Monthly LRA Update

TAX DEVELOPMENTS

Tax Legislation – Update

President Biden signed into law the Infrastructure Investment and Jobs Act on November 15. This was bipartisan legislation that includes provisions related to federal-aid highway, transit, highway safety, motor carrier, research, hazardous materials, and rail programs.

In a separate development, the House passed the Build Back Better Act (“BBBA”) on November 19. The BBBA provides funding, establishes programs, and otherwise modifies provisions relating to a broad array of areas, including education, labor, child care, health care, taxes, immigration, and the environment. Of note, this legislation would reinstitute a corporate alternative minimum tax (AMT) for certain businesses.

A description of the Corporate AMT provision was provided in a Section by Section summary posted on November 3. Noteworthy excerpts:

The corporate alternative minimum tax (AMT) proposal would impose a 15 percent minimum tax on adjusted financial statement income for corporations with such income in excess of $1 billion. Under the proposal, an applicable corporation’s minimum tax would be equal to the amount by which the tentative minimum tax exceeds the corporation’s regular tax for the year. Tentative minimum tax is determined by applying a 15 percent tax rate to the adjusted financial statement income of the corporation for the taxable year (after taking into account the AMT foreign tax credit and the financial statement net operating losses).

For these purposes, adjusted financial statement income (AFSI) is the net income or loss of the taxpayer stated on the taxpayer’s applicable financial statement with certain modifications. Generally an applicable financial statement is a corporation’s form 10-K filed with the Securities and Exchange Commission, an audited financial statement, or other similar financial statement.

Similar to the AMT tax credit under pre-2018 corporate AMT and the AMT currently in effect for individuals, corporations would be eligible to claim a tax credit for AMT paid in prior years against normal income tax, to the extent normal tax exceeds the tentative minimum tax for such taxable year.

As highlighted in the above excerpt, this version of Corporate AMT will operate similarly to the prior regime in that any AMT obligations would be creditable toward future tax years where the regular tax exceeds the AMT. The proposal would be effective for taxable years beginning after December 31, 2022.

We did not observe any other business tax provisions that appear likely to impact BOLI/COLI.

The JCT released estimated budget effects of the revenue provisions of the BBBA in early November. In total (excluding increased IRS enforcement which is scored by the CBO), the JCT estimated a total revenue increase of $1.48 trillion over ten years. The corporate alternative minimum tax was estimated to increase tax revenues by ~$320 billion over the ten-year period.

Senate Majority Leader, Chuck Schumer (D-N.Y.) has indicated a target to bring the BBBA to the Senate floor as soon as the week of 12/13. However, at present it remains unclear if the Senate Democrats will unanimously support the legislation (which will be needed for passage).

REGULATORY DEVELOPMENTS

Banking Regulators Release Computer-Security Incident Notification Final Rule

On November 18 the banking regulators released a final rule to establish computer-security incident notification requirements for banking organizations and their bank service providers. The final rule requires that a banking organization promptly notify (no later than 36 hours after determination) its primary Federal regulator of any ‘‘computer-security incident’’ that rises to the level of a ‘‘notification incident.”

The definition of “notification incident” is provided below; however, the regulators also included a non-exhaustive list of incidents that would generally be considered “notification incidents” under the final rule. These included the following:

1. Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours);
2. A bank service provider that is used by a banking organization for its core banking platform to operate business applications is experiencing widespread system outages and recovery time is undeterminable;
3. A failed system upgrade or change that results in widespread user outages for customers and banking organization employees;
4. An unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan;
5. A computer hacking incident that disables banking operations for an extended period of time;
6. Malware on a banking organization’s network that poses an imminent threat to the banking organization’s core business lines or critical operations or that requires the banking organization to disengage any compromised products or information systems that support the banking organization’s core business lines or critical operations from internet-based network connections; and
7. A ransom malware attack that encrypts a core banking system or backup data.

The final rule separately requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

Important Definitions

• “Computer-security incident” is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.
• “Notification incident” is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s—
  • (i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  • (ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
  • (iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
• A “bank service provider” is a company (or person) who performs “covered services.”
• “Covered services” are services that are subject to the Bank Service Company Act (12 U.S.C. 1861-1867).

Conclusion

MBSA maintains comprehensive information security governance policies and procedures, including a Business Continuity Plan and a Data Breach Response Policy. However, MBSA is not a “bank service provider” and we do not anticipate that a “computer-security incident” involving our operations would rise to the level of a “notification incident” for our clients.

We are happy to discuss our protocols (including incident notification protocols) with any interested clients.