Skip to Content

Proposed Rule

Annual Independent Audits and Reporting Requirements

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble Start Printed Page 44293

AGENCY:

Federal Deposit Insurance Corporation (FDIC).

ACTION:

Notice of proposed rulemaking.

SUMMARY:

The FDIC is proposing to amend its regulations concerning annual independent audits and reporting requirements, which implement Section 36 of the Federal Deposit Insurance Act (FDI Act). Section 36 and the FDIC's implementing regulations are generally intended to facilitate early identification of problems in financial management at insured depository institutions with total assets above a certain threshold (currently $500 million) through annual independent audits, assessments of the effectiveness of internal control over financial reporting and compliance with designated laws and regulations, and related reporting requirements. Section 36 also includes requirements for audit committees at these insured depository institutions. The FDIC's amendments would raise the asset size threshold from $500 million to $1 billion for internal control assessments by management and external auditors and for the members of the audit committee, who must be outside directors, to be independent of management. As required by section 36, the FDIC has consulted with the other Federal banking agencies. These amendments are proposed to take effect December 31, 2005.

DATES:

Comments must be received on or before September 16, 2005.

ADDRESSES:

Interested parties are invited to submit written comments to the FDIC by any of the following methods:

  • Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
  • Agency Web site: http://www.fdic.gov/​regulations/​laws/​federal/​propose.html. Follow the instructions for submitting comments on the FDIC Web site.
  • E-mail: Comments@FDIC.gov. Include RIN number in the subject line of the message.
  • Mail: Robert E. Feldman, Executive Secretary, Attention: Comments, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429.
  • Hand Delivery/Courier: Guard station at the rear of the 550 17th Street building (located on F Street) on business days between 7 a.m. and 5 p.m.

Instructions: All submissions received must include the agency name and RIN number for this rulemaking. All comments received will be posted without change to http://www.fdic.gov/​regulations/​laws/​federal/​propose.html including any personal information provided. Comments may be inspected and photocopied in the FDIC Public Information Center, Room 100, 801 17th Street, NW., Washington, DC, between 9 a.m. and 4:30 p.m. on business days.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Harrison E. Greene, Jr., Senior Policy Analyst (Bank Accounting), Division of Supervision and Consumer Protection, at hgreene@fdic.gov or (202) 898-8905; or Michelle Borzillo, Counsel, Supervision and Legislation Section, Legal Division, at mborzillo@fdic.gov or (202) 898-7400.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

A. Background

Section 112 of the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) added Section 36, “Early Identification of Needed Improvements in Financial Management,” to the FDI Act (12 U.S.C. 1831m). Section 36 is generally intended to facilitate early identification of problems in financial management at insured depository institutions above a certain asset size threshold through annual independent audits, assessments of the effectiveness of internal control over financial reporting and compliance with designated laws and regulations, and related requirements. Section 36 also includes requirements for audit committees at these insured depository institutions. Section 36 grants the FDIC discretion to set the asset size threshold for compliance with these statutory requirements, but it states that the threshold cannot be less than $150 million. Sections 36(d) and (f) also obligate the FDIC to consult with the other Federal banking agencies in implementing these sections of the FDI Act, and the FDIC has performed that consultation requirement.

In June 1993, the FDIC published 12 CFR part 363 (58 FR 31332, June 2, 1993) to implement the provisions of section 36 of the FDI Act. Under part 363, the requirements of section 36 apply to each insured depository institution with $500 million or more in total assets at the beginning of its fiscal year (covered institution). Often referred to as the “FDICIA reporting requirements,” part 363 requires each covered institution to submit to the FDIC and other appropriate Federal and state supervisory agencies an annual report that includes audited financial statements, a statement of management's responsibilities, assessments by management of the effectiveness of internal control over financial reporting and compliance with designated laws and regulations, and an auditor's attestation report on internal control over financial reporting. In addition, part 363 provides that each covered institution must establish an independent audit committee of its board of directors comprised of outside directors who are independent of management of the institution. Part 363 also includes Guidelines and Interpretations (Appendix A to part 363), which are intended to assist institutions and independent public accountants in understanding and complying with section 36 and part 363.

A covered institution may satisfy the audited financial statements requirement of part 363 at the holding company level. Subject to certain conditions, the other requirements of part 363 may be satisfied at the holding company level. Members of the independent audit committee of a holding company may serve as the audit committee of a subsidiary covered institution provided they are otherwise independent of the subsidiary's management and meet the other criteria set forth in part 363.

When it adopted part 363 in 1993, the FDIC stated that it was setting the asset size threshold at $500 million rather Start Printed Page 44294than the $150 million specified in section 36 to mitigate the financial burden of compliance with section 36 consistent with safety and soundness. In selecting $500 million in total assets as the size threshold, the FDIC noted that approximately 1,000 of the then nearly 14,000 FDIC-insured institutions would be subject to part 363. These covered institutions held approximately 75 percent of the assets of insured institutions at that time. By imposing the audit, reporting, and audit committee requirements of part 363 on institutions with this percentage of the industry's assets, the FDIC intended to ensure that the Congress's objectives for achieving sound financial management at insured institutions when it enacted section 36 would be focused on those institutions posing the greatest risk to the insurance funds administered by the FDIC. Today, due to consolidation in the banking and thrift industry and the effects of inflation, approximately 1,150 of the 8,900 insured institutions have $500 million or more in total assets and are therefore subject to part 363. These covered institutions hold approximately 90 percent of the assets of insured institutions.

B. Increasing the Asset Size Threshold for Internal Control Assessments

An effective internal control structure is critical to the safety and soundness of each insured institution. Given its importance, internal control is evaluated as part of the supervision of individual institutions and its adequacy is a factor in the management rating assigned to an institution. Furthermore, in the audit of an institution's financial statements, the external auditor must obtain an understanding of internal control, including assessing control risk, and must report certain matters regarding internal control to the institution's audit committee.

An institution subject to part 363 has the added requirement that its management perform an assessment of the internal control structure and procedures for financial reporting and that its external auditor examine, attest to, and report on management's assertion concerning the institution's internal control over financial reporting. For purposes of these internal control provisions of part 363, the FDIC has advised covered institutions that the term “financial reporting” includes both financial statements prepared in accordance with generally accepted accounting principles and those prepared for regulatory reporting purposes.[1] Until year-end 2004, external auditors performed their internal control assessments in accordance with an attestation standard issued by the American Institute of Certified Public Accountants (AICPA) known as “AT 501.”

The Sarbanes-Oxley Act was enacted into law on July 30, 2002. Section 404 of this Act imposes a requirement for internal control assessments by the management and external auditors of all public companies that is similar to the FDICIA requirement. The Securities and Exchange Commission's (SEC) rules implementing these requirements took effect at year-end 2004 for “accelerated filers,” i.e., generally, public companies whose common equity has an aggregate market value of at least $75 million, but they will not take effect until 2006 for “non-accelerated filers.” For the section 404 auditor attestations, the Public Company Accounting Oversight Board's (PCAOB) Auditing Standard No. 2 (AS 2) applies. AS 2 replaces the AICPA's AT 501 internal control attestation standard for public companies, but AS 2 does not apply to nonpublic companies. The SEC's section 404 rules for management and the provisions of AS 2 for section 404 audits of internal control establish more robust documentation and testing requirements than those that have been applied by covered institutions and their auditors to satisfy the internal control reporting requirements in part 363.

For internal control attestations of nonpublic companies, the AICPA is currently developing proposed revisions to AT 501 that are expected to bring it closer into line with the provisions of AS 2. The revisions also are likely to have the effect of requiring greater documentation and testing of internal control over financial reporting by an institution's management in order for the auditor to perform his or her attestation work.

As the environment has changed and continues to change since the enactment of the Sarbanes-Oxley Act, the FDIC has observed that compliance with the audit and reporting requirements of part 363 has and will continue to become more burdensome and costly, particularly for smaller nonpublic covered institutions. Thus, the FDIC has reviewed the current asset size threshold for compliance with part 363 in light of the discretion granted by Section 36 that permits the FDIC to determine the appropriate size threshold (at or above $150 million) at which insured institutions should be subject to the various provisions of section 36. Based on this review, the FDIC is proposing to amend part 363 to increase the asset size threshold for internal control assessments by management and external auditors from $500 million to $1 billion. Raising the threshold to $1 billion would achieve meaningful burden reduction without sacrificing safety and soundness.

In reaching this decision, the FDIC concluded that raising the $500 million asset size threshold to $1 billion and exempting all institutions below this higher size level from all of the reporting requirements of part 363 would not be consistent with the objective of the underlying statute, i.e., early identification of needed improvements in financial management. In contrast, the FDIC believes that relieving smaller covered institutions from the burden of internal control assessments, while retaining the financial statement audit and other reporting requirements for all institutions with $500 million or more in total assets, strikes an appropriate balance in accomplishing this objective. If the FDIC were to raise the size threshold for internal control assessments to $1 billion, about 600 of the largest insured institutions with approximately 86 percent of industry assets would continue to be covered by the internal control reporting requirements of part 363. At the same time, the managements of covered institutions would remain responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and all institutions with $500 million or more in total assets would continue to include a statement to that effect in their part 363 annual report.

Accordingly, the FDIC is seeking comments on the proposed amendment to part 363 to increase the asset size threshold for internal control assessments by management and external auditors to $1 billion. This amendment is proposed to take effect December 31, 2005. For insured institutions (both public and non-public) with calendar year fiscal years that had $500 million or more in total assets, but less than $1 billion in total assets, on January 1, 2005, this proposal would mean that the part 363 annual report for 2005 that they submit to the FDIC and other appropriate Federal and state supervisory agencies would need to include only audited financial statements, statements of management's Start Printed Page 44295responsibilities, management's assessment of the institution's compliance with designated laws and regulations, and an auditor's report on the financial statements.

For insured depository institutions that are public companies or subsidiaries of public companies, regardless of size, the FDIC's proposed amendment to part 363 would not relieve public companies of their obligation to comply with the internal control assessment requirements imposed by section 404 of the Sarbanes-Oxley Act in accordance with the effective dates for compliance set forth in the SEC's implementing rules.

Nevertheless, the FDIC reminds insured institutions with $1 billion or more in total assets that are public companies or subsidiaries of public companies that they have considerable flexibility in determining how best to satisfy the internal control assessment requirements in the SEC's section 404 rules and the FDIC's part 363. As indicated in the preamble to the SEC's section 404 final rule release, the FDIC (and the other Federal banking agencies) agreed with the SEC that insured depository institutions that are subject to both part 363 (as well as holding companies permitted under the holding company exception in part 363 to file an internal control report on behalf of their insured depository institution subsidiaries) and the SEC's rules implementing section 404 can choose either of the following two options:

  • They can prepare two separate reports of management on the institution's or the holding company's internal control over financial reporting to satisfy the FDIC's part 363 requirements and the SEC's section 404 requirements; or
  • They can prepare a single report of management on internal control over financial reporting that satisfies both the FDIC's requirements and the SEC's requirements.[2]

For more complete information on these two options, institutions (and holding companies) should refer to Section II.H.4. of the preamble to the SEC's Section 404 final rule release (68 FR 36648, June 18, 2003).

C. Composition of the Audit Committee

Currently, part 363 requires each covered institution to establish an independent audit committee of its board of directors, comprised of outside directors who are independent of management of the institution. The duties of the audit committee include reviewing with management and the institutions' independent public accountant the basis for the reports included in the part 363 annual report submitted to the FDIC and other appropriate Federal and state supervisory agencies. The FDIC's Guidelines to part 363 provide that, at least annually, the board of directors of a covered institution should determine whether all existing and potential audit committee members are “independent of management of the institution.” The guidelines also describe factors to consider in making this determination.[3]

Section 36 provides that an appropriate Federal banking agency may grant a hardship exemption to a covered institution that would permit its independent audit committee to be made up of less than all, but no fewer than a majority of, outside directors who are independent of management. To grant the exemption, the agency must find that the institution has encountered hardships in retaining and recruiting a sufficient number of competent outside directors.

Notwithstanding this exemption provision of section 36, the FDIC has observed that a number of smaller covered institutions, particularly those with few shareholders that have recently exceeded $500 million in total assets and become subject to part 363, have encountered difficulty in satisfying the independent audit committee requirement. To comply with this requirement, these institutions must identify and attract qualified individuals in their communities who would be willing to become a director and audit committee member and who would be independent of management.

To relieve this burden, but also recognizing that the FDIC has long held that individuals who serve as directors of any insured depository institution should be persons of independent judgment, the FDIC is proposing to amend part 363 to increase from $500 million to $1 billion the asset size threshold for requiring audit committee members to be independent of management. Conforming changes would be made to Guidelines 27-29 of Appendix A to part 363. Each insured depository institution with total assets of $500 million or more but less than $1 billion would continue to be required to have an audit committee comprised of outside directors. Consistent with Guideline 29 of Appendix A to part 363, an outside director would be defined as an individual who is not, and within the preceding year has not been, an officer or employee of the institution or any affiliate of the institution.

This proposed amendment to the audit committee requirements for institutions with between $500 million and $1 billion in total assets would allow an outside director who is, for example, a consultant or legal counsel to the institution, a relative of an officer or employee of the institution or its affiliates, or the owner of 10 percent or more of the stock of the institution to serve as an audit committee member. Nevertheless, the FDIC would encourage each institution with between $500 million and $1 billion in assets to make a reasonable good faith effort to establish an audit committee of outside directors who are independent of management.

Accordingly, the FDIC is seeking comments on the proposed amendment to increase from $500 million to $1 billion the asset size threshold at which members of a covered institution's audit committee must be outside directors who are independent of management. This amendment is proposed to take effect December 31, 2005.

D. Technical Changes

The FDIC also proposes to make certain technical changes to part 363 to correct outdated titles, terms, and references in the regulation and its appendix.

E. Other Revisions

The FDIC has identified other aspects of part 363 that may warrant revision in light of changes in the industry and the passage of the Sarbanes-Oxley Act. However, the FDIC believes that finalizing the amendments in this proposal should take priority over other possible revisions to part 363 in order to reduce compliance burdens and expenses for affected institutions in the current year. The FDIC expects to propose further revisions to part 363 as soon as practicable. Start Printed Page 44296

Request for Comments

The FDIC welcomes comments on all aspects of this proposal.

Solicitation of Comments on Use of Plain Language

Section 722 of the Gramm-Leach-Bliley Act, Pub. L. 106-102, sec. 722, 113 Stat. 1338, 1471 (Nov. 12, 1999), requires the Federal banking agencies to use plain language in all proposed and final rules published after January 1, 2000. We invite your comments on how to make this proposal easier to understand. For example:

  • Have we organized the material to suit your needs? If not, how could this material be better organized?
  • Are the requirements in the proposed regulation clearly stated? If not, how could the regulation be more clearly stated?
  • Does the proposed regulation contain language or jargon that is not clear? If so, which language requires clarification?
  • Would a different format (grouping and order of sections, use of headings, paragraphing) make the regulation easier to understand? If so, what changes to the format would make the regulation easier to understand?
  • What else could we do to make the regulation easier to understand?

Solicitation of Comments on Impact on Community Banks

The FDIC seeks comments on the impact of this proposal on community banks. The FDIC recognizes that community banks operate with more limited resources than larger institutions and may present a different risk profile. Thus, the FDIC specifically requests comments on the impact of the proposal on community banks' current resources, including personnel, and whether the goals of the proposed rule could be achieved, for community banks, through an alternative approach.

Regulatory Flexibility Act Analysis

The Regulatory Flexibility Act (RFA) requires that each Federal Agency either certify that a proposed rule would not, if adopted in final form, have a significant economic impact on a substantial number of small entities or prepare an initial regulatory flexibility analysis (IRFA) of the proposal and publish the analysis for comment. See 5 U.S.C. 603, 605. The Small Business Administration (SBA) defines small banks as those with less than $150 million in assets. Because this rule expressly exempts insured depository institutions having assets of less than $500 million, it is inapplicable to small entities as defined by the SBA. Therefore, it is certified that this proposed rule would not have a significant economic impact on a substantial number of small entities.

Paperwork Reduction Act

This proposed rule would revise a collection of information that has been reviewed and approved by the Office of Management and Budget under control number 3064-0113, pursuant to the Paperwork Reduction Act (44 U.S.C. 3501 et seq). The primary revisions increase the asset size threshold for compliance with sections 363.2(b), 363.3(b), and 363.5(a). It is anticipated that these changes will result in a burden reduction for affected insured institutions. Comments are invited on: (a) Whether the collection of information is necessary for the proper performance of the FDIC's functions, including whether the information has practical utility; (b) the accuracy of the estimates of the burden of the information collection; (c) ways to enhance the quality, utility, and clarity of the information to be collected; and (d) ways to minimize the burden of the information collection on respondents, including through the use of automated collection techniques or other forms of information technology.

Comments should be addressed to Steven F. Hanft, Paperwork Clearance Officer, Room MB-3064, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429, with copies to Desk Officer Mark Menchik, Office of Information and Regulatory Affairs, Office of Management and Budget, NEOB, Washington, DC 20503.

The paperwork burden associated with this rule was last reviewed in 2002. At that time, the FDIC estimated the burden to be 42,639 hours for FDIC-supervised institutions. Since then, data has become available to the FDIC that indicates the 2002 estimate was too low. Taking that information (including the results of a burden study conducted by a major trade association) into account, the FDIC believes a more accurate estimate for this collection of information is 118,535 hours. If the revisions in this proposed rule are implemented, the resulting estimated reporting burden for the collection of information would be 65,612 hours, a 45 percent reduction (52,923 hours).

Number of Respondents: 5,243.

Total Annual Responses: 15,684.

Total Annual Burden Hours: 65,612.

Start List of Subjects

List of Subjects in 12 CFR Part 363

End List of Subjects

For the reasons set forth in the preamble, the Board of Directors of the FDIC proposes to amend part 363 of title 12, chapter III, of the Code of Federal Regulations as follows:

Start Part

PART 363—ANNUAL INDEPENDENT AUDITS AND REPORTING REQUIREMENTS

1. The authority citation for part 363 continues to read as follows:

Start Authority

Authority: 12 U.S.C 1831m.

End Authority

2. Section 363.1 is amended by revising paragraph (b)(2)(ii)(B) to read as follows:

Scope.
* * * * *

(b) * * *

(2) * * *

(ii) * * *

(B) Total assets of $5 billion or more and a composite CAMELS rating of 1 or 2.

* * * * *

3. Section 363.2 is amended by revising paragraph (b)(2) and adding paragraph (b)(3) to read as follows:

Annual reporting requirements.
* * * * *

(b) * * *

(1) * * *

(2) An assessment by management of the institution's compliance with such laws and regulations during such fiscal year; and

(3) For an institution with total assets of $1 billion or more at the beginning of such fiscal year, an assessment by management of the effectiveness of such internal control structure and procedures as of the end of such fiscal year.

4. Section 363.3 is amended by revising paragraph (b) to read as follows:

Independent public accountant.
* * * * *

(b) Additional reports. For each insured depository institution with total assets of $1 billion or more at the beginning of the institution's fiscal year, such independent public accountant shall examine, attest to, and report separately on, the assertion of management concerning the institution's internal control structure and procedures for financial reporting. The attestation shall be made in accordance with generally accepted standards for attestation engagements.

* * * * *

5. Section 363.5 is amended by revising paragraph (a) to read as follows:

Start Printed Page 44297
Audit committees.

(a) Composition and duties. Each insured depository institution shall establish an audit committee of its board of directors, the composition of which complies with paragraphs (a)(1), (2), and (3) of this section, and the duties of which shall include reviewing with management and the independent public accountant the basis for the reports issued under this part.

(1) Each insured depository institution with total assets of $1 billion or more as of the beginning of its fiscal year shall establish an independent audit committee of its board of directors, the members of which shall be outside directors who are independent of management of the institution.

(2) Each insured depository institution with total assets of $500 million or more but less than $1 billion as of the beginning of its fiscal year shall establish an audit committee of its board of directors, the members of which shall be outside directors.

(3) An outside director is a director who is not, and within the preceding fiscal year has not been, an officer or employee of the institution or any affiliate of the institution.

* * * * *

6. Appendix A to Part 363 is amended as follows:

a. Footnote 2 Guideline 10 is amended by adding “and Consumer Protection Risk Management” after “FDIC's Division of Supervision”;

b. Guideline 16 is amended by removing “Registration and Disclosure Section” and adding in its place “Accounting and Securities Disclosure Section”;

c. Guideline 22 is amended by revising the first sentence of paragraph (a) to read as set forth below:

d. Guideline 27 is amended by revising the second sentence to read as set forth below;

e. Guideline 28 is amended by revising paragraph (a) to read as set forth below;

f. Guideline 29 is revised to read as set forth below; and

g. The first sentence of Guideline 36 is revised to read as set forth below.

The revisions read as follows:

Appendix A to Part 363—Guidelines and Interpretations

* * * * *

Filing and Notice Requirements (§ 363.4)

22. * * *

(a) FDIC: Appropriate FDIC Regional or Area Office (Supervision and Consumer Protection), i.e., the FDIC regional or area office in the FDIC region or area that is responsible for monitoring the institution or, in the case of a subsidiary institution of a holding company, the consolidated company. * * *

* * * * *

Audit Committees (§ 363.5)

27. * * * At least annually at an institution with $1 billion or more in total assets at the beginning of its fiscal year, the board should determine whether all existing and potential audit committee members are “independent of management of the institution.” * * *

28. * * *

(a) Has previously been an officer of the institution or any affiliate of the institution;

29. Lack of Independence. An outside director should not be considered independent of management if such director owns or controls, or has owned or controlled within the preceding fiscal year, assets representing 10 percent or more of any outstanding class of voting securities of the institution.

* * * * *

Other

36. * * * The FDIC Board of Directors has delegated to the Director of the FDIC's Division of Supervision and Consumer Protection (DSC) authority to make and publish in the Federal Register minor technical amendments to the Guidelines in this appendix in consultation with the other appropriate Federal banking agencies, to reflect the practical experience gained from implementation of this part. * * *

* * * * *
Start Signature

By order of the Board of Directors.

Federal Deposit Insurance Corporation.

Dated at Washington, DC, this 19th day of July, 2005.

Robert E. Feldman,

Executive Secretary.

End Signature
End Part End Supplemental Information

Footnotes

1.  See FDIC Financial Institution Letter (FIL) 86-94, dated December 23, 1994. FIL-86-94 indicates that financial statements prepared for regulatory reporting purposes encompass the schedules equivalent to the basic financial statements in an institution's appropriate regulatory report, e.g., the bank Reports of Conditions and Income and the Thrift Financial Report.

Back to Citation

2.  Footnote 117 in the preamble to the SEC's Section 404 final rule releases states that “[a]n insured depository institution subject to both the FDIC's [internal control assessment] requirements and our new requirements [i.e., a public depository institution] choosing to file a single report to satisfy both sets of requirements will file the report with its primary Federal regulator under the Exchange Act and the FDIC, its primary Federal regulator (if other than the FDIC), and any appropriate state depository institution supervisor under part 363 of the FDIC's regulations. A [public] holding company choosing to prepare a single report to satisfy both sets of requirements will file the report with the [Securities and Exchange] Commission under the Exchange Act and the FDIC, the primary federal regulator of the insured depository institution subsidiary subject to the FDIC's requirements, and any appropriate state depository institution supervisor under part 363.”

Back to Citation

3.  See Guidelines 27 through 29 of Appendix A to part 363.

Back to Citation

[FR Doc. 05-15109 Filed 8-1-05; 8:45 am]

BILLING CODE 6714-01-P