After my last article about periodic reviews, a few people asked questions about the types of certifications submitted to the IRS – which is what the periodic review leads to. In the last article, I explained how the responsible officer of a QI must conduct a periodic review using an independent consultant (or QI competent internal auditor) to gain proper oversight of their compliance to the QI agreement. All of this is part of the control, oversight and enforcement regime built into the QI agreement.

Each QI agreement cycle is six years long, and is divided into two ‘certification periods’ of three years each. Each certification period defines a three-year block of time, and the responsible officer will choose one of those years to perform the periodic review on. Once the review is done, the responsible officer needs to add any information they have on the firm’s compliance that wasn’t included in the periodic review. That includes things like training records, systems audits and business change management procedures – none of which are included in the periodic review. At that point, you can decide which type of certification you need to submit.

The Two Types of Certifications

Once your periodic review has been completed, you will be required to submit a certification to the IRS. There are two types of certifications you can submit:

Certification of Effective Controls: This is a full certification of effective controls. It essentially says ‘There’s nothing wrong here!’ and that everything has been reviewed and found to be in order.

Qualified Certification: If your reviewer finds that you have material failures or events of default within your organisation that haven’t been fixed, then you will need to submit a qualified certification. I’ll get into what both of those mean later on.

Both of these certifications are submitted and processed through the IRS QAAMs website. When you submit the report, you’ll be ticking boxes to certify that you adhered to specific parts of the QI agreement.

Submitting Factual Information

Along with your certification, you’re required to upload something called ‘factual information’. This is a detailed set of data that the responsible officer must gather and report to the IRS. They will need to do this once you receive the periodic review report, and look for two specific types of issues – material failures and events of default.

The idea is that if the QI does have effective controls in place (as they should) then they will have spotted any problems and fixed them before the reviewer gets their hands on the data. While perfect compliance is the ideal objective, we are all human and we do make mistakes. The IRS recognises this too, and that institutions will have issues from time to time. The purpose of the certification periods and the periodic review is to make independently sure that the responsible officer does, in fact, have effective controls in place.

Material Failures and Events of Default

Within that factual information report, you will need to include any material failures and events of default. But they only have an impact on the type of certification you submit if they haven’t been fixed before your periodic review takes place. So if the reviewer finds, or you disclose to them, a material failure or event of default that hasn’t been fixed, then you will have to submit a ‘qualified certification’. This is essentially you telling the IRS that you don’t have effective controls in place to manage your contractual obligations. And that’s not good news.

Material failures and events of default are both terms defined in the QI agreement. Now it might be a while since you’ve read that contract, so we’ll give you a hint – it’s in section 10.03(B) for material failures and section 11.06 (A)-(S) if you want to brush up on what’s included. We would expect every QI to include protective controls in their written QI compliance program (which is also mandated, in section 10.01 of the QI agreement). This provides the answer to the question ‘how do I make sure this failure doesn’t happen, and if it does, how will I know?’

It’s also important to note that the definition of material failure is limited to acts that were ‘deliberate actions of an employee or officer of the QI trying to avoid or evade the obligations in the QI agreement.’ That’s a pretty high bar to reach in most cases – except for the responsible officer, who is expected to know all about the agreement.

What Happens If You Submit A Qualified Certification?

If you do need to submit a qualified certification, you will need to provide the IRS with a remediation plan that details how and when you’re going to fix the problems, alongside a personal attestation that you, as the responsible officer, will fix the problems.

The IRS will review your plan, and they might agree with it right away. They might suggest changes, or even require a different plan from you. Or they might insist on some sort of oversight of your remediation. Obviously, the IRS wants everyone to be compliant, and it will work with you if you’re willing to rectify the issue. But beware. There have been cases of QIs having their QI status revoked for non-compliance, which is usually discovered through the periodic review and qualified certification process.

The lesson here is simple. The certifications submitted through your periodic reviews are important, and can have a major effect on your firm’s status with the US regulator. That’s why it’s so important to understand how the system works, and check that your compliance program is as good in reality as you hope it is.

At TConsult, we exist to support financial institutions with their regulatory compliance, including QIs. We can act as an independent reviewer to conduct periodic reviews, submit certifications with guidance and opinions based on our detailed knowledge of the regulations. If you’re struggling with your periodic reviews or certifications and would like support, just get in touch, and one of our experts will be happy to help.