Skip Header

Federal Deposit
Insurance Corporation

Each depositor insured to at least $250,000 per insured bank



Home > Regulation & Examinations > Laws & Regulations > FDIC Federal Register Citations




FDIC Federal Register Citations

FDIC Office of Inspector General

DATE:                             September 16, 2005

MEMORANDUM TO:        Robert E. Feldman
                                      Executive Secretary

FROM:                           Russell A. Rau
                                     Assistant Inspector General for Audits

SUBJECT:                Comments on Notice of Proposed Rulemaking, 12 C.F.R. Part 363, Annual Independent Audits and Reporting Requirements  (FDIC, RIN 3064-AC91)

The Office of Inspector General (OIG) provides the following comments for consideration by the Federal Deposit Insurance Corporation (FDIC) on the proposal to amend its regulations concerning annual independent audits and reporting requirements for insured depository institutions with $500 million or more in total assets.

Summary of the Proposed Amendment

In a Financial Institution Letter (FIL-72-2005) dated August 2, 2005, the FDIC issued a proposal to amend Part 363 of the FDIC Rules and Regulations and requested comments by

September 16, 2005.  The regulation’s annual audit and reporting requirements currently apply to insured institutions with $500 million or more in total assets.  Among other things, the current regulation requires each covered institution to:

  • have an annual independent audit of its financial statements,
  • provide a management assessment of the effectiveness of internal control over financial reporting and compliance with designated safety and soundness laws,
  • obtain an independent public accountant’s attestation on management’s assertion concerning internal control over financial reporting, and
  • have an independent audit committee whose members shall be outside directors independent of institution management.

The FDIC is proposing to amend Part 363 for those covered institutions with less than $1 billion in total assets by eliminating the requirements for:

  • management’s assessment of the effectiveness internal control over financial reporting,
  • an independent public accountant’s attestation on management’s internal control assertion, and
  • independence of audit committee members from management.

The amended regulation would continue to require all institutions with $500 million or more in total assets to obtain an annual independent financial statement audit, provide management’s assessment of the institution’s compliance with designated laws and regulations, and have an independent audit committee composed of outside directors.  The amendments are proposed to take effect December 31, 2005 for institutions meeting the asset size threshold on January 1, 2005, thereby reducing the reporting requirements for these institutions starting in 2005.

FDIC’s Rationale for the Amendment

The FDIC’s Director, Division of Supervision and Consumer Protection (DSC), stated in a

June 23, 2005 memorandum to the FDIC Board of Directors that institutions covered by the existing regulation, particularly smaller nonpublic institutions, are experiencing increasing compliance and cost burdens.  These compliance obligations are growing considerably as a result of the Sarbanes-Oxley Act, the Securities and Exchange Commission’s (SEC) implementing rules, new auditing standards, and expected revisions in attestation standards.  The FDIC staff has observed that compliance with the audit and reporting requirements of Part 363 has and will continue to become more burdensome and costly, particularly for smaller nonpublic, covered institutions.  The FDIC staff believes that relieving smaller covered institutions from the burden of internal control assessments while retaining the financial statement audit and other reporting requirements for all institutions with $500 million or more in total assets would strike an appropriate balance in accomplishing the objective of Part 363.  Additionally, regulatory examinations would continue to evaluate internal control and consider its adequacy as a factor in rating institution management, and external audits of an institution’s financial statements would continue to assess internal control risk and report certain internal control matters to the audit committee.

The DSC Director further stated that the FDIC staff has observed that a number of smaller covered institutions have encountered difficulty in satisfying the independent audit committee requirement.  To comply with this requirement, these institutions must identify and attract qualified individuals in their communities who would be willing to become a director and audit committee member and who would be independent of management.  To relieve this burden, but also recognize that the FDIC has long held that individuals who serve as directors of any insured depository institution should be persons of independent judgment, the FDIC staff is proposing to amend Part 363 to increase the asset size threshold from $500 million to $1 billion.  The proposed amendment would continue to require that an audit committee be composed of outside directors for institutions with $500 million to $1 billion in assets.  An outside director is defined as an individual who is not, and within the preceding year has not been, an officer or employee of the institution or any affiliate of the institution.  This proposed amendment to the audit committee requirement would allow an outside director who is, for example, a consultant or legal counsel to the institution, a relative of an officer or employee of the institution or its affiliates, or the owner of 10 percent or more of the stock of the institution, to serve as an audit committee member.

SEC Rule Covers Public Insured Institutions

The FDIC points out that the proposed amendment to Part 363 would not relieve insured depository institutions that are public companies or subsidiaries of public companies, regardless of size, of their obligation to comply with the internal control assessment requirements imposed by Section 404 of the Sarbanes-Oxley Act.  The SEC’s Final Rule: Management's Report on Internal Control over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports contains requirements that are similar to the FDIC’s Part 363 regarding assessing and reporting on the effectiveness of internal control over financial reporting.  Therefore many of the institutions that would be provided partial relief from compliance with the internal control assessment requirements of Part 363 must comply with similar requirements in the SEC’s regulations.

OIG’s Comments on the Proposed Amendment

As of September 12, 2005, 8,888 institutions were insured by the FDIC.  The table reflects the change in the number of covered financial institutions as a result of the proposed amendment.

Institutions Fully Subject to Part 363 (Current and Proposed Threshold)

Subject to Part 363

Current Threshold
$500 Million or More

Proposed Threshold
$1 Billion or More

Number of covered institutions

1,184

603

As a percent of total insured institutions

13.3%

6.8%

     Source:  FDIC online resources.

If the proposed amendment was implemented at this time, the number of institutions covered by Part 363 would be reduced by 581 institutions, or by 49 percent.  If the proposed amendment is placed into effect, DSC should notify its examiners that these institutions may pose a higher degree of risk that should be considered in risk-scoping examinations.

Performance Ratings of Covered Institutions 

Of the 581 institutions that would not be fully covered by Part 363, 16 institutions have a less than satisfactory rating.  Specifically, 11 of these institutions have a composite safety and soundness rating of 3, and the other 5 institutions have a 4 rating.  In addition, over the last several months, as many as 15 other institutions had a component Management rating of 3, with a composite rating of 2.

The condition and/or management of these institutions is not fully satisfactory; therefore, it would be prudent for the FDIC to exclude these institutions from the relief offered by the proposed amendment.  Also, for those covered institutions that subsequently receive a composite or component Management rating of 3 or worse, the FDIC should require full compliance with Part 363, reinstating the requirements for the internal control assessment and attestation over financial reporting and the requirement that audit committee members be independent of management.   Full compliance with the requirements of Part 363 provides further protection to the deposit insurance funds in cases where the safety and soundness of the institution is not fully satisfactory.

The adequacy of internal control over financial reporting and the independence of the audit committee is of great importance when an institution is not in satisfactory condition.  In reviewing past failures of insured institutions, the OIG has observed that weak corporate governance, including financial reporting problems and the lack of independence of the board from institution management, is often a factor in the failure of these institutions and material losses to the insurance funds.*  Specifically, the OIG has reported that, in some cases: 

  • deficiencies by boards of directors directly led to failures, including the emergence of a dominant person as well as internal control and audit deficiencies;
  • internal control and audit deficiencies at failed institutions have included inadequate interaction between management, internal auditors, and external auditors, and institution management did not implement and maintain a control environment that promoted risk management in operations; and
  • external audits of these institutions did not fairly, accurately, and promptly identify the actual financial condition of the institutions, and the external auditors did not provide a written report of internal control weaknesses to the audit committee.

Additionally, the OIG observed that an inattentive or passive board of directors is a precursor to most problems.  Maintaining the full requirements of Part 363 for less than satisfactory institutions would help to address these potential concerns and mitigate the possibility of institution failure. 

Conclusion

The FDIC’s proposed amendment to Part 363 could relieve about 600 insured financial institutions of certain audit and reporting requirements.  However, for public institutions with total assets of $500 million or more, the proposed amendment to Part 363 would provide relief only from the requirement that audit committee members be independent of management, because the SEC’s comparable rule includes assessment and reporting requirements for internal control over financial reporting.  Additionally, the requirements for annual financial statement audits and outside director membership in the audit committee would still apply to all institutions with assets of $500 million or more.  Nevertheless, if the proposed amendment is placed into effect, DSC should notify its examiners that these institutions may pose a higher degree of risk that should be considered in risk-scoping examinations.

Furthermore, some of the institutions otherwise eligible for the reduced requirements may be rated less than satisfactory; therefore, the OIG recommends that the FDIC require these institutions to comply with the full requirements of Part 363.


* OIG Audit Report Number 04-004, Observations from FDIC OIG Material Loss Reviews Conducted 1993 through 2003, dated January 22, 2004.
 


Last Updated 09/19/2005 Regs@fdic.gov

Skip Footer back to content