
Federal Deposit
Insurance Corporation


Accounting and Auditing Resource Center

Accounting and Auditing: Part 363, Annual Independent Audits and Reporting Requirements

PART 363 ANNUAL REPORTS AND OTHER REPORTS AND NOTICES – SUMMARY OF FILING REQUIREMENTS

Section 36 of the Federal Deposit Insurance Act (FDI Act) and Part 363 of the FDIC's regulations impose annual audit and reporting requirements on insured depository institutions (institutions) with $500 million or more in consolidated total assets. Because Section 36 was added to the FDI Act by Section 112 of the Federal Deposit Insurance Corporation Improvement Act (FDICIA), these annual audit and reporting requirements are often referred to as the "FDICIA requirements."

The following information is an overview of the annual and certain other reporting requirements of Part 363. The management, board of directors, and audit committee of each institution subject to Part 363 and independent public accountants that provide audit services to institutions subject to Part 363 are encouraged to read and become familiar with the Part 363 regulatory text, the Guidelines and Interpretations in Appendix A of Part 363, and the Illustrative Management Reports in Appendix B of Part 363 to obtain a complete understanding of the compliance requirements of Part 363.

Part 363 Annual Report Requirements

The following information is intended to clarify what must be included in a Part 363 Annual Report for (1) institutions with $500 million or more but less than $1 billion in consolidated total assets and (2) institutions with $1 billion or more in consolidated total assets. Other requirements that are applicable to all institutions subject to Part 363 also are discussed. With certain exceptions, the Part 363 annual reporting requirements may be satisfied by an institution's holding company if services and functions comparable to those required of the institution are provided at the holding company level. An institution's total assets are measured as of the beginning of its fiscal year.

Part 363 Annual Reports for Institutions with $500 Million or More but Less Than $1 Billion in Consolidated Total Assets

The Part 363 Annual Report for institutions with at least $500 million but less than $1 billion in consolidated total assets must include the following:

  1. Audited comparative annual financial statements;
  2. The independent public accountant's report on the audited financial statements;
  3. A management report that contains:
    1. A statement of management's responsibilities for:
      1. Preparing the annual financial statements;
      2. Establishing and maintaining an adequate internal control structure over financial reporting[1]; and
      3. Complying with the designated safety and soundness laws and regulations pertaining to insider loans and dividend restrictions; and
    2. An assessment by management of the institution's compliance with the designated laws and regulations pertaining to insider loans and dividend restrictions during the year, which must state management's conclusion regarding compliance and disclose any noncompliance with these laws and regulations.

In general, an institution that is required to file, or whose parent holding company is required to file, management's assessment of the effectiveness of internal control over financial reporting with the Securities and Exchange Commission (SEC) or the appropriate federal banking agency in accordance with Section 404 of the Sarbanes-Oxley Act of 2002 must submit a copy of such assessment with its Part 363 Annual Report as additional information. However, this assessment is not considered part of the institution's Part 363 Annual Report.

Part 363 Annual Reports for Institutions with $1 Billion or More in Consolidated Total Assets

The Part 363 Annual Report for institutions with $1 billion or more in consolidated total assets must include the following:

  1. Audited comparative annual financial statements;
  2. The independent public accountant's report on the audited financial statements;
  3. A management report that contains:
    1. A statement of management's responsibilities for:
      1. Preparing the annual financial statements;
      2. Establishing and maintaining an adequate internal control structure over financial reporting[2]; and
      3. Complying with the designated safety and soundness laws and regulations pertaining to insider loans and dividend restrictions;
    2. An assessment by management of the institution's compliance with the designated laws and regulations pertaining to insider loans and dividend restrictions during the year, which must state management's conclusion regarding compliance and disclose any noncompliance with these laws and regulations; and
    3. An assessment by management of the effectiveness of the institution's internal control structure over financial reporting as of the end of the fiscal year; and
  4. The independent public accountant's report on the effectiveness of the institution's internal control structure over financial reporting[3]. The accountant's report must not be dated prior to the date of the management report and management's assessment of the effectiveness of internal control over financial reporting.

Management's assessment of the effectiveness of internal control over financial reporting must:

The independent public accountant's report on the effectiveness of the institution's internal control over financial reporting must:

Filing Deadlines for Part 363 Annual Reports

An institution shall file its Part 363 Annual Report within 120 days after the end of its fiscal year if (1) it is neither a public company nor a subsidiary of a public company[7] or (2) it is a subsidiary of a public holding company and its consolidated total assets (or the consolidated total assets of all of its parent holding company's insured depository institution subsidiaries) comprise less than 75 percent of the consolidated total assets of the public holding company as of the beginning of its fiscal year.

An institution shall file its Part 363 Annual Report within 90 days after the end of its fiscal year if (1) it is a public company or (2) it is a subsidiary of a public holding company and its consolidated total assets (or the consolidated total assets of all of its parent holding company's insured depository institution subsidiaries) comprise 75 percent or more of the consolidated total assets of the public holding company as of the beginning of its fiscal year.

If an institution will be unable to file its Part 363 Annual Report by the specified deadline, it must submit a notification of late filing, which is discussed below.

Other Reporting Requirements – All Institutions with $500 Million or More in Consolidated Total Assets

Other Reports and Letters Issued by the Independent Public Accountant

Except for the independent public accountant's reports that are included in its Part 363 Annual Report, each institution must file with the FDIC, the appropriate federal banking agency, and any appropriate state bank supervisor a copy of any management letter or other report issued by its independent public accountant with respect to the institution and the audit services provided by the accountant within 15 days after receipt. Such reports include, but are not limited to:

Notice of Engagement, Change, Dismissal, or Resignation of Accountants

Within 15 days after a change in or the dismissal or resignation of an institution's independent public accountant or the engagement of a new independent public accountant, the institution must file written notice with the FDIC, the appropriate federal banking agency, and any appropriate state bank supervisor. Also, within 15 days after the institution's independent public accountant resigns or is dismissed, the independent public accountant must file written notice with the FDIC, the appropriate federal banking agency, and any appropriate state bank supervisor. These written notices should set forth in reasonable detail the reasons for the resignation or dismissal of the institution's independent public accountant.

In this regard, before engaging an independent public accountant, the institution's audit committee should satisfy itself that the independent public accountant is in compliance with the qualifications and other requirements applicable to independent public accountants set forth in Part 363, including the independence standards of the AICPA, the SEC, and the PCAOB, regardless of whether the institution or its parent holding company, if any, is a public company. Also, the audit committee should ensure that engagement letters and any related agreements with the independent public accountant for audit services to be performed under Part 363 do not contain any limitation of liability provisions that: (1) indemnify the independent public accountant against claims made by third parties; (2) hold harmless or release the independent public accountant from liability for claims or potential claims that might be asserted by the client institution, other than claims for punitive damages; or (3) limit the remedies available to the client institution.

Peer Reviews and Inspection Reports

Within 15 days of receiving notification that a peer review has been accepted or a PCAOB inspection report has been issued, or before commencing any audit or attestation service under Part 363, whichever is earlier, an independent public accountant must file two copies of its most recent peer review report and the public portion of its most recent PCAOB inspection report, if any, accompanied by any letters of comments, response, and acceptance, with the FDIC, Accounting and Securities Disclosure Section, 550 17th Street, NW, Washington, DC 20429, if the report has not already been filed. Also, within 15 days of the PCAOB making public a previously nonpublic portion of an inspection report, the independent public accountant must file two copies of the previously nonpublic portion of the inspection report with the FDIC's Accounting and Securities Disclosure Section.

Notification of Late Filing

An institution that is unable to timely file all or any portion of its Part 363 Annual Report or any other report or notice required to be filed by Part 363 must submit a written notice of late filing to the FDIC, the appropriate federal banking agency, and any appropriate state bank supervisor. The notice shall disclose the institution's inability to timely file the report or notice and the reasons for the late filing in reasonable detail and state the date by which the report or notice will be filed. The written notice should be filed on or before the deadline for filing the Part 363 Annual Report or any other required report or notice, as appropriate.

Place for Filing Reports and Notices

Except for the peer review reports and inspection reports discussed above, the Part 363 Annual Report, any written notification of late filing, and any other required report or notice should be filed as follows:

  1. FDIC: Voluntarily file electronically through FDICconnect – Supervisory Business Center. Otherwise, file copies with the appropriate FDIC Division of Risk Management Supervision Regional or Area Office, i.e., the FDIC Regional or Area Office in the FDIC Region or Area that is responsible for monitoring the institution or, in the case of a subsidiary institution of a holding company, the consolidated company. A filing made on behalf of several institutions subject to Part 363 that are owned by the same parent holding company should be accompanied by a transmittal letter identifying all of the institutions within the scope of the filing.
  2. Office of the Comptroller of the Currency (OCC): Appropriate OCC Supervisory Office.
  3. Federal Reserve: Appropriate Federal Reserve District Bank.
  4. State bank supervisor: The filing office of the appropriate state bank supervisor.


[1] For purposes of Part 363, financial reporting encompasses both financial statements prepared in accordance with generally accepted accounting principles and those prepared for regulatory reporting purposes.

[2] See footnote 1.

[3] For periods ending on or after December 15, 2016, auditors of nonpublic banks and nonpublic holding companies must comply with the internal control over financial reporting requirements of Part 363 by performing integrated audits in accordance with Statement on Auditing Standards No. 130.

[4] For example, in the United States, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission has published Internal Control – Integrated Framework, including an addendum on safeguarding assets. Known as the COSO report, this publication provides a suitable and available framework for purposes of management's assessment.

[5] If one or more material weaknesses have been identified, but not remediated, before the institution's fiscal year-end, management must conclude that internal control over financial reporting is ineffective as of year-end.

[6] If one or more material weaknesses have been identified, but not remediated, before the institution's fiscal year-end, the independent public accountant must conclude that internal control over financial reporting is ineffective as of year-end.

[7] As defined in Section 363.1(d)(4) of the FDIC's regulations, a "public company" is an insured depository institution or other company that has a class of securities registered with the U.S. Securities and Exchange Commission or the appropriate Federal banking agency under Section 12 of the Securities Exchange Act of 1934. A "nonpublic company" is an insured depository institution or other company that does not meet the definition of a public company. The term "public company" for purposes of Part 363 is not synonymous with the term "public business entity" as defined in U.S. generally accepted accounting principles.
