insightsArticles

Read this if you are a chief compliance officer or an AML/CFT officer at a community bank, credit union, or broker-dealer firm. 

The US Department of the Treasury’s 2026 National Money Laundering Risk Assessment (NMLRA), which was issued in March 2026, provides a comprehensive look at the most significant illicit finance threats facing the US financial system. While the report spans the entire economy, several themes are particularly relevant for community banks, credit unions, and broker-dealers—all of which remain critical entry points and transit nodes for illicit funds. 

Why this matters for banks and broker-dealers

The Treasury report confirms that the core money laundering threats—fraud, drug trafficking, cybercrime, human trafficking, corruption, and professional money laundering networks—have not changed. What has changed is scale and velocity.

Criminals are generating larger proceeds more quickly by: 

• Leveraging digital channels, social media, and encrypted communications 
• Using artificial intelligence (AI) to create synthetic identities, deepfakes, and believable scam communications 
• Moving funds rapidly across banks, broker‑dealers, money services businesses (MSBs), and digital asset platforms 

For smaller institutions and broker‑dealers with limited compliance resources, this evolution increases both operational risk and regulatory exposure. 

Fraud risks facing banks and broker-dealers 

The NMLRA identifies fraud—not drug trafficking—as the largest source of illicit proceeds entering the US financial system. The most common suspicious activity includes:  

• Investment fraud 
• Business email compromise 
• Confidence scams 
• Elder financial exploitation 
• Digital asset‑related scams 

Key implications:

• Community banks and credit unions are frequently used as deposit and transit accounts for fraud proceeds, often involving unwitting account holders or money mules (people who collect or receive illicit proceeds and then transport, transfer, or convert the funds on behalf of another person or organization). 
• Broker‑dealers face rising exposure to: 
  • Ramp‑and‑dump (a market-manipulation scheme where bad actors artificially “ramp” up a stock’s price/volume—often via deceptive promotion—then sell into the spike, leaving other investors with losses) and pump‑and‑dump (similar manipulation: promoters “pump” a stock with misleading hype, then “dump” their shares at inflated prices) securities schemes 
  • Foreign‑based investment clubs operating via social media 
  • Omnibus and correspondent-style accounts masking beneficial ownership 

Regulators are increasingly focused not just on transaction monitoring failures, but on whether firms understand how modern scams operate and have controls aligned to current typologies. 

Digital assets and stablecoins: No longer peripheral 

Although the report notes that most laundering still occurs through fiat channels, digital assets—especially stablecoins—play a growing role across fraud, ransomware, sanctions evasion, and drug trafficking. 

For community banks and broker‑dealers, the takeaway is not limited to crypto custody or trading: 

• Fraud proceeds are often converted into stablecoins after passing through traditional deposit accounts. 
• Digital asset kiosks, over-the-counter (OTC) brokers, and foreign exchanges are frequently downstream of US institutions. 
• Even firms that do not directly offer digital asset products may still be the first regulated touchpoint in the laundering chain.

Institutions are expected to recognize digital asset exposure through customer behavior, not just through product offerings.

Regulatory expectations are increasingly risk‑based—and personal 

The assessment highlights that most anti-money laundering (AML) enforcement actions in recent years stem from: 

• Weak internal controls 
• Inadequate customer due diligence 
• Insufficient authority, independence, or resourcing of the BSA (Bank Secrecy Act)/AML officer 
• Failure to reassess risk as products, technologies, or customer behavior change 

Notably, enforcement actions and SEC/FINRA cases against broker‑dealers emphasize individual accountability, including AML and compliance officers. 

What regulators are signaling: 

• “Check‑the‑box” AML programs are no longer sufficient 
• Firms must demonstrate active understanding of emerging risks 
• Boards and senior management are expected to own AML risk, not delegate it entirely 

Community institutions face unique pressure points 

The Treasury report recognizes that most US banks and credit unions are small institutions, often operating with lean compliance teams while facing the same threat environment as large, global firms. 

Common vulnerabilities include: 

• Rapid customer onboarding driven by competition and fintech pressures 
• Mergers or core conversions that disrupt customer risk profiles 
• Third‑party and fintech relationships that blur AML accountability 
• Overreliance on vendors without sufficient internal challenge or oversight 

At the same time, Treasury explicitly acknowledges the need to avoid excessive compliance burden, reinforcing that risk‑based tailoring—not volume of suspicious activity reports (SARs)—is the benchmark.

How community banks, credit unions, and broker-dealers can stay ahead 

The 2026 National Money Laundering Risk Assessment reinforces a central message: Illicit finance risk is no longer confined to niche products or large institutions. 

Community banks, credit unions, and broker‑dealers sit at critical points in the financial ecosystem. Institutions that proactively align their AML programs to modern fraud typologies, digital behaviors, and evolving regulatory expectations will be best positioned to manage risk without incurring unnecessary burden.

Practical takeaways for financial institutions and broker-dealers 

1. Refresh fraud risk assessments: This is especially important for elder customers, peer-to-peer (P2P) payments, wire activity, and investment‑related referrals. 
2. Revisit customer due diligence: Focus on beneficial ownership, nominee activity, and unexplained changes in behavior. 
3. Assess stress‑test controls around money mule activity: Funnel accounts, rapid movement of funds, and pass‑through behavior remain top red flags. 
4. Evaluate digital asset exposure—even indirectly: Consider how customers interact with exchanges, kiosks, or stablecoins outside the institution. 
5. Ensure BSA/AML governance is board‑engaged: Regulators increasingly expect documented oversight and challenge from senior leadership. 

BerryDunn can help

Our risk management team helps clients develop and implement effective risk management programs tailored to each organization’s size, risk level, and resources. If you have questions, please reach out to your BerryDunn financial institutions and broker-dealers teams. 

As states apply Medicaid work requirements, policymakers and stakeholders must look past top-line enrollment projections to grasp the full scope of the impact. Experience shows that work requirements introduce administrative complexity, enrollment volatility, and financial ripple effects across Medicaid programs, health insurers/managed care organizations (MCOs), providers, and employers. 

For stakeholders evaluating potential implementation, the central question is not simply how many people will lose coverage, but rather: how will this policy reshape enrollment, risk pools, utilization, provider finances, and commercial insurance markets within a specific state? 

Answering that question requires state-specific actuarial modeling grounded in real-world experience. 

Medicaid work requirements: Lessons from early state experience 

Two states, Arkansas and Georgia, that have already implemented work requirements offer important insight. The experiences in these states have highlighted the following themes:^1,2 

• Administrative complexity materially impacts state budgets and decreases Medicaid enrollment. 
• Coverage losses were primarily driven by verification and administrative hurdles instead of actual noncompliance. 
• Labor market impacts may be limited as there has been no evidence that the requirements led to sustained increases in employment.  

Expected impacts of Medicaid work requirements

The impact of these work requirements will vary by state but will likely include: 

• Loss of coverage due to administrative challenges rather than true ineligibility 
• Enrollment shifts by eligibility category and age group 
• Increased turnover frequency and coverage gap duration 
• Short-term increased utilization and severity of services due to delayed care during coverage loss 
• Longer-term acuity changes tied to interrupted care

Impacts across market segments 

Work requirements do not affect Medicaid agencies in isolation. The effects cascade through multiple stakeholders. 

State Medicaid Programs 

For Medicaid agencies, expansion adults may experience greater volatility in enrollment and average member cost. Turnover will be particularly consequential, and these interruptions in care create instability in both enrollment and expenditure projections. The effects will vary significantly by state due to differing demographics, labor markets, managed care penetration, and verification processes. Accurate forecasting requires custom modeling.  

MCOs 

For MCOs, work requirements can introduce risk pool and rate-setting challenges. Even modest increases in turnover can materially impact medical loss ratios, risk adjustment performance, and rate adequacy. Since every Medicaid program operates within a unique state environment, actuarial modeling must use state-specific data.  

Providers 

Providers, particularly safety-net hospitals and community clinics, may face critical challenges: lost Medicaid revenue, increased uncompensated care, and greater revenue cycle volatility. Providers experience increased financial pressure when coverage gaps move patient care out of primary clinics and into emergency rooms. A shift toward reactive, inpatient treatment disrupts care continuity and increases the volume of uncompensated services. Bespoke modeling could increase the accuracy of cost projections for providers based on their specific data and circumstances.  

Employers 

Work requirements may also affect employer-sponsored insurance (ESI), especially among small employers, as they historically have had a higher percentage of employees covered by Medicaid. Coverage gaps may worsen employee health status and increase absenteeism and turnover. There may be pressure to offer ESI to maintain workforce stability. Employers may be incentivized to look for defined contribution options for health insurance. There is also the potential for upward pressure on fully insured premiums due to hospital cost shifting and potential higher claim costs if individuals transitioning from Medicaid into ESI have higher unmet health needs. Large employers may be less impacted by employees’ losing coverage. However, there are still potential increases in claim costs tied to uncompensated care costs shifting into commercial healthcare costs and potentially higher claim costs for employees shifting from Medicaid. There is also potential labor market dynamics impact as health coverage becomes a larger share of total compensation, affecting hiring decisions, job quality, and worker mobility. 

Understanding these dynamics requires modeling not only Medicaid enrollment changes, but also downstream impacts on commercial insurance markets. 

Why bespoke actuarial modeling matters 

State Medicaid programs operate in vastly different environments with unique populations and managed care structures. Implementation choices create nuances, such as moving from monthly to quarterly reporting or utilizing automated wage verification, can significantly shift enrollment and costs.  

Our actuarial team builds customized models to account for these variables and provide more precise projections. During the COVID-19 Public Health Emergency (PHE), when service delivery patterns shifted dramatically, our actuaries built a specialized model to help each client adapt individual reimbursement strategies and monitor utilization trends, which was critical to maintaining the provider networks in the early stages of the PHE. 

The same disciplined, scenario-based approach applies to Medicaid work requirements. Bespoke modeling allows you to: 

• Model enrollment changes by category of aid and demographic segment 
• Quantify procedural disenrollment risk 
• Estimate turnover-related utilization volatility 
• Model potential health status deterioration due to coverage gaps 
• Assess impacts on capitation rates and commercial premiums 
• Support rate negotiations and policy decision-making 
• Evaluate employer benefit strategies, including fully insured options, level-funded plans, and defined contribution options like Individual Coverage HRAs (ICHRAs)

Most importantly, outcomes can fluctuate based on state-specific design and implementation capacity. This variation underscores the need for customized, state-level modeling rather than a reliance on broad national assumptions. 

Our work is grounded in state-specific data and operational realities. We prioritize cross-market financial dynamics to provide a precise and actionable analysis for each unique environment. 

Turning policy uncertainty into actionable insight 

Medicaid work requirements are more than an eligibility policy. They represent a structural shift with implications across public programs, managed care, provider finance, and employer-sponsored insurance. For stakeholders navigating this evolving landscape, robust and customized actuarial modeling is essential. By combining deep Medicaid experience with advanced customized modeling capabilities, our team helps clients move beyond uncertainty and provides clear data-driven insight into financial exposure, operational risk, and strategic opportunity. In an environment defined by policy change and market interconnectedness, precision matters. 

Key takeaways 

• Medicaid work requirements primarily reduce coverage through administrative barriers, not widespread noncompliance. 
• Enrollment volatility and coverage gaps create downstream effects on utilization, risk pools, and costs. 
• Early state experience shows limited employment gains, alongside meaningful disruption to Medicaid programs. 
• Impacts extend beyond Medicaid to MCOs, providers, employers, and commercial insurance markets. 
• State-specific actuarial modeling is essential to accurately forecast enrollment shifts, financial exposure, and cross‑market impacts.    

About BerryDunn 

Our team plays a key role in helping healthcare clients maintain financial stability by accurately assessing risks. Like our clients, who range from not-for-profit managed care organizations, risk-bearing provider systems, and group health insurance purchasers to state insurance regulators and government healthcare policy agencies, each of our solutions is unique. We embrace innovative, creative ideas to achieve the best possible results, and tailor our engagements to meet each client’s needs, providing the right services at the right time. Learn about our team and services.

References 

1. Arkansas study 5 Key Facts About Medicaid Work Requirements | KFF, Medicaid eligibility and enrollment in Arkansas 
2. Georgia study CMS’s Georgia Waiver Extension Underscores the Failure of Medicaid Work Requirements – Center For Children and Families 
3. State level cost/enrollment estimates Medicaid Cuts and the States: Tracking State-Specific Estimates of the Impacts of Proposed Changes 

Read this article if you are a compliance officer, risk manager, or healthcare administrator in an ambulatory care practice, federally qualified health center, or rural health center and have responsibility for developing your organization’s workplace violence prevention program or complying with state reporting requirements.

Did you know workplace violence is increasingly prevalent in the healthcare industry? If your organization doesn’t have a plan, it might be time to consider one. This article addresses the definition and types of workplace violence, regulations, plan elements, and other considerations. 

Workplace violence in healthcare by the numbers 

Data from the US Bureau of Labor Statistics shows that prior to the COVID-19 pandemic, the incidence rate of nonfatal workplace violence to full-time healthcare workers was 10.4 per 10,000 in comparison to an all-worker rate of 2.1 per 10,000. In 2018, healthcare workers accounted for 73% of all nonfatal workplace injuries and illnesses due to violence.

Post-pandemic, the Bureau of Labor Statistics reported that healthcare and social assistance workers experienced the highest counts and annualized incidence rates for workplace violence of any private industry sector over the two-year period from 2021 – 2022. There were 41,960 total nonfatal cases of workplace violence requiring days away from work, job restriction, or transfer in the healthcare and social assistance industry over this time, accounting for 72.8% of all cases in private industry over the two-year period. These cases occurred at an annualized incidence rate of 14.2 cases per 10,000 full-time workers.

How is workplace violence defined?  

In its 2024 Comprehensive Accreditation Manual for Behavioral Health Care and Human Services Glossary, The Joint Commission (TJC) defined workplace violence as, “Any act or threat occurring in the workplace that can include any of the following: 

• Verbal, nonverbal, written, or physical aggression 
• Threatening, intimidating, harassing, or humiliating words or actions 
• Bullying 
• Sabotage 
• Sexual harassment 
• Physical assaults 
• Other behaviors of concern involving staff, licensed practitioners, patients, or visitors”    

How is workplace violence classified? 

The Institute for Healthcare Improvement (IHI) is a leading, globally recognized, nonprofit healthcare improvement organization that has been applying evidence-based quality improvement methods to meet healthcare challenges for more than 30 years. In its Framework for Standardized Data Collection of Workplace Violence Incidents in Health Care, the IHI classifies workplace violence incidents into five distinct categories: 

• Type 1: The offender has no connection to the workplace or its employees. 
• Type 2: The offender is a customer or patient associated with the workplace or its staff. 
• Type 3: The offender is a current or former employee of the organization. 
• Type 4: The offender maintains a personal relationship with employees but has no ties to the workplace itself. 
• Type 5: Violence motivated by ideological, religious, or political beliefs targeting a healthcare facility, its personnel, or property. This type is carried out by extremists or groups driven by their convictions. 

Have you developed a workplace violence prevention program? 

Key aspects of your healthcare organization’s or practice group’s program should include: 

• Conducting an environmental risk assessment 
• Contacting local law enforcement to build or enhance relationships 
• Performing trend analysis of reported incidents by site, location on the premises, day of week/time of day, and classification type    
• Obtaining feedback from staff: What do they consider to be reportable? This will help you develop meaningful training
• Recognizing staff champions while building the program  
• Testing your reporting system 
• Providing staff training, soliciting anonymous feedback, and identifying any unresolved questions  
• Identifying program gaps and developing remediation strategies 
• Keeping executive leadership and the Board regularly informed about the program and emerging trends or needs 

Which states require employer-sponsored workplace violence prevention programs? 

Two factors have led states to establish requirements for healthcare organizations to develop workplace violence prevention programs. The first reason for state action: There has been no corresponding action by the federal Occupational Safety and Health Administration (OSHA). Secondly, the proposed Workplace Violence Prevention for Health Care and Social Service Workers Act has not been enacted by Congress.  

As of January 2026, 20 states require mandatory workplace violence prevention plans or workplace safety* plans. These are Arizona, California, Connecticut, Illinois, Hawai’i, Kentucky*, Louisiana, Maine*, Maryland, Minnesota, Nevada, New Hampshire, New Jersey, New York, Ohio, Oregon, Texas, Vermont, Virginia, and Washington. 

In addition, seven states now require mandatory reporting of workplace violence incidents to a designated state agency. These states are California, Connecticut, Maryland, Montana, North Carolina, Oregon, and West Virginia.

BerryDunn can help 

Has your healthcare organization developed a workplace violence prevention plan? If yes, has it been reviewed recently? How do you train your staff to respond when a situation escalates? How do you analyze incidents? Do you have questions about your healthcare organization’s compliance with state requirements for submitting its plan?  Does your state require you to submit incident reports to a designated state agency? 

Our healthcare compliance team can help. We incorporate deep, hands-on knowledge with industry best practices to help your organization manage compliance and revenue integrity risks. Learn more about BerryDunn’s healthcare compliance consulting team and services. 

Additional resources for workplace violence prevention planning: 

• Boord J., Weckman A., Martinez N. Framework for Standardized Data Collection of Workplace Violence Incidents in Health Care, Boston: Institute for Healthcare Improvement; 2025. (Available at ihi.org) 
• US Bureau of Labor Statistics: Injuries, illnesses, and fatalities

As we previously wrote about, on February 20, 2026, the US Supreme Court invalidated tariffs imposed under the International Emergency Economic Powers Act (IEEPA).

Last week, the US Customs and Border Protection (CBP) announced a new process that allows importers to request refunds of those tariffs. We'll walk through how to actually claim refunds, what to expect from the process, and where complications can arise.

About the CAPE tariff refund system

CBP’s new system, called CAPE (Consolidated Administration and Processing of Entries), is an added functionality accessed through the existing ACE (Automated Commercial Environment) Portal, which most importers already use for customs reporting.

How to request a tariff refund

To submit a refund claim, importers should take the following steps:

• Confirm that your importer information and ACE Portal account are active and up to date.
• Ensure you are enrolled in ACH Refund (required to receive refund payments).
• Note: If you do not already have an ACE Portal account, be aware that setting one up can take several weeks.

Refund requests are submitted by filing a CAPE Declaration in the ACE Portal. This declaration is a spreadsheet‑style (.CSV) file listing entries eligible for refunds of IEEPA tariffs. Each declaration can include up to 9,999 entries, with additional filings required for larger volumes. CBP provides guidance on how to prepare and submit this file.

Which imports qualify for tariff refunds?

At this time, refund claims are only available for:

• Unliquidated entries
• Entries liquidated within the past 80 days

Other types of entries are currently excluded from the CAPE process. CBP has indicated that future system expansion may allow for the submission of additional types of claims beyond the above. Importers are encouraged to consult with their customs broker or advisor(s) to determine whether any of their imports fall into excluded categories and whether additional steps are needed to protect refund claims.

How long does the refund process generally take?

Once a CAPE Declaration is submitted:

• The invalid IEEPA tariffs are removed.
• Duties are recalculated as if those tariffs never applied.
• Refunds including 6% interest are automatically calculated.
• Payments are made via ACH, generally within 60 – 90 days after acceptance of the CAPE Declaration.

How BerryDunn can help

Our dedicated audit, tax, and consulting professionals understand the impact of tariffs and can assist with developing strategies for refunds as they become available. Learn more about our team and services.

In today’s increasingly digital environment, cybersecurity has become a critical concern for nonprofit (NFP) organizations. While many NFPs operate with smaller teams and tight budgets, they still handle sensitive information—donor records, payment data, client demographics, and sometimes even health‑related or financial assistance files. Unfortunately, cybercriminals recognize this and often view NFPs as soft targets with valuable data. Because community trust is so important, a cybersecurity incident can create financial and reputational hurdles for an organization. The good news, however, is that strong cybersecurity safeguards do not always require major capital investments. With strategic planning and a focus on essential controls, even the most resource‑constrained organizations can significantly reduce cyber risk.

The cyber threat landscape for nonprofits 

NFPs face a wide variety of cyber threats, many of which exploit human error or outdated systems. Phishing attacks remain the most common, often leading to credential theft or unauthorized access to email accounts. Business Email Compromise (BEC) schemes, which can trick employees into sending fraudulent payments or sensitive data by impersonating trusted email addresses, can be particularly damaging for smaller organizations with smaller internal control structures. Beyond causing operational slowdowns, a breach can make donors and other stakeholders more cautious and raise understandable questions. 

Practical, low‑cost cybersecurity strategies 

Despite limited budgets, NFPs can meaningfully enhance their cybersecurity position by focusing on high‑impact, low‑cost strategies. 

Strengthening governance is a key first step. Establishing basic cybersecurity policies—such as acceptable use, password standards, and incident response—creates a foundation for consistent practices across employees and volunteers. Free frameworks, like the NIST Cybersecurity Framework resources, designed originally for government use, but applicable to many organizations, provide a helpful starting point, including a Quick Start Guide for small businesses.

Next, NFPs can maximize the value of technology they already own. Many cloud platforms commonly used in the sector, such as Microsoft 365 and Google Workspace, include built‑in security features at no extra cost. Enabling multifactor authentication (MFA), automatic software updates, and email filtering tools can significantly reduce the likelihood of a successful cyberattack. Removing unused accounts and reviewing permissions helps ensure attackers don't exploit dormant access. We recommend a formal user access review at least annually for small organizations and quarterly for medium-sized organizations or if there is higher turnover at a small NFP. 

Because many cyber incidents stem from unintentional mistakes, training is one of the most cost‑effective defenses. Free or low‑cost cybersecurity awareness programs can be incorporated into onboarding for staff and volunteers. Regular reminders about phishing, safe browsing, and password practices—combined with simple processes for reporting suspicious activity—create a culture of security without significant expense. 

Data protection is another essential component. Tracking where sensitive data resides and limiting access to only those who need it helps reduce exposure. Continuously testing that cloud-based backups are working effectively can ensure critical information is recoverable in the event of a ransomware attack or system failure. We recommend testing data backups at least quarterly, especially with your cloud vendors, to help ensure their responsibilities around data are being upheld.  

Finally, NFPs can leverage outsourced support and community resources. Many managed service providers offer NFPs pricing, and state or local government programs sometimes provide free cybersecurity assessments or monitoring tools. These partnerships allow small organizations to access expertise they may not be able to hire internally. 

The path to cost-effective cybersecurity 

Effective cybersecurity is achievable—even for NFPs with limited resources. By focusing on governance, human awareness, existing technology, and targeted use of outside support, NFPs can build a resilient security foundation without heavy financial investment. With the right culture and controls in place, organizations can protect their data, safeguard their reputation, and continue advancing their mission with confidence.

BerryDunn can help 

We help organizations understand their cybersecurity risk environment and translate threats into leadership-ready insights. Our consultants guide you in identifying actionable next steps, gaining engagement and buy-in from key decision-makers. With deep experience across sectors, we deliver practical cybersecurity solutions tailored to your systems and compliance needs. Learn more about our team and services. 

For many people, charitable giving is deeply personal, motivated less by tax considerations and more by values and a connection to a cause or organization. While tax benefits are rarely the primary reason people give, understanding how charitable contributions may affect your taxes remains important. 

Tax benefit for charitable giving 

Generally, a tax benefit for charitable giving was only available to taxpayers who itemized their deductions. In 2017, with the passing of the Tax Cuts and Jobs Act, the standard deduction was increased and the state and local tax (SALT) deduction was capped at $10,000. These changes made it more beneficial for some taxpayers to shift from itemizing their deductions to taking the standard deduction. This shift essentially removed the federal tax benefit for charitable giving for such taxpayers. For some, this put charitable giving on the sidelines, either by reducing giving, not giving to qualified public charities, or simply not keeping track of their giving. 

2026 charitable tax benefit with standard deduction 

Beginning in 2026, a permanent change expands the charitable tax benefit to taxpayers who take the standard deduction. Under the One Big Beautiful Bill Act, non-itemizers may now claim an above-the-line charitable deduction up to $2,000 for married taxpayers filing jointly (or $1,000 for single filers).  

To qualify to take this deduction, a few requirements must be met: 

• The donation must be cash 
• The donation must be made to a qualified public charity 
• The donation cannot be a contribution to a donor-advised fund 

Some important reminders: 

• Documentation is a must. Acknowledgment letters are a good form of documentation. 
• Verify the organization you are donating to is a qualified public charity. One common mistake some taxpayers make is assuming online crowdfunding fundraisers are qualified public charities.   
• Remember to provide your charitable giving information to your tax professional.   

Admittedly, the change is modest, not transformational, but it does broaden the number of taxpayers who benefit from donating to charity. It is important to keep in mind that each individual taxpayer’s situation is unique. State tax implications must also be considered, as not all states follow federal tax law.  

BerryDunn can help 

Our seasoned tax professionals partner with you to offer practical, accessible guidance and to develop a detailed strategy that supports your unique needs. We excel at tax strategy and solutions, placing an emphasis on building long-term relationships. Our deep expertise spans a full range of tax concerns, tax services, and consulting to support individuals, businesses, and nonprofit organizations. Our consultants are specialists in their industry, working closely with their colleagues across the firm to deliver integrated, comprehensive solutions. Learn more about our team and services.

Read this if you are a chief financial officer or controller at a community bank.

On April 23, 2026, the federal banking agencies—the Office of the Comptroller of the Currency, the Federal Reserve, and the Federal Deposit Insurance Corporation—issued a final rule revising the Community Bank Leverage Ratio (CBLR) framework. The changes are intended to encourage broader adoption of the CBLR framework while maintaining strong capital standards for qualifying community banks.

What are the key changes under the final rule? 

Lower CBLR requirement 

• Threshold lowered from 9% to 8% 
• Likely increase in community banks that qualify for the simplified CBLR framework rather than the more complex risk‑based capital rules

Expanded grace period 

• Grace period for banks that temporarily fall out of compliance with the CBLR qualifying criteria extended from two quarters to four quarters, provided the bank maintains a leverage ratio above 7% 
• Institutions may remain in the CBLR framework while reestablishing compliance or transitioning back to the risk‑based capital framework

Limits on repeated grace period use 

• Grace period use is limited to no more than eight quarters during the prior five-year (20‑quarter) period to preserve safety and soundness 
• Institutions exceeding the threshold must immediately comply with risk‑based capital requirements if they again fall out of CBLR compliance

The final rule is effective July 1, 2026.

Why does this matter for community banks?  

Regulators expect these changes to reduce regulatory burden, provide banks with additional balance sheet flexibility, and increase capacity for community lending—while keeping capital levels consistent with well‑capitalized standards. For banks currently near the prior 9% threshold or concerned about short‑term capital volatility, the revised framework may make the CBLR a more practical and sustainable option. 

Key takeaways

• Broader CBLR adoption: The lower qualifying threshold means more community banks can opt into the simplified CBLR framework. 

• Grace period expansion: Banks have a longer runway to recover from temporary shortfalls without needing to revert to the risk-based capital framework. 

• Grace period restrictions: Limitations have been added to avoid reliance on grace period use. 

• Compliance relief: The changes are meant to ease compliance burden while facilitating consistent capital levels.  

BerryDunn can help

Our dedicated audit, tax, and consulting professionals understand the financial services industry and its challenges and are committed to helping you meet and exceed regulatory requirements. We partner with you to bring tailored approaches to fit your needs and operations and provide guidance on best practices and recommendations that make sense for you. Learn more about our services and team. 

Read this if you’re a CEO, CFO, or a compliance officer at a Federally Qualified Healthcare Center (FQHC).

FQHCs that expend $1 million or more in federal awards in a fiscal year (FY) must have single audits conducted. Single audit reports must be submitted to the Federal Audit Clearinghouse (FAC) within 30 days of receiving the auditors’ reports or within nine months after the audit period ends, whichever comes first. 

New single audit requirements 

Effective October 1, 2025, the Health Resources and Services Administration (HRSA) expanded its delinquent audit process for FQHCs that have failed to complete their single audits and submit the corresponding reports within the designated time frame. Prior follow-up was generally limited to confirming the health center had engaged a CPA firm (via a signed engagement letter) and documenting the expected audit completion date. If health centers fail to complete their single audits and submit the corresponding reports within the designated time frame, they may face additional actions, such as: 

• Drawdown restriction 
• Reimbursable drawdown restriction 
• Withholding a percentage of federal funds 
• Suspending federal funds 
• Termination of grant

Delinquent audit follow-up 

HRSA’s Division of Financial Integrity (DFI) sends monthly emails to health centers that are delinquent in submitting their single audit report to the FAC. This email includes: 

• Notification of which FY audits are delinquent 
• Request for expected submission date 
• Request for an electronic copy of the auditor engagement letter 
• A reminder that follow-up emails will continue until all delinquent audits are accepted by the FAC 

To provide guidance to FQHCs, the DFI conducts technical assistance sessions for health centers that are past due in submitting their audits. 

A new 120-day grant condition letter 

HRSA will email all health centers with multiple years of noncompliance about a new 120-day grant condition regarding audit requirements. This email will outline the following: 

• Health centers have 15 days to notify HRSA and confirm receipt if audits have already been sent to the FAC, or to submit a corrective plan for any deficiencies. 
• If the audits or the plans are not submitted within 15 days, a 120-day grant condition will be applied to all HRSA grants requiring submission of the most delinquent grants to the FAC. 
• Continued noncompliance will result in suspensions of all HRSA grants for 30 days. 
• Additional actions, such as termination, may result if the most delinquent audits are not submitted before the 30-day suspension ends. 

This process will continue until all outstanding audits are submitted to the FAC. 

How BerryDunn can help 

With this tightening of federal oversight, health centers need to prepare by implementing proactive monitoring and strategic planning to ensure compliance and avoid administrative delays.  Our CPAs, business and cost reporting consultants, and IT professionals are singularly focused on supporting community health centers. Our team is comprised of respected industry leaders and professionals with comprehensive credentials. With expert guidance, we help you mitigate risk, gain regulatory confidence, and enhance operational integrity. Learn more about our services and team.  

Over my nearly 40 years in public safety, I have seen a dramatic evolution in how public safety handles the ‘paperwork’ side of the job. My career started with punch cards and carbon paper forms in triplicate, moved on to electric typewriters, and eventually, I rode the digital wave as computers, computer software, and various peripherals sought to obliterate pen and paper from our daily lives. I have gone from green screens to graphical interfaces, from floppy disks to CDs and thumb drives, and now, even servers are disappearing as everything seems to be migrating to the cloud. The pace of change has been incredible, and honestly, it has been at times daunting, while also life changing.

In the early days of the digital reformation, back in the mid-1990s, I remember being both excited and a little bit resistant as computer-aided dispatch (CAD) and records management systems (RMS) started making their way into the public safety space. Back then, the technology was still in its infancy—brand new, expensive, and just starting to find its footing in our world. But even in those early days, it was already beginning to reshape how we did business, and I had no way of knowing how significantly those changes would eventually change our operational world.

Forty years might sound like a long time, but the truth is, real momentum in public safety tech has only picked up in the last 20 years. In reality, when it comes to meaningful innovation in law enforcement, the past five to 10 years have been game changing. Tools like body-worn cameras, and now artificial intelligence, are not just new gadgets; they are fundamentally transforming how we operate.

Despite the great strides we have made in developing a myriad of technology-based applications, public safety organizations still face major challenges in finding and implementing CAD and RMS solutions that truly meet their unique operational needs. Although the market is flooded with more software vendors than ever before, and rapid advancements in technology in the last five years have produced a flood of “latest and greatest” solutions, many of these products still fall short of delivering comprehensive functionality and essential analytics across the platform, both of which are cornerstones of operational success.

While a handful of vendors claim to offer “fully customizable” platforms that can be modified to align with our organization’s unique requirements, those promises do not ensure a perfect fit, and many are so cost prohibitive that the organizations who need them the most abandon those options because of fiscal constraints. Even for those organizations who invest in top-tier systems, they still frequently hear a familiar refrain from their teams when asked about the software: “It sucks.”

Honestly, I get it. I have seen systems on the market today that any reputable and knowledgeable tech consultant would deem archaic, considering the level of technology capabilities within the space. Some systems offer just the bare minimum in terms of functionality— at an affordable price—which the overall operational and inefficiency costs cannot offset. Conversely, I have seen top-tier platforms—systems with robust capabilities that can meet or even exceed our needs—that fail to perform at an optimal level.

So why is it that time and again, we still hear the same frustrated utterance from end users:

“This system sucks.”

Why does it seem like so many of our staff members feel this way, and how did we end up in this condition?

Based on my many years of public safety experience and now as part of a national public safety consulting group, I find there are two primary reasons why staff are frustrated with their existing systems:

First, the current system is either homegrown or outdated and cannot meet organizational needs. Though perhaps it was once a top-tier product, technology has advanced, leading to several issues:

• The vendor now promotes a newer product and no longer supports the old one.
• The platform or company was acquired and the product's standing diminished under the new vendor.
• The system is simply too old to remain capable.

Second, we find that poor implementation is to blame:

• Instead of leveraging the new technology to improve various efficiencies, the new system is configured to essentially replicate the agency’s existing processes and workflows, without an assessment of the efficiency or effectiveness of those processes.
• Critical routing, review, and quality assurance processes were not configured properly, resulting in data challenges and inefficiencies.
• Implementation did not leverage cross-system integration and interfaces in an optimal manner.

If the first example is accurate, then your staff are likely correct; you probably need a new system. If they are wrong, however, you may exhaust significant time, resources, and expenses unnecessarily. If the system does not need replacing, but instead, it simply needs to be adjusted to meet your operational needs, this could be a less costly path to pursue, and one that could be accomplished much more quickly.

With that said, how do you know the difference?

How the organization fails their system

When your CAD/RMS is not meeting your needs, the organization needs to ask a critical question from an objective perspective: Is it really the system that sucks, or is it possible that the organization is failing the system.

Organizations can unintentionally pave the way for problems by overlooking key steps and creating a situation where even the most capable system struggles. Not because the technology is flawed, but because of how it is managed and supported internally. Many vendors—with good intentions—will miss critical system architecture and design elements, which diminish the value of the technology implemented. This can occur for several reasons, such as:

1. The organization did not do their due diligence during the evaluation phase. The organization may have rushed the selection process or failed to fully understand what the system could and could not do. Critical features or services they assumed were included may have been left out in the final contract, leading to costly surprises later.
2. The organization did not invest enough people, time, and effort in configuration, implementation, and training. While it seems easy to try to implement a new system with in-house resources, this often leads to problems down the line. Resources are rarely fully dedicated to a project—the project is an ancillary duty. However, these are foundational steps, and cutting corners here almost always leads to long-term issues.
3. The system was never implemented to its full capacity. Organizations often stop short of leveraging all the tools and features available to them, even though the system has the features built in. Whether due to lack of time, lack of training or expertise, resistance to change, or internal silos, the result is the same: underutilization.
4. Instead of addressing system issues head-on, the organization created workarounds. These temporary fixes often become permanent problems, undermining the system’s effectiveness.

How the system is failing the organization

In some cases, the organization may not be to blame, and in those cases, it is the system that is not supporting the organization’s needs. The list that follows provides a distinguishing perspective. When one or more of these circumstances exists, it becomes clear that these are not just minor hiccups or inconveniences, they are fundamental shortcomings. This is the moment of realization, where the perception becomes reality that “the system sucks.” The point where you understand the problems go beyond minor deficiencies, user error, or inadequate organizational support. Sometimes, these gaps cannot be bridged, no matter how much effort, training, or workarounds you throw at them. In these cases, it is not that the organization dropped the ball; it is that the system itself is failing to deliver.

The platform simply lacks the necessary capabilities or support to meet the organization’s needs, and no amount of internal process improvement, reconfiguration, or updates will ever change that. This is where you need to recognize that the problem is rooted in the technology, and overcoming these deficiencies may not be possible without moving on to a new solution.

1. The system lacks critical functionality: First and foremost, the platform fails to deliver essential features needed for day-to-day operations. It truly does not have the capabilities built into the system to meet operational needs. What once satisfied the organization’s needs, now struggles to support its expanding operations and evolving demands. The platform lags behind modern technology standards and user experience expectations.
2. Integrations and interfaces do not work or were never implemented: Promised integrations or interfaces either malfunction, underperform, or were never fully deployed.
3. Promised future features never materialized: Vendors often fail to deliver on “roadmap” commitments, leaving key features perpetually “in development.”
4. The system became a secondary product after acquisition: Following a corporate acquisition, the system or platform is deprioritized by the new vendor, receiving minimal updates or innovation, or is decommissioned altogether.
5. Customer support is ineffective: Support is slow, unresponsive, or unable to resolve issues in a timely or satisfactory manner.

So, where do you go from here? It may be time to evaluate where you are and where you want to go.

This assessment tool is a valuable and proactive step toward making well-informed decisions about your organization’s future CAD/RMS technology needs. Through this quick assessment of your current system, you will gain insight into whether investing in a new platform is justified or if strategic improvements to your existing system could address your operational needs.

After examining both sides, you should have a clearer picture about whether your organization is failing the system, or the system is failing your organization (or in some cases, both may be true). This is where a critical evaluation should begin, and a deeper understanding of where you should focus your efforts needs to be determined. It is possible that now is the time to start looking for a new system—then again, maybe not. Going through an evaluative process can help you determine whether investing in your current system is the right choice, and that decision could result in substantial cost and time savings to your organization.

Key takeaways 

• Differentiate between system limitations and implementation challenges before pursuing replacement 
• Assess how workflows, training, and governance affect CAD and RMS performance 
• Avoid treating system replacement as a default solution to user frustration 
• Use objective evaluation criteria to support defensible technology decisions 
• Plan next steps based on operational needs rather than assumptions 

A checklist to help you assess your CAD or RMS environment

Deciding whether to replace or optimize a CAD or RMS system requires more than gut instinct—it requires a structured, objective review of how your system is actually being used.

To support that process, we’ve created a practical checklist that helps public safety and local government organizations:

• Identify whether performance issues stem from system limitations or implementation challenges
• Evaluate workflows, training, governance, and system administration
• Clarify which features and integrations are underused or misaligned
• Document findings to support defensible technology decisions

Download the CAD/RMS system assessment checklist to guide your internal conversations and planning.

How BerryDunn can help

BerryDunn helps public safety and local government organizations evaluate, optimize, and plan for their CAD and RMS environments. Our team brings objective insight and deep operational experience to help agencies make informed technology decisions that align systems, processes, and people. Learn more about our team and services.