CPA-to-Lender ‘Comfort’ Letters

Complying with requests from banks and other lenders for assurances regarding clients' financial strength could put CPAs and their licenses at significant risk.

First, CPAs may face the risk of falling below professional standards if they don't adhere to AICPA Professional Standards. Interpretation No. 1, "Responding to Requests for Reports on Matters Relating to Solvency," of AT-C Section 105, Statements on Standards for Attestation Engagements (AICPA Professional Standards, AT-C §9105, ¶¶.01-.11), prohibits CPAs from providing any level of assurance that an entity is, or will continue to be, solvent.

Another risk is that lenders may allege that CPAs misrepresented their clients' creditworthiness should their clients later default on the loans. In some claims situations, lenders have alleged that CPAs were negligent and misrepresented their clients' self-employment status, financial condition, or creditworthiness.

Use Professional Judgment

The creditworthiness dilemma is a balancing act—CPAs need to carefully evaluate the risks associated with complying with these requests. For example, since professional standards do not require CPAs to provide any letters to third parties, what are the risks of saying "no" (e.g., losing the client, being sued by the client should the loan fall through) versus the risks of saying "yes" (e.g., not meeting the profession's standard of care, becoming a "deep pocket" target for the lending institution if the client later defaults).

Following are examples of requests and some ideas on how to traverse the delicate balance of mitigating your risks while managing client and third-party expectations.

Request #1: Verification of Tax Information/Employment/Self-Employment
Financial institutions often send forms directly to the CPA, requesting: 1) verification of tax information, employment, or self-employment; and/or 2) assurances that the client’s business or owner will not be impacted by a contemplated loan. Typically, the form is short, often completed, and calls for the CPA’s response and signature verifying the information provided. CAMICO strongly encourages CPAs to be cautious when considering these requests.

After the client has provided the CPA with appropriate written consent, CAMICO encourages CPAs to draft a letter in response that clearly identifies:
  1. the scope and limits of the services rendered to the client;
  2. the responsibility of the financial institution to exercise its own due diligence and to perform procedures and tests the lender deems appropriate in determining whether to extend credit; and
  3. the limited-response "facts" to the questions posed on the form that are relevant to your client, stating that these answers are based solely upon the information shared by the client and were not audited or otherwise verified. In order to avoid potential privity issues, this letter should also clearly state that the CPA’s response is not intended to establish a client relationship with the financial institution. CAMICO provides a sample response letter for this type of scenario to its policyholders.

Request #2: Telephone Verification
Another type of request that adds even more exposure to CPAs comes from the so-called "Underwriting Quality Control" divisions of large financial institutions, asking CPAs to provide verbal confirmations regarding their clients' self-employment and/or other assurances regarding their clients' financial information. We recommend letting the caller know that your professional standards regarding client confidentiality prohibit you from discussing your clients with them over the phone. Request that they put any questions they may have in writing and, if you receive written client consent to respond, you will address their inquiries in writing as you deem appropriate, given the scope and limitations of the services you have provided. Additional sample letters that can be tailored as appropriate, if written responses are deemed necessary, are available to CAMICO policyholders. CPAs should consider sending a letter or an email acknowledging the request and reiterating that no assurance was given during the conversation. This is excellent defensive documentation from later allegations that could suggest otherwise.

Request #3: Confirm Information on a Previously Issued Lender Letter
Be wary if ever contacted after the fact by a third party requesting that you confirm client information previously provided to the lender on behalf of your client. These individuals may work for a mortgage insurance company or other organization as investigators trying to build a fraud case against a borrower who has defaulted on a loan. You have no professional obligation to respond to these requests, and you would breach client confidentiality if you responded to this type of request without written client consent. As such, we strongly recommend that you do not sign or make any statements in writing, over the phone, or in person, to requests of this nature. Also, such calls typically suggest that the loan was selected at random, but the loans are typically nonperforming loans.

Tips When Responding to Third-Party Requests
Before tailoring your own response letters, please remember the following:
  • Be sure to obtain your client’s written consent before disclosing tax return information. A sample form for this purpose is available to CAMICO policyholders.
  • Your letter should be simple and clear.
  • Document only facts and the services you performed. Refrain from speculating on future events (e.g., forecast future income or contingencies) and avoid making conclusions not supported by the services performed for the client (i.e., do not make assurances regarding the accuracy or completeness of the information provided unless the scope of your services enables you to provide such assurances).
  • DO NOT provide any form of assurance regarding matters of solvency.
  • Avoid using words that expand, rather than narrow, your responsibilities.

Tips for Educating Your Clients
  • Have a conversation with your client regarding the scope and limits of the services you performed.
  • Clarify for the client what you can and cannot provide under the scope and limits of the services rendered.
  • Explain that professional standards prohibit you from providing assurance regarding the client’s financial position when the requisite scope of services hasn’t been performed.
  • State that professional standards for CPAs prohibit CPAs from offering any form of assurance regarding matters of solvency.

Following these guidelines is essential when the client or financial institution gives you little or no time to educate your client about the issues.

Share this post

Leave a comment

Filtered HTML

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.

Latest Articles

  • 05 Dec

    Six Tips for Safe Holiday Celebrations

    Employer-hosted events to celebrate the holidays and thank employees for jobs well done often come with liability and other risks when the events include alcohol.

    "Impaired judgment and lowered inhibitions as a result of alcohol consumption give rise to a variety of dangers,... read more

  • 13 Nov

    How to respond to subpoenas

    CPA firms are often uncertain about whether or how to respond to a subpoena, as they also need to comply with a number of rules and regulations that are intended to protect client confidentiality. The following Q&A focuses on understanding the nature of subpoenas and how CPA firms can ... read more

  • 13 Nov

    The New 'Hosting Services' Interpretation

    Under the new "Hosting Services" ethics interpretation in the AICPA's Code of Professional Conduct (ET §1.295.143), effective July 1, 2019, CPA independence is impaired by taking responsibility for hosting a client's data or records. As such, if the only way that the client can access its... read more