Regtech: An Innovation Quickly Going Mainstream


By Vishal Ranjane, Managing Director
Risk and Compliance

and Shubhendu Mukherjee, Director
Risk and Compliance


Last year, we wrote about the various ways financial institutions were using technology to streamline and improve regulatory compliance. We thought it was time to revisit the topic, given regtech’s quiet but steady advancement in the financial services industry in the time that has passed.

A specific definition of “regtech” is still evolving, but generally speaking, the term applies to any automation or digitalization of manual regulatory compliance processes to add speed, security, accuracy and agility in complying with regulatory requirements. Part of a broader trend toward digital transformation in financial services, the term typically refers to the regulatory application of existing technology, not the technology itself — a point well-made by my colleagues John Harvie and Derek Cummings in Regtech: A Confluence of Opportunities, a paper Protiviti published earlier this year.

Much of the driving force behind this transformation is coming from financial institutions, who are replacing outdated and disjointed legacy systems with new core technology and are looking for ways to replace expensive and error-prone manual processes with automated processes across all functions, including compliance.

It is fair to say that, historically, technology funding for compliance functions has been low. As the regulatory expectations increased over the years, many compliance processes were enhanced in an ad hoc manner, utilizing antiquated systems and manual consolidation of multiple data streams from disparate sources that were hard to manage and/or update. A common solution to the complexity (which still exists today) is to add more resources to existing teams.

Digital transformation initiatives have created opportunities to consolidate and integrate these systems, generating efficiencies that organizations are using to reduce the time and resources devoted to routine compliance tasks. These opportunities and technology applications are in various stages of maturity. Financial institutions are now in a position to prioritize the more mature and proven technologies to provide real-world solutions to high-cost business problems in areas that cause the biggest expense.

One such technology that is higher on the maturity curve is robotic process automation (RPA) — the use of software to work alongside human operators to perform high-volume repetitive tasks. It is most commonly encountered in the automated menus most large companies use to route incoming calls, or to schedule an automatic call-back at times of high call volume. Increasingly, financial institutions are using RPA to perform compliance tasks, specifically in AML transaction monitoring, OFAC screening, and “know your customer” (KYC) activities.

Visual analytics is another technology seeing widespread regtech application. Dashboards and other graphic representations of real-time data with drilldown capabilities and cross-tabulation provide at-a-glance insights that were functionally impossible to achieve previously with manual reporting. (The Protiviti Risk Index is one such example of a dashboard used to provide dynamic risk information at a glance.)

Other innovations, such as artificial intelligence and biometrics, are making regtech inroads as well, particularly in onboarding and KYC compliance, though they are behind RPA and visual analytics on the maturity curve. Technology acceptance is changing fast, however, with regulators encouraging “responsible innovation” and testing of new applications in a controlled environment. The number of vendors offering regtech solutions is also increasing. One research report cites $3.2 billion in funding raised in the past five years for startups specifically focused on regtech solutions, primarily for the financial services industry.

Regtech is an exciting trend, with a promising future. As our clients look for ways to drive down costs and increase compliance efficiency, we continue to advise them to assess their options carefully, invest time, effort and resources in those activities most likely to deliver value, and be prepared to learn quickly from the failures as well as the successes of others.

Criminal Finances Act 2017 Aimed at Terrorist Financing Affects All Firms With UK Operations

By Bernadine Reese, Managing Director
Risk and Compliance, Protiviti UK


One of the recent examples of efforts to clamp down on terrorist financing and tax evasion comes from the UK, where the Criminal Finances Act 2017 received Royal Assent in April.

The Act, expected to take effect this September, is being touted as a powerful new tool in the investigation and prosecution of tax evasion and terrorist financing crime in the UK. In response to concerns raised by regulated firms, it also includes provisions that will make it easier for firms to share information on potential criminal activity, without violating privacy laws.

Essentially, the Act introduces two new offences: failure to prevent the facilitation of UK tax evasion, and failure to prevent the facilitation of foreign tax evasion. The Act is intended to hold companies automatically liable for the facilitation of domestic and foreign tax evasion by their “associated persons” if the company did not have “reasonable prevention procedures” in place to prevent it. “Associated persons” is a purposely broad term and can include employees, agents, subcontractors, or anyone else who performs work for or on behalf of the company. Protiviti has published a paper addressing some of the most common concerns regarding the new Act as a series of frequently asked questions. Here are some of them:

Q: How does the new law tackle terrorism?

A: A number of provisions that address money laundering will apply broadly to persons suspected of terrorist financing, or property that has been acquired with terrorist funds or with the intended purpose to facilitate terrorist financing. The law provides mechanisms for both voluntary and mandatory disclosures by regulated firms, as well as provisions for the seizure and freezing of assets.

Q: What is the difference between “tax avoidance” and “tax evasion?”

A: While the distinction between tax evasion and tax avoidance continues to be politically sensitive, tax avoidance is generally considered to be the lawful minimization of one’s tax burden — for example, taking legal tax deductions on expenses. Tax evasion is the unlawful non-payment of taxes that are legally due to the government. Examples might include intentionally misreporting taxable income in order to pay lower (or no) taxes, concealing assets in overseas accounts, failing to file a tax return, using false documentation, or deliberately suppressing taxable income.

Q: What are “reasonable prevention procedures?”

A: The paper examines this in detail, but briefly, law enforcement will be looking for evidence of top-level commitment to anti-money laundering; regular risk assessments; a proportional, rather than one-size-fits-all, approach to risk as part of the organization’s overall risk management efforts; due diligence; robust communication; and monitoring and review of account activities.

Q: What should our priorities be to get ready for the new legislation?

A: Protiviti has put together a four-point plan:

  1. Understand how the new law affects your business and customers: The scope of the Act seems broad but many of its provisions relate to increasing transparency and information sharing intended to prevent the money trail from going any further, and to tackling financial crime, which now includes tax offences within its definition. Customers likely to be the target of increased scrutiny under this law include corporate clients with complex company structures; individuals who use tax planners, such as celebrities and politicians; wealthier private clients with large asset holdings and/or associations with low-tax offshore jurisdictions; and entities, such as religious organizations and charities, which may be used as vehicles for terrorist financing. A risk assessment will need to be performed.
  2. Review and update policies and procedures: Once senior management has articulated its position on tax evasion, this should be communicated through the firm’s policies and procedures in a clear and practical way. In particular, firms will be expected to demonstrate that they have “reasonable prevention procedures” in place to combat the facilitation of tax evasion and should consider whether new or additional procedures are necessary, including those for associated persons, depending on risk levels and potential exposure.
  3. Prepare and train staff: Identify staff likely to be impacted by the new legislation — such as customer-facing teams, compliance, and internal audit. Prepare and give tailored training to relevant employees to ensure that they are aware of legislative changes and the impact on their role. Circulate regular communications to reinforce the company’s policy and staff’s responsibilities.
  4. Review existing clients: Consistent with taking reasonable prevention procedures, firms should adopt a risk-based approach to dealing with the assessment of their existing customer base. This might include an immediate review of those customers considered to be at the highest risk of tax evasion, while lower risk customers might be covered as part of the firm’s periodic review of “know your customer” information for anti-money laundering purposes. Firms will need to plan and take action according to the risks presented by their existing customer base.

Companies should seek help early rather than late with some of the more complex and tedious elements of complying with the new legislation, including conducting a gap analysis, developing risk-based evaluations, reviewing customer files and providing training. For a detailed analysis of the UK Criminal Finances Act 2017, download the free paper from our website.

Security and Privacy in Financial Services: Q&A Addressing Top Concerns


By Ed Page, Managing Director
Technology Consulting, Financial Services

and Andrew Retrum, Managing Director
Security and Privacy


Global cybersecurity risk has never been higher, especially at financial institutions, which are often targeted for their high-value information. Earlier this year, Protiviti published its 2017 IT Security and Privacy Survey, which found a strong correlation between board engagement and effective information security, along with a general need to improve data classification, policies and vendor risk management.

We sat down with our colleagues Scott Laliberte, Managing Director in our Cybersecurity practice, and Adam Hamm, Managing Director, Risk and Compliance, to discuss how these overall findings compared to those specific to the financial services segment, and why the financial services industry differed from the general population in some aspects. We outlined the comparisons in a recently published white paper. What follows is a sampling of some of the questions we addressed, with a brief summary of the answers. For a more detailed analysis and more data specific to the industry, we recommend downloading the free paper from our website.

Q: What are the top IT security and privacy-related challenges facing financial services firms today?

A: Disruptive technologies, third-party risk, shadow IT — systems and solutions built and used inside the organization without explicit organizational approval — and data classification are top concerns, not only for FSI firms but for survey respondents generally.

Data classification is a particularly challenging and important issue for the financial services industry, from both a security and a compliance perspective. We often talk about “crown jewels” — data that warrants greater protection due to its higher value. Establishing effective data classification and data governance are multi-year efforts for most institutions, and they must be consistently managed and refreshed. And the difficulty of these efforts is compounded by the unique complexity of financial systems. Naturally, financial services firms are slightly ahead of their counterparts in other industries in data classification, due to their more acute awareness and ongoing, focused efforts, but they still have a long way to go.

Q: Boards of directors of financial firms are more engaged and have a higher understanding of information security risks affecting their business compared to other industries. What does this tell you about the level of board engagement at financial institutions?

A: Financial institutions are being attacked and breached more often than companies in other industries due to the high value of their information. As a result, regulators have been pushing boards at financial services firms to become more aware of and involved in cyber risk management. The Gramm-Leach-Bliley Act (GLBA), as well as guidance from the Federal Financial Institutions Examination Council (FFIEC), both encourage regular cyber risk reporting to the board and management. The New York Department of Financial Services similarly requires that CISOs at insurance companies provide a report to the board on the cyber program and material cyber risks of the company, at least annually. As we noted in the beginning, our survey found a strong correlation between board engagement and cybersecurity maturity in all organizations — so the higher involvement of financial services firms’ boards bodes well for their companies’ cybersecurity, provided directors get actively engaged with management on this topic.

Q: Over half of financial services respondents to the survey said they were “moderately confident” they could prevent a targeted external attack by a well-funded attacker. Is this an accurate assessment of most financial institutions?

A: Given that the probability of a cyber attack on a financial institution has become a matter of “when,” rather than “if,” we would not expect any institution to have a high — or even moderate — degree of confidence. It may be a measure of false confidence that so many organizations think they can prevent an attack. The onus is now on firms to assume that an attack is likely, and be prepared to limit its impact.

Q: Most financial services respondents indicated that they were working with more big data for business intelligence compared to last year. What should firms be concerned about with regard to their growing use of big data?

A: Big data includes both structured and unstructured data, which is more difficult to classify. Firms may also be dealing with new technologies with different security characteristics as well as more data distributed in the cloud. All of these factors complicate data management for financial institutions. As financial institutions rely more on big data, it is critical that they know what data to protect, its location and all of the places it might travel over its lifecycle in the system. Just as important is the need to control access to data and to protect the integrity of that data as more users interact with it for a growing number of reasons.

Q: More and more firms are using third parties to access better services and more advanced technology, but are financial institutions doing enough to counter new risks arising from third parties, such as partnerships with fintech companies?

A: Financial institutions are digital businesses, with more and more capabilities provided via mobile devices and through partnerships with financial technology, or fintech, companies. Many fintechs are small startup organizations that may lack the rigor and discipline of a traditional financial services firm. While innovation is necessary to compete in today’s fast-paced world, organizations need to take steps to ensure that appropriate controls are in place, and to test those controls, in order to minimize risk from third parties.

The full paper goes into significantly more detail on these and other questions than the abstract provided here, and presents the perspective of both security and risk and compliance experts. Let us know if you find it helpful.

A New Look at Politically Exposed Persons – Focus on Risk, not Rules

By Matt Taylor, Managing Director
Risk and Compliance, Protiviti UK


The European Union’s (EU) Fourth Anti-Money Laundering Directive (4AMLD) came into effect on Monday, June 26, for all EU countries. Back in April, Protiviti sponsored a “PEP Breakfast” in anticipation of this directive, at which we had the opportunity to share information with key clients and other leading industry figures about the changes now in effect. The discussion centered on the UK Financial Conduct Authority’s Guidance Consultation, which provides guidelines on how to implement 4AMLD in the UK, and spells out how the new regulations will change firms’ design of – and approach to – enhanced scrutiny of accounts with high money-laundering risk, including those associated with “politically exposed persons,” or PEPs. The PEP Breakfast presented details regarding the changing approach to PEPs, and offered participants the opportunity to compare notes and learn from one another’s approaches to changing anti-money laundering (AML) regulations and best practices in the EU and UK.

With 4AMLD now in force, it seems like a good time to recap some of this discussion.

PEPs are individuals whose position and/or influence in government or public bodies may present heightened risks of financial crime, generally bribery and corruption. AML regulations require obliged organizations to consider subjecting such individuals to enhanced due diligence to identify, mitigate and manage such potential heightened risks.

Historically, many financial institutions have approached the potential heightened risk of PEPs on a “one size fits all” and “once a PEP, always a PEP” basis. The new regulations (and indeed, maturing risk assessment models) are driving a move to a more risk-based approach to identifying, mitigating and managing the potential heightened risk of financial crime posed by PEPs.

A more risk-based approach to PEPs includes, among other things:

  • A detailed assessment of the real financial crime risk inherent in the PEP’s current (or recent) role in the public body and ability to exert control or influence over areas which pose a heightened risk of bribery and corruption. PEPs who have been out of public office for, say, 18 months may no longer pose any heightened risk since they can no longer control or influence decisions that could make them open to bribery or corruption.
  • A thorough review of the risks posed by relatives and close associates (RCAs) of the PEP. PEPs are often sophisticated individuals and know that their financial dealings are subject to enhanced scrutiny, and may use relatives and/or close associates to act as nominees, “independent consultants” or the like in corrupt transactions.
  • Not distinguishing between “domestic” and “non-domestic” PEPs in the overall assessment of heightened financial crime risk. Local government officials, for example, may have control or strong influence over building development planning consent or licences, which can result in large profits for property developers and the like. In addition, the distinction between domestic and non-domestic PEPs is not practical for multinational financial institutions where clients may have accounts in multiple jurisdictions regardless of where they were initially on-boarded.
  • Enhanced transaction monitoring for PEPs and RCAs (if they are a customer or linked to a customer).
  • A recognition that negative news and other public information sources are open to manipulation in certain circumstances.

In addition, a holistic AML approach to the risk of bribery and corruption should focus on those industries and/or countries which currently carry a higher risk of such activities. These would include, for example, oil and gas companies in developing countries with ranking PEPs on their boards, or global sports organizations, where transfer fees (including layers of agents/consultants) and salaries and other payments in the tens of millions create a heightened risk of bribery and corruption.

What will these changes mean for financial services firms’ day-to-day operations? Up-to-date, detailed and (where necessary) verified “know your customer” information about customers is crucial. Red flags might be garnered from business records, powers of attorney, contracts for services rendered, and even social media profiles. PEPs’ direct (or, more commonly, indirect through RCAs) links to offshore entities and other opaque ownership structures are perhaps the biggest red flag of all. In general, PEPs and their RCAs will seek to place funds in jurisdictions and entities that are most likely to shield them from reporting to tax or regulatory authorities, either through anonymity or due to a lack of such reporting.

Organizations must review their approach to PEP risk in light of changes to regulations and a maturing view on financial crime risks to focus resources on true, rather than merely theoretical, risk. Asking the following questions will help:

  • Has the organization designed a method of assessing risk appropriate to its business model? “Method” implies a rigorous, documented approach not only to the process of identifying the real risk, but also to the process of monitoring the PEPs and RCAs to ensure such risk is mitigated and managed.
  • Is the established approach being applied appropriately and consistently? Firms should be able to demonstrate that the documented methods are applied without exception. For example, the organization’s procedures should be designed to identify both foreign and domestic PEPs in all the jurisdictions in which the company operates.
  • Does the organization invest effort to validate that its approach has been effective? Regulators will be assessing whether the methods in place are applied consistently and are yielding meaningful results in identifying, mitigating and managing risk and, where appropriate, reporting suspicious activity.

Updates to the definition of and approach to PEPs are just one of several changes required by 4AMLD. Others include the introduction of registers of ultimate beneficial owners for companies and other legal entities, including trusts; the removal of the entitlement to automatic application of simplified due diligence; and the addition of tax evasion as a predicate offence to money laundering. And 5AMLD is hot on 4AMLD’s heels. 5AMLD will broaden the definition of obliged entities to include virtual currencies, anonymous prepaid cards and other digital currencies, plus further changes to tighten AML control requirements. Banks should waste no time in making sure they are prepared to comply with the new rules, and seek help promptly where needed.

EU Payments Directive Opens Door to Open Banking

By Bernadine Reese, Managing Director
Risk and Compliance, Protiviti UK


The second European Payment Services Directive (PSD2) is scheduled to become law on January 13, 2018. Heralded as a way to make it faster, easier and less expensive for consumers to pay for goods and services, it also forces European banks to share customer data and payment infrastructure with third-party service providers and disruptive new competitors known as fintechs.

For better or worse, banks will soon have to comply with the law. Their only choice lies in whether to embrace this disruption and use it as the catalyst for an “open banking” business model, or succumb to the competitive threat.

The European Parliament adopted PSD2 in October 2015 to promote innovation (especially by third-party providers), enhance payment security and standardise payment systems across Europe. Its practical effects would be to:

  • Regulate fintechs that fall within the wider definition of what is regulated in payment services
  • Limit transaction fees and rebates
  • Require banks to open their payment infrastructure and customer data to third-party financial service providers; and
  • Provide new protections to consumers and users of payment services.

In practical terms, PSD2 would create an open banking environment where banks would be required to share a customer’s personal financial data, at the customer’s request, with any regulated account information service provider (AISP), while the bank still retains responsibility for the risk and compliance aspects of the customer and his or her data. This will be done through an application programming interface (API) that complies with a set of technical standards set forth under PSD2.

For sure, this expanded access and consolidation of data increases existing risks (such as fraud) and poses new potential risks to the current business model of certain institutions such as banks, but it brings opportunities as well — particularly for challenger banks, and for traditional banks that choose to do more than the bare minimum of PSD2 compliance. Perhaps a bit surprisingly, the prevailing sentiment — even among some bankers — is one of excitement and optimism.

Time will tell what innovations and unintended consequences PSD2 will create. In the most likely scenario, the financial services industry will see a dramatic rise in mobile technology driven by APIs. In the future, banks wishing to remain competitive will use APIs to build an “ecosystem” with not just payment providers but merchants, so that they remain their customers’ “everyday bank.” The use of APIs in financial services has been hampered by privacy rules and the private ownership of data and infrastructure. PSD2 clears those hurdles.

Consider this small sampling of possibilities:

  • Account aggregation, which provides consumers with an overview of all accounts held across different institutions, without having to log into multiple proprietary customer portals.
  • Automated balance sweeping across multiple accounts to maximise interest payments and minimise debit balances.
  • “Marketplace” banks that offer lowest-cost services for loans, overdrafts and foreign currency transfers.
  • Credit decisions based on actual data by any institution and not just the institution currently providing bank account services — increasing choice and competition.
  • Payment facilities for the Internet of Things, such as, say, a self-replenishing refrigerator authorized to “shop” on the owner’s behalf, or a car that can pay for fuel or recharge without the customer leaving the vehicle.

There will be winners and losers. Potentially the biggest winners will be consumers and entities making and receiving payments within the European Economic Area. Cost and lack of competition in the existing payment space has been a concern for European regulators, and the opening up is likely to drive costs down for banks and consumers alike as competition increases.

An issue I deliberately did not mention here is data security and the safeguards built into PSD2 to ensure that personally identifiable data is protected. This is a topic that deserves a discussion in its own right, and we will be covering the security aspects of PSD2 here on this blog and elsewhere. In the meantime, you can bet that PSD2 will be front and center when the European financial services industry gathers June 26-28 in Copenhagen for Money 20/20. I hope to see you there!

John Harvie, Business Performance Improvement, Protiviti UK and Justin Pang, Risk and Compliance, Protiviti UK contributed to this content.

Cyber Attacks Can Be Costly – Is Cyber Insurance the Answer?

By Adam Hamm, Managing Director
Risk & Compliance


The WannaCry malware attack in mid-May focused the attention of corporations around the world on escalating cyber threats. Our Flash Report released immediately after the attack noted that it marked a new and unsettling aggressiveness on the part of cyber criminals: No previous assault matched the breadth of impact of WannaCry, which affected hospitals, corporations and government offices in more than 150 countries around the world.

The cost of getting businesses up and running after the attack was expected to potentially add up to billions of dollars. Additionally, some organizations could face lawsuits over their failure to patch the previously disclosed Windows vulnerability that the criminals exploited.

In fact, news on May 23 that Target Corp. had agreed to pay $18.5 million to settle state and financial institution claims stemming from an enormous data breach should have warranted as much corporate attention as the WannaCry event. Hackers stole data from up to 40 million credit and debit cards belonging to the retailer’s shoppers during the holiday season in 2013, and the company disclosed that the total cost of its cyber security failure had amounted to $202 million so far. A settlement stemming from a consumer class action has yet to be finalized.

The grave consequences of weak cyber security – from business disruptions to the expense of repairs and lawsuit payouts – may lead some to believe organizations are scrambling to make cyber liability insurance part and parcel of their IT security protocols. Yet, according to recent surveys, roughly half of U.S. firms don’t have cyber risk insurance, and more than 25 percent of executives without a policy say they have no plans to add one. Among the companies that have insurance, only 16 percent reported that they have policies that cover all liabilities.

There are reasons many companies are reluctant to purchase cyber liability insurance or beef up existing policies, and the two main ones are cost and complexity. Certainly, insurers can improve the clarity of their policies and make it easier for customers to compare different proposals. And it may very well be the prohibitive cost of cyber insurance that is causing some companies hit by ransomware attacks to try to recoup their losses using kidnapping, ransom and extortion policies originally acquired to protect workers in dangerous locations.

Even so, a cyber liability insurance policy is a prudent course of action in most cases. Although it should never be a substitute for strong cybersecurity defenses, it can spell the difference between a severely affected and fairly unscathed bottom line in the aftermath of an attack. Before committing to a policy, however, it is important that management teams and their insurance brokers discuss three pivotal issues:

  • What kind of cyber liability insurance policy does the company need? Does it need a first-party policy to cover the cost of retrieving data critical to the operation, or does the company possess consumer information that requires protection against third-party lawsuits? Does it need both?
  • What amount of coverage does the company want to obtain? This figure will depend on a number of factors, including the size of the company and the type of coverage it needs. To mitigate third-party risk, for example, settlements like Target’s could provide useful benchmarks.
  • What is the premium an organization is willing to pay? A number of variables should be used to determine this figure, including a company’s earnings, the size of the IT budget, and the operations or data at risk.

Once a company has answered these questions, it can begin to shop for cyber liability insurance. As part of the process, the management team needs to fully understand what the policies cover. But perhaps most importantly, organizations need to understand what the policies don’t cover, which will ultimately indicate whether the policy is worth the expenditure.

Given the sophistication and prevalence of successful data breaches, it is now more important than ever for companies to analyze whether a cyber liability insurance policy should be a part of their overall cyber strategy.

Financial Firm Auditors: Are You Ready to Audit Under CECL?

By Charles Soranno, Managing Director
Financial Reporting Compliance and Internal Audit

and Benjamin Shiu, Director, Model Risk Management

Amid widespread concern that Generally Accepted Accounting Principles (GAAP) are inadequate when it comes to advising investors on deteriorating credit quality, the Financial Accounting Standards Board (FASB) has issued a new methodology. The new standard, known as Current Expected Credit Loss, or CECL, uses data analytics to forecast expected losses based on internal and external trends, as well as borrower-specific information. In its simplest form, CECL replaces the old standard of actual or “incurred” loss with a forward-looking estimate of “expected loss” over the foreseeable future. (See our analysis of its anticipated impact.)

The standard was originally scheduled to become effective for public companies in December 2018, but that deadline has been pushed back to December 2020, with private companies to follow a year later.

CECL represents a significant change with far-reaching implications for loss reserves. And yet, just one in ten affected companies has made any significant effort to assess the potential impact and prepare for the change.

Protiviti conducted a webinar recently aimed at internal auditors trying to get the ball rolling at their organizations. As is often the case, the webinar generated more questions than we were able to address during the live session. We want to address some of the additional questions here.

Q: Isn’t the “foreseeable future” loss prediction based on “historical losses” as well? It’s hard to see how CECL offers any real improvement if the underlying data is essentially the same.

A: The forecast over the foreseeable future can draw on both historical experience (losses) and management judgment informed by the most current information.

For the forecasting based on historical losses, data is essential, and that is why CECL implementation will require companies to retain a variety of historical data over a much longer time horizon and analyze it against external information, such as FICO scores, loan-to-value and debt-to-income ratios, and debt service coverage. Internal audit will need to provide assurance on data completeness. With a longer time horizon and a greater variety of historical data, the CECL model should be able to better estimate the loss under different foreseeable future scenarios. Most companies already have such data saved. Even those who don’t, if they start saving data now, will have four years of historical data to work with by 2020.

For the forecasting based on management judgment, unlike the incurred loss model, the CECL model explicitly requires management to take into account the current information and identify the future scenarios for loss estimation.

Q: With the implementation of CECL, will there also be a corresponding allowance for loan and lease losses (ALLL) requirement on the lending institution?

A: Yes. Regulators published a Joint Statement on CECL on June 17, 2016. Expect more on ALLL in the future, but the June 17 statement is already out there.

Q: Isn’t stress modeling sometimes subjective even when using a third party?

A: Not necessarily. Third-party vendors typically use industry-level data to develop their models, and these models then serve as objective benchmarks against which institutional assets can be evaluated.

Q: What is going to be expected of internal auditors under CECL? Will we be expected to audit the ALLL process and controls over the model, or will we be expected to perform full model validation as well?

A: Both would be expected. Right now, internal auditors should be talking to management to ensure there is transparency into the portfolio and the credit quality evaluation process. There should be clear lines of reporting and communication to the board, and internal audit must remain close to the process throughout to ensure that the model is being applied as intended, and that the model itself is valid as a predictor of credit losses in the foreseeable future.

As we discussed during the webinar, and at the highest level, processes, data sources and accounting will be changing under the CECL guidance. Whenever processes change, internal controls must be reassessed to make sure that no new critical risks have been created and that all critical risk areas have adequate controls in place.

Once in place, the controls must be tested by internal audit. For example, here are some critical concerns:

  • Data, process and judgments – Internal audit must collect and test company loss experience and other past events. Some of the processes will require judgment; those judgments must be articulated and supported by evidence. Forecasts on factors that affect collectability, whether internal or third-party, must be validated and back-tested.
  • Other models – For some institutions, Asset Liability Management (ALM) and DFAST/CCAR models, because they incorporate effective lifetime and credit risk assessment, may be utilized (or modified) for CECL estimates as well. However, these models are used for regulatory and management purposes, not as a source of disclosures in financial statements.
  • Documenting processes and controls – Documenting processes and controls will be a major undertaking. Ideally, areas of control weakness in the new processes should be identified as the processes are being developed, not after the fact.
  • New skill sets – Many internal audit departments may require skills in data and modeling. Adequate budget must be provided for staff and training.

Q: Do you advise firms to develop benchmarking CECL models?

A: It may not be necessary to develop a complete benchmarking model. Nevertheless, during the development process, it is reasonable to assume that after considering a variety of alternative approaches, data and assumptions, a benchmarking model may emerge as a side product of verifying the performance of the primary model.

The bottom line is that the time for the internal audit function to develop key CECL-related objectives is now. What auditors have to audit has changed significantly. Data has a certain subjectivity, and auditors must ensure that subjectivity is reduced. In addition, auditors have to increase their skill competency – they have to increase their understanding of modeling and data analytics. To provide assurance, auditors must become confident of their skills and ability to analyze credit risk. The archived webinar is a good first step.

Jeff Marsh of Protiviti’s Risk and Compliance practice co-presented the webinar and contributed to the development of this content.