Financial Services Alert - April 8, 2014
Basel Committee Issues Revised Guidelines Concerning External Audits of Banks

The Basel Committee on Banking Supervision (the “Basel Committee”) of the Bank for International Settlements issued a revised set of guidelines (the “Guidelines”) concerning the external audits of banks.  The Basel Committee said that the recent global financial crisis highlighted the need to improve the quality of banks’ external audits.  The Basel Committee further stated in the Guidelines that external auditors of banks can contribute to financial stability “when they deliver quality bank audits which foster market confidence in banks’ financial statements.”  A sound bank audit, continued the Basel Committee, provides valuable input to a bank’s regulatory supervisors.  The Guidelines replace two earlier sets of guidelines on these issues released by the Basel Committee in 2002 and in 2008, respectively.

The Guidelines are divided into two parts.  Part 1 discusses the role and responsibilities of bank audit committees in the context of external audits and the interaction of bank supervisors with auditors and audit oversight authorities.  Part 1 also provides a framework that supervisors can use to assess the effectiveness of an audit committee in overseeing a bank’s external audit, and sets forth nine key principles concerning the audit committee’s and bank supervisors’ roles and interactions related to banks’ external audits.  The nine principles articulated by the Basel Committee are:

Principle 1

The audit committee should have a robust process for approving, or recommending for approval, the appointment, reappointment, removal and remuneration of the external auditor.

Principle 2

The audit committee should monitor and assess the independence of the external auditor.

Principle 3

The audit committee should monitor and assess the effectiveness of the external audit.

Principle 4

The audit committee should have effective communication with the external auditor to enable the audit committee to carry out its oversight responsibilities and to enhance the quality of the audit.

Principle 5

The audit committee should require the external auditor to report to it on all relevant matters to enable the audit committee to carry out its oversight responsibilities.

Principle 6

The supervisor and the external auditor should have an effective relationship that includes appropriate communication channels for the exchange of information relevant to carrying out their respective statutory responsibilities.

Principle 7

The supervisor should require the external auditor to report to it directly on matters arising from the audit that are likely to be of material significance to the functions of the supervisor.

Principle 8

There should be open, timely and regular communication between the banking supervisory authority, audit firms and the accounting profession as a whole on key risks and systemic issues as well as a regular exchange of views on appropriate accounting techniques and auditing issues.

Principle 9

There should be regular and effective dialogue between the banking supervisory authority and the relevant audit oversight body.

The Basel Committee noted that differences in national laws may impact the implementation of these Principles.

Part 2 of the Guidelines discusses the Basel Committee’s expectations and suggestions regarding improving the quality of banks’ external audits.  The suggestions cover key areas where the Basel Committee believes there is a relatively high risk of material misstatements in a bank’s financial statements.  The six expectations articulated by the Basel Committee are:

Expectation 1

The external auditor of a bank should have banking industry knowledge and competence sufficient to respond appropriately to the risks of material misstatement in the bank’s financial statements and to properly meet any additional regulatory requirements that may be part of the statutory audit.

Expectation 2

The external auditor of a bank should be objective and independent in both fact and appearance with respect to the bank.

Expectation 3

The external auditor should exercise professional skepticism when planning and performing the audit of a bank, having due regard to the specific challenges in auditing a bank.

Expectation 4

Audit firms undertaking bank audits should comply with the applicable standards on quality control.

Expectation 5

The external auditor of a bank should identify and assess the risks of a material misstatement in the bank’s financial statements, taking into consideration the complexities of the bank’s activities and the effectiveness of its internal control environment.

Expectation 6

The external auditor of a bank should respond appropriately to the significant risks of a material misstatement in the bank’s financial statements.

Finally, an annex to the Guidelines gives examples of an external auditor’s report to bank supervisors and guidance on the timing and context of meetings between bank supervisors and external auditors.

FFIEC Issues Joint Statements on DDoS Cyber-Attacks and Cyber-Attacks on ATM and Card Authorization Systems

On April 2, 2014, the members of the Federal Financial Institutions Examination Council (“FFIEC”) issued two joint statements: the first concerns distributed denial-of-service (“DDoS”) attacks, and the second concerns cyber-attacks on ATM and card authorization systems.  The six members of the FFIEC are the FRB, FDIC, OCC, CFPB, NCUA and the State Liaison Committee, which is comprised of five state banking supervisors.

Joint Statement Regarding DDoS Cyber-Attacks

Citing an increased number of DDoS attacks in recent years, in which an institution’s internet-facing services are temporarily or indefinitely interrupted or suspended, the first FFIEC joint statement warns financial institutions about the risks associated with such attacks, including operational and reputation risks.  DDoS attacks also may be accompanied by attempted fraud, further exposing the institution to possible fraud losses and to liquidity and capital risks; an institution’s incident response should therefore not treat an outage in isolation from concurrent transaction monitoring.  The joint statement also outlines several ways to mitigate such attacks as part of an institution’s information security and incident response plans.  Risk mitigation steps outlined in the joint statement (which the FFIEC members expect financial institutions to take) include: (1) maintaining an ongoing information security risk assessment program; (2) monitoring the institution’s website; (3) activating incident response plans and notifying service providers in the event of a suspected attack; (4) staffing during the attack so as to sufficiently manage web-based traffic; (5) sharing information with appropriate organizations, e.g., law enforcement authorities; and (6) evaluating deficiencies in the institution’s responses, risk assessments and risk management controls.

Joint Statement Regarding Cyber-Attacks on ATM and Card Authorization Systems

The second FFIEC joint statement addresses cyber-attacks on the ATM and card authorization systems of financial institutions.  Noting that there has been a recent increase in cyber-attacks launched in connection with “Unlimited Operations” (a type of large-dollar-value ATM cash-out fraud in which attackers who have compromised a card authorization system withdraw funds in excess of cash balances or other account control limits), the FFIEC identifies related risks for financial institutions that issue debit, prepaid or ATM cards.  Such risks include operational risks, fraud losses, liquidity and capital risks, and reputation risks.  The FFIEC stated that institutions may be exposed to additional losses if they outsource their card issuing function, since the authorization controls then sit with a third party.  The joint statement outlines several actions that an institution is expected to take to mitigate the risks associated with such attacks, including: (1) maintaining an ongoing information security risk assessment program; (2) engaging in security monitoring, prevention and risk mitigation; (3) ensuring protections are in place to limit unauthorized access; (4) regularly implementing and testing controls around “critical systems”; (5) conducting regular information security awareness and training programs; (6) testing the effectiveness of incident response plans; and (7) participating in information sharing forums.

SEC Reopens Comment Period on Proposed Target Date Fund Disclosure Requirements to Address Investor Advisory Committee Recommendation Regarding Risk-Based Glide Path Illustration

The SEC issued a release reopening the comment period on proposed amendments (the “Proposed Amendments”) to Rule 482 under the Securities Act of 1933, as amended, and Rule 34b-1 under the Investment Company Act of 1940, as amended, that are designed primarily to provide potential investors with additional information about target date funds (“TDFs”).  (The Proposed Amendments were described in the June 29, 2010 Financial Services Alert.)  The SEC is reopening the comment period to solicit public comment on a recommendation of the SEC’s Investor Advisory Committee (the “Committee”) that the SEC develop a glide path illustration for TDFs that is based on a standardized measure of fund risk as a replacement for, or supplement to, the SEC’s proposed asset allocation glide path.  (The Committee’s recommendations were discussed in the April 23, 2013 Financial Services Alert.)

The reopened comment period extends for 60 days after the release’s publication in the Federal Register.

SEC Staff Provides Guidance for Advisers Using Social Media on Compliance with General Prohibition on Testimonials

The staff of the SEC’s Division of Investment Management (the “Staff”) issued IM Guidance Update No. 2014-4 discussing how a registered adviser or its investment advisory representatives (“IARs”) may use public commentary about them that appears on independent, third-party social media sites without violating the general prohibition against testimonials in advertisements set forth in Rule 206(4)-1(a)(1) under the Investment Advisers Act of 1940 (the “Testimonial Rule”).  In a question and answer format, the Guidance Update reviews the circumstances under which such social media commentary may be used in adviser advertisements that are themselves broadcast through social media or the internet by “hyperlinking, posting, live streaming, tweeting, or forwarding or any similar public dissemination” (all such broadcasts being referred to as “Republication”).  In general terms, the Guidance Update provides that “[w]hen an investment adviser or IAR has no ability to affect which public commentary is included or how the public commentary is presented on an independent social media site; where the commentators’ ability to include the public commentary is not restricted; and where the independent social media site allows for the viewing of all public commentary and updating of new commentary on a real-time basis, the concerns underlying the testimonial prohibition may not be implicated.”

The Guidance Update presents the following three principal conditions for Republication to comply with the Testimonial Rule:

  • the independent social media site provides content that is independent of the investment adviser or IAR;
  • there is no material connection between the independent social media site and the investment adviser or IAR that would call into question the independence of the independent social media site or commentary; and
  • the investment adviser or IAR publishes all of the unedited comments appearing on the independent social media site regarding the investment adviser or IAR.

In addition to explaining these conditions, the Guidance Update addresses various aspects of social media that may implicate the Testimonial Rule, such as the ability to sort comments, averages of commenter ratings, inclusion of subjective analysis of public commentary, presentation of friends or contacts on an adviser or IAR social media site, adviser advertising on third-party social media sites, and third-party community or fan sites.  The Guidance Update also discusses the circumstances under which an adviser’s non-social media advertisements may refer to public commentary on independent third-party social media sites.  The Guidance Update notes that even if an advertisement uses third-party social media commentary without raising concerns under the Testimonial Rule, the advertisement must still comply with the broad anti-fraud provisions of Rule 206(4)-1(a)(5) under the Advisers Act.

The Guidance Update includes a background discussion of SEC and Staff positions on the Testimonial Rule and announces that the Staff “no longer takes the position, as it did a number of years ago, that an advertisement that contains non-investment related commentary regarding an IAR, such as regarding an IAR's religious affiliation or community service, may be deemed a testimonial violative of [the Testimonial Rule].”

CFTC Staff Provides Guidance on Auditor Independence Requirements Under FCM Customer Protection Rules

The CFTC’s Division of Swap Dealer and Intermediary Oversight (the “Division”) issued an interpretive letter regarding the auditor independence standards included in CFTC Regulation 1.16, specifically as they apply to auditors of futures commission merchants (“FCMs”).  As discussed in the November 12, 2013 Financial Services Alert, the CFTC adopted rule changes designed to enhance the protections for FCM customers and customer funds.  Among these protections is a requirement that a certified public accountant’s audit report of an FCM state whether the audit was conducted in accordance with the auditing standards adopted by the Public Company Accounting Oversight Board (the “PCAOB”).  The interpretive letter explains that Regulation 1.16 had been amended, in part, to be consistent with the auditor independence requirements of SEC Rule 17a-5 under the Securities Exchange Act of 1934 applicable to the audits of registered broker-dealers, but notes that Regulation 1.16 is silent with respect to certain provisions of the SEC regime, such as those exempting auditors of non-issuer broker-dealers from partner rotation requirements and cooling-off periods for employment.  Responding to concerns regarding potentially conflicting rules or interpretations applicable to firms dually registered as FCMs and broker-dealers, as well as concerns about potentially inconsistent treatment, the interpretive letter clarifies that if FCMs, firms dually registered as FCMs and broker-dealers, and their auditors comply with the auditor independence requirements in SEC Rule 17a-5, they will also be in compliance with CFTC Regulation 1.16.