November 2024 Financial Reporting, Governance, and Risk Management

CFPB issues open banking Section 1033 final rule

On Oct. 22, 2024, the Consumer Financial Protection Bureau (CFPB) issued its long-awaited final rule on personal financial data rights, carrying out the mandate set forth by Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Financial Protection Act of 2010. The final rule, commonly called the open banking rule, requires covered entities to make a consumer’s transaction data and other information available to the consumer upon request, in a standardized format designated by the rule. It also allows consumers to authorize third parties to access their data and requires such third parties to provide the consumer with certain disclosures and certifications limiting the third party’s collection, use, and retention of the consumer’s covered data.

Compliance dates differ for covered institutions based on size and nature, as follows:

• April 1, 2026, for depository institutions with at least $250 billion in total assets and nondepository institutions that generated at least $10 billion in total receipts in either calendar year 2023 or 2024
• April 1, 2027, for depository institutions with between $10 billion and $250 billion in total assets, and nondepository institutions that generated less than $10 billion in total receipts in both 2023 and 2024
• April 1, 2028, for depository institutions with between $3 billion and $10 billion in total assets
• April 1, 2029, for depository institutions with between $1.5 and 3 billion in total assets
• April 1, 2030, for depository institutions with between $1.5 billion and $850 million in total assets

Institutions with less than $850 million in assets are exempt from the final rules. On the same day of the rule’s issuance, the Bank Policy Institute and Kentucky Bankers Association filed a lawsuit seeking injunctive relief, alleging the CFPB exceeded its statutory authority. Crowe will be tracking these and other developments on any potential impact to the final rule’s compliance deadlines and will continue to provide updates and further analysis on the comprehensive rule.

OCC issues final rule on revised recovery plans for large banks

On Oct. 22, 2024, the Office of the Comptroller of the Currency (OCC) issued a final rule amending recovery planning guidelines and expanding them to apply to large insured national banks, federal savings associations, and federal branches of foreign banks with average total consolidated assets of $100 billion or more (compared to the previous threshold of $250 billion or more). The amendments clarify how a covered bank should address nonfinancial risks, such as operational and strategic risk, in its recovery plan, highlighting that both financial and nonfinancial risks should be considered. In addition, a new testing provision requires covered institutions to implement risk-based testing, validate the effectiveness of its recovery plan, test the recovery plan at least annually, and revise the recovery plan as appropriate following testing.

The final rules are effective Jan. 1, 2025. Compliance dates are phased in for different aspects of the final rule:

• Banks that are covered banks under the current guidelines (those with at least $250 billion in average total consolidated assets) must comply with the amendments on nonfinancial risk and the new testing provision within 12 and 18 months of the effective date, respectively.
• Banks that become covered banks as a result of the final rule (those with less than $250 billion but at least $100 billion in average total consolidated assets) must comply with the amendments on non-financial risk and the new testing provision within 12 and 24 months of the effective date, respectively.
• Banks that become a covered bank (cross the $100 billion threshold) under the final rule after its effective date must comply with the amendments on nonfinancial risk and the new testing provision within 12 and 24 months of becoming a covered bank, respectively.

FDIC extends comment period for proposed brokered deposit rule

On Oct. 8, 2024, the Federal Deposit Insurance Corp. (FDIC) announced that it is extending the comment period for its proposal to strengthen safety and soundness rules about brokered deposits. The proposed amendments are intended to make reporting of brokered deposits more uniform and consistent and reduce reporting burdens, and they would simplify and broaden the definition of “deposit broker.” The FDIC received significant initial input on the proposed rule that was issued in July, as reported in the August 2024 Financial Institutions Executive Briefing. Comments now are due Nov. 21, 2024.

NYDFS issues guidance on AI-related cybersecurity risks to financial institutions

On Oct. 16, 2024, the New York State Department of Financial Services (NYDFS) issued an industry letter on cybersecurity risks arising from AI, discussing how entities can assess and address these AI-related risks. It is intended to provide guidance for NYDFS covered entities in assessing AI-related risks and does not impose any new requirements. The letter describes risks amplified by the rise of AI, including cyberattacks driven by more personalized and sophisticated AI-enabled social engineering; increases in scale, speed, damage, and volume of AI-enhanced security attacks; heightened potential exposure of nonpublic information (NPO) including biometric data; and increased vulnerabilities due to the use of third-party service providers (TPSP). It also discusses how entities should address these risks, including by implementing robust access controls; TPSP and vendor policies and procedures; cybersecurity training for all personnel; monitoring processes to identify and remediate security vulnerabilities; and effective data management, including data minimization practices and data governance procedures.

FHFA issues proposal to revise FHLB governance

On Oct. 21, 2024, the Federal Housing Finance Agency (FHFA) issued a proposed rule to introduce new requirements related to corporate governance for boards of directors and executive management of the Federal Home Loan Banks (FHLBanks) and the FHLBank System’s Office of Finance. The proposal would update knowledge and experience requirements for independent directors, expanding them to include “artificial intelligence, Community Development Financial Institution (CDFI) business models, climate risk, information technology and security, and modeling.” It would also clarify how an FHLBank should determine whether an individual meets the required qualifications for public interest independent directors, and other board-level provisions. The proposed rule would also require FHLBanks to adopt and implement a conflict of interest policy applicable to FHLBank employees.

Comments are due Feb. 3, 2025.

FASB finalizes income statement expenses disaggregation guidance

On Nov. 4, 2024, the FASB issued Accounting Standards Update (ASU) 2024-03, “Income Statement – Reporting Comprehensive Income – Expense Disaggregation Disclosures (Subtopic 220-40): Disaggregation of Income Statement Expenses,” to provide more information about a public business entity’s (PBE’s) expenses by requiring additional detail on expenses reported in income statements.

Public companies will provide detailed disclosure in interim and annual periods of specified categories underlying certain expense captions. Relevant expense categories for financial institutions include, among others, employee compensation, depreciation, and amortization of intangible assets. Other expenses presented on the face of the income statement (for example, credit losses or income taxes) are not expense categories listed in the ASU and therefore do not require disaggregated disclosure. Financial institutions should refer to Example 3 for an illustrative example of a disclosure format. Institutions reporting under SEC Rule 9-04 of Regulation S-X can elect to apply a practical expedient to continue presenting salaries and employee benefits under Rule 9-04 instead of the definition under Subtopic 220-40.

The ASU applies prospectively, with an option to use retrospective application. PBEs will comply with the requirements beginning with financial statements for fiscal years beginning after Dec. 15, 2026, and interim periods within fiscal years beginning after Dec. 15, 2027. Early adoption is permitted.

FASB proposes interim reporting improvements

On Nov. 13, 2024, the FASB issued a proposed ASU, “Interim Reporting (Topic 270): Narrow-Scope Improvements,” aimed at clarifying when guidance is applicable and what disclosures are required in interim reporting periods. The intention of the proposed ASU is not to change the required interim disclosures.

The proposed ASU would provide clarity by:

• Explaining that the guidance in Topic 270 applies to all entities that provide interim financial statements and notes in accordance with GAAP
• Providing a complete list of interim disclosures that are required in interim financial statements and notes in accordance with GAAP
• Including a requirement that entities disclose events and changes that occur after the end of the most recent fiscal year that have a material impact on the entity
• Enhancing guidance about information included in and the format of interim financial statements

Comments are due March 31, 2025.

FASB proposes guidance on determining the acquirer in the acquisition of a VIE

On Oct. 30, 2024, the FASB issued a proposed ASU, “Business Combinations (Topic 805) and Consolidation (Topic 810): Determining the Accounting Acquirer of a Variable Interest Entity,” to improve the requirements for identifying the accounting acquirer in a business combination and improve comparability. The proposed ASU would establish more consistent requirements for determining the accounting acquirer when a business is acquired in a transaction achieved by exchanging equity interests and more closely align the requirements for determining the accounting acquirer in the acquisition of a variable interest entity (VIE) with the existing requirements that apply to transactions not involving a VIE.

Comments are due Dec. 16, 2024.

For additional information, see the Crowe article “Proposed ASU Clarifies Identifying the Accounting Acquirer.”

FASB proposes improvements to internal-use software accounting guidance

On Oct. 29, 2024, the FASB issued a proposed ASU, “Intangibles – Goodwill and Other – Internal-Use Software (Subtopic 350-40): Targeted Improvements to the Accounting for Internal-Use Software,” to address the diversity in practice in determining when to begin capitalizing software costs. The proposed ASU would:

• Replace the current project-stage-based framework with a principles-based approach, under which entities would capitalize internal-use software costs incurred after 1) management has authorized and committed to funding the project, and 2) the “probable-to-complete” threshold is met
• Require an entity to separately present cash paid for capitalized internal-use software costs as investing cash outflows in the statement of cash flows
• Eliminate current guidance specific to website development costs and incorporate accounting for these costs within Subtopic 350-40

Under this ASU, the FASB expects more software development costs could be expensed as incurred under the proposed framework for cloud computing arrangements and software-as-a-service arrangements. This could increase consistency with costs incurred to develop external-use software accounted for under Subtopic 985-20, under which fewer costs are typically capitalized.

Comments are due Jan. 27, 2025.

For more details regarding the proposed ASU, see the Crowe article “FASB Proposes Internal-Use Software Accounting Changes.”

SEC adopts final rule and amendments on covered clearing agencies

On Oct. 25, 2024, the SEC adopted final amendments and a new rule for covered clearing agencies (CCAs), putting into place new requirements related to risk-based margin system policies and procedures for certain CCAs, as well as requirements for a CCA’s recovery and orderly wind-down plan.

The final amendments require a CCA that provides central counterparty services to have in place “policies and procedures to establish a risk-based margin system that monitors intraday exposures on an ongoing basis.” Under the amendments, a covered CCA’s margin methodology must enable it to make intraday margin calls “as frequently as circumstances warrant,” such as when designated risk thresholds are surpassed, or when markets served “display elevated volatility.” A covered CCA must also document when it chooses not to make an intraday margin call in accordance with its written policies and procedures.

The final rule enacts new requirements for the contents of a CCA’s recovery and orderly wind-down plan (RWP). New elements required under the final rule include the “identification and use of scenarios, triggers, tools, staffing, and service providers.” The final rule also includes requirements for timing, implementation, testing, and board approval of the RWP.

Covered CCAs must file any proposed rule changes regarding revisions to their margin methodologies under Rule 19b-4, or advanced notices, within 150 days of publication in the Federal Register. The proposed rule changes and advanced notices must be effective within 390 days of publication in the Federal Register.

SEC commissioner speaks on regulatory environment

On Nov. 1, 2024, Commissioner Hester Peirce spoke at the Wharton School of Business FinTech lecture series on the role of government in creating a regulatory environment that supports innovation and investment, and she warned against the risks of excessive regulation stifling the advancement of the financial markets. Peirce criticized the SEC’s recent enforcement surrounding the crypto markets, asserting that the SEC has failed to provide a viable path to register with the SEC and then disciplined entities for failing to register. Peirce promoted the creation of a “micro-innovation sandbox” to allow entities to develop pioneering projects – citing the need for innovation in tokenization and other crypto-related projects, as well as other arenas such as mutual funds and exchange-traded funds – while maintaining designated guardrails to protect the financial markets.

SEC commissioner remarks on private credit

On Oct. 15, 2024, Peirce spoke on private credit before the Securities Industry and Financial Markets Association (SIFMA) Private Credit Forum. Peirce acknowledged that private credit “deserves scrutiny from market participants, academics, and regulators” and should be carefully and continuously monitored as a growing sector of the market. At the same time, she asserted that many regulatory concerns are appropriately mitigated through existing lender incentives that drive strong due diligence, credit protection, and portfolio diversification, and the long-term nature of private credit lending. Peirce described the existence of the private credit market outside of the prudentially regulated banking system as a “strength” and cautioned against overregulation, noting that “invoking systemic risk to regulate private credit” in the same fashion as banks would impede both the flexibility of the sector and small-business access to capital, and “could make future financial contagion more, not less, likely” by homogenizing the market.

PCAOB holds Standards and Emerging Issues Advisory Group meeting

On Nov. 12, 2024, the PCAOB’s Standards and Emerging Issues Group met virtually. It opened with an update on standard-setting, offered a presentation on a company’s information technology risks and control environment, held breakout sessions on artificial intelligence, and discussed subsequent events. A recording of the meeting is available on the meeting event page.

PCAOB updates standard-setting and rulemaking agendas

The PCAOB on Nov. 4, 2024, posted its updated agendas for its standard-setting and rulemaking projects. Chair Erica Williams said “the PCAOB continues to achieve significant results and advance our investor-protection mission in 2024 by modernizing our standards and rules that have fallen out of date after decades without substantial revision.” During 2024, the PCAOB adopted four new standards or rules addressing quality control systems, general responsibilities of the auditor in conducting an audit, amendments related to aspects of designing and performing audit procedures that involve technology-assisted analysis of information in electronic form, and contributor liability.

The seven short-term projects (and next action) include noncompliance with laws and regulations (“TBD pending analysis of comment letters on June 6, 2023 proposal and March 6, 2024 Roundtable, and responses to targeted inquiries of firms about their approach relating to noncompliance with laws and regulations or illegal acts”), update to attestation standards (proposal), going concern (proposal), firm and engagement metrics (final), substantive analytical procedures (final), inventory (proposal), and auditor reporting in specified circumstances (proposal). Seven midterm standard-setting projects address fraud, interim ethics and independence standards, use of service organizations, interim financial information reviews, internal audit, subsequent events and other matters arising after the date of the auditor’s report, and interim standards.

PCAOB releases investor bulletin on audit committee and independent auditor dialogue

On Oct. 25, 2024, the PCAOB Office of the Investor Advocate released an investor bulletin, “Audit Committee and Independent Auditor Dialogue.” It lists publications that provide investors resources for engaging with audit committees regarding their discussions with their independent auditors and reminds audit committees of the available resources to address interactions with their auditors. To fulfill their oversight responsibilities, it is important that audit committees engage in effective dialogue with their auditors and ask relevant questions throughout the audit.

Among other resources, the bulletin highlights these staff publications:

• Spotlight: 2023 Conversations With Audit Committee Chairs
• Spotlight: Staff Priorities for 2024 Inspections and Interactions With Audit Committees
• Spotlight: Audit Committee Resource
• Spotlight: Staff Update on 2023 Inspection Activities

Each of these publications provides reminders and suggestions to consider as reference points for outreach and discussion with independent auditors.

CAQ issues fall Audit Partner Pulse Survey results

The CAQ on Oct. 30, 2024, released the “2024 Audit Partner Pulse Survey,” reporting results of its poll, conducted in September and October 2024, of audit partners at the country’s leading public company accounting firms about their perspectives on the current business environment. Topics include U.S. economic health, challenges and risks facing businesses, and how business leaders are adjusting their strategies.

The survey revealed that a potential recession, ongoing inflation, regulations, and geopolitical instability are among the top concerns of audit partners and the companies they audit. Half of audit partners are neutral on the economy despite a potential recession and concerns over inflation. Although businesses are concerned about the U.S. election, most public companies were not preparing for the possibility of business interruptions due to the election. Regarding labor strategies, the survey revealed that upskilling employees and reducing headcount capacity were the top two priorities. Partners reported that the use of AI has increased primarily in process automation (62%), customer service (52%), and predictive analysis (34%). The use of AI may be influencing the change in labor strategies as well.