affecting financial institutions.
From the Federal Financial Institution Regulators
Frequently Asked Questions on Cybersecurity Assessment Tool Issued
On Oct. 17, 2016, the Federal Financial Institutions Examination Council (FFIEC), whose members include a member of the Board of Governors of the Federal Reserve System (the Fed), the chair of the Federal Deposit Insurance Corp. (FDIC), the director of the Consumer Financial Protection Bureau (CFPB), the Comptroller of the Currency, the chair of the National Credit Union Administration (NCUA), and the chair of the State Liaison Committee, published a list of frequently asked questions related to the FFIEC Cybersecurity Assessment Tool. The tool, released in 2015 and used on a voluntary basis, is designed to assist banks in determining their risk profile, identifying cybersecurity risks, and assessing their preparedness. This document answers questions received by FFIEC member agencies from financial institutions over the past year.
Advance Notice of Proposed Rulemaking on Cyberrisk Management Standards Issued
The Fed, FDIC, and Office of the Comptroller of the Currency (OCC), on Oct. 19, 2016, issued an advance notice of proposed rulemaking seeking comments on a set of enforceable cybersecurity risk management standards for depository institutions and depository holding companies with $50 billion or more in assets. The new proposed standards would supplement, not replace, existing interagency requirements and guidance for cyber resilience and would be tiered.
Three main approaches are being considered to implement the standards:
- Proposing minimum requirements for a cyberrisk governance framework, similar to previous interagency supervisory guidelines
- Proposing regulations containing specific cyberrisk management standards in five categories (cyberrisk governance; cyberrisk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness)
- Proposing standards that include specific objectives in each of the five categories
The notice describes possible objectives in each of the five categories. These objectives may include:
- A written, board-approved, enterprisewide cyberrisk management strategy and risk appetite
- Adequate board expertise in cybersecurity
- Senior cybersecurity managers who report independently to the board
- Assessments of business-unit-level cybersecurity risk management
- An independent risk management function that includes cyberrisk
- Inventories of all internal and external assets that affect cyberrisk management
- Continuous monitoring of external dependencies
- Transition and backup plans in the event of a successful cyberattack
Comments are due Jan. 17, 2017.
Framework for Responsible Innovation Issued
The OCC, on Oct. 26, 2016, announced it will create an office dedicated to responsible innovation and take steps to provide technical assistance to banks as part of its ongoing effort to support the investigation and consideration of new technologies and practices in financial services.
“The OCC supports responsible innovation that enhances the safety and soundness of the federal banking system, treats customers fairly, and promotes financial inclusion,” said Comptroller of the Currency Thomas Curry. Curry added, “By establishing an Office of Innovation, we are ensuring that institutions with federal charters have a regulatory framework that is receptive to responsible innovation and the supervision that supports it.”
Through this new office of innovation, the OCC will address requests and inquiries from banks and other industry stakeholders, direct research and outreach efforts, monitor trends and developments in financial services, and collaborate with other regulators.
Additionally, the OCC has committed to share experiences and best practices and to provide technical assistance to banks in the form of resource materials on regulatory principles, processes, and expectations. This assistance would include help for community banks in developing innovation strategies and better managing relationships with third-party vendors. Included in the guidance, the OCC acknowledged widespread industry support for a process that would provide banks and financial technology companies a way to test innovative products, services, and processes.
Foreign Correspondent Banking Risk Management Guidance Issued
On Oct. 5, 2016, the OCC released guidance describing its expectations for banks with respect to terminating foreign correspondent relationships and addressing the recent de-risking trend in anti-money laundering and Bank Secrecy Act compliance.
The guidance reminds banks to establish and implement procedures for periodically re-evaluating the risk posed by foreign correspondent relationships, with consideration of factors including these:
- Risks present in the foreign institution’s business and markets
- Anticipated account activity
- The supervisory environment of the geographic location in which the foreign financial institution is licensed
The guidance highlights the expectations that banks should perform periodic re-evaluations for all foreign correspondent accounts and should make decisions to terminate foreign correspondent relationships based upon these re-evaluations.
Additionally, the OCC includes best practices for making decisions about account retentions or terminations, including:
- Establish a governance function to review and monitor recommendations about foreign account termination
- Provide communication regarding decisions to terminate to both the bank’s senior management and the foreign financial institution
- Maintain supporting documentation of the decision-making process used for account terminations
As part of the re-evaluation process, the OCC also expects banks to consider the effects account closure might have on the foreign correspondent, particularly with respect to accessing banking services.
Exam Procedures Updated to Incorporate Military Lending Act Restrictions
On Oct. 7, 2016, the OCC announced that the FFIEC Task Force on Consumer Compliance has updated interagency examination procedures to address the amendments to the Military Lending Act of 2006 (MLA) rule that extend MLA restrictions to cover credit cards, lines of credit, installment loans, and deposit advances offered to service members and their dependents. The new restrictions became effective Oct. 3, 2016, for consumer credit products other than credit cards and are effective for credit cards on Oct. 3, 2017.
The updated examination procedures incorporate the expansion of MLA protections to a wider range of consumer credit products, rules for calculating fees and charges, safe harbor provisions, required disclosures to covered borrowers, and limitations on consumer credit extended to covered borrowers. Early MLA compliance examinations will focus on financial institutions’ compliance management systems and overall efforts to comply, including implementation plans, actions to update policies and procedures, staff training, and handling of early implementation difficulties. The OCC plans to incorporate the revised procedures in its Comptroller’s Handbook as a supplement to the interagency procedures.
Rules on Credit Union Field of Membership Approved and Proposed
At its Oct. 27, 2016, board meeting, the NCUA approved a final rule that will expand the field of membership from which federal credit unions can draw their customers. The final rule updates definitions for local community, rural district, and underserved areas and makes several other changes to NCUA’s chartering and field-of-membership rule for federal credit unions, including updating the process for applying to charter or expand a federal credit union. The final rule will be effective 60 days after publication in the Federal Register.
In a separate proposed rule, the NCUA recommended increasing the population limits on areas served by federal credit unions with community charters from 2.5 million to 10 million. In addition, federal credit unions applying for a community charter would be able to submit a narrative and supporting documentation to demonstrate that a community it proposes to serve qualifies as a well-defined local community based on a wide range of criteria. The proposal was posted in the Federal Register on Nov. 9, 2016. Comments are due Dec. 9, 2016.
Use of PCC Standards by Federally Insured Credit Unions Clarified
On Sept. 13, 2016, the NCUA clarified, in Accounting Bulletin No. 16-1, its policy regarding all federally insured credit unions’ use of Private Company Council (PCC) standards. The NCUA will permit a credit union to use PCC standards in call reports. However, if the administration determines that a PCC standard (or any standard under U.S. generally accepted accounting principles (GAAP)) is inconsistent with certain supervisory objectives, it reserves the right to prescribe a regulatory accounting standard that is no less stringent than the related GAAP standard. This policy is consistent with that of the other federal financial institution regulators.
From the Consumer Financial Protection Bureau (CFPB)
Final Rules on Prepaid Products Issued
The CFPB issued, on Oct. 5, 2016, comprehensive final rules on prepaid financial products, including prepaid cards and digital wallets that store and transfer funds. The final rule formalizes several consumer protections already offered by banks that provide these products, such as those related to unauthorized transactions, lost cards, error resolution rights, and access to account information.
The final rule also includes a standard set of two disclosures, one short form and one long form, detailing important account information and fees, plus online posting of account terms.
Several small changes are intended by the CFPB to reduce unnecessary compliance burdens associated with the disclosure requirements. Other changes relate to disclosures for payroll card accounts and align the CFPB’s periodic statement alternative with the practices of many financial institutions. The CFPB also changed the requirement for public posting of prepaid agreements to cover only agreements offered to the general public.
The final rule is effective Oct. 1, 2017; however, issuers of prepaid financial products are not required to submit their prepaid account agreements until Oct. 1, 2018.
TILA-RESPA Integrated Disclosure Compliance Guide Updated
During October 2016, the CFPB issued an updated small-entity compliance guide to the Truth in Lending Act (TILA) and the Real Estate Settlement Procedures Act of 1974 (RESPA) integrated disclosures. The updates incorporate guidance from recent compliance webinars on records retention; construction loans; disclosures of seller-paid costs; and form completion, formatting, revision, and delivery; among other topics. The CFPB also issued a revised “Guide to the Loan Estimate and Closing Disclosure Forms.”
Review of Complaints Database Called For
In his speech at the Mortgage Bankers Association conference held on Oct. 25, 2016, in Boston, CFPB Director Richard Cordray advised all bankers to review and analyze complaints in the CFPB’s public database. Cordray said that entities should consider both “the feedback you receive directly from your own customers, but also … complaints made about others in the same markets.” He said that he considered these reviews “an important part of sound compliance management.”
Cordray acknowledged that banks have their own processes to address complaints from customers but added that “there is much to be learned from the complaints consumers raise about your industry, even if the complaints are not directed to you specifically.”
The CFPB issues monthly complaint reports summarizing complaint data, and the October monthly summary of complaints, released on Oct. 25, showed that debt collection, credit reporting, and mortgages continued to dominate the complaints, together accounting for 63 percent of complaints received in September.
From the Financial Crimes Enforcement Network (FinCen)
Bank Secrecy Act Reporting of Cyberthreats Guidance Issued
On Oct. 25, 2016, FinCen issued an advisory to financial institutions on cyber events and cyber-enabled crime. In the advisory, FinCen highlights that reports mandated by the Bank Secrecy Act (BSA) play a crucial role in helping stop cyberthreats. Banks must file suspicious activity reports (SARs) about cyber events such as those including malware intrusions that put customer funds at risk, intrusions into a bank’s systems or networks, and distributed denial of service attacks that prevent financial institution personnel from stopping an unauthorized money transfer. The alert details the kinds of information that must be reported in a cyber-related SAR.
The guidance also provides that banks may voluntarily report cyber events even when a SAR is not required, as such information may be very valuable in law enforcement investigations.
The advisory does not change existing BSA or other regulatory requirements. FinCen also issued a set of nine frequently asked questions to help BSA officers file SARs on cyber events and cyber-enabled crimes.
From the National Institute of Standards and Technology (NIST)
New Guide on Cyber Information Sharing Released
The National Institute of Standards and Technology, on Oct. 4, 2016, published a guide for companies interested in sharing information that can help identify and protect against cyberthreats. The guide offers procedures for establishing the goals and scope of information sharing initiatives, identifying cyberthreat information sources, controlling the publication and distribution of threat information, and working within the existing sharing communities. The guidance is consistent with the Financial Services Information Sharing and Analysis Center’s practices for information sharing.
From the Financial Accounting Standards Board (FASB)
Hedge Accounting Proposal: Upcoming Roundtable and Comment Period Closing Soon
The FASB has scheduled two roundtables on Dec. 2, 2016, as a follow-up to its proposed Accounting Standards Update (ASU), “Derivatives and Hedging (Topic 815): Targeted Improvements to Accounting for Hedging Activities,” issued on Sept. 8, 2016. The proposed ASU is aimed at improving the hedge accounting model for financial instruments and nonfinancial items as well as simplifying hedge accounting to align it with a company’s risk management practices. Comments on the proposal are due Nov. 22, 2016.
The two roundtable sessions will be held at the FASB offices in Norwalk, Connecticut. Registration for those interested in participating in one of the roundtables ended Nov. 4, 2016. Nonparticipating observers can register to attend in person by Nov. 18, 2016. Seating is available on a first-come, first-served basis. The FASB plans to audio webcast the meeting and archive it on the FASB website for 30 days. No registration is needed to listen to the webcast.
From the Securities and Exchange Commission (SEC)
Financial Reporting Manual Updated
The SEC’s Division of Corporation Finance (Corp Fin) staff released an updated Financial Reporting Manual on Nov. 9, 2016. This manual represents informal guidance prepared by and for the Corp Fin staff and is made available to readers, who may find the guidance useful in preparing SEC filings.
Among the changes in this update are additions to the implementation guidance for the new major accounting standards on revenue recognition and lease accounting, which can be found in Topic 11 of the manual. The update for the lease accounting standard addresses the date of initial application in a specific fact pattern, which is related to a broader question that remained outstanding at the most recent CAQ SEC Regulations Committee joint meeting with SEC staff.
From the Center for Audit Quality (CAQ)
Audit Committee Transparency Barometer Released
The CAQ and Audit Analytics, on Nov. 1, 2016, released the 2016 “Audit Committee Transparency Barometer.” The annual report shows that since 2014, more Standard & Poor’s 500 companies are disclosing information on the audit committee’s role in external auditor oversight. Significant areas of expanded proxy disclosure, according to the report, include external auditor appointment and tenure, engagement partner selection and rotation, and evaluation criteria of the external audit firm.
Non-GAAP Highlighted at CAQ SEC Regulations Committee Meeting With the SEC Staff
On Nov. 8, 2016, the CAQ released highlights of the Sept. 27, 2016, CAQ SEC Regulations Committee joint meeting with SEC staff. Although the highlights do not represent authoritative SEC guidance, they do summarize the topics that were discussed at the meeting, including the following:
- SEC staff reminders about non-GAAP financial measures
  - Full non-GAAP income statements are prohibited.
  - Per-share non-GAAP measures that are presented as performance measures but appear consistent with liquidity measures are prohibited.
  - The staff will object if non-GAAP measures represent an individually tailored (non-GAAP) accounting principle, and an example of consolidating an unconsolidated entity was provided.
- SEC staff comment letters on non-GAAP measures
  - Comments are being issued for adjustments related to restructuring charges, acquisitions or purchase accounting items, and legal settlements in order to understand and evaluate the appropriateness of those adjustments.
  - The staff is continuing to evaluate the appropriateness of non-GAAP adjustments related to derivatives and pensions.
  - To date, non-GAAP adjustments related to stock-based compensation have not been a focus.
  - Comment letters on non-GAAP measures may be sent to some registrants separate from comment letters relating to the routine review of periodic filings. It appears that staff reviews of non-GAAP measures, in some cases, are being performed separate from the routine review of periodic filings.
- Preparation of pro forma financial statements with fiscal year-ends that differ by more than 93 days
  - These may be acceptable in specified circumstances.
From the Institute of Internal Auditors (IIA)
Tone at the Top on Managing Regulatory Compliance Risk Issued
On Oct. 28, 2016, the IIA issued the October 2016 Tone at the Top newsletter titled, “Regulatory Roulette? Best Bets for Managing Compliance Risk.” This issue discusses the increased burden of regulatory compliance and how to deal with the risk of noncompliance.
According to the issue, a 2015 global survey by the International Federation of Accountants found that 83 percent of accountants saw a significant increase in the regulatory impact on their organization from 2010 to 2015. The newsletter article notes, “some companies may not be taking their responsibility for identifying and managing compliance risk particularly seriously.” A lack of attention by chief audit executives (CAEs) to assessing their organizations’ regulatory compliance can raise significant risks to the organizations.
The publication provides recommendations for directors and management to improve how they manage compliance risks.
Internal Auditing Standards Updated
The IIA, on Oct. 18, 2016, announced the adoption of changes to the Standards for the Professional Practice of Internal Auditing, which will be effective Jan. 1, 2017.
The changing roles and responsibilities of CAEs are addressed in two new standards that deal with the increasing demands on CAEs and the impairment of CAEs’ objectivity that results. Additionally, the changes to the standards offer more clarity for the 10 core principles that were introduced as part of last year’s update to the IIA’s International Professional Practices Framework.
From the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Fraud Risk Management Guide Issued
COSO announced the release of the “Fraud Risk Management Guide,” on Sept. 28, 2016. This guide, which is co-sponsored with the Association of Certified Fraud Examiners, provides a framework for helping organizations establish an overall fraud risk management program. An executive summary of the guide also has been released.
From the Society of Actuaries (SOA)
New Mortality Improvement Scale Issued
The SOA, on Oct. 20, 2016, released a new mortality improvement scale – the MP-2016 scale – which represents an update from the scale released in October 2015. The new scale incorporates three additional years (2012-2014) of Social Security Administration mortality data, which indicates that U.S. mortality continues to improve, but at a slower rate than in previous years. The new scale should be considered when evaluating conditions as of the balance sheet date for financial statements that have not yet been issued. According to the SOA, and depending on the individual characteristics of an entity’s benefit plan, the updated mortality scale could reduce plan liabilities.