Coronavirus Sparks CECL Uncertainty

Even before COVID-19, the first quarter of 2020 was shaping up to be an uncertain one for large public banks. Now, it could be a disaster.

There is broad concern that the current expected credit loss standard, which has been effective since the start of 2020 for big banks, will aggravate an already bad situation by discouraging lending and loan modification efforts just when the new coronavirus is wreaking havoc on the economy. Congress is poised to offer banks temporary relief from the standard as a part of its broader relief act.

Section 4014 of the Coronavirus Aid, Relief, and Economic Security Act, or CARES Act, would give insured depository institutions and bank holding companies the option of temporarily delaying CECL implementation until Dec. 31, 2020, or “the date on which the public emergency declaration related to coronavirus is terminated.”

Congress’ bill comes as the Financial Accounting Standards Board has already rebuffed the efforts of one regulator to delay the standard.

On March 19, Federal Deposit Insurance Corp. Chairman Jelena McWilliams sent a letter to the board seeking, among other requests, a postponement of CECL implementation for banks currently subject to the standard and a moratorium for banks with the 2023 effective date.

McWilliams wrote that a moratorium would “allow these financial institutions to focus on immediate business challenges relating to the impacts of the current pandemic and its effect on the financial system.”

FASB declined to act on both proposals. “We’re continuing to work with financial institutions to understand their specific challenges in implementing the CECL standard,” wrote spokesperson Christine Klimek in an email to me later that day.

It’s not an overstatement to say that the standard’s reporting effective date could not come at a worse time for banks — or that a potential delay necessitating a switch back to the incurred loss model may be a major undertaking for banks scheduled to report results in the next several weeks.

“Banks are being tasked with something pretty complex in a very short timeframe. And of course, this is the first period that they’re including these numbers and a lot of the processes are brand new,” says Reza Van Roosmalen, a principal at KPMG who leads the firm’s efforts for financial instruments accounting change. “They’ve practiced with parallel runs. But you’re immediately going to the finals without having had any other games. This is the hardest situation you could be in.”

CECL has been in effect since the start of the new year for large banks and its impact was finally expected to show up in first-quarter results. But the pandemic and related economic crisis create major implications for banks’ allowances and could potentially influence their lending behavior.

The standard requires banks to reserve lifetime loan losses at origination. Banks took a one-time adjustment to increase their reserves to reflect the lifetime losses of all existing loans when they switched to the standard, deducting the amount from capital with the option to phase in the impact over three years. Afterwards, they adjusted their reserves using earnings as new loans came onto the books, or as their economic forecasts or borrowers’ financial conditions changed. The rapid spread and deep impact of COVID-19, the bulk of which has been experienced by the U.S. in March, has led to a precipitous economic decline and interest rate freefall. Regulators are now encouraging banks to work with borrowers facing financial hardship.

“For banks, [CECL is] going to be a true test for them. It’s not just going through this accounting standard in the macroeconomic scenario that we’re in,” says Will Neeriemer, a partner in DHG’s financial services group, pointing out that the change comes as many bankers adjust to working from home or in shifts to keep operations running. “That is almost as challenging for them as going through the new standard for the first time in a live environment.”

The concern is that CECL will force allowances to jump once more at the beginning of the standard as once-performing loans become troubled all at the same time. That could discourage new lending activity — leading to procyclical behavior that mirrors, rather than counters, economic peaks and troughs.

It remains to be seen if that would happen if Congress doesn’t provide temporary accounting and provisioning relief, or if some banks decline the temporary relief and report their results under CECL. Regardless, the quarter will be challenging for banks.

“It’s temporary relief and it’s only for this year. It keeps the status quo, which I think is important,” says Lawrence Kaplan, chair of the bank regulatory group in Paul Hastings’ global banking and payments systems practice. “You don’t have to have artificial, unintended consequences because we’re switching to a new accounting standard during a period where there are other extraordinary events.”

Developing a Future-Proof Bank

Banks are growing more fintech-friendly, giving them an avenue to strengthen their capabilities. In this video, Mbanq CEO Vlad Lounegov shares how traditional financial institutions can better compete with tech-savvy upstarts in the financial space.  

  • The Changing Relationship Between Banks & Fintechs
  • Examining Core Systems
  • Four Qualities of a Good Solution

Small Changes Lead To Big Payoffs In Reducing Fraud

Banks can leverage their relationships with clients and empower them to better control fraud.

Many financial institutions find themselves in difficult positions as a growing number of their customers are targeted for business takeover attacks. Hackers gain access to company funds through a variety of manipulations, often tricking an internal employee to send a wire transfer. Some corporates have ineffective controls around their bank accounts or make poor decisions when sharing banking information. Banks are often stuck in the middle. Regardless of its lack of involvement in a fraudulent transaction, the bank will likely receive the first call when money goes missing.

Organizations are increasingly concerned about these business takeover threats, according to RSM’s recent Middle Market Business Index Cybersecurity Special Report. The survey found that 64% of middle market executives believe their businesses are at risk of attempted employee manipulation in the coming year, up 9% from the previous year. They are right to be worried: These attacks are growing in popularity with criminals because of their low-tech and low-risk nature, combined with the potential of significant rewards.

Business takeover cases are simple on the surface, but can have complex details. In one recent example, a portfolio company from a private equity company sent an email to the PE firm’s chief financial officer seeking additional funds. A hacker who took control of the portfolio company’s email sent a follow-up email with the hacker’s bank account information to receive the fraudulent wire transfer. The CFO quickly recognized that something was wrong and called the bank. The company and the hacker used the same bank, which froze the funds. But the hacker successfully convinced the institution to release the funds and wired them out of the country.

While banks are not required to encourage customers to adopt stronger protections against takeover threats or modify their own internal processes to identify fraud, some small adjustments can make a big difference to help deter criminals.

Many banks still do not coach customers on how they can discourage takeover threats, or help them understand the tools at their disposal. For example, many banks offer two-factor authentication for wire transfers that customers choose to disable, creating unnecessary vulnerabilities. When customers elect to turn off security controls, banks can intervene and help them understand why those controls exist. Coaching can help clients avoid painful experiences.

In addition, banks should offer security information and training to their clients on a regular basis to help understand threats and the role the bank plays. Institutions need more visibility into emerging risks and the behavior and activity that clients need to avoid. They can use these touchpoints to check on their customers’ status, improve business relationships and discuss any additional necessary services. 

Many banks utilize flexible core banking systems that can identify high-risk transactions. These platforms feature extensive functionality, but banks often do not use all of the built-in capabilities and sometimes miss questionable transactions in real time. In many cases, they can establish controls to flag suspicious activity. 

For example, if a middle market company that traditionally only does domestic wire transfers sends funds to Romania, that transaction should stick out like a sore thumb. Perhaps a company that usually sends wire transfers under $20,000 suddenly sends one for $60,000. While large banks may not be able to pick up the phone to validate that transaction, community banks have an opportunity to reach out personally and provide more value than their larger counterparts.
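The two outlier cases above (a first wire to a new country, and a wire well above the customer's usual size) can be written as a per-customer baseline check. This is an added example, not code from the article or from any core banking platform; the customer names, wire history, thresholds and reason labels are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

MIN_HISTORY = 5  # assumption: fewer confirmed wires than this is not a usable baseline
K = 5            # assumption: robust deviations above the typical amount before flagging


@dataclass(frozen=True)
class Wire:
    customer: str
    amount: float      # USD
    dest_country: str  # ISO 3166-1 alpha-2 code


def build_baselines(history):
    """Group confirmed, known-good wires by customer."""
    grouped = defaultdict(list)
    for wire in history:
        grouped[wire.customer].append(wire)
    return dict(grouped)


def amount_limit(amounts):
    """Median plus K median-absolute-deviations. The deviation is floored at 10%
    of the median so a customer who always sends the same amount still gets a
    non-zero tolerance band."""
    typical = median(amounts)
    mad = median(abs(a - typical) for a in amounts)
    return typical + K * max(mad, 0.10 * typical)


def review(wire, baselines):
    """Return the list of reasons this wire departs from the customer's baseline."""
    past = baselines.get(wire.customer, [])
    if len(past) < MIN_HISTORY:
        # New or low-volume customer: no baseline to compare against, so review it.
        return ["insufficient_history"]
    reasons = []
    if wire.dest_country not in {w.dest_country for w in past}:
        reasons.append("new_destination_country")
    if wire.amount > amount_limit([w.amount for w in past]):
        reasons.append("amount_above_baseline")
    return reasons


def triage(pending, baselines):
    """Wires to hold until the client confirms them by phone, with the reasons.
    Held wires are not added to the baseline until they are confirmed."""
    held = []
    for wire in pending:
        reasons = review(wire, baselines)
        if reasons:
            held.append((wire, reasons))
    return held


# Constructed sample data: a domestic-only customer whose wires stay under $20,000.
HISTORY = [Wire("ACME-MFG", amt, "US")
           for amt in (8000, 12000, 15000, 9500, 18000, 11000, 14000, 19500)]

PENDING = [
    Wire("ACME-MFG", 17500, "US"),  # ordinary
    Wire("ACME-MFG", 9000, "RO"),   # first wire to Romania
    Wire("ACME-MFG", 60000, "US"),  # three times the usual size
    Wire("NEWCO", 5000, "US"),      # customer with no history
]

if __name__ == "__main__":
    for wire, reasons in triage(PENDING, build_baselines(HISTORY)):
        print(f"HOLD {wire.customer} ${wire.amount:,.0f} -> {wire.dest_country}: "
              f"{', '.join(reasons)}")
```
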

Obviously, detecting a fraudulent wire transfer from within the bank is not always this straightforward. But the institution is often the last point of resistance in these attacks. Individuals responsible for oversight should review suspicious activity reports and other notifications of wire transfer fraud regularly to identify criminal activity.         

Banks may be able to better control fraud in three ways: confirming transfers with clients, being more conservative with internal fraud detection processes and paying attention for any outlier transactions.

Most banks and many customers have taken steps to improve their internal cybersecurity following high-profile attacks and increased regulatory scrutiny. However, plans to reduce business takeover risks both inside the bank and when guiding customer activities must be adaptable to new threats. Criminals’ methods will constantly evolve to circumvent today’s detective controls and protective measures.

Educating clients about how to avoid and address risks while adjusting internal bank processes can improve operations for both your bank and your clients. A stronger risk environment can increase customer satisfaction, reduce the strain on internal employees tasked to track down lost funds and help you avoid having to guide your customers through the fallout of a criminal hacking.

Technology Adoption Starts at the Contract

Financial institutions are increasingly looking outside their core provider for the technology solutions that are right for their bank and their customers. In this video, Aaron Silva of Paladin fs explains the challenges community banks face in working with new providers and how to overcome these issues. He also shares three key areas to watch before signing on the dotted line.

  • Why Banks Should Look Outside the Core
  • Challenges in Working With New Providers
  • Avoiding Contract Mistakes

 

Will Iran Target U.S. Banks?

Should U.S. banks be concerned about possible cyberattacks from Iran following the killing of its top general, Qasem Soleimani, in a U.S. drone attack in early January?

Two federal banking regulators apparently think so.

The Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. issued a joint statement on Jan. 16 — 13 days after Soleimani’s assassination — to “remind supervised financial institutions of sound cybersecurity risk management principles,” including response and resilience capabilities, strong authentication controls and securely configured systems.

Iran responded to Soleimani’s killing four days later by firing missiles at two U.S. military bases inside Iraq, but that may not be the end of the matter. A short news item in the Jerusalem Post on Feb. 2 quoted Hashim Al-Haidari, an official in the Popular Mobilization Forces, a Shiite militia group that serves as an umbrella organization for a number of Iran-backed militias operating in Iraq, as saying that Iran’s initial reprisal was just a “first slap” and that “hard revenge” was coming.

What form might that revenge take?

Iran’s missile attack was a carefully calibrated reprisal, intended to limit the possibility of a major U.S. counterattack, according to Jamil Jaffer, senior vice president for strategy, partnerships and corporate development at IronNet Cybersecurity. The Fulton, Maryland-based consulting firm was co-founded by Keith Alexander, a retired four-star Army general who was director of the National Security Agency and the first commander of the U.S. Cyber Command.

“They were very careful to control the way they responded in that one instance … but I also don’t think we’ve seen the end of the Iranian response,” Jaffer says. “They are likely to come at us again, whether that’s because they’re returning to their old behaviors or because they want to continue to respond to the killing of Soleimani — or maybe a little bit of both — but they will come back again because it’s how they operate.”

Jaffer says that Iran might respond in one of two ways (or perhaps even both). The first would be traditional terrorist attacks on overseas targets intended either to kill people or damage important infrastructure, like the September 2019 attack on Saudi Arabia’s state-owned oil company, Saudi Aramco. These direct attacks will most likely occur outside the United States and could involve U.S. allies like Saudi Arabia, a regional adversary of Iran. “I think they recognize that an attack like that, conducted inside the United States, would result in catastrophic consequences for their regime, and I don’t think they’re looking to do that,” Jaffer says.

A more likely longer-term response from Iran might be cyberattacks on targets inside the United States, including banks. Why banks? Because they are a critical component in the country’s financial infrastructure.

“Physical attacks are much more binary,” Jaffer says. “Either you go blow something up or you don’t, you kill somebody or you don’t, you attack a facility or you don’t. Cyberattacks can be ratcheted up or down in real time. You can go from a nuisance attack to destroying data and [then] back off of that. You can modify how you’re behaving, so they’re dynamically scalable in scope and nature.”

Cyberattacks also provide the source with some element of plausible deniability. “Iran wants to be seen as responding to the Soleimani attack, but they also at times want to be able to say, ‘Yeah, but it wasn’t really us.’ Even though they want you to know it was them and even though they in fact did it, they also want to be able to deny it publicly,” Jaffer explains.

Jaffer says that Iran’s cyber warfare skills should be taken seriously. “They have real capabilities,” he says. In 2014, Iran launched a highly destructive cyberattack on the Las Vegas Sands Corp., where according to Jaffer “they went in and bricked computers and deleted data.” A bricked computer is one that has been rendered useless through a cyberattack and cannot be repaired through normal means, like installing a new operating system. Why would Iran target Las Vegas Sands? The casino company’s CEO, Sheldon Adelson, is a major supporter of Israel and once said the U.S. should consider dropping a nuclear bomb on Iran.

Between December 2011 and September 2013, Iran launched distributed denial of service attacks against 46 major U.S. financial institutions, according to a federal indictment against a group of Iranian hackers filed by the U.S. Department of Justice and the Southern District of New York. According to the indictment, these institutions incurred tens of millions of dollars in remediation costs. Banks should always be focusing on their cybersecurity defenses, of course. But the current hostilities between the U.S. and Iran, combined with Iran’s demonstrated willingness to use its cyber warfare against U.S. companies including banks, serves as a reminder that an ounce of prevention might be worth a pound of cyber cure.

The High Cost of Bad Customer Data

Bad data may mean banks miss out on major moments in their customers’ lives — and big opportunities to cement and deepen the customer relationships.

Providing personalized service and exclusive offers to customers is perhaps more important for financial institutions than any other industry. Consumers expect personalization, according to a study from Epsilon, and they become more comfortable with providing personal data when they believe there is a benefit or incentive to doing so. But most consumers don’t think their primary financial institution really knows the important components of their financial lives — according to research from Accenture, less than 3% of customers felt confident their bank knows them and their financial needs well.

As bank customers, we’ve all been on the receiving end of a new product offer based on bad data. From emails touting the first-time home-owner program sent to individuals preparing for retirement to student loan offers received by recent graduates, disconnects like this can plant the seed of perceived ineptitude for an otherwise successful company.

To prevent these common and costly errors, banks need to prioritize maintaining their customer data. Not contextualizing your bank’s marketing is bad; what’s worse is when attempts at personalization fail. Your bank loses customers’ trust and undermines its own brand.

Banks can learn valuable lessons from the healthcare industry when it comes to maintaining customer data. Before patients ever talk to a doctor, they are prompted to verify basic pieces of information and to confirm that nothing has changed since their previous visit, alerting the healthcare provider to any recent life changes. This process typically takes less than 2 minutes and is a simple step banks can and should do to ensure customer data is accurate and updated.

Bad data is generally thought of as information that is inaccurate, incomplete, non-conforming, duplicative or the result of a poor input process. But this is not the complete picture. Data that is aggregated or siloed in a way that makes it inaccessible or unusable is also considered bad data, as is information that doesn’t garner any meaning or insight into business practices or isn’t available in a timely manner. Simply put, data that is not working for your organization is bad data.

The advancement of cloud storage has lowered the infrastructure cost of maintaining data over the last few years. At the same time, the exponential growth of collectable data points and the advancements of smart technologies have compounded the growth rate, leading to increased data management cost. If your bank is not scrubbing collected data to make sure it is complete, accurate and, most importantly, useful, your bank is wasting valuable company resources.

The cost of bad data to your institution is more than just dollars spent on data management:

  • It is the inability to take advantage of opportunities that utilize AI and predictive analytics.
  • It is the slowed business cycle that prevents bank executives from reacting to changes in their market.
  • It is the increased operational cost that forces managers to focus on data instead of on company initiatives.
  • It is a marketing campaign that results in unmeasurable revenue and no focused customer insights.
  • It is the misallocation of employees’ knowledge and potential disillusionment with the organization.
  • At its worst, it is the abandonment of your trusted customers.

Understanding the right information to collect and anticipating the future expectation to not only access, but also aggregate data in a meaningful way, is paramount to enduring success in this new “big data” era. Good data also translates into strong decision making. When an organization has access to critical consumer information or insights into market tendencies, it is equipped to make decisions that increase revenue, market share and operational efficiencies. When meaningful data is presented timely and in an easy-to-digest manner, executives can react quickly to changes affecting the organization, rather than waiting until the end of the quarter or the next strategic planning meeting.

Financial institutions that want to avoid marketing mishaps and the associated blows to their brand need to shift away from data silos and place a greater emphasis on their data quality. Providing departments across the bank with an accurate view of customers is essential to meeting their evolving needs. Institutions that ignore the growing importance of data quality risk losing customers and becoming irrelevant in today’s digital environment. Precise, up-to-date marketing and communication to your customers begins and ends with access to current and relevant data.

Winners Announced for the 2019 Best of FinXTech Awards


Banks face a fundamental paradox: They need to adopt increasingly sophisticated technology to stay competitive, but most have neither the budget nor the risk appetite to develop the technology themselves.

To help banks address this challenge, a legion of fintech companies have sprung up in the past decade. The best of these are solving common problems faced by financial institutions today, from improving the customer experience, growing loans and serving small business customers to protecting against cybersecurity threats.

To this end, we at Bank Director and FinXTech have spent the past few months analyzing the most innovative solutions deployed by banks today. We evaluated the performance results and feedback from banks about their work with fintech companies, as well as the opinions of a panel of industry experts. These fintechs had already been vetted further for inclusion in our FinXTech Connect platform. We sought to identify technology companies that are tried and true — those that have successfully cultivated relationships with banks and delivered value to their clients.

Then, we highlighted those companies at this year’s Experience FinXTech event, co-hosted by Bank Director and FinXTech this week at the JW Marriott in Chicago.

At our awards luncheon on Tuesday, we announced the winning technology solutions in six categories that cover a spectrum of important challenges faced by banks today: customer experience, revenue growth, loan growth, operations, small business solutions and security.

We also announced the Best of FinXTech Connect award, a technology-agnostic category that recognizes technology firms that work closely with bank clients to co-create or customize a solution, or demonstrated consistent collaboration with financial institutions.

The winners in each category are below:

Best Solution for Customer Experience: Apiture

Apiture uses application programming interfaces (APIs) to upgrade a bank’s digital banking experience. Its platform includes digital account opening, personal financial management, cash flow management for businesses and payments services. Each feature can be unbundled from the platform.

Best Solution for Revenue Growth: Mantl

MANTL developed an account-opening tool that works with a bank’s existing core infrastructure. Its Core Wrapper API reads and writes directly to the core, allowing banks to set up, configure and maintain the account-opening product

Best Solution for Loan Growth: ProPair

ProPair helps banks pair the right loan officer with the right lead. It integrates with a bank’s systems to analyze the bank’s data for insights into behaviors, patterns and lender performance to predict which officer should be connected with a particular client.

Best Small Business Solution: P2BInvestor

P2Binvestor provides an asset-based lending solution for banks that helps them monitor risk, track collateral and administer loans. It partners with banks to give them a pipeline of qualified borrowers.

Best Solution for Improving Operations: Sandbox Banking

Sandbox Banking builds custom APIs that communicate between a bank’s legacy core systems like core processors, loan origination, customer relationship management software and data warehouses. It also builds APIs that integrate new products and automate data flow.

Best Solution for Protecting the Bank: Illusive Networks

Illusive Networks uses an approach called “endpoint-focused deception” to detect breaches into a bank’s IT system. It plants false information across a bank’s network endpoints, detects when an attacker acts on the information and captures forensics from the compromised machine. It also detects unnecessary files that could serve as tools for hackers.

Best of FinXTech Connect: Sandbox Banking

The middleware platform, which also won the “Best Solution for Improving Operations” category, was also noted for working hand-in-hand with bank staff to create custom API connections to solve specific bank issues. In addition, banks can access three-hour blocks of developer time each month to work on special projects outside of regular technical support.

How Banks Can Use the Dark Web to Shed Light on Cybersecurity


Cyberthreat intelligence, or CTI, can give bankers a deeper understanding of the potential threats that face their business.

Whether it is knowing your enemy or learning about the latest malware, CTI provides information that can help executives make prudent, risk-based decisions. This information comes from the open internet as well as closed sources, including the darknet and dark web. Analyzing this CTI can produce insights and identify signs of a potential breach, leaked data or pending attacks.

The darknet is the part of the internet that is not accessible through conventional browsers and requires specific software or configurations; the deep web is the part of the internet that is not accessible through search engines. Some nation states, cybercriminal gangs and threat actors thrive in this underground economy through illegal activity that includes the sale of personal information, financial goods and illicit services. For a bank’s CTI, the deep web and darknet are a treasure trove of breached information and threat indicators.

A vast majority of these cyberthreat intelligence sources contain goods and sensitive data stolen from the financial services industry. Potential financial gain drives bad actors to maintain a thriving marketplace built on illicit items, including debit and credit card numbers, identity theft services and banking malware.

While no tool or service can completely eliminate the risk of a data breach, integrating CTI into a bank’s cybersecurity program can make it more difficult to target and lower the likelihood of a breach. To get value from CTI, a bank can:

  • Identify the threat actors that are leveraging potential vulnerabilities in systems used by the financial sector;
  • Understand whether a particular organization or client is being targeted directly;
  • Detect active malware campaigns that could target the bank;
  • Learn where its customer and employee information may exist;
  • Find breached credit or debit cards on deep web or darknet marketplaces; and
  • Understand emerging trends regarding data theft.

There are a variety of ways that financial institutions can leverage, and directly benefit from, CTI. Some examples include:

  • Incorporating technical indicators of compromise into the company’s security information and event management system;
  • Briefing high-level executives on industry trends and providing intelligence on potential future attacks;
  • Providing intelligence briefings to security operation centers (SOCs), increasing the situational awareness of technical campaigns and bad actors;
  • Developing incident response scenarios;
  • Achieving timely integration with fraud teams to deactivate stolen credit or debit cards;
  • Working with law enforcement to remove stolen credit, debit or other financial information from the deep or dark web;
  • Segregating and limiting internal access to systems if an individual’s credentials are exposed;
  • Communicating with social media and marketing teams about exposed data; and
  • Implementing patches for known vulnerabilities that are discovered on external-facing systems and applications.

What does a successful CTI program look like at financial institutions?

Deep analytical CTI is usually not possible at small- to medium-sized financial institutions using the internal resources of their existing security teams, and is often outsourced to a vendor or third party. Outsourcing can provide some value-added actions, such as:

  • Identifying breached credit and debit cards or other financial information;
  • Monitoring chatter about C-suite executives;
  • Assisting in fraud prevention through credential theft;
  • Thwarting attacks planned by adversaries that use new financial theft malware, ransomware or Trojans;
  • Examining reputational damage or brand-related chatter for an organization;
  • Identifying large credential data dumps or breaches;
  • Identifying or ascertaining stolen or fraudulent goods like blueprints, skimmers and physical devices, or sensitive data such as tax forms, personally identifiable information and protected health information.

CTI can provide a variety of actionable information that executives can use to make better cybersecurity decisions and assess their risk appetite. With CTI, bankers can prioritize initiatives, address budgets and create business strategies for securing customer, employee and client data. A deeper understanding of the threats they face gives companies a firmer grasp of the tumultuous cyber landscape and a clearer vision of how to prevent problems.

The Strategic Side of Cybersecurity Governance


Without a comprehensive cyber risk governance strategy, banks risk playing Whac-A-Mole with their cybersecurity.

Most financial institutions’ cybersecurity programs are tactical or project-oriented, addressing one-off situations and putting out fires as they arise. This piecemeal approach to cybersecurity is inefficient and increasingly risky, given the growing number of new compliance requirements and privacy and security laws. Institutions are recognizing that everyone in the C-suite should be thinking about the need for a cyber risk governance strategy.

There are three key advantages to having a cyber risk governance strategy:

  • Effectively managing the audit and security budget: Organizations that address current risks can more effectively prepare for cybersecurity threats, while meeting and achieving consistent audit results. A thorough risk assessment can highlight real threats and identify controls to evaluate on an ongoing basis through regular review or testing.
  • Reducing legal exposure: Companies and their officers can reduce the potential for civil and criminal liability by getting in front of cybersecurity and demonstrating how the institution is managing its risk effectively.
  • Getting in front of cybersecurity at an organizational level: Strategic planning is an important shift of responsibility for management teams. It proactively undertakes initiatives because it’s the right thing to do, versus an auditor instructing a company to do them.

So what’s required to set up a cyber risk governance strategy? Most organizations have talented individuals, but not necessarily personnel that is focused on security. Compounding the industry shortage of cybersecurity professionals, banks may also lack the resources necessary to do a risk assessment and ensure security practices are aligned to the cyber risk governance. As a result, banks frequently bring in vendors to help. If that’s the case, they should undertake a cyber risk strategy assessment with the help of their vendor.

Bank boards can perform a cyber risk governance strategy assessment in three phases:

  1. An assessment of the current cyber risk governance strategy. In phase one, a vendor’s team will review a bank’s current organizational and governance structure for managing information security risk. They’ll also review the information technology strategic plan and cybersecurity program to understand how the bank implements information security policies, standards and procedures. This provides a baseline of the people and processes surrounding the organization’s cyber risk governance and information security risk tolerance.
  2. Understand the institution’s cyber risk footprint. Here, a vendor will review the technology footprint of customers, employees and vendors. They’ll look at internal and external data sources, the egress and ingress flow of data, the data flow mapping, the technology supporting data transport and the technology used for servicing clients, employees, and the third parties who support strategic initiatives.
  3. Align information security resources to cyber governance goals. In phase three, a vendor will help the bank’s board and executives understand how its people, process and technology are aligned to achieve the institution’s cyber governance goals. They’ll review the bank’s core operations and document the roles, processes and technology surrounding information security. They’ll also review the alignment of operational activities that support the bank’s information security strategic goals, and document effective and ineffective operational activities supporting the board’s cyber governance goals.

Once the assessment is complete, a bank will have the foundation needed to follow up with an operational analysis, tactical plan and strategic roadmap. With the roadmap in place, a bank can craft a cyber risk strategy that aligns with its policies, as well as an information security program that addresses the actual risks that the organization faces. Instead of just checking the boxes of required audits, bank boards can approach the assessments strategically, dictating the schedule while feeling confident that their cyber risks are being addressed.

How CECL Impacts Acquisitive Banks


Bank buyers preparing to review a potential transaction or close a purchase may encounter unexpected challenges.

For public and private financial institutions, the impending accounting standard called the current expected credit loss or CECL will change how they will account for acquired receivables. It is imperative that buyers use careful planning and consideration to avoid CECL headaches.

Moving to CECL will change the name and definitions for acquired loans. The existing accounting guidance classifies loans into two categories: purchased-credit impaired (PCI) loans and purchased performing loans. Under CECL, the categories will change to purchased credit deteriorated (PCD) loans and non-PCD loans.

PCI loans are loans that have experienced deterioration in credit quality after origination. It is probable that the acquiring institution will be unable to collect all the contractually obligated payments from the borrower for these loans. In comparison, PCD loans are purchased financial assets that have experienced a more-than-insignificant amount of credit deterioration since origination. CECL will give financial institutions broader latitude for considering which of their acquired loans have impairments.

Under existing guidance for PCI loans, management teams must establish what contractual cash flows they expect to receive, as well as the cash flows they do not expect to receive. The yield on these loans can change with expected cash flows assessments following the close of a deal. In contrast, changes in the expected credit losses on PCD loans will impact provisions for loan losses following a deal, similar to changes in expectations on originated loans.

CECL will significantly change how banks treat existing purchased performing loans. Right now, accounting for purchased performing loans is straightforward: banks record loans at fair value, with no allowance recorded on Day One.

Under CECL, acquired assets that have only insignificant credit deterioration (non-PCD loans) will be treated similarly to originated assets. This requires a bank to record an allowance at acquisition, with an offset to the income statement.

The key difference with the CECL standard for these loans is that it is not appropriate for a financial institution to offset the need for an allowance with a purchase discount that is accreted into income. To take it a step further: a bank will need to record an appropriate allowance for all purchased performing loans from past mergers and acquisitions that it has on the balance sheet, even if the remaining purchase discounts resulted in no allowance under today’s standards.

Management teams should understand how CECL impacts accounting for acquired loans as they model potential transactions. The most substantial change relates to how banks account for acquired non-PCD loans. These loans first need to be adjusted to fair value under the requirements of Accounting Standards Codification 805, Business Combinations, and then require a Day One reserve as discussed above. This new accounting could further dilute capital during an acquisition and increase the amount of time it takes a bank to earn back its tangible book value.

Banks should work with their advisors to model the impact of these changes and consider whether they should adjust pricing or deal structure in response. Executives who are considering transactions that will close near their bank’s CECL adoption date will need to model not only the impact on the acquired loans but also the impact on their own loan portfolio. This preparation is imperative, so they can accurately estimate the impact on regulatory capital.