Often, a CPA will receive a request for a “comfort letter” when a client is seeking a loan or is taking part in one of many other types of financial transactions. Despite a strong relationship with the client, it would not be wise to jump into fulfilling such a request before taking several precautions. To let us know what some of those steps would be, we spoke with Suzanne M. Holl of CAMICO Services Inc.
By: Bill Hayes, Pennsylvania CPA Journal Managing Editor
From time to time, CPAs will receive requests from third parties looking for comfort letters connected to a loan or other such transaction sought by a client. However, it would not be wise to jump directly into supplying such a letter without first thinking through your responsibilities to your client or the profession’s ethical standards. To walk us through the way CPAs should proceed when confronted with such a dilemma, today we're with Suzanne M. Holl, CPA, of CAMICO Services Inc.
How common is it for CPAs to receive letters from banks, lenders, brokers, or entities such as these requesting these comfort letters? Or is it an unusual practice?
[Holl] It's actually a very, very common practice. It's a theme we've had over our advice call hotlines for years. And it seems to ebb and flow a bit, but certainly over the last few years has stayed relatively steady. Just to give you a little bit of perspective, last year, we had approximately 7,200 advice calls that we handled and close to 600 related to third-party-reliance type calls that our policyholders reached out to us for some guidance on. So, still a very common practice, and it comes from lots of different entity types, whether it's the lenders, bankers, mortgage brokers, adoption agencies, governmental entities, so they're coming from different sources and that kind of ebbs and flows over the years, but still a very common practice.
So what are the dangers for CPAs who elect to provide these letters?
[Holl] There are certainly some dangers to be very cautious about. First and foremost, whenever providing information to a third party, CPAs need to be very sensitive to client confidentiality. Certainly you do not want to breach client confidentiality with respect to giving any information without appropriate client consent. Next, certainly falling below the standard of care is a potential danger. The AICPA has issued under their professional standards for attestation services an interpretation making it very clear that CPAs should not be providing any level of assurance, for example, as it relates to solvency. So, being sensitive to making sure that the request falls within the purview of what you, as a CPA, could provide to a third party.
Certainly, there’s always the risk from a potential claim that a lender may allege that you, as a CPA, misrepresented the client’s creditworthiness or potentially misled them with respect to other information you were asked to provide. And I think this last danger is always a sensitive one for CPAs. Just making sure that you know that saying "no" to a client, and that you’re not willing to comply with providing one of these letters, could potentially cost you a client. That’s a potential danger to consider as well.
Where does professional judgment come in for CPAs when they’re weighing whether they’re going to provide or not provide such a letter? Is there a gray area that people have to balance?
[Holl] When it comes to professional judgment, it's really important. It is a balancing act. And, as a CPA, you assess risk versus reward. Certainly, as a CPA, you're not obligated to provide this type of letter.
Before you decide to move forward, you really want to make sure that it makes sense to do so. Consider what is being asked of you by the third party, assuming you have appropriate client consent to respond - does it make sense given the level of service you provided to that client? Is there potentially an opportunity to provide another service that would be better suited to what that third party is asking you to verify or provide information on? There's a lot of judgment that goes into it, which is why CPAs, at least we found with CAMICO policyholders, reach out to us so frequently as a sounding board with respect to weighing those risks versus rewards. Certainly, from a client's perspective, there should be no reward because, from their perspective, they shouldn't have to pay you to provide this lender letter or comfort letter or third-party-verification type communication. It should be part of what you've already done for them. A lot of professional judgment goes into the evaluation of whether or not it makes sense to provide such a letter to a third party.
Say you're a CPA and you get one of these types of requests: What's the first one or two things you need to be doing? Who do you have to notify?
[Holl] First and foremost, you need to reach out to your client. You need to make sure that the client is willing to consent to you providing information to a third party. And this is your first opportunity to really start to educate the client a bit as to what you can and can't do with respect to giving information to that third party, but without appropriate client consent, you really can't move forward at all. That's really, really, very important and the most critical first step.
The next step is hopefully trying to, as you educate your client, get the client to agree that you provide information to the client and then the client can provide information to the third party. Looking for those opportunities can minimize the risk exposure on the CPA and yet still comply with a request from the third party.
There's a circumstance, and this seems like it could be particularly dangerous, I guess, but there's a circumstance where CPAs are asked to make certain verifications via phone, such as regarding a client's employment status or financial information. Can you tell us about these requests and how they should be handled?
[Holl] There's a huge danger with respect to giving any information verbally over the phone. Sometimes, the caller indicates they're from the underwriting quality control division of their entity, and they're just going to have a couple quick questions for you as a CPA to assess the client's situation. Typically, there's some pressure just to handle it via phone; it will take less time on behalf of the CPA. There is huge danger with giving anyone over-the-phone information. Typically, what we encourage CPAs to do in those circumstances is just to be honest: that professional standards prohibit them from being able to share any client confidential information with them without appropriate client consent. Request that that individual send you either a letter with the questions they would like you to respond to and/or an email, and that once you receive that information, you will reach out to your client, get appropriate consent, and then respond via email or in writing back to the contact.
You really want to make sure though that when you do that, if you get one of these calls, you get their contact information, and then you send them a communication back as soon as possible. Ideally, within the hour, if at all possible. Acknowledging the call and being very clear that, as part of that call, you did not provide them any information in accordance with your professional standards, and that you've requested that they provide you back in writing the questions that they would like you to respond to, and that you will reach out to your client and if you receive appropriate consent, will respond back accordingly.
It's really important that you minimize any potential exposure the telephone contact could allege; that somehow, on that call, you provided some level of assurance or verification or certification on some information. That defensive documentation back to that contact will be very, very important and protective for the CPA.
This is an interesting one here where it's a third type: a CPA being asked to confirm information provided on a previous letter, so one presumably issued by another party prior to the engagement. What should be done in this case?
[Holl] CPAs need to be very wary of such requests. It typically signifies a red flag that the client, or your client, the potential borrower, may have defaulted on their loan. You really need to be very careful. The best practice from CAMICO's perspective to our CPAs is to not respond. There's no obligation for you to have to respond to that type of communication. A lot of our calls relate to this fact pattern. If we determine that it makes sense to respond - for example, the borrower is still your client, and you have some information that would be important to communicate - you would go through the same protocols with respect to receiving client consent, responding as appropriate to the information they're asking you to respond to. But I would say that very few of these actually go to that extreme. Most of the time, there's no response that should be provided by the CPA in these situations.
So let's jump to the idea of a CPA who does decide to respond to such a request. What are some best practices to keep them out of hot water here?
[Holl] This is a common question because most CPAs really don't elect to say no to their clients. They do want to work with their clients and respond to the request. First and foremost, we start with only sticking to the facts and only the facts. You don't want to, in that communication, speculate, draw conclusions, give your personal opinions. You really want to address the facts, and short and sweet is best. You want to identify the scope of the service you've rendered to the client, you want to identify what you haven't performed because most of these are really requests that a tax preparer receives. That's probably the most common, I'd say 85-to-90%. And with respect to the tax returns that they prepared, the CPA didn't audit, review, or otherwise verify their information. They're allowed to rely on representations by the client. You really want to make sure you clarify that the information you used to prepare the returns is the representations of the client.
You want to avoid using words that expand rather than narrow your responsibility. You avoid using any words such as "certify, assert, attest to." And you also want to make it very clear that the lender, or the broker, or whoever that third party is, is responsible for performing their own independent due-diligence procedures and tests that they deem necessary for their specific purpose. You want to make that very, very clear in this letter. Many times, we actually put in the letter that as a courtesy to your client you are responding to this communication, but that your work product was not designed with this request in mind. Again, it really is helpful to clarify that the responsibility is on that third party to do their own due diligence.
It seems as we've been talking through this that one of the common threads we have here, probably the most important thread, is just that you have to have good communication with your clients in a situation like this. So what obligation do CPAs have to educate their clients about comfort letters, the information a CPA can provide, and third parties in general?
[Holl] It's really, really helpful and appropriate for CPAs to help educate their clients. Their clients are typically thinking that there is no risk to the CPA to prepare these letters. In their mind, they're just trying to seek that loan, extend their credit; their request seems pretty harmless for them. It's prudent for the CPA to help educate their clients about these types of requests, about the limitations of their services, and maybe there's an opportunity to do additional services to meet the needs of that third party. But always helping to educate the client is really a good first step for CPAs with respect to satisfying their responsibility, because they have no obligation to actually issue these letters. But most CPAs, being one myself, married to one, you really want to try to help your clients in most situations and do as much as you can do to ease the client's pain point.
By educating them, you can hopefully come to some compromise with respect to what you can do to satisfy that third party request, and yet not put you, the CPA, at risk, or, for the client's benefit, not be misleading at all to that third party with respect to the client situation.