Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official. 
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
Https
The site is secure. 
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

CORPORATE GOVERNANCE, AUDITS, AND REPORTING REQUIREMENTS

TO: CHIEF EXECUTIVE OFFICER (also of interest to Chief Financial Officer and Members of the Board) 
SUBJECT: Effect of the Sarbanes-Oxley Act of 2002 on Insured Depository Institutions 
Summary: The FDIC is providing guidance to institutions about selected provisions of the Sarbanes-Oxley Act, including the actions the FDIC encourages institutions to take to ensure sound corporate governance. The guidance also discusses the applicability of the auditor independence provisions of the Act and the Securities and Exchange Commission's implementing regulations to institutions with $500 million or more in total assets. 

The provisions of the Sarbanes-Oxley Act of 2002 are primarily directed toward those companies, including insured depository institutions, that have a class of securities registered with the Securities and Exchange Commission (SEC) or the appropriate federal banking agency under Section 12 of the Securities Exchange Act of 1934, i.e., public companies. Since enactment of the Act, the Federal Deposit Insurance Corporation (FDIC) has received questions about the applicability of the Sarbanes-Oxley Act to insured depository institutions. The answers to these questions depend, in large part, on an institution's size and whether it is a public company or a subsidiary of a public company.

FDIC-Supervised Banks That Are Public Companies or Subsidiaries of Public Companies 

Some FDIC-supervised banks have registered their securities with the FDIC pursuant to Part 335 of the FDIC's regulations and are, therefore, public companies. Other FDIC-supervised banks are subsidiaries of bank holding companies that are public companies. These public companies and their independent public accountants must comply with the Sarbanes-Oxley Act — including those provisions governing auditor independence, corporate responsibility and enhanced financial disclosures — and the implementing regulations. The SEC is at various stages in the adoption of these regulations. For banks whose securities are registered with the FDIC, Part 335 currently incorporates applicable SEC regulations by reference, but the FDIC expects that certain amendments to Part 335 will be necessary.

Non-public FDIC-Supervised Banks With Less Than $500 Million in Total Assets 

FDIC-supervised banks that have less than $500 million in total assets as of the beginning of their fiscal year are not subject to the annual audit and reporting requirements of Section 36 of the Federal Deposit Insurance (FDI) Act. Banks in this size range that are not public companies, or subsidiaries of public companies, generally do not fall within the scope of the Sarbanes-Oxley Act and the SEC's implementing regulations. Nevertheless, certain provisions of the Sarbanes-Oxley Act mirror existing policy guidance related to corporate governance that the FDIC and the other banking agencies have issued. Other provisions of the Sarbanes-Oxley Act represent sound corporate governance practices.

Attachment I presents a summary of selected provisions of the Sarbanes-Oxley Act that the FDIC believes are of relevance to FDIC-supervised banks with less than $500 million in total assets that are not public companies. The sound corporate governance practices detailed in Attachment I are not mandatory for smaller, non-public institutions; however, the FDIC recommends that each institution consider implementing them to the extent feasible given its size, complexity, and risk profile.

Insured Depository Institutions With $500 Million or More in Total Assets 

Institutions that have $500 million or more in total assets as of the beginning of their fiscal year are subject to the annual audit and reporting requirements of Section 36 of the FDI Act as implemented by Part 363 of the FDIC's regulations. Some of these large institutions are public companies or subsidiaries of public companies. Some institutions subject to Part 363 currently satisfy the requirements of this regulation on a holding company basis. The applicability of the Sarbanes-Oxley Act to institutions with $500 million or more in total assets is discussed in Attachment II.

The Sarbanes-Oxley Act can be accessed at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:h3763enr.txt.pdf (204KB File - PDF Help or Hard Copy ). For further information on the applicability of the Sarbanes-Oxley Act provisions, please contact Examination Specialist Mike Jenkins (202-898-6896) or Senior Staff Accountant Dennis Chapman (202-898-8922) of the Division of Supervision and Consumer Protection's Risk Management Policy and Examination Support Branch.

For your reference, FDIC Financial Institution Letters may be accessed on the FDIC's Web site at http://www.fdic.gov/news/financial-institution-letters/2003/index.html.

 

Michael J. Zamorski

Director
 

Attachments:

Applicability of Selected Provisions of the Sarbanes-Oxley Act of 2002 to FDIC-Supervised Banks With Less Than $500 Million In Total Assets That Are Not Public Companies 

Applicability of Selected Provisions of The Sarbanes-Oxley Act of 2002 to Insured Institutions With $500 Million Or More In Total Assets 

Distribution: FDIC-Supervised Banks (Commercial and Savings) and Insured Depository Institutions with $500 Million or More in Total Assets

NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342, option 5, or (703) 562-2200).

Last Updated: March 5, 2003