2016 Was an Eventful Year – This Is How We Covered It

As 2016 comes to a close, I want to look back on the events that made this year unique in ways both rewarding and challenging – and summarize the topics Protiviti professionals discussed, and our readers engaged with, here on The Protiviti View.

Perhaps the most seminal events of 2016, and the ones with the biggest implications, were Brexit and the election of Donald Trump as U.S. president. Brexit was driven by sovereignty and immigration concerns: those who voted to leave the European Union believed the UK, and no one else, should make UK-related decisions and control its own borders. The U.S. presidential election turned on many issues, among them immigration, trade, healthcare reform and jobs.

We covered the implications of these events, both general and industry-specific, in special reports (here and here) and on the blog (here and here). But other events made waves too: record-setting security breaches across industries, including the massive unauthorized release of financial data from offshore accounts, and large-scale DDoS attacks launched from compromised Internet of Things devices.

In technology, Google DeepMind’s AlphaGo program defeated Go champion Lee Sedol, and Uber launched its fleet of self-driving cars despite some opposition. Both of these events speak to the future of artificial intelligence, an emerging risk we continue to track in our PreView newsletter. Also in technology, the financial services industry seems poised for change and excited by the possibilities of new financial technology in payments, compliance and more.

Finally, natural disasters and viral diseases like the Zika virus created real economic damage, raising questions about resource availability and business continuity planning. We summarized the potential implications of these unpredictable business disruptors here.

Given the flavor of events this year, it is not surprising that our two most-read blog posts had to do with cybersecurity and cyber awareness. Our third most popular post had to do with money laundering and increased regulatory scrutiny in that area.

The posts that saw the most love on social media were submitted by our fraud investigation experts and focused on fraud prevention and fraud risk management. 2016 was a big year in fraud: the much-awaited Fraud Risk Management Guide was released by COSO, and the U.S. Department of Justice launched its FCPA Pilot Program. (Also, the SEC issued six of its 10 largest whistleblower awards this year.)

Also widely shared was anything related to cybersecurity and the protection of personal identity, an issue that continues to affect billions of people and to which no company or entity seems to be immune.

This is plenty to look back on and think about in planning for the new year. Once again, I want to thank both our readers and contributors for their participation and engagement. We look forward to continuing these conversations in 2017.

Jim DeLoach

Four U.S. Regulatory Agencies Issue CECL FAQs – Here Is the Summary

By Charles Soranno, Managing Director
Financial Reporting Compliance and Internal Audit 

Four U.S. regulatory agencies – the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), and the Office of the Comptroller of the Currency (OCC) – have issued a set of frequently asked questions (FAQs) to assist banks and other financial institutions with the implementation of the Financial Accounting Standards Board’s (FASB) new accounting standard. The FASB standard introduces the current expected credit loss (CECL) methodology for estimating allowances for credit losses under U.S. generally accepted accounting principles (U.S. GAAP), and many firms are grappling with how to implement it.

Aside from reiterating the rationale for the new standard, the FAQs highlight several key areas that firms need to take note of.

By issuing the new CECL standard, the FASB:

  • Removed the current “probable” threshold and the “incurred” notion as triggers for credit loss recognition and instead adopted a standard that states that financial instruments carried at amortized cost should reflect the net amount expected to be collected over the life of the instrument.
  • Broadened the range of data that is incorporated into the measurement of credit losses to include forward-looking information, such as valid forecasts, in assessing the collectability of financial assets.
  • Introduced a single measurement objective for all financial assets carried at amortized cost.

In terms of changing current GAAP, the new standard:

  • Introduces a new credit loss methodology – The new allowance for credit losses will be an estimate of the expected credit losses on financial assets measured at amortized cost, which is measured using relevant information about past events and other factors.
  • Recognizes credit losses earlier – By removing the “probable” threshold and the “incurred” notion, CECL eliminates the triggers used for recognizing credit losses under existing U.S. GAAP and will require entities to record expected losses earlier, where appropriate.
  • Will allow leverage of existing credit risk management practices – Management will continue to incorporate qualitative and quantitative factors, including information related to underwriting practices, when estimating allowances for credit losses under CECL, but better alignment and timing will be necessary.
  • Will need to incorporate forward looking information in the models – CECL is forward-looking and broadens the range of data that must be considered in the estimation of credit losses. It must consider not only past events and current conditions, but valid forecasts that affect expected collectability.
  • Will reduce the number of credit impairment models – The existing guidance is complex because it encompasses multiple impairment models for different asset types. In contrast, CECL introduces a single measurement objective to be applied to all financial assets.
  • Will introduce the concept of purchased credit-deteriorated (PCD) financial assets – This replaces purchased credit-impaired (PCI) assets under existing U.S. GAAP. The difference in the PCD criteria means that more purchased loans held for investment, more debt securities held to maturity, and more available-for-sale (AFS) debt securities will be accounted for as PCD financial assets.
  • Will modify today’s accounting for impairment on AFS debt securities – Under this new standard, institutions will recognize a credit loss on an AFS debt security through an allowance for credit losses, rather than a direct write-down as is required by current U.S. GAAP.
  • Will require vintage disclosures by public business entities (PBE) in U.S. GAAP financial statements – Under the new accounting standard, disclosures of credit quality indicators need to be disaggregated by vintage year to provide users of financial statements greater transparency regarding the credit quality trends within the portfolio from period to period.

The new guidance is effective for PBEs beginning on January 1, 2020, and for non-PBEs beginning a year later, on January 1, 2021.

We summarized the impact and challenges of CECL earlier this year in a point-of-view paper and a blog post, which provide more detail on the methodology, timeline and action points for firms. Although the timeline gives the industry several years to implement the changes, the main message to organizations is that they need to begin planning now in order to meet the deadline.

Fewer Oil Companies Are on the Edge of Bankruptcy — Is This Really Good News?

In this Industry Perspective series, we offer the views of Protiviti leaders on developments and news in specific industries. The perspective below focuses on Energy & Utilities.


By Tyler Chase, Managing Director, Energy and Utilities Industry
and Robert L. Patrick, Director, Corporate Restructuring and Recovery

A recent update from Debtwire states that 135 oil companies being headed for bankruptcy is good news compared to the 180 companies that were on the Debtwire list in January. According to the article, oil prices have recovered from their lows of around $26 a barrel and are now hovering around $50, which has helped some companies stabilize. Most of the companies on Debtwire’s list have already eliminated jobs and closed plants, so the industry appears to have hit bottom, the article claims.

Our perspective:

It may be prudent for oil company management teams and investors to hold back on optimism-based strategies for the present time.

Oil market fundamentals and the U.S. economic outlook portend, at best, flat results for the foreseeable future. That said, and as surprising as it might sound, energy was the best-performing sector in 2016, so those holding positions in energy stocks have benefited. However, investors who are willing to accept the oil market- and company-specific dangers inherent in placing capital into distressed oil and gas companies should not be looking for immediate returns in 2017.

Those who have been waiting for the industry to “hit bottom” before pulling the trigger on new investments, acquisitions or expansions might want to add this decline in bankruptcies to other recent optimistic news (for example, an energy-friendly federal administration, oil stabilizing around $50/bbl, and OPEC cutting production) as an indicator that the industry is headed in the right direction.

Bottom line: Even if a lower number of oil companies appear to be headed for bankruptcy, the industry’s stress is likely to continue and companies will need to continue to strengthen their profit-and-loss monitoring and forecasting, risk management analysis, and strategic planning processes.

‘Tis the Season to Get Serious About Part 504

By Carol Beaumier, Executive Vice President and Managing Director
Regulatory Compliance Practice

There is nothing unusual about a U.S. bank regulator issuing a consent order (CO) to a foreign banking organization for deficiencies in the organization’s anti-money laundering (AML) compliance program. However, a December 2016 New York Department of Financial Services (DFS) consent order with a European bank and its New York branch warrants a second look.

The financial institution in question is, according to the DFS, a repeat offender that has been subject to various AML-related enforcement actions since 2007, and, as a result, the CO was accompanied by a fine of $235 million. Cited deficiencies include:

  • Deficient transaction monitoring that failed, among other things, to consider shell company activity
  • Alert clearing practices that deviated from written policies and procedures
  • Undetected logic flaws/gaps in the transaction monitoring system
  • Non-transparent payment processing in which key details were omitted from payment instructions
  • Breakdowns in audit and management oversight

It’s not the serious deficiencies that make this CO unusual, though. What is noteworthy is that the CO provides a platform for the DFS to justify and reinforce its commitment to its newly enacted Part 504, Transaction Monitoring and Filtering Program Requirements and Certifications. In the Introduction to the CO, the DFS devotes sections to “The Culture of Compliance in the Age of Risk” and “Transaction Monitoring – An Essential Compliance Tool” (both basic tenets of Part 504) and, in fact, closes the Introduction with language reminiscent of its introduction of Part 504:

“In both past investigations and routine examinations, the Department has identified significant shortcomings in transaction monitoring and filtering programs of a number of major financial institutions. The Department found that such deficiencies generally were attributable to a lack of robust governance, oversight, and accountability at senior levels. These findings have resulted in a number of enforcement actions, and have led the Department to issue a new regulation (effective January 1, 2017) governing transaction monitoring and filtering systems. Among other things, the regulation creates an obligation for a covered institution’s chief compliance officer (or functional equivalent) to certify compliance with this regulation, thereby encouraging institutions to proactively ensure compliance with existing federal and state anti-money laundering and sanctions requirements. The Department views effective transaction monitoring systems as an essential tool in the battle against illicit transactions and terrorist financing in this age of risk.”

New York-regulated financial institutions that haven’t developed and launched their Part 504 compliance initiatives should enjoy the holidays. Next year may be a very busy year.

For additional information on Part 504, see the Protiviti flash report, New York Department of Financial Services’ Final Transaction Monitoring and Filtering Program Regulation.

Engaging the New Workforce: Talking to Millennials

By Richard Childs, Managing Director
Policy, Strategy and Communications

Millennials, the ascendant demographic group of people who came of age in the early 2000s, will soon surpass baby boomers as the majority of the global workforce. This is not a trivial fact for employers. Without overstating a generational difference, it’s safe to say that millennials interact with information differently from previous generations. To connect with these workers more effectively, organizations need to take a generation-appropriate approach to communication.

We recently published our views on millennial-friendly communication in a white paper, Millennial Communication 101, to help organizations understand who this new workforce is and what forces have influenced the way millennials learn and communicate. Our recommendations apply to everyday communication, as well as the design of educational and training materials for the workplace.

As the first digitally native generation, millennials are quick to embrace and master technology. Multitasking is second nature, and it is not unusual for them to be working on three to five screens at a time, shifting attention from task to task, every eight seconds on average, and alternating between business and personal communication.

Having been immersed in a ceaseless flow of information and stimuli since birth, millennials have become adept at skimming, dipping deeper into the data stream for more information only when something captures their imagination. Raised to process information newsfeed-style, they are more likely to engage with communications that are entertaining and visually oriented.

This is particularly relevant for on-the-job training. Whereas long training sessions requiring sustained attention may work for older workers, millennials absorb information best if it is presented in short, easy-to-digest modules drawn from relatable work-life experiences. Microlearning — the use of short two- and three-minute monthly videos, instead of a single long annual training session — can have a significant positive effect on retention.

Posters and other printed educational materials can help raise awareness, but for that information to be retained and applied, it needs to be presented and reinforced in a variety of formats over time, preferably in digital form. Video voiceovers work best when they are energetic and, ideally, voiced by someone of the same generation. Animated objects and characters, particularly youthful ones, create a stronger visual memory than static illustrations or photos.

As a social generation, millennials prioritize their personal image. Tapping into this personal brand identity, and its potential for increased or decreased social status among peers, is often the best way to communicate about consequences, say, of opening a malicious attachment in a phishing email, or of being careless with client data.

For many employers, especially those with long-standing corporate cultures, undertaking such shifts may seem like an imposition or even an assault on traditional corporate values. However, we believe that streamlining corporate communications to meet millennial needs is an opportunity, as the data we have seen indicate that these changes are enabling employers to revitalize their workplace culture and build stronger employee relations overall.

How is your organization engaging with millennials? We are interested in your experiences; let us know in the comments. You can download the white paper here.

Brexit Raises Questions About Personal Data Protection

By Mark Peters, Managing Director
IT Audit Practice Leader, UK

Not all border crossings are visible. The decision by the United Kingdom earlier this year to leave the European Union (EU) brings a basket of challenges and opportunities for the management and protection of personal data that will cross a new legal boundary once the UK goes its own way. Personal data is a crown jewel of commerce, and the secure transfer and storage of data across national and regional borders is a hotly contested topic.

We examine this issue in our recent point-of-view paper, Responding to the Challenges and Opportunities Presented by Brexit — Data Protection and Management Implications, available for free download from our website.

Under the current EU Data Protection Directive, personal data can be transferred freely between countries within the EU, but it can only be transferred to countries outside the EU that guarantee an adequate level of protection. The new EU General Data Protection Regulation (GDPR), which entered into force in May 2016 and applies from May 2018, aims to harmonize existing data protection laws and strengthen data protection rules. It was a long time coming, and it carries fines of up to four percent of annual global turnover (or €20 million, whichever is higher) for noncompliance.

Some UK companies have incorrectly assumed that, following Brexit, GDPR will no longer apply, and have drawn the conclusion that Brexit will simplify data governance. In fact, the timetable for GDPR compliance is likely to run ahead of the UK’s formal exit, which means UK companies will have to comply with the GDPR, even as UK regulators craft their own personal data rules and negotiate transfer terms with the EU. It is likely, as well, that the EU will require companies in the UK to continue to meet GDPR standards as a condition of access to the EU market.

The split also raises questions for UK companies with data centers and cloud providers in the EU, and vice versa. Even if not required by the GDPR, many EU companies restrict suppliers from exporting personal data outside the EU, as part of their internal data risk management policies. That means some EU companies are likely to require suppliers to move data out of the UK and into EU data centers. Now would be a good time to take inventory of data locations and develop contingency plans.

Similarly, any ongoing business change projects approved before the Brexit vote and involving a significant IT investment should be reassessed and modified to address any implications on data storage and transmission. Given the broad definition of personal data under GDPR, virtually all projects will be affected. As a priority, all organizations should evaluate their data center strategy for these projects and decide whether it might be prudent to move or split data centers across different territories.

Organizations that utilize cloud service providers should determine what arrangements those providers have made for segregating data for EU and UK customers.

Client contracts should also be reviewed, and modified as needed, to clarify expectations on data residency and exchange.

As with any significant change, human factors can make or break the transition. Organizations should identify key decision makers who are likely to require early awareness training in order to keep abreast of potential changes in data protection legislation. Areas most likely to be affected include customer management, marketing, legal, compliance, human resources, IT, facilities, contracts, and project management.

We will continue to monitor this situation and revisit, as needed, as details become available. The above is just a summary; download the full paper here.

Your Personal Information Is Not Personal Anymore – So Who’s Guarding It?

By Scott Laliberte, Managing Director
IT Security and Privacy

We live in an age of great convenience enabled by technology. Snap a photo of your check on your smartphone to make a deposit: simple. Roll over an IRA from your home office: easy. Change the password on your bank account from the airport: no problem.

What is less apparent to consumers of these services is the risk they assume by using these conveniences. And while few of us wish to give up our conveniences, we had better be ready to demand the best processes and technologies available to protect us from fraud and identity theft.

For businesses, meeting demands for enhanced personal identity protection can be costly, and it introduces new inconveniences for their customers, something businesses are always conscious of. It helps when consumers recognize the value of better security, and even demand it, despite the potential costs and inconveniences. We are all familiar with the annoyance of forgetting a password and having to jump through a half-dozen hoops to get it back, but at least we recognize that it is our own interest that demands it.

Businesses have just three kinds of factors available when they want to confirm the identity of a consumer: things the consumer knows, things the consumer has, and things the consumer is. For instance, a consumer knows her password, date of birth, Social Security number, and the answers to several secret questions, like the make of her car or her mother’s maiden name. Some of these are easy to guess, and all of them are easy for an attacker to store and reuse: if one breach reveals a customer’s password and secret-question answers for one site, attackers will “replay” that information against other sites. Things the consumer has, like her cell phone, are harder for attackers to obtain. Adding an “out-of-band” element to authentication, such as texting a one-time PIN to the phone to authorize a logon, protects customers even when attackers hold the other identifying data, because each PIN is good for only one logon and cannot be replayed later. (Practitioners should note that SMS delivery itself can be subverted, for example by a SIM swap at the carrier, so an authenticator app or hardware token is the stronger form of this factor.) Finally, things the customer is offer strong protection as well, though they too may be subject to replay or other issues. Fingerprints and retina scans are two biometric methods in this category today.
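The out-of-band PIN step described above, as an added illustration that is not code from the original post: the server issues a short random PIN for one logon, delivers it over a separate channel (here a stand-in function that just records the message), stores only a salted hash of it, and accepts it at most once within a short window. The class and function names, the five-minute lifetime and the three-attempt limit are assumptions chosen for the example; the point it demonstrates is why a stolen knowledge factor can be replayed but a correctly handled one-time PIN cannot.

```python
"""One-time, out-of-band PIN issuance and verification.

Added example, not the original post's code. Models the "text a PIN to
the phone" step: a PIN is bound to one login attempt, expires quickly,
and is accepted exactly once, so replaying a captured PIN fails.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_DIGITS = 6
PIN_LIFETIME_S = 300      # assumed: a PIN is valid for five minutes
MAX_ATTEMPTS = 3          # assumed: the challenge is voided after 3 wrong guesses


@dataclass
class Challenge:
    """Server-side record of one outstanding PIN. Only a salted hash is kept,
    so a leak of this table does not expose live codes."""
    salt: bytes
    digest: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


def _digest(salt: bytes, pin: str) -> bytes:
    return hashlib.sha256(salt + pin.encode()).digest()


class OutOfBandAuth:
    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms                 # out-of-band delivery channel
        self._clock = clock                       # injectable for testing
        self._pending: dict[str, Challenge] = {}

    def issue(self, user: str, phone: str) -> None:
        """Create a fresh PIN for `user` and deliver it to `phone`.
        Any earlier PIN for the same user is invalidated."""
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        salt = secrets.token_bytes(16)
        self._pending[user] = Challenge(
            salt=salt,
            digest=_digest(salt, pin),
            expires_at=self._clock() + PIN_LIFETIME_S,
        )
        self._send_sms(phone, f"Your one-time login PIN is {pin}")

    def verify(self, user: str, pin: str) -> bool:
        """Return True exactly once per issued PIN, and only while it is fresh.
        Replayed, expired, or repeatedly guessed PINs are refused."""
        ch = self._pending.get(user)
        if ch is None or ch.used:
            return False
        if self._clock() > ch.expires_at:
            self._pending.pop(user, None)
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            self._pending.pop(user, None)         # force a brand-new challenge
            return False
        # compare_digest avoids leaking the match position through timing
        if not hmac.compare_digest(ch.digest, _digest(ch.salt, pin)):
            return False
        ch.used = True
        return True


def demo() -> dict:
    """Walk through the legitimate, replayed, expired and brute-forced cases
    with a constructed phone number and a fake clock; returns the outcomes."""
    outbox = []
    now = [1_000_000.0]                           # fake clock we can advance
    auth = OutOfBandAuth(send_sms=lambda phone, msg: outbox.append(msg),
                         clock=lambda: now[0])
    phone = "+15555550100"                        # constructed sample number

    auth.issue("alice", phone)
    pin = outbox[-1].split()[-1]                  # what the handset received
    first = auth.verify("alice", pin)             # legitimate logon
    replay = auth.verify("alice", pin)            # attacker replays the same PIN

    auth.issue("alice", phone)
    pin2 = outbox[-1].split()[-1]
    now[0] += PIN_LIFETIME_S + 1                  # wait past the lifetime
    expired = auth.verify("alice", pin2)

    auth.issue("alice", phone)
    pin3 = outbox[-1].split()[-1]
    wrong = "000000" if pin3 != "000000" else "111111"
    guesses = [auth.verify("alice", wrong) for _ in range(MAX_ATTEMPTS)]
    locked = auth.verify("alice", pin3)           # right PIN, but over the limit

    return {"first": first, "replay": replay, "expired": expired,
            "guesses": guesses, "locked_out": locked}


if __name__ == "__main__":
    print(demo())
```

The two properties that matter are visible in `verify`: the `used` flag makes the PIN single-use, and the expiry plus attempt counter keep a six-digit code from being brute-forced or reused from an old SMS. A production system would also rate-limit `issue` per user and phone number, so an attacker cannot flood a victim with codes.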

These are the kinds of protections businesses must now routinely offer and customers must demand, or at least reward with their patronage those businesses that offer them.

Here are some suggestions for businesses that wish to add themselves to the category of companies with strong, responsible customer identity protection:

  • Offer enhanced security features but allow your customers to opt in. Not all consumers will be willing to take on more complex authentication to protect their identities against theft. Some simply don’t care, and the complexity may drive them away.
  • Consider how fees might offset the costs of enhanced protection, and also how fees might affect customer loyalty. Monitor how these services are priced by other players in your industry.
  • Develop your in-house knowledge of the changing cybersecurity landscape and expedite development of your expertise in areas that are affecting your business the most.
  • Educate your consumers so they can recognize the value of the enhanced security you offer to protect them against significant losses – and why the added inconvenience is a minor hassle compared to the syphoning of their 401k, for example.
  • Employ advanced fraud analytics to monitor for suspicious activities and high-risk transactions.

From the consumer’s perspective, the following actions should help consumers become partners in the effort to protect their own identities:

  • Sign up for identity theft protection services. These services monitor credit inquiries and can protect against thieves using stolen personal information to apply for credit in your name. While they may not be able to detect activity directed at your 401k, HSA, or other financial accounts, these services may provide support to resolve problems resulting from identity theft and some even offer insurance against loss.
  • Monitor financial statements promptly to ensure all transactions are valid.
  • Use a different password on every site, and change a password promptly whenever a breach may have exposed it; a password manager makes this practical. Vary your secret questions and treat the answers like passwords: choose questions whose answers are hardest to guess (e.g., the name of your best friend in high school is harder to guess than your favorite color), and remember that an answer does not have to be true, only memorable to you.
  • Welcome enhanced security features like out-of-band authentication (such as a PIN texted to your phone) and biometrics (using your fingerprint or iris) – especially for high-risk transactions such as changes to key account information (password, email, address) or transfers of money.
  • Vote with your wallet: Gravitate toward businesses that offer enhanced security features. Encourage your established providers, via survey responses and direct requests, to offer enhanced security features, and be prepared to pay for them – perhaps in higher fees; certainly in inconvenience.

Businesses will continue to benefit from offering convenient online features to their customers, as a way of achieving customer loyalty and competitive advantage. Consumers will come to expect faster, secure, seamless services as platforms and technology allow. Businesses and consumers alike will do well to stay informed about how to protect consumer data in this evolving landscape. As long as identity theft continues to reward hackers, they’ll keep looking for ways to circumvent security measures. We need to evolve our security techniques to keep up with the ever-changing threats from cybercriminals.