Home > News & Events > Financial Institution Letters




Financial Institution Letters


Part 363 Annual Reports and Other Required Reports

Section 36 of the Federal Deposit Insurance Act (FDI Act) and Part 363 of the FDIC's regulations impose annual audit and reporting requirements on insured depository institutions with $500 million or more in total assets.

Effective and Compliance Dates of Amendments to Part 363

Except as noted below, the amendments to Part 363 will take effect 30 days after they are published in the Federal Register. Part 363 Annual Reports with a filing deadline on or after the effective date of the amendments should be prepared in accordance with the final rule.

To provide sufficient time for boards of directors of institutions currently subject to Part 363 to develop and adopt written criteria for evaluating an audit committee member's independence (Guideline 27), the compliance date for this provision has been delayed until December 31, 2009. To provide institutions that currently comply with Part 363 at the holding company level but would not meet the 75-percent-of-consolidated-total-assets threshold for eligibility to comply at the holding company level set forth in the final rule ( 363.1(b)(1)(ii)) sufficient time to comply with this new requirement, the effective date of this provision has been delayed until fiscal years ending on or after June 15, 2010. For fiscal years ending on or before June 14, 2010, an institution that is a subsidiary of a holding company may continue to satisfy the audited financial statements requirement of Part 363 at a holding company level whether or not the institution's total assets (or the consolidated total assets of all of its parent holding company's insured depository institution subsidiaries) comprise 75 percent or more of the holding company's consolidated total assets at the beginning of the fiscal year.

Part 363 Reporting Requirements

The following information is intended to clarify what must be included in a Part 363 Annual Report for (1) institutions with $500 million or more but less than $1 billion in total assets and (2) institutions with $1 billion or more in total assets. Also discussed are other requirements that are applicable to all institutions subject to Part 363. With certain exceptions, the Part 363 annual reporting requirements may be satisfied by an institution's holding company if services and functions comparable to those required of the institution are provided at the holding company level. An institution's total assets are measured as of the beginning of its fiscal year.

The information included in this Attachment is an overview of the annual reporting and certain other reporting requirements of Part 363. The management, board of directors, and audit committee of each institution subject to Part 363 and independent public accountants that provide audit and attestation services to institutions subject to Part 363 are encouraged to read and become familiar with the Part 363 regulatory text, the Guidelines and Interpretations in Appendix A, and the Illustrative Management Reports in Appendix B to obtain a complete understanding of the compliance requirements of Part 363. For example, Part 363 also includes requirements for audit committees of institutions with $500 million or more in total assets. These requirements direct each such institution to have an independent audit committee comprised entirely of outside directors who must be "independent of management," although a minority of the audit committee members of institutions with $500 million or more but less than $1 billion in total assets need not be "independent of management." In addition, Part 363 addresses the duties of the audit committee.

Part 363 Annual Reports for Institutions With $500 Million or More but Less Than $1 Billion in Total Assets

Section 36 of the FDI Act and Part 363 of the FDIC's regulations, as amended, require insured depository institutions with at least $500 million but less than $1 billion in total assets to file a Part 363 Annual Report that must include the following:

  1. Audited comparative annual financial statements;
  2. The independent public accountant's report on the audited financial statements;
  3. A management report that contains:
    1. A statement of management's responsibilities for:
      1. Preparing the annual financial statements;
      2. Establishing and maintaining an adequate internal control structure over financial reporting;1 and
      3. Complying with the designated safety and soundness laws and regulations pertaining to insider loans and dividend restrictions; and
    2. An assessment by management of the institution's compliance with the designated laws and regulations pertaining to insider loans and dividend restrictions during the year, which must state management's conclusion regarding compliance and disclose any noncompliance with these laws and regulations.

In general, an institution that is required to file, or whose parent holding company is required to file, management's assessment of the effectiveness of internal control over financial reporting with the Securities and Exchange Commission (SEC) or the appropriate federal banking agency in accordance with Section 404 of the Sarbanes-Oxley Act of 2002 must submit a copy of such assessment with its Part 363 Annual Report as additional information. However, this assessment will not be considered part of the institution's Part 363 Annual Report.

Part 363 Annual Reports for Institutions With $1 Billion or More in Total Assets

Section 36 of the FDI Act and Part 363 of the FDIC's regulations, as amended, require insured depository institutions with $1 billion or more in total assets to file an annual report that must include the following:

  1. Audited comparative annual financial statements;
  2. The independent public accountant's report on the audited financial statements;
  3. A management report that contains:
    1. A statement of management's responsibilities for:
      1. Preparing the annual financial statements;
      2. Establishing and maintaining an adequate internal control structure over financial reporting;2 and
      3. Complying with the designated safety and soundness laws and regulations pertaining to insider loans and dividend restrictions; and
    2. An assessment by management on the effectiveness of the institution's internal control structure over financial reporting as of the end of the fiscal year that must:
      1. Identify the internal control framework3 used by management to evaluate the effectiveness of internal control over financial reporting;
      2. State that the assessment included controls over the preparation of regulatory financial statements in accordance with regulatory reporting instructions and identify the regulatory reporting instructions;
      3. State management's conclusion as to whether internal control over financial reporting is effective as of the institution's fiscal year-end;4 and
      4. Disclose all material weaknesses in internal control over financial reporting, if any, that management has identified that have not been remediated prior to the institution's fiscal year-end.
    3. An assessment by management of the institution's compliance with the designated laws and regulations pertaining to insider loans and dividend restrictions during the year, which must state management's conclusion regarding compliance and disclose any noncompliance with these laws and regulations.

  4. The independent public accountant's attestation report concerning the effectiveness of the institution's internal control structure over financial reporting. The accountant's report must not be dated prior to the date of the management report and management's assessment of the effectiveness of internal control over financial reporting and must:
    1. Identify the internal control framework used by the independent public accountant, which must be the same as the internal control framework used by management, to evaluate the effectiveness of the institution's internal control over financial reporting;
    2. State that the independent public accountant's evaluation included controls over the preparation of regulatory financial statements in accordance with regulatory reporting instructions and identify the regulatory reporting instructions;
    3. State the independent public accountant's conclusion as to whether internal control over financial reporting is effective as of the institution's fiscal year-end;5 and
    4. Disclose all material weaknesses in internal control over financial reporting, if any, that the independent public accountant has identified that have not been remediated prior to the institution's fiscal year-end.

Filing Deadlines for Part 363 Annual Reports

For fiscal years ending on or before June 14, 2010, an insured depository institution that is neither a public company nor a subsidiary of a public company shall file its Part 363 Annual Report within 120 days after the end of its fiscal year. An institution that is a public company or a subsidiary of a public company shall file its Part 363 Annual Report within 90 days after the end of its fiscal year.

For fiscal years ending on or after June 15, 2010, an institution shall file its Part 363 Annual Report within 120 days after the end of its fiscal year if (1) it is neither a public company nor a subsidiary of a public company or (2) it is a subsidiary of a public holding company and its consolidated total assets (or the consolidated total assets of all of its parent holding company's insured depository institution subsidiaries) comprise less than 75 percent of the consolidated total assets of the public holding company as of the beginning of its fiscal year.

An institution shall file its Part 363 Annual Report within 90 days after the end of its fiscal year if (1) it is a public company or (2) it is a subsidiary of a public holding company and its consolidated total assets (or the consolidated total assets of all of its parent holding company's insured depository institution subsidiaries) comprise 75 percent or more of the consolidated total assets of the public holding company as of the beginning of its fiscal year.

If an institution will be unable to file its Part 363 Annual Report by the specified deadline, it must submit a notification of late filing, which is discussed in the "Notification of Late Filing" section of this Attachment.

Other Requirements – All Institutions With $500 Million or More in Total Assets

Other Reports and Letters Issued by the Independent Public Accountant

Except for the independent public accountant's reports that are included in its Part 363 Annual Report, each insured depository institution must file with the FDIC, the appropriate federal banking agency, and any appropriate state bank supervisor a copy of any management letter or other report issued by its independent public accountant with respect to the institution and the audit and attestation services provided by the accountant within 15 days after receipt. Such reports include, but are not limited to:

  • Any written communication regarding matters that the accountant is required to communicate to the audit committee (for example, critical accounting policies, alternative accounting treatments discussed with management, and any schedule of unadjusted differences);
  • Any written communication of significant deficiencies and material weaknesses in internal control required by the auditing or attestation standards of the American Institute of Certified Public Accountants (AICPA) or the Public Company Accounting Oversight Board (PCAOB), as appropriate;
  • For an institution with total assets of $500 million or more but less than $1 billion as of the beginning of its fiscal year that is (1) a public company or (2) a subsidiary of a public holding company and its consolidated total assets (or the consolidated total assets of all of its parent holding company's insured depository institution subsidiaries) comprise 75 percent or more of the consolidated total assets of the public holding company as of the beginning of its fiscal year, any report by the independent public accountant on the audit of internal control over financial reporting required by Section 404 of the Sarbanes-Oxley Act of 2002 and the PCAOB's auditing standards;
  • For an institution that is (1) a public company or (2) a subsidiary of a public holding company and its consolidated total assets (or the consolidated total assets of all of its parent holding company's insured depository institution subsidiaries) comprise 75 percent or more of the consolidated total assets of the public holding company as of the beginning of its fiscal year, any written communication by the independent public accountant of all deficiencies in internal control over financial reporting that are of a lesser magnitude than significant deficiencies, which is required by the PCAOB's auditing standards; and
  • For an institution that is (1) a nonpublic company or (2) a subsidiary of a nonpublic holding company and its consolidated total assets (or the consolidated total assets of all of its parent holding company's insured depository institution subsidiaries) comprise 75 percent or more of the consolidated total assets of the nonpublic holding company as of the beginning of its fiscal year, any written communication by the independent public accountant of all deficiencies in internal control over financial reporting that are of a lesser magnitude than significant deficiencies, which is required by the AICPA's auditing and attestation standards.

Notice of Engagement, Change, Dismissal, or Resignation of Accountants

Within 15 days after a change in or the dismissal or resignation of the institution's independent public accountant or the engagement of a new independent public accountant, the institution must file written notice with the FDIC, the appropriate federal banking agency, and any appropriate state bank supervisor. Also, within 15 days after the institution's independent public accountant resigns or is dismissed, the independent public accountant must file written notice with the FDIC, the appropriate federal banking agency, and any appropriate state bank supervisor. These written notices should set forth in reasonable detail the reasons for the resignation or dismissal of the institution's independent public accountant.

In this regard, before engaging an independent public accountant, the institution's audit committee should satisfy itself that the independent public accountant is in compliance with the qualifications and other requirements applicable to independent public accountants set forth in Part 363, including the independence standards of the AICPA, the SEC, and the PCAOB. Also, the audit committee should ensure that engagement letters and any related agreements with the independent public accountant for audit and attestation services to be performed under Part 363 do not contain any limitation of liability provisions that: (1) indemnify the independent public accountant against claims made by third parties; (2) hold harmless or release the independent public accountant from liability for claims or potential claims that might be asserted by the client institution, other than claims for punitive damages; or (3) limit the remedies available to the client institution.

Peer Reviews and Inspection Reports

Within 15 days of receiving notification that a peer review has been accepted or a PCAOB inspection report has been issued, or before commencing any audit or attestation service under Part 363, whichever is earlier, the independent public accountant must file two copies of its most recent peer review report and the public portion of its most recent PCAOB inspection report, if any, accompanied by any letters of comments, response, and acceptance, with the FDIC, Accounting and Securities Disclosure Section, 550 17th Street, NW, Washington, DC 20429, if the report has not already been filed. Also, within 15 days of the PCAOB making public a previously nonpublic portion of an inspection report, the independent public accountant must file two copies of the previously nonpublic portion of the inspection report with the FDIC.

Notification of Late Filing

An institution that is unable to timely file all or any portion of its Part 363 Annual Report or any other report or notice required to be filed by Part 363 must submit a written notice of late filing to the FDIC, the appropriate federal banking agency, and any appropriate state bank supervisor. The notice shall disclose the institution's inability to timely file the report or notice and the reasons for the late filing in reasonable detail and state the date by which the report or notice will be filed. The written notice should be filed on or before the deadline for filing the Part 363 Annual Report or any other required report or notice, as appropriate.

Place for Filing Reports and Notices

Except for the peer review reports and inspection reports discussed in the "Peer Reviews and Inspection Reports" section of this Attachment, the Part 363 Annual Report, any written notification of late filing, and any other required report or notice should be filed as follows:

(1) FDIC: Appropriate FDIC Regional or Area Office (Division of Supervision and Consumer Protection), i.e., the FDIC regional or area office in the FDIC region or area that is responsible for monitoring the institution or, in the case of a subsidiary institution of a holding company, the consolidated company. A filing made on behalf of several institutions subject to Part 363 that are owned by the same parent holding company should be accompanied by a transmittal letter identifying all of the institutions covered.

(2) Office of the Comptroller of the Currency (OCC): Appropriate OCC Supervisory Office.

(3) Federal Reserve: Appropriate Federal Reserve Bank.

(4) Office of Thrift Supervision (OTS): Appropriate OTS District Office.

(5) State bank supervisor: The filing office of the appropriate state bank supervisor.


1 For purposes of Part 363, financial reporting encompasses both financial statements prepared in accordance with generally accepted accounting principles and those prepared for regulatory reporting purposes.

2 See footnote 1.

3 For example, in the United States, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission has published Internal Control – Integrated Framework, including an addendum on safeguarding assets. Known as the COSO report, this publication provides a suitable and available framework for purposes of management's assessment.

4 If there are one or more material weaknesses that have not been remediated prior to the institution's fiscal year-end, management must conclude that internal control over financial reporting is ineffective.

5 If there are one or more material weaknesses that have not been remediated prior to the institution's fiscal year-end, the independent public accountant must conclude that internal control over financial reporting is ineffective.



Last Updated 6/24/2009 communications@fdic.gov