Federal Deposit Insurance Act; implementation: Annual independent audits and reporting requirements,

[Federal Register: November 28, 2005 (Volume 70, Number 227)]

[Rules and Regulations]

[Page 71226-71233]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr28no05-4]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 363

RIN 3064-AC91

Independent Audits and Reporting Requirements

AGENCY: Federal Deposit Insurance Corporation (FDIC).

ACTION: Final rule.

SUMMARY: The FDIC is amending part 363 of its regulations concerning annual independent audits and reporting requirements, which implement section 36 of the Federal Deposit Insurance Act (FDI Act), as proposed, but with modifications to the composition of the audit committee and the effective date. The FDIC's amendments raise the asset-size threshold from $500 million to $1 billion for internal control assessments by management and external auditors. For institutions between $500 million and $1 billion in assets, the amendments require the majority, rather than all, of the members of the audit committee, who must be outside directors, to be independent of management and create a hardship exemption. The amendments also make certain technical changes to part 363 to correct outdated titles, terms, and references in the regulation and its appendix. As required by section 36, the FDIC has consulted with the other federal banking agencies.

Effective Date: The final rule is effective December 28, 2005 and applies to part 363 annual reports with a filing deadline (90 days after the end of an institution's fiscal year) on or after the effective date of these amendments.

FOR FURTHER INFORMATION CONTACT: Harrison E. Greene, Jr., Senior Policy Analyst (Bank Accounting), Division of Supervision and Consumer Protection, at hgreene@fdic.gov or (202) 898-8905; or Michelle Borzillo, Counsel, Supervision and Legislation Section, Legal Division, at mborzillo@fdic.gov or (202) 898-7400.

SUPPLEMENTARY INFORMATION:

  1. Background

    Section 112 of the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) added section 36, ``Early Identification of Needed Improvements in Financial Management,'' to the FDI Act (12 U.S.C. 1831m). Section 36 is generally intended to facilitate early identification of problems in financial management at insured depository institutions above a certain asset size threshold (covered institutions) through annual independent audits, assessments of the effectiveness of internal control over financial reporting and compliance with designated laws and regulations, and related requirements. Section 36 also includes requirements for audit committees at these insured depository institutions. Section 36 grants the FDIC discretion to set the asset size threshold for compliance with these statutory requirements, but it states that the threshold cannot be less than $150 million. Sections 36(d) and (f) also obligate the FDIC to consult with the other Federal banking agencies in implementing these sections of the FDI Act, and the FDIC has performed that consultation requirement.

    Part 363 of the FDIC's regulations (12 CFR part 363), which implements section 36 of the FDI Act, requires each covered institution to submit to the FDIC and other appropriate Federal and state supervisory agencies an annual report that includes audited financial statements, a statement of management's responsibilities, assessments by management of the effectiveness of internal control over financial reporting and compliance with designated laws and regulations, and an auditor's attestation report on internal control over financial reporting. In addition, part 363 provides that each covered institution must establish an independent audit committee of its board of directors comprised of outside directors who are independent of management of the institution. Part 363 also includes Guidelines and Interpretations (Appendix A to part 363), which are intended to assist institutions and independent public accountants in understanding and complying with section 36 and part 363.

    When it adopted part 363 in 1993, the FDIC stated that it was setting the asset size threshold at $500 million rather than the $150 million specified in section 36 to mitigate the financial burden of compliance with section 36 consistent with safety and soundness. In selecting $500 million in total assets as the size threshold, the FDIC noted that approximately 1,000 of the then nearly 14,000 FDIC-insured institutions would be subject to part 363. These covered institutions held approximately 75 percent of the assets of insured institutions at that time. By imposing the audit, reporting, and audit committee requirements of part 363 on institutions with this percentage of the industry's assets, the FDIC intended to ensure that the Congress's objectives for achieving sound financial management at insured institutions when it enacted section 36 would be focused on those

    [[Page 71227]]

    institutions posing the greatest potential risk to the insurance funds administered by the FDIC. Today, due to consolidation in the banking and thrift industry and the effects of inflation, more than 1,150 of the 8,900 insured institutions have $500 million or more in total assets and are therefore subject to part 363. These covered institutions hold approximately 90 percent of the assets of insured institutions.

  2. Discussion of Proposed Amendments

    On July 19, 2005, the FDIC's Board approved the publication of proposed amendments to part 363 of the FDIC's regulations, which were published in the Federal Register on August 2, 2005, for a 45-day comment period (70 FR 44293). The comment period closed on September 16, 2005. As more fully discussed below, the FDIC proposed to raise the asset-size threshold in part 363 from $500 million to $1 billion for internal control assessments by management and external auditors and for the members of the audit committee, who must be outside directors, to be independent of management. The FDIC also proposed to make certain technical changes to part 363 to correct outdated titles, terms, and references in the regulation and its appendix. As proposed, the effective date of these amendments was to be December 31, 2005.

    In its proposal, the FDIC also noted that it had identified other aspects of part 363 that may warrant revision in light of changes in the industry and the passage of the Sarbanes-Oxley Act of 2002. However, the FDIC stated that it had decided to proceed first with the proposed amendments to the asset-size threshold in part 363 in order to reduce compliance burdens and expenses for affected institutions in 2005. These further revisions to part 363 are expected to be proposed as soon as practicable.

    1. Increasing the Asset Size Threshold for Internal Control Assessments

      An effective internal control structure is critical to the safety and soundness of each insured institution. Given its importance, internal control is evaluated as part of the supervision of individual institutions and its adequacy is a factor in the management rating assigned to an institution. Furthermore, in the audit of an institution's financial statements, the external auditor must obtain an understanding of internal control, including assessing control risk, and must report certain matters regarding internal control to the institution's audit committee.

      An institution subject to part 363 has the added requirement that its management perform an assessment of the internal control structure and procedures for financial reporting and that its external auditor examine, attest to, and report on management's assertion concerning the institution's internal control over financial reporting. For purposes of these internal control provisions of part 363, the FDIC has advised covered institutions that the term ``financial reporting'' includes both financial statements prepared in accordance with generally accepted accounting principles and those prepared for regulatory reporting purposes.\1\ Until year-end 2004, external auditors performed their internal control assessments in accordance with an attestation standard issued by the American Institute of Certified Public Accountants (AICPA) known as ``AT 501.''

      \1\ See FDIC Financial Institution Letter (FIL) 86-94, dated December 23, 1994. FIL-86-94 indicates that financial statements prepared for regulatory reporting purposes encompass the schedules equivalent to the basic financial statements in an institution's appropriate regulatory report, e.g., the bank Reports of Condition and Income and the Thrift Financial Report.

      The Sarbanes-Oxley Act was enacted into law on July 30, 2002. Section 404 of this Act imposes a requirement for internal control assessments by the management and external auditors of all public companies that is similar to the FDICIA requirement. The Securities and Exchange Commission's (SEC) rules implementing these requirements took effect at year-end 2004 for ``accelerated filers,'' i.e., generally, public companies whose common equity has an aggregate market value of at least $75 million, but they will not take effect until 2007 for ``non-accelerated filers.'' For the section 404 auditor attestations, the Public Company Accounting Oversight Board's (PCAOB) Auditing Standard No. 2 (AS 2) applies. AS 2 replaces the AICPA's AT 501 internal control attestation standard for public companies, but AS 2 does not apply to nonpublic companies. The SEC's section 404 rules for management and the provisions of AS 2 for section 404 audits of internal control establish more robust documentation and testing requirements than those that have been applied by covered institutions and their auditors to satisfy the internal control reporting requirements in part 363.

      For internal control attestations of nonpublic companies, the AICPA is currently developing proposed revisions to AT 501 that are expected to bring it closer into line with the provisions of AS 2. The revisions also are likely to have the effect of requiring greater documentation and testing of internal control over financial reporting by an institution's management in order for the auditor to perform his or her attestation work.

      As the environment has changed and continues to change since the enactment of the Sarbanes-Oxley Act, the FDIC has observed that compliance with the audit and reporting requirements of part 363 has and will continue to become more burdensome and costly, particularly for smaller nonpublic covered institutions. Thus, the FDIC reviewed the current asset size threshold for compliance with part 363 in light of the discretion granted by section 36 that permits the FDIC to determine the appropriate size threshold (at or above $150 million) at which insured institutions should be subject to the various provisions of section 36. Based on this review, the FDIC proposed to amend part 363 to increase the asset size threshold for internal control assessments by management and external auditors from $500 million to $1 billion. Raising the threshold to $1 billion would achieve meaningful burden reduction without sacrificing safety and soundness.

      In reaching this decision, the FDIC concluded that raising the $500 million asset size threshold to $1 billion and exempting all institutions below this higher size level from all of the reporting requirements of part 363 would not be consistent with the objective of the underlying statute, i.e., early identification of needed improvements in financial management. In contrast, the FDIC believes that relieving smaller covered institutions from the burden of internal control assessments, while retaining the financial statement audit and other reporting requirements for all institutions with $500 million or more in total assets, strikes an appropriate balance in accomplishing this objective. By raising the size threshold for internal control assessments to $1 billion, about 600 of the largest insured institutions with approximately 86 percent of industry assets would continue to be covered by the internal control reporting requirements of part 363. At the same time, the managements of all covered institutions would remain responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and all institutions with $500 million or more in total assets would continue to include a statement to that effect in their part 363 annual report.

      [[Page 71228]]

    2. Composition of the Audit Committee

      Currently, part 363 requires each covered institution to establish an independent audit committee of its board of directors, comprised of outside directors who are independent of management of the institution. The duties of the audit committee include reviewing with management and the institutions' independent public accountant the basis for the reports included in the part 363 annual report submitted to the FDIC and other appropriate Federal and state supervisory agencies. The FDIC's Guidelines to part 363 provide that, at least annually, the board of directors of a covered institution should determine whether all existing and potential audit committee members are ``independent of management of the institution.'' The guidelines also describe factors to consider in making this determination.\2\

      \2\ See Guidelines 27 through 29 of Appendix A to part 363.

      Section 36 provides that an appropriate federal banking agency may grant a hardship exemption to a covered institution that would permit its independent audit committee to be made up of less than all, but no fewer than a majority of, outside directors who are independent of management. To grant the exemption, the agency must find that the institution has encountered hardships in retaining and recruiting a sufficient number of competent outside directors.

      Notwithstanding this exemption provision of section 36, the FDIC has observed that a number of smaller covered institutions, particularly those with few shareholders that have recently exceeded $500 million in total assets and become subject to part 363, have encountered difficulty in satisfying the independent audit committee requirement. To comply with this requirement, these institutions must identify and attract qualified individuals in their communities who would be willing to become a director and audit committee member and who would be independent of management.

      To relieve this burden, but also recognizing that the FDIC has long held that individuals who serve as directors of any insured depository institution should be persons of independent judgment, the FDIC proposed to amend part 363 to increase from $500 million to $1 billion the asset size threshold for requiring audit committee members to be independent of management. Conforming changes were also proposed to be made to Guidelines 27-29 of Appendix A to part 363. Each insured depository institution with total assets of $500 million or more but less than $1 billion would continue to be required to have an audit committee comprised of outside directors. Consistent with Guideline 29 of Appendix A to part 363, an outside director would be defined as an individual who is not, and within the preceding year has not been, an officer or employee of the institution or any affiliate of the institution.

      The proposed amendment to the audit committee requirements for institutions with between $500 million and $1 billion in total assets would allow an outside director who is, for example, a consultant or legal counsel to the institution, a relative of an officer or employee of the institution or its affiliates, or the owner of 10 percent or more of the stock of the institution to serve as an audit committee member. Nevertheless, the FDIC indicated in the proposal that it would encourage each institution with between $500 million and $1 billion in assets to make a reasonable good faith effort to establish an audit committee of outside directors who are independent of management.

  3. Comments Received on Proposed Amendments

    In response to its August 2, 2005, request for comment on the proposed amendments to part 363, the FDIC received comment letters from 28 different respondents \3\: 15 banking and thrift organizations, 7 bankers' associations, 3 accountants and accounting firms, the Conference of State Bank Supervisors (CSBS), the FDIC's Office of Inspector General (FDIC-OIG), and one other party. Generally, the comment letters expressed support for the proposed amendments. All but one of the respondents favored the proposal to increase the asset-size threshold for internal control assessments by management and external auditors to $1 billion. As for the proposed increase to $1 billion in the asset-size threshold for the members of the audit committee, who must be outside directors, to be independent of management, 24 of the 28 respondents supported this aspect of the proposal, two respondents opposed it, and two respondents did not directly comment on it. Respondents also raised a number of other issues.

    \3\ The FDIC received 58 comment letters, which included 20 identical letters from individuals at one institution and 12 identical letters from individuals at another institution.

    The CSBS commented on the proposed change in the audit committee provisions of part 363 for institutions with $500 million to $1 billion in assets. The CSBS, on behalf of state banking departments, stated that there is value in maintaining a significant level of independence when fulfilling the important role of an audit committee member. Although it saw benefit in alleviating some of the burden of a fully independent audit committee, for safety and soundness considerations, the CSBS recommended that the chairman and a majority of the audit committee members at institutions in the $500 million to $1 billion asset size range be required to be independent of management rather than allowing all of the outside directors on the audit committee not to be independent of management.

    Five other commenters concurred with the FDIC's observation that some smaller covered institutions have encountered difficulty in establishing an audit committee, all of whose members are independent of management. In this regard, the CSBS's comment letter also acknowledged the difficulties in attaining and keeping a fully independent audit committee, especially in smaller rural communities.

    Individuals who serve as directors of insured institutions, whether or not they serve on the audit committee, are expected to be persons of independent judgment. In this regard, under the Uniform Financial Institutions Rating System (62 FR 752, January 6, 1997), a factor that the federal banking agencies' examiners assess when they evaluate the capability and performance of an institution's management and board of directors for purposes of assigning an appropriate Management component rating is the extent to which the management and board members are affected by, or susceptible to, dominant influence or concentration of authority. Hence, the agencies' examination staffs are cognizant of the heightened level of risk presented by the existence of a dominant officer, whether or not outside directors, including those on the audit committee, are independent of management.

    After carefully considering the CSBS's recommendation, the FDIC has decided to amend the proposal to require that a majority of the audit committee members of institutions with $500 million to $1 billion in assets, all of whom must be outside directors, be independent of management. In addition, in recognition of the difficulties that some individual institutions in this size range may have in attaining such an audit committee, the final rule will provide an exemption under which an appropriate Federal banking agency may, by order or regulation, permit the audit committee of such an institution to be made up of

    [[Page 71229]]

    less than a majority of outside directors who are independent of management, if the agency determines that the institution has encountered hardships in retaining and recruiting a sufficient number of competent outside directors to serve on the audit committee of the institution. The FDIC believes that this change to its proposal strikes an appropriate balance of reducing regulatory burden without jeopardizing safety and soundness.

    Another commenter who addressed the audit committee portion of the proposal suggested that the FDIC's recommendation that institutions make a ``reasonable good faith effort'' to establish an audit committee of outside directors who are independent of management was vague and should be deleted from the proposal. This commenter added that, if the recommendation were not deleted, the FDIC should include a definition of, or list of criteria that would constitute, a ``reasonable good faith effort'' and provide guidance on how an institution should document that it has undertaken such an effort. While the FDIC encourages each institution with between $500 million and $1 billion in assets to make a reasonable good faith effort to establish an audit committee comprised entirely of outside directors who are independent of management, each institution faces a unique set of circumstances when it seeks to attract competent individuals to be outside directors who would be willing to serve on its audit committee. Because a list of criteria that would constitute evidence of a ``reasonable good faith effort'' could not consider all of the situations in which institutions engaging in such a search might find themselves, the FDIC has chosen not to restrict institutions and itself to a specific list.

    In its comment letter on the proposal, the FDIC-OIG recommended that insured institutions with total assets of $500 million or more, but less than $1 billion, that have or receive either a composite rating or Management component rating of 3, 4, or 5, i.e., 3 or lower, under the Uniform Financial Institutions Rating System (also known as the CAMELS rating system) be required to comply with all of the requirements of Part 363 rather than being provided the proposed relief for institutions in this size range. The FDIC-OIG indicated that, as of September 12, 2005, 16 insured institutions with $500 million to $1 billion in assets had less than a satisfactory composite CAMELS rating. Specifically, 11 institutions had a composite rating of 3 and 5 institutions had a 4 rating. The FDIC-OIG also noted that, over the last several months, 15 other insured institutions in this size range with a composite rating of 2 had a Management component rating of 3.

    The FDIC-OIG indicated that, in reviewing past failures of insured institutions, it had observed that weak corporate governance, including financial reporting problems and the lack of independence of the board of directors from institution management, was often a factor in the failure of these institutions and contributed to material losses ($25 million or more) to the deposit insurance funds administered by the FDIC. The FDIC-OIG also stated that maintaining the full requirements of part 363 for less than satisfactory institutions would help to address potential concerns about deficiencies by the board of directors and in internal control, internal audit, and external audit and thereby mitigate the possibility of institution failure.

    As defined in the Uniform Financial Institutions Rating System, institutions with a composite rating of 2 are fundamentally sound. There are no material supervisory concerns and, as a result, the supervisory response is informal and limited. Institutions with a composite rating of 3 exhibit some degree of supervisory concern in one or more of the six component areas (Capital Adequacy, Asset Quality, Management, Earnings, Liquidity, and Sensitivity to Market Risk). These financial institutions require more than normal supervision, which may include formal or informal enforcement actions. Failure appears unlikely, however, given the overall strength and financial capacity of these institutions. Institutions with a composite rating of 4 generally exhibit unsafe and unsound practices or conditions. There are serious financial or managerial deficiencies that result in unsatisfactory performance. Failure is a distinct possibility if the problems and weaknesses are not satisfactorily addressed and resolved. Institutions with a composite rating of 5 exhibit extremely unsafe and unsound practices or conditions and a critically deficient performance. They are of the greatest supervisory concern and ongoing supervisory attention is necessary. These institutions pose a significant risk to the deposit insurance funds and failure is highly probable.

    A Management component rating of 3 indicates management and board performance that need improvement or risk management practices that are less than satisfactory given the nature of the institution's activities. The capabilities of management or the board of directors may be insufficient for the type, size, or condition of the institution. Problems and significant risks may be inadequately identified, measured, monitored, or controlled by management. Because management's ability to respond to changing circumstances and address risks is an important factor in evaluating an institution's overall risk profile and the level of supervisory attention that should be devoted to an institution, the Management component is given special consideration when assigning the institution's composite rating.

    Institutions that have a composite rating of 3 or lower are already subject to increased supervisory scrutiny and are normally subject to formal or informal supervisory actions (e.g., Memorandum of Understanding or Cease and Desist Order) to address the need for corrective actions for weaknesses and deficiencies cited in reports of examination or otherwise identified through supervisory oversight. In reviewing the institutions cited in the FDIC-OIG's comment letter, the FDIC notes that all of the institutions with a composite rating of 3 or lower are subject to formal and/or informal supervisory actions and all of the institutions with a composite rating of 2 and a Management component rating of 3 or lower are subject to supervisory actions. The FDIC further notes that approximately half of these institutions are public companies or subsidiaries of public companies that are subject to the filing and reporting requirements of the Federal securities laws as implemented by the SEC.

    The examination staffs of the FDIC and the other Federal banking agencies look to the assessments by management of internal control over financial reporting and the independent auditors' attestation reports on those assessments as one source of information on the existence of any significant deficiencies and material weaknesses in this internal control structure. Nevertheless, the agencies' examiners are expected to perform their own evaluation of an institution's internal control environment and audit programs when determining the condition of the institution and the need for and degree of any supervisory action. Moreover, the examiners' assessment of the internal control environment encompasses not only internal control over financial reporting, but also internal control as it relates to the effectiveness and efficiency of the institution's operations and to its compliance with laws and regulations.

    The agencies' examination staffs consider many factors in determining an institution's composite rating and

    [[Page 71230]]

    individual component ratings, including the Management component. While these factors include the capability and performance of management and the board of directors (including the board's committees such as the audit committee), they also include the adequacy of, and conformance with, appropriate internal policies and controls addressing the operations and risks of significant activities; the accuracy, timeliness, and effectiveness of management information and risk monitoring systems; the adequacy of audits and internal control, including internal control over financial reporting; compliance with laws and regulations; and the overall performance of the institution and its risk profile.

    As a consequence, when an institution is assigned a composite rating or a Management component rating of 3 or lower, its Federal banking agency's supervisory response, which may include formal or informal enforcement actions, is tailored to the specific weaknesses, deficiencies, and problems identified by the examination staff and seeks appropriate and timely corrective action by management and the board of directors. The factors contributing to such a less than satisfactory rating may or may not have included ineffective internal control over financial reporting and/or unacceptable audit committee oversight and performance. In this regard, although the FDIC-OIG reported in its comment letter that 15 institutions with $500 million to $1 billion in assets had recently been assigned a composite rating of 2 and a Management component rating of 3, the majority of these institutions received this Management rating for reasons unrelated to deficiencies in internal control over financial reporting (e.g., the reasons were related to compliance with the Bank Secrecy Act). Nevertheless, in those cases where examiners detect such internal control deficiencies at an institution with $500 million to $1 billion in assets, if it is deemed necessary and appropriate for addressing these deficiencies, the supervisory response by the institution's Federal banking agency could include a requirement for management to perform an assessment of internal control over financial reporting and for the external auditor to attest to management's assertion or for the external auditor to report directly on internal control over financial reporting.

    Given that each institution with $500 million to $1 billion in assets with a composite rating or Management component rating of 3 or lower is receiving closer than normal supervisory attention focused on identified problem areas, imposing additional requirements for internal control assessments by management and the external auditor and for the replacement of all audit committee members who are not independent of management would levy burdens on all such institutions, regardless of whether this burden would address weaknesses identified in a given institution. However, as previously noted, the FDIC believes that, in response to comments from the CSBS, amending the proposal to require a majority of the audit committee members to be independent of management strikes an appropriate balance between reducing regulatory burden and maintaining safety and soundness.

    Additionally, as a practical matter, CAMELS ratings often change during the year as a result of examination findings or other supervisory oversight. The FDIC-OIG's recommendation would subject institutions to uncertainty if the subject provisions of part 363 would apply immediately during any given year in which an institution's composite or Management component rating fell to 3 or lower. If applied in the year following receipt of the 3 or lower rating, the recommendation would often result in requiring compliance with the subject provisions of part 363 after the institution had corrected its problems and obtained a higher composite or Management rating. The first of these approaches would be difficult, at best, to plan for and implement on a timely basis, while the alternative (lagging) approach would often impose burden after (the often unrelated) problems had been addressed.

    Furthermore, under the proposed amendments to part 363, each institution with $500 million to $1 billion in assets must continue to undergo an annual audit of its financial statements. In a financial statement audit, the external auditor must obtain an understanding of internal control and must report certain matters regarding internal control to the institution's audit committee. In this regard, on September 1, 2005, the AICPA Auditing Standards Board issued a proposed Statement on Auditing Standards (SAS) on the ``Communication of Internal Control Related Matters Noted in an Audit'' that will supersede its current SAS on this topic, which is known as ``SAS 60.'' The comment period for this auditing proposal ended on October 31, 2005, with the final standard expected in the first quarter of 2006. Among other things, the proposed SAS requires the auditor to communicate, in writing, to management and those charged with governance (the board of directors and/or the audit committee) significant deficiencies and material weaknesses in internal control of which the auditor becomes aware. Under current SAS 60, the auditor should report such deficiencies and weaknesses to the audit committee, preferably in writing, but oral communication of this information is also permitted. As proposed, the improved communication provisions in the SAS would be effective for audits of financial statements for periods ending on or after December 15, 2006. Part 363 requires covered institutions, regardless of size, to submit copies of reports related to their audits that are issued by their external auditors, including these written reports on significant weaknesses and material weaknesses, to the FDIC and other appropriate Federal and state supervisory agencies.

    After fully considering the FDIC-OIG's comment and the agencies' supervisory tools and processes for evaluating the soundness of institutions, identifying institutions exhibiting financial and operational weaknesses or adverse trends, and focusing appropriate supervisory attention on such institutions, the FDIC has decided not to revise its proposed increase in the asset-size threshold in the manner proposed by the FDIC-OIG and accord a different treatment to institutions with $500 million to $1 billion in assets that have a composite rating or Management component rating of 3 or lower. However, the FDIC believes that the change to the composition of the audit committee that it is making in response to the comments from the CSBS, which will require a majority of the members of the audit committee, who must be outside directors, to be independent of management, will help to address the FDIC-OIG's concerns about deficiencies in the performance of the board and audit committee of institutions with less than satisfactory ratings.

    Six commenters urged the FDIC to approve the proposed amendments to part 363 as soon as feasible because many procedures related to the assessment of internal control over financial reporting are addressed prior to an institution's fiscal year-end, particularly in the fourth fiscal quarter. These commenters further recommended that the FDIC either change the effective date of the amendments from December 31, 2005, as proposed, to September 30, 2005, or grant an institution's primary Federal regulator the authority to waive the 2005 internal control assessment requirements for institutions with total assets of $500 million or more but less

    [[Page 71231]]

    than $1 billion that have fiscal year-ends other than December 31. The FDIC concurs with these commenters' suggestion concerning the effective date and, in response, is changing the effective date of the amendments to part 363 from December 31, 2005, to December 28, 2005. The final rule will apply to part 363 annual reports with a filing deadline (90 days after the end of an institution's fiscal year) on or after the effective date of these amendments.

    Four commenters recommended that the $1 billion asset-size threshold be tied to an index that would automatically increase the threshold annually. For reasons of practicality and to provide certainty to institutions concerning the size at which full compliance with part 363 is required, the FDIC has decided not to adopt this indexing recommendation.

    The FDIC also received several recommendations from commenters that are outside the scope of the proposed amendments to part 363 and, accordingly, the FDIC has decided not to implement these recommendations as part of the final rule. These comments included the following: (1) Increase the asset size threshold for applying the SEC independence rules to external auditors, (2) have the FDIC adopt its own independence rules for external auditors, (3) enhance the FDIC's review of external audit reports, (4) make the standards for performing audits of internal control over financial reporting the same for both public and non-public companies, and (5) establish a fraud hotline for both examiners and bank employees.

  4. Final Rule

    The FDIC has considered the comments received on its proposed amendments to part 363 and is adopting the amendments as proposed, but with modifications to the composition of the audit committee and the effective date. This final rule raises the asset-size threshold from $500 million to $1 billion for internal control assessments by management and external auditors. For institutions between $500 million and $1 billion in assets, it also requires the majority, rather than all, of the members of the audit committee, who must be outside directors, to be independent of management and creates a hardship exemption. In addition, the final rule makes certain technical changes to part 363 to correct outdated titles, terms, and references in the regulation and its appendix.

    This final rule takes effect December 28, 2005, not on December 31, 2005, as proposed, and it applies to part 363 annual reports with a filing deadline \4\ on or after the rule's effective date. For example, for insured institutions (both public and non-public) with fiscal years that ended on September 30, 2005, or that will end on December 31, 2005, that had $500 million or more in total assets, but less than $1 billion in total assets, at the beginning of the fiscal year, the final rule means that the part 363 annual report that these institutions must submit to the FDIC and other appropriate Federal and state supervisory agencies within 90 days after the end of the fiscal year needs to include only audited financial statements, statements of management's responsibilities, management's assessment of the institution's compliance with designated laws and regulations, and an auditor's report on the financial statements.

    \4\ Under section 363.4(a), an institution's filing deadline is 90 days after the end of the institution's fiscal year.

    For insured depository institutions that are public companies or subsidiaries of public companies, regardless of size, the FDIC's amendments to part 363 do not relieve public companies of their obligation to comply with the internal control assessment requirements imposed by section 404 of the Sarbanes-Oxley Act in accordance with the effective dates for compliance set forth in the SEC's implementing rules.

    Nevertheless, the FDIC reminds insured institutions with $1 billion or more in total assets that are public companies or subsidiaries of public companies that they have considerable flexibility in determining how best to satisfy the internal control assessment requirements in the SEC's section 404 rules and the FDIC's part 363. As indicated in the preamble to the SEC's section 404 final rule release, the FDIC (and the other Federal banking agencies) agreed with the SEC that insured depository institutions that are subject to both part 363 (as well as holding companies permitted under the holding company exception in part 363 to file an internal control report on behalf of their insured depository institution subsidiaries) and the SEC's rules implementing section 404 can choose either of the following two options:

    They can prepare two separate reports of management on the institution's or the holding company's internal control over financial reporting to satisfy the FDIC's part 363 requirements and the SEC's section 404 requirements; or

    They can prepare a single report of management on internal control over financial reporting that satisfies both the FDIC's requirements and the SEC's requirements.\5\

    \5\ Footnote 117 in the preamble to the SEC's section 404 final rule releases states that ``[a]n insured depository institution subject to both the FDIC's [internal control assessment] requirements and our new requirements [i.e., a public depository institution] choosing to file a single report to satisfy both sets of requirements will file the report with its primary Federal regulator under the Exchange Act and the FDIC, its primary Federal regulator (if other than the FDIC), and any appropriate state depository institution supervisor under part 363 of the FDIC's regulations. A [public] holding company choosing to prepare a single report to satisfy both sets of requirements will file the report with the [Securities and Exchange] Commission under the Exchange Act and the FDIC, the primary Federal regulator of the insured depository institution subsidiary subject to the FDIC's requirements, and any appropriate state depository institution supervisor under part 363.''

    For more complete information on these two options, institutions (and holding companies) should refer to section II.H.4. of the preamble to the SEC's section 404 final rule release (68 FR 36648, June 18, 2003).

    Paperwork Reduction Act

    This regulation contains modifications to a collection of information that have been reviewed and approved by the Office of Management and Budget under control number 3064-0113, pursuant to the Paperwork Reduction Act (44 U.S.C. 3501 et seq.). The primary modification increases the asset size threshold for compliance with certain reporting requirements in part 363.

    The estimated reporting burden for the collection of information under part 363 is 65,612 hours per year.

    Number of Respondents: 5,243.

    Total Annual Responses: 15,684.

    Total Annual Burden Hours: 65,612.

    Regulatory Flexibility Act

    The Regulatory Flexibility Act requires that each Federal agency either certify that a proposed rule would not, if adopted in final form, have a significant economic impact on a substantial number of small entities or prepare an initial regulatory flexibility analysis of the proposal and publish the analysis for comment. See 5 U.S.C. 603, 605. The Small Business Administration (SBA) defines small banks as those with less than $150 million in assets. Because this rule expressly exempts insured depository institutions having assets of less than $500 million, it is inapplicable to small entities as defined by the SBA. Therefore, it is certified that this proposed rule would not have a significant economic impact on a substantial number of small entities.

    [[Page 71232]]

    Small Business Regulatory Enforcement Fairness Act

    The Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA) (Title II, Pub. L. 104-121) provides generally for agencies to report rules to Congress and the General Accounting Office (GAO) for review. The reporting requirement is triggered when a Federal agency issues a final rule. The FDIC will file the appropriate reports with Congress and the GAO as required by SBREFA. The Office of Management and Budget has determined that the rule does not constitute a ``major rule'' as defined by SBREFA.

    List of Subjects in 12 CFR Part 363

    Accounting, Administrative practice and procedure, Banks, Banking, Reporting and recording keeping requirements.

    0 For the reasons set forth in the preamble, the Board of Directors of the FDIC hereby amends part 363 of title 12, chapter III, of the Code of Federal Regulations as follows:

    PART 363--ANNUAL INDEPENDENT AUDITS AND REPORTING REQUIREMENTS

    0 1. The authority citation for part 363 continues to be read as follows:

    Authority: 12 U.S.C. 1831m.

    0 2. Section 363.1 is amended by revising paragraph (b)(2)(ii)(B) to read as follows:

    Sec. 363.1 Scope.

    * * * * *

    (b) * * *

    (2) * * *

    (ii) * * *

    (B) Total assets of $5 billion or more and a composite CAMELS rating of 1 or 2. * * * * *

    0 3. Section 363.2(b) is amended by revising paragraph (b)(2) and adding paragraph (b)(3) to read as follows:

    Sec. 363.2 Annual reporting requirements.

    * * * * *

    (b) * * *

    (2) An assessment by management of the institution's compliance with such laws and regulations during such fiscal year; and

    (3) For an institution with total assets of $1 billion or more at the beginning of such fiscal year, an assessment by management of the effectiveness of such internal control structure and procedures as of the end of such fiscal year.

    0 4. Section 363.3 is amended by revising paragraph (b) to read as follows:

    Sec. 363.3 Independent public accountant.

    * * * * *

    (b) Additional reports. For each insured depository institution with total assets of $1 billion or more at the beginning of the institution's fiscal year, such independent public accountant shall examine, attest to, and report separately on, the assertion of management concerning the institution's internal control structure and procedures for financial reporting. The attestation shall be made in accordance with generally accepted standards for attestation engagements. * * * * *

    0 5. Section 363.5 is amended by revising paragraph (a) to read as follows:

    Sec. 363.5 Audit committees.

    (a) Composition and duties. Each insured depository institution shall establish an audit committee of its board of directors, the composition of which complies with paragraphs (a)(1), (2), and (3) of this section, and the duties of which shall include reviewing with management and the independent public accountant the basis for the reports issued under this part.

    (1) Each insured depository institution with total assets of $1 billion or more as of the beginning of its fiscal year shall establish an independent audit committee of its board of directors, the members of which shall be outside directors who are independent of management of the institution.

    (2) Each insured depository institution with total assets of $500 million or more but less than $1 billion as of the beginning of its fiscal year shall establish an audit committee of its board of directors, the members of which shall be outside directors, the majority of whom shall be independent of management of the institution. The appropriate Federal banking agency may, by order or regulation, permit the audit committee of such an insured depository institution to be made up of less than a majority of outside directors who are independent of management, if the agency determines that the institution has encountered hardships in retaining and recruiting a sufficient number of competent outside directors to serve on the audit committee of the institution.

    (3) An outside director is a director who is not, and within the preceding fiscal year has not been, an officer or employee of the institution or any affiliate of the institution. * * * * *

    0 6. Appendix A to part 363 is amended as follows: 0 a. Footnote 2, Guideline 10, is amended by adding ``Risk Management'' after ``FDIC's Division of Supervision and Consumer Protection (DSC)''; 0 b. Guideline 16 is amended by removing ``Registration and Disclosure Section'' and adding in its place ``Accounting and Securities Disclosure Section''; 0 c. Guideline 22 is amended by revising the first sentence of paragraph (a) to read as set forth below; 0 d. Guideline 27 is amended by revising the second sentence to read as set forth below; 0 e. Guideline 28 is amended by revising paragraph (a) to read as set forth below; 0 f. Guideline 29 is revised to read as set forth below; and 0 g. The first sentence of Guideline 36 is revised to read as set forth below.

    The revisions read as follows:

    Appendix A to Part 363--Guidelines and Interpretations

    * * * * *

    Filing and Notice Requirements (Sec. 363.4)

    22. * * *

    (a) FDIC: Appropriate FDIC Regional or Area Office (Supervision and Consumer Protection), i.e., the FDIC regional or area office in the FDIC region or area that is responsible for monitoring the institution or, in the case of a subsidiary institution of a holding company, the consolidated company. * * * * * * * *

    Audit Committees (Sec. 363.5)

    27. * * * At least annually, the board of an institution with $1 billion or more in total assets at the beginning of its fiscal year should determine whether all existing and potential audit committee members are ``independent of management of the institution'' and the board of an institution with total assets of $500 million or more but less than $1 billion as of the beginning of its fiscal year should determine whether the majority of all existing and potential audit committee members are ``independent of management of the institution.'' * * *

    28. * * *

    (a) Has previously been an officer of the institution or any affiliate of the institution; * * * * *

    29. Lack of independence. An outside director should not be considered independent of management if such director owns or controls, or has owned or controlled within the preceding fiscal year, assets representing 10 percent or more of any outstanding class of voting securities of the institution. * * * * *

    Other

    36. Modifications of guidelines. The FDIC's Board of Directors has delegated to the

    [[Page 71233]]

    Director of the FDIC's Division of Supervision and Consumer Protection (DSC) authority to make and publish in the Federal Register minor technical amendments to the Guidelines in this appendix, in consultation with the other appropriate federal banking agencies, to reflect the practical experience gained from implementation of this part.* * * * * * * *

    By order of the Board of Directors.

    Dated at Washington, DC, this 8th day of November, 2005.

    Federal Deposit Insurance Corporation. Robert E. Feldman, Executive Secretary.

    [FR Doc. 05-23310 Filed 11-25-05; 8:45 am]

    BILLING CODE 6714-01-P

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT