Read this if you are a board member, C-suite, or accounting professional at a financial institution.
Congratulations! For most financial institutions across the US, 2023 marked the first full year of CECL (Current Expected Credit Losses, or Accounting Standards Codification (ASC) 326 – Credit Losses ) adoption. The sweeping changes brought about by CECL may have felt like dealing with the accounting version of a 100-year flood. As accounting and finance professionals are wrapping up year-end audits, disclosures, and annual reports, perhaps many are breathing a well-earned sigh of relief. Celebrations certainly are in order for accomplishing the most significant change in bank accounting ever during one of the most uncertain few years in recent history.
As with any major change event, CECL is not a one-and-done situation. There is an aftermath that needs addressing—a look-back assessment, clean-up, renovation—and consideration for what it means to move forward confidently in this “new normal.” Here are some things to consider as you enter this next phase.
The key questions test
After you have been zooming in on the details of CECL for the past several years, now is the right time for you to pan out and consider the broader view. After all the time and energy spent working on CECL, now is a good time for you and your team to look at how well you can confidently, succinctly, and consistently answer these key questions:
- How does your model work?
- How do you assess adequacy and assure consistency?
- Where are the risks?
- What controls are in place?
- Where are the opportunities for improvement?
- How are model changes handled?
More importantly, if none of you were there to answer those questions, is there sufficient documentation available that someone else could? Now that CECL is your new ongoing reality, it is critical that you can demonstrate understanding, both conversationally and also in formal documentation. When it comes to model documentation and direct or related policies, procedures, and controls, the ultimate litmus test is that an independent third party could both understand and replicate what you’re doing. This should be true no matter if the independent third party is internal or external to your organization.
Tip: Record your answers to the key questions above. Then hand someone in your organization who is not directly involved with the ACL process your model documentation to review and then ask them to explain back to you how your model works. How different are their answers and understanding from yours? This also works well to test specific procedures or processes.
Common themes or issues
One of the benefits of partnering with financial institutions across the US is the ability to pick up on common themes, trends, and issues—areas of opportunity to enhance and refine approaches to CECL. From this work, we offer the following observations and tips:
Change management
In our experience, few institutions have a formal process in place for how CECL model changes are to be handled from here, yet this is a crucial component of model risk management. A good change management process includes how changes—either by the vendor or the institution—are to be assessed, how much analysis is expected, what level of review and approval (including by the board) is required, and how quickly the changes are to take effect. There should also be confirmation that the changes were implemented. For a risk-based approach to model change management, consider which types of changes create the most risk to your institution’s model or create the most volatility in reserve estimation outcomes, and match that risk to the level of assessment and approval authority required.
Tip: An approval form cover sheet summarizing the changes and impacts along with maintaining a change log will help you evidence, track, and monitor these changes over time.
Qualitative (Q Factor) support
We’ve seen a wide variety of methods and methodology construction under CECL, but one thing they have in common is a lack of real support for qualitative adjustments. Even with software integration and modeling techniques, it remains up to management to document their rationale for when, why, and to what extent qualitative adjustments are needed. It is a baseline expectation that management can describe what risk of loss is already accounted for in the quantitative model, what internal and external conditions and factors they are uniquely monitoring for each qualitative adjustment category they feel is needed, and how they determine to what extent adjustments should be made. If this adjustment is based on designating when risk is moving from low to medium to high, management should be able to indicate what triggers a move among these risk levels. One quick example for illustrative purposes: what range of delinquency rates for your institution is typical of a “neutral” risk level, or of a low- vs. moderate- vs. high-risk level?
Tip: A simple spreadsheet documenting these critical aspects of management’s qualitative framework can go a long way to make sure this process is transparent and provides insight into any risk of reserve layering.
Vendor risk
Assessing and managing vendor risk is a big topic. For some of the same reasons we saw an increased use of vendor solutions to comply with CECL, we’ve also seen what could be characterized as an over-reliance on vendors. One area we’ve found that needs some additional attention is the financial institution’s review and assessment of both their CECL model vendor’s SOC-1 Type-2 report and of any model validation the vendor may have contracted for separately. It isn’t always easy reading through and understanding these documents; however, it is vital to your assessment of the risk and controls the vendor has in place over these models and systems they have developed that you are relying on for the largest estimate in your financial statements.
Knowing what you’re looking for is key. For example, user entity controls are identified in the SOC report and often, for CECL, mean that controls need to be in place in multiple areas of the institution. If your vendor has had their model(s) independently validated, we encourage a close read of this work, as it should alert you to any limitations of that validation, such as feeder models that were not validated.
Tip: Become familiar with the new supervisory interagency guidance on Third-Party Risk Management (June 2023) and the vendor life cycle. Doing so should help you assess gaps in your current approach to CECL vendor risk management.
CECL resources
No matter your CECL challenge or pain point, our team of experts is here to help you navigate the requirements as efficiently and effectively as possible. We’d love to hear from you, or please feel free to explore our CECL resources to help you along the way.