By Deena Coffman, GSEC, CIPP/US, CIPP/E, CIPM, FIP

Most nonprofit organizations collect, use and store “personal information” of donors and staff. There are well over 200 laws, just in the United States, that mandate protections of this information and apply, in whole or in part, to nonprofits. All nonprofit entities should understand the requirements that TCPA, GDPR and U.S. state data breach/protection laws impose upon their organizations.

Just a few years ago, many entities were largely unaware of the impact data privacy and cybersecurity could have on their organization overall. Most categorized these issues as belonging to the IT or HR departments. Now, data-privacy class-action litigation has erupted and data breach announcements dominate the headlines. Currently, in almost every survey conducted of boards and senior management, data issues rank as one of their three top concerns, if not their single greatest concern. Nonprofit entities would be well advised to tend to this important area which is often overlooked until it becomes a crisis.

TCPA

The Telephone Consumer Protection Act of 1991 (TCPA) was introduced in response to consumer sentiment toward unwanted telephone solicitations. Telemarketers calling during all hours—particularly the dinner hour—became a punchline and an irritant. TCPA has been updated several times over the years, and the most recent update tightens restrictions on calling without written permission, even if a “prior business relationship” existed. Nonprofit organizations are exempt from some, but not all, requirements under TCPA. For example, the “abandonment rules” are an exemption for nonprofits, and requirements for auto-dialers and prerecorded calls are different for nonprofit organizations than for commercial entities. While the requirements are less restrictive, nonprofit organizations still can’t afford to completely ignore TCPA, because some requirements do still apply, and the cost for getting this incorrect can be enormous.

The recent changes give the TCPA “teeth” by providing for a private right of action, effectively inviting consumers, the FCC and states’ attorneys general to join in enforcement efforts. Plaintiffs are able to recover the higher of their actual loss or $500 for each violation. And, if the court finds that the defendant acted willfully or knowingly, the court has discretion to triple the amount to $1,500 for each violation.

Organizations that conduct telemarketing should be tuned to recent changes in the TCPA. Professional plaintiffs are causing a rise in TCPA enforcement and there have been no shortage of multimillion dollar settlements. Interline Brands agreed to pay $40 million to Craftwood Lumber to settle a suit alleging a TCPA violation by sending over 1,500 advertisements via fax. And, Bank of America agreed to pay $32 million for violating TCPA through its use of auto-dialing technology and prerecorded voice messages without prior written consent.

TCPA has no cap on total damages—making it easy to imagine that an organization with a large roster of donors or potential donors could quickly expose itself to losses in the range of multiple millions of dollars.

How do you protect yourself from this exposure? Simple—get written consent from individuals before marketing to them via phone or fax.

State Data Breach Laws

Almost every U.S. state and territory has enacted laws requiring entities to protect sensitive consumer and employee information in their possession and, if that protection fails, to provide notification to the individuals so she or he is able to be alert to identity theft and fraud. These laws vary, but it is important to note that an entity must be informed of the evolving state laws that apply where their employees, customers and prospects reside and not just where the entity is located. These requirements were initiated in 2003 with California’s law with other states following suit. Some states have also already updated their original laws to keep up with current technology standards and consumer expectations. With identity theft continuing to rise and awareness increasing, the trend will certainly continue.

Increasingly, state laws address issues beyond breach notification. Some states require specific security measures such as a written information security plan or encryption. At last count, four states had specific requirements for a written information security plan, three states require a dedicated employee responsible for information security and seven states require security provisions in supplier contracts. Penalties for violations can range up to $500,000.

Some states require privacy policies to be posted. For example, since 2003 the California Online Privacy Protection Act (CalOPPA) has required that all websites that collect personal information about state residents post an online privacy policy if the information is collected for the purpose of providing goods or services for personal, family or household purposes. Most websites, even if not required, post privacy policies. Ensuring the privacy policy complies with applicable laws is a critical first step. It is important then to align technology and operations with the public-facing statements and to maintain that alignment as new systems and processes are adopted and the business grows. Some state laws even address internal privacy policies. In 2005, Michigan began requiring employers to publish internal privacy policies to address the proper handling of employee sensitive information. New York has adopted a similar statute as has Connecticut, Massachusetts, and Texas. As mentioned, states are working to keep pace with technology changes and evolving standards, which makes it important for entities to remain alert to developments.

General Data Protection Regulation (GDPR)

U.S. entities may, understandably, not be aware of developments in European privacy law. But, Europe recently made dramatic changes to its data privacy laws which will impact the way many U.S. entities do business. U.S. entities doing business with or within Europe (EU) or marketing goods and services (even if unpaid) to EU residents must update how they collect, handle and secure information that identifies a natural person, such as name, address or email address, or they risk facing heavy fines and penalties. Even entities that are not located in the EU may be impacted as their EU clients and suppliers may require compliance as a condition of continued business. This new regulation goes into effect on May 25, 2018, and contains important new operational requirements concerning data minimization, accuracy, accountability, purpose and storage limitations, and data protection that will require impacted organizations to begin making technology and administrative changes far in advance of the deadline.

The regulation also mandates that entities demonstrate compliance, which will require the creation of policies, procedures and documentation mechanisms. If your entity possesses data on EU residents, you are positioned to be impacted by this new regulation. If you market to or solicit donations from the EU market, you’ll want to stay tuned to updates to the ePrivacy Directive (this is also called the “Cookie” Directive) which is expected to create as much disruption for U.S. entities.

The GDPR authorizes regulators to levy remarkably steep fines in amounts exceeding €20 million or 4 percent of annual global revenue, whichever is higher. Germany and Spain have stated openly that they may move against U.S. entities quickly. France has mentioned codifying parts of GDPR earlier than 2018. Some example requirements likely to be of interest to nonprofit entities include the following:

• Consent must be “freely given, specific, informed and unambiguous.” Silence, pre-ticked boxes or inactivity is not sufficient to provide consent. Much of the data currently in use was collected using “opt out” mechanisms. This will need to be remediated if the information is going to continue to be retained and used.
• If the data is being used because consent has been given, then that consent must be able to be withdrawn at any time and withdrawn “as easily as it was given.” This will necessitate changes in processes and quite possibly technology in order to accommodate. This also means that the data belonging to that individual not only cannot be used going forward but must be erased.
• For data being used based on consent, the data subject has the right to request an inventory of all of the information an entity possesses on that individual. Accommodating these requests will require entities to establish mechanisms for receiving the requests, verifying the identity of the requestor, accurately and completely finding all relevant information to respond to requests and a documentation mechanism.
• A new “accountability principle” makes those that collect and use data responsible for demonstrating compliance with the general principles outlined in the regulation. (Demonstrating compliance is in the form of policies, procedures, impact assessments, documentation of consent, inquiry handling, responses and decisions, etc.)

Interpreting GDPR requirements strictly is likely to lead entities to incorrect conclusions. Special provisions for nonprofit organizations are present in the GDPR, but they are limited, so most of the regulation still applies to nonprofit entities just as it does for for-profit companies. Privacy rights are not absolute, and a balancing decision must be made by legal counsel familiar with EU privacy laws. The GDPR contains many different requirements and the requirements may or may not apply to all entities depending on various factors. To make correct decisions, counsel must know details on what data is processed, the circumstances around the original collection, what is done during processing, retention/disposition, access, security controls and onward transfers.

Data privacy is increasingly important and can, if ignored, have tremendous impact on a nonprofit. An annual privacy assessment is recommended to see that your technology, policies and operations are aligned with current applicable requirements.

This article originally appeared in BDO USA, LLP’s “Nonprofit Standard” newsletter (Summer 2017). Copyright © 2017 BDO USA, LLP. All rights reserved. www.bdo.com

By Lee Klumpp, CPA CGMA

Most nonprofits rely on an investment committee to oversee their investment portfolios. This oversight group can have a big impact on real long-term wealth preservation and ensuring resources are available to realize organizational goals and aspirations.

These best practices are consistent with the fiduciary duties of care, loyalty and obedience, and include:

1. Form a strong investment committee that embraces the “commit” in committee.
2. Ensure diversity and experience in committee composition.
3. Set a strong Investment Governance and Operational Framework that establishes an Investment Policy Statement—including asset allocation, risk constraints, performance metrics and pay-out. It should be consistent with furthering the organization’s objectives and realistic given its resources.
4. Refresh the organizational Investment Policy Statement on a regular basis to make sure that it continues to articulate the organization’s long-term objectives and unique needs.
5. Define a realistic target for investment success that is consistent with the organization’s resources, and focus on the implementation.
6. Be strategic in asset and investment manager selection and perform regular evaluations.
7. Find an appropriate person or organization that can act as the organization’s Chief Investment Officer (CIO), to manage its investment portfolio, be held accountable to the committee and regularly review its performance.
8. Monitor results and make changes as needed.
9. Have regularly structured investment committee meetings and draft minutes from these meetings.

Above all, these best practices, which are fundamental regardless of the nature or size of the organization, can be boiled down to five C’s: commitment, coordination, communication, continuity and completion.

While an investment committee can operate successfully with a variety of structures and approaches, these best practices can make any investment committee more efficient and effective. This should lead to improved long-term portfolio operation—ultimately benefiting grantees, beneficiaries and stakeholders.

This article originally appeared in BDO USA, LLP’s “Nonprofit Standard” newsletter (Spring 2017). Copyright © 2017 BDO USA, LLP. All rights reserved. www.bdo.com

By Lewis Sharpstone, CPA
Ensuring sustainability is a top priority for almost every nonprofit organization. But one sometimes overlooked piece of the sustainability puzzle is managing critical external relationships and ensuring their longevity. This is especially important in a climate characterized by pervasive change. As we’ve covered in our Nonprofit Standard blog posts, executive retirements are impacting nonprofits of all sizes as leaders age, many of whom have tenured long careers at their organizations. The industry is also seeing an uptick in merger and acquisition (M&A) activity aimed at consolidating costs, back-office and administrative functions, and building efficiencies to expand scope and reach. How new priorities in the executive branch will impact charitable organizations is also a big unknown.

Whether an organization is approaching succession planning, post-merger integration or other organizational transition, or simply examining its long-term sustainability, it’s important to invest in key relationships.

Paul Vandeventer, CEO of Community Partners, describes this concept especially well with what he’s coined “The Civic Power Grid.” He defines an organization’s civic reach as “the essential third leg of a nonprofit board’s sustainability platform,” with fundraising and governance as the first and second legs. As Paul explains, the term “civic reach” refers to an organization’s ability to develop, maintain and grow relationships with individuals who have influence over resources across the sectors in which it operates.

Most nonprofit executives can attest that a grant proposal is received differently when you have a relationship with the program officer who receives it. Similarly, consider how your views about a regulatory issue might be taken when you already have a relationship with the official listening to you. What about how an influential person might look at an invitation to join your board when the board is already home to well-connected and influential members?

While building civic reach may sound like mere networking, Vandeventer contends it’s much more important than that. It’s essential that every organization have a sustainability plan. See Laurie De Armond’s, partner and national co-leader of BDO’s Nonprofit & Education practice, article on page 1 discussing this topic in detail. Her advice was that “To prevent gaps in relationship management during an executive transition, organizations can encourage shared ownership and an open flow of information so that key relationships don’t become siloed with one individual.” Extending an organization’s civic reach is an often-forgotten, but essential, element of building a sustainable enterprise. In this article from Stanford Social Innovation Review’s archives, Vandeventer dives deeper into the concept of civic reach and gives plenty of examples illustrating how increasing civic reach led to great results.

Over the course of my career working with nonprofit organizations, I’ve met a host of inspiring and remarkable people. While they built well-respected organizations that carry on wonderful and impactful legacies in the communities they served, many didn’t devote resources to building ties with the wider community and may have been able to leverage their connections for even more meaningful results if they had invested in civic reach.

To illustrate what civic reach can do for an organization, let’s consider a nonprofit in my area that was facing foreclosure. When we were first engaged to work with them, we were able to stave off foreclosure on a temporary basis, buying the organization time. Three years later, though, when the financial issues bubbled up again, they had cultivated a strong civic reach. They engaged local and even some national politicians, businesspeople and community leaders to advocate against foreclosure—and it worked. A favorable long-term loan, a win-win for the organization and the bank, was put in place and the nonprofit is now moving from uncertainty to strength. I am convinced that leveraging the increased civic reach of this organization is the only thing that could have achieved this result.

Here you can find a self-assessment tool to identify gaps and target areas for growth, which will help you put in place a specific plan to increase your organization’s civic reach. Happy “reaching!”

This article originally appeared in BDO USA, LLP’s “Nonprofit Standard” newsletter (Spring 2017). Copyright © 2017 BDO USA, LLP. All rights reserved. www.bdo.com

By Rebekuh Eley, CPA MST

Supporting organizations have been the subject of scrutiny over the last few years, from the Pension Protection Act in 2006, to Treasury Regulations in 2012 and 2015, to additional disclosure requirements to Form 990 Schedule A in 2014.

Supporting organizations, particularly those of grant-making foundations, are left wondering if their current activities will fall within these published rules. The consequences for not falling within these rules includes an organization being treated as a private foundation instead of a public charity. These organizations would be subject to excise taxes on investment income and would need to abide by stricter operational requirements.

Supporting organizations achieve public charity status by passing four tests, including an organizational test, operational test, relationship test and a control test. For the organizational test, an organization must be organized and operated exclusively for the benefit of, to perform the function of, or to carry out the purposes of one or more specified organizations described in IRC section 509(a)(1) or (2). The organization must also be operated, supervised, or controlled by or in connection with one or more organizations described in IRC section 509(a)(1) or (2). The control must not be direct or indirect by disqualified persons (other than foundation managers or organizations described in IRC sections 509(a)(1) or (2)).

Additionally, a supporting organization must fall into one of three relationship categories: operated, supervised, or controlled by a supported organization (Type I parent-subsidiary); supervised or controlled in connection with a supported organization (Type II, brother-sister) or; operated in connection with, one or more publicly supported organizations (Type III). The relationship must ensure that the supporting organization is responsive to the needs or demands of the supported organization(s), and the supporting organization will constitute an integral part of, or maintain a significant involvement in, the operations of the supported organization(s). Control is determined through the facts around the organizing documents, operations, and relationship between the supporting organization and the supported organization(s).

Many Type I and II supporting organizations do not make grants to the controlling organization, but rather make grants to other organizations that address the charitable purpose of the controlling organization. This commonplace industry practice could risk failure of the operational test. A supporting organization can only support or grant funds to an organization that is specified within its organizing documents. The rules on how to determine what is a “specified organization” are very complex and can be found in Treasury Regulation 1.509(a)-4(d). Specified organizations may be identified by designating an organization by name or by a charitable class that aligns with the mission of the controlling organization. If the supporting organization provides grants to organizations other than the controlling organization, the organizing documents should designate a supported organization by class rather than by name. The strict requirements for designating a supported organization by class are also found in the Treasury Regulations. This type of designation requires additional disclosures on the supporting organization’s Form 990 Schedule A, which may be scrutinized by the IRS.

Now is a good time to look at a supporting organization’s operations and confirm they are aligned with the governing documents, and grants made properly. If the organizational documents and operations are not aligned, the supporting organization may have to act intentionally to prevent private foundation status.

This article originally appeared in BDO USA, LLP’s “Nonprofit Standard” newsletter (Spring 2017). Copyright © 2017 BDO USA, LLP. All rights reserved. www.bdo.com

By Patricia Duperron, CPA

Beginning with fiscal years ending June 30, 2017, the first of the two Other Postemployment Benefit (OPEB) standards from the Governmental Accounting Standards Board (GASB) becomes effective.

GASB Statement No. 74, Financial Reporting for Postemployment Benefit Plans Other Than Pension Plans replaces GASB Statements Nos. 43 and 57 for reporting of OPEB plans and mirrors the requirements of GASB Statement No. 67, Financial Reporting for Pension Plans. The good news is that most everything you learned in implementing the pension standards will apply to implementing the OPEB standards. There are, however, a few exceptions which will be discussed herein.

OPEB includes postemployment healthcare benefits such as medical, dental and vision, whether the benefit is provided separately from or through a pension plan. However other benefits, such as death benefits, life insurance, disability and long-term care are considered OPEB, subject to GASB 74 only when provided separately from a pension plan. OPEB does not include termination benefits or termination payments for sick leave.

GASB 74 applies to defined benefit plans and defined contribution plans administered through trusts, as well as plans not held in trust. Similar to pension plans, there are three types of defined benefit OPEB plans:

• Single-employer
• Cost sharing multiple-employer—in which the OPEB obligations to the employees of more than one employer are pooled and OPEB plan assets can be used to pay the benefits of the employees of any employer that provides pensions through the plan.
• Agent multiple-employer plans—in which OPEB assets are pooled for investment purposes but separate accounts are maintained for each individual employer so that each employer’s share of the pooled assets is legally available to pay the benefits of only its employees.

GASB 74 does not apply to insured plans (those financed through an arrangement whereby premiums are paid to an insurance company during employees’ active service and the insurance company unconditionally undertakes an obligation to pay the OPEB of those employees).

GASB 74 requires the same two financial statements currently required by GASB 43 for plans administered through trust:

• Statement of fiduciary net position (similar to GASB 67, receivables for contributions are only included if due pursuant to legal requirements)
• Statement of changes in fiduciary net position
• Footnotes specified by paragraph 35 of GASB 74 should include:
• Basic description of the plan and policies
• Investment information, including the annual money weighted rate of return
• Information about reserves
• Single and cost-sharing plans should also disclose:

–  Components of the OPEB liability

–  Significant assumptions

–  Healthcare cost trend analysis

–  Discount rate

–  Long-term expected rate of return

–  Sensitivity analysis of the discount rate and the healthcare cost trend rate

Note that the sensitivity analysis for OPEB includes the healthcare cost trend rate, which is something that wasn’t required for pension plan financial statements. The net OPEB liability will be shown at the current healthcare cost trend rate and one percentage point higher and lower. The discussion of actuarial assumptions will also include the healthcare cost trend rates.

Required supplementary information (RSI) for single and cost-sharing employers should include 10-year schedules of:

• Changes in the OPEB liability and related key ratios
• Actuarially determined contributions and actual contributions
• Annual money-weighted rate of return on investments
• Notes to the required schedules

RSI for agent OPEB plans requires a 10-year schedule of the annual money-weighted rate of return.

The OPEB liability should be determined by an actuarial valuation which can be no more than 24 months earlier than the plan’s most recent year-end, using the entry age actuarial cost method. The discount rate should be a single rate that reflects the long-term rate of return on investments that will be used to pay benefits. If there will be insufficient assets to pay the liability, the index rate for 20-year tax-exempt municipal bonds with an average rating of AA/Aa or higher would be used. Keep in mind that actuaries will be quite busy as everyone will be required to get OPEB valuations completed this year, so don’t wait until the last minute.

For assets accumulated to provide OPEB but not in a trust, the employer will continue to report the assets in an agency fund. For defined contribution plans there are specific disclosures required.

GASB has issued an Exposure Draft Implementation Guide No. 201X-X, Financial Reporting for Postemployment Benefit Plans other than Pension Plans, which follows the format of the GASB 67 Implementation Guide. The Implementation Guide includes illustrations to assist in determining the discount rate, money-weighted rate of return and sample note disclosures and should be finalized in April 2017.

Deferred inflows and deferred outflows of resources should be fairly rare as GASB has not identified any deferrals specific to OPEB. The draft Implementation Guide identifies a possible deferred outflow or deferred inflow related to derivatives, if applicable.

Implementing GASB 74 for OPEB plan financial statements will be very similar to the implementation of GASB 67 for pension plans. The GASB intentionally made GASB 74 similar to GASB 67 to minimize implementation issues for governments. However, in 2018 governments will be required to implement GASB statement No.75, Accounting and Financial Reporting for Postemployment Benefits Other than Pensions, which will require governments to record their proportionate share of the net OPEB liability in the financial statements. Previously, governments only recorded an OPEB obligation if they didn’t fully fund the annual required contribution and the net OPEB liability was only disclosed in the notes. Implementing GASB 75 will have a significant effect on a government’s net position because many OPEB plans are significantly underfunded or not funded at all.

This article originally appeared in BDO USA, LLP’s “Nonprofit Standard” newsletter (Spring 2017). Copyright © 2017 BDO USA, LLP. All rights reserved. www.bdo.com