This section of the FEDERAL REGISTER
contains notices to the public of the proposed
issuance of rules and regulations. The
purpose of these notices is to give interested
persons an opportunity to participate in the
rule making prior to the adoption of the final
rules.
Proposed Rules Federal Register
44293
Vol. 70, No. 147
Tuesday, August 2, 2005
FEDERAL DEPOSIT INSURANCE
CORPORATION
12 CFR Part 363
RIN 3064–AC91
Annual Independent Audits and
Reporting Requirements
AGENCY: Federal Deposit Insurance
Corporation (FDIC).
ACTION: Notice of proposed rulemaking.
SUMMARY: The FDIC is proposing to
amend its regulations concerning
annual independent audits and
reporting requirements, which
implement Section 36 of the Federal
Deposit Insurance Act (FDI Act). Section
36 and the FDIC’s implementing
regulations are generally intended to
facilitate early identification of
problems in financial management at
insured depository institutions with
total assets above a certain threshold
(currently $500 million) through annual
independent audits, assessments of the
effectiveness of internal control over
financial reporting and compliance with
designated laws and regulations, and
related reporting requirements. Section
36 also includes requirements for audit
committees at these insured depository
institutions. The FDIC’s amendments
would raise the asset size threshold
from $500 million to $1 billion for
internal control assessments by
management and external auditors and
for the members of the audit committee,
who must be outside directors, to be
independent of management. As
required by section 36, the FDIC has
consulted with the other Federal
banking agencies. These amendments
are proposed to take effect December 31,
2005.
DATES: Comments must be received on
or before September 16, 2005.
ADDRESSES: Interested parties are
invited to submit written comments to
the FDIC by any of the following
methods:
• Federal eRulemaking Portal:
http://www.regulations.gov. Follow the
instructions for submitting comments.
• Agency Web site:
http://www.fdic.gov/regulations/laws/federal/propose.html.
Follow the instructions
for submitting comments on the FDIC
Web site.
• E-mail: Comments@FDIC.gov.
Include RIN number in the subject line
of the message.
• Mail: Robert E. Feldman, Executive
Secretary, Attention: Comments, Federal
Deposit Insurance Corporation, 550 17th
Street, NW., Washington, DC 20429.
• Hand Delivery/Courier: Guard
station at the rear of the 550 17th Street
building (located on F Street) on
business days between 7 a.m. and 5 p.m.
Instructions: All submissions received
must include the agency name and RIN
number for this rulemaking. All
comments received will be posted
without change to
http://www.fdic.gov/regulations/laws/federal/propose.html
including any personal information
provided. Comments may be inspected
and photocopied in the FDIC Public
Information Center, Room 100, 801 17th
Street, NW., Washington, DC, between 9
a.m. and 4:30 p.m. on business days.
FOR FURTHER INFORMATION CONTACT:
Harrison E. Greene, Jr., Senior Policy
Analyst (Bank Accounting), Division of
Supervision and Consumer Protection,
at hgreene@fdic.gov or (202) 898–8905;
or Michelle Borzillo, Counsel,
Supervision and Legislation Section,
Legal Division, at mborzillo@fdic.gov or
(202) 898–7400.
SUPPLEMENTARY INFORMATION:
A. Background
Section 112 of the Federal Deposit
Insurance Corporation Improvement Act
of 1991 (FDICIA) added Section 36,
‘‘Early Identification of Needed
Improvements in Financial
Management,’’ to the FDI Act (12 U.S.C.
1831m). Section 36 is generally
intended to facilitate early identification
of problems in financial management at
insured depository institutions above a
certain asset size threshold through
annual independent audits, assessments
of the effectiveness of internal control
over financial reporting and compliance
with designated laws and regulations,
and related requirements. Section 36
also includes requirements for audit
committees at these insured depository
institutions. Section 36 grants the FDIC
discretion to set the asset size threshold
for compliance with these statutory
requirements, but it states that the
threshold cannot be less than $150
million. Sections 36(d) and (f) also
obligate the FDIC to consult with the
other Federal banking agencies in
implementing these sections of the FDI
Act, and the FDIC has performed that
consultation requirement.
In June 1993, the FDIC published 12
CFR part 363 (58 FR 31332, June 2,
1993) to implement the provisions of
section 36 of the FDI Act. Under part
363, the requirements of section 36
apply to each insured depository
institution with $500 million or more in
total assets at the beginning of its fiscal
year (covered institution). Often referred
to as the ‘‘FDICIA reporting
requirements,’’ part 363 requires each
covered institution to submit to the
FDIC and other appropriate Federal and
state supervisory agencies an annual
report that includes audited financial
statements, a statement of management’s
responsibilities, assessments by
management of the effectiveness of
internal control over financial reporting
and compliance with designated laws
and regulations, and an auditor’s
attestation report on internal control
over financial reporting. In addition,
part 363 provides that each covered
institution must establish an
independent audit committee of its
board of directors comprised of outside
directors who are independent of
management of the institution. Part 363
also includes Guidelines and
Interpretations (Appendix A to part
363), which are intended to assist
institutions and independent public
accountants in understanding and
complying with section 36 and part 363.
A covered institution may satisfy the
audited financial statements
requirement of part 363 at the holding
company level. Subject to certain
conditions, the other requirements of
part 363 may be satisfied at the holding
company level. Members of the
independent audit committee of a
holding company may serve as the audit
committee of a subsidiary covered
institution provided they are otherwise
independent of the subsidiary’s
management and meet the other criteria
set forth in part 363.
When it adopted part 363 in 1993, the
FDIC stated that it was setting the asset
size threshold at $500 million rather
than the $150 million specified in
section 36 to mitigate the financial
burden of compliance with section 36
consistent with safety and soundness. In
selecting $500 million in total assets as
the size threshold, the FDIC noted that
approximately 1,000 of the then nearly
14,000 FDIC-insured institutions would
be subject to part 363. These covered
institutions held approximately 75
percent of the assets of insured
institutions at that time. By imposing
the audit, reporting, and audit
committee requirements of part 363 on
institutions with this percentage of the
industry’s assets, the FDIC intended to
ensure that the Congress’s objectives for
achieving sound financial management
at insured institutions when it enacted
section 36 would be focused on those
institutions posing the greatest risk to
the insurance funds administered by the
FDIC. Today, due to consolidation in
the banking and thrift industry and the
effects of inflation, approximately 1,150
of the 8,900 insured institutions have
$500 million or more in total assets and
are therefore subject to part 363. These
covered institutions hold approximately
90 percent of the assets of insured
institutions.
B. Increasing the Asset Size Threshold
for Internal Control Assessments
An effective internal control structure
is critical to the safety and soundness of
each insured institution. Given its
importance, internal control is
evaluated as part of the supervision of
individual institutions and its adequacy
is a factor in the management rating
assigned to an institution. Furthermore,
in the audit of an institution’s financial
statements, the external auditor must
obtain an understanding of internal
control, including assessing control risk,
and must report certain matters
regarding internal control to the
institution’s audit committee.
An institution subject to part 363 has
the added requirement that its
management perform an assessment of
the internal control structure and
procedures for financial reporting and
that its external auditor examine, attest
to, and report on management’s
assertion concerning the institution’s
internal control over financial reporting.
For purposes of these internal control
provisions of part 363, the FDIC has
advised covered institutions that the
term ‘‘financial reporting’’ includes both
financial statements prepared in
accordance with generally accepted
accounting principles and those
prepared for regulatory reporting
purposes.1 Until year-end 2004, external
auditors performed their internal
control assessments in accordance with
an attestation standard issued by the
American Institute of Certified Public
Accountants (AICPA) known as ‘‘AT
501.’’
1 See FDIC Financial Institution Letter (FIL) 86–94,
dated December 23, 1994. FIL–86–94 indicates
that financial statements prepared for regulatory
reporting purposes encompass the schedules
equivalent to the basic financial statements in an
institution’s appropriate regulatory report, e.g., the
bank Reports of Conditions and Income and the
Thrift Financial Report.
The Sarbanes-Oxley Act was enacted
into law on July 30, 2002. Section 404
of this Act imposes a requirement for
internal control assessments by the
management and external auditors of all
public companies that is similar to the
FDICIA requirement. The Securities and
Exchange Commission’s (SEC) rules
implementing these requirements took
effect at year-end 2004 for ‘‘accelerated
filers,’’ i.e., generally, public companies
whose common equity has an aggregate
market value of at least $75 million, but
they will not take effect until 2006 for
‘‘non-accelerated filers.’’ For the section
404 auditor attestations, the Public
Company Accounting Oversight Board’s
(PCAOB) Auditing Standard No. 2 (AS
2) applies. AS 2 replaces the AICPA’s
AT 501 internal control attestation
standard for public companies, but AS
2 does not apply to nonpublic
companies. The SEC’s section 404 rules
for management and the provisions of
AS 2 for section 404 audits of internal
control establish more robust
documentation and testing requirements
than those that have been applied by
covered institutions and their auditors
to satisfy the internal control reporting
requirements in part 363.
For internal control attestations of
nonpublic companies, the AICPA is
currently developing proposed revisions
to AT 501 that are expected to bring it
closer into line with the provisions of
AS 2. The revisions also are likely to
have the effect of requiring greater
documentation and testing of internal
control over financial reporting by an
institution’s management in order for
the auditor to perform his or her
attestation work.
As the environment has changed and
continues to change since the enactment
of the Sarbanes-Oxley Act, the FDIC has
observed that compliance with the audit
and reporting requirements of part 363
has and will continue to become more
burdensome and costly, particularly for
smaller nonpublic covered institutions.
Thus, the FDIC has reviewed the current
asset size threshold for compliance with
part 363 in light of the discretion
granted by Section 36 that permits the
FDIC to determine the appropriate size
threshold (at or above $150 million) at
which insured institutions should be
subject to the various provisions of
section 36. Based on this review, the
FDIC is proposing to amend part 363 to
increase the asset size threshold for
internal control assessments by
management and external auditors from
$500 million to $1 billion. Raising the
threshold to $1 billion would achieve
meaningful burden reduction without
sacrificing safety and soundness.
In reaching this decision, the FDIC
concluded that raising the $500 million
asset size threshold to $1 billion and
exempting all institutions below this
higher size level from all of the
reporting requirements of part 363
would not be consistent with the
objective of the underlying statute, i.e.,
early identification of needed
improvements in financial management.
In contrast, the FDIC believes that
relieving smaller covered institutions
from the burden of internal control
assessments, while retaining the
financial statement audit and other
reporting requirements for all
institutions with $500 million or more
in total assets, strikes an appropriate
balance in accomplishing this objective.
If the FDIC were to raise the size
threshold for internal control
assessments to $1 billion, about 600 of
the largest insured institutions with
approximately 86 percent of industry
assets would continue to be covered by
the internal control reporting
requirements of part 363. At the same
time, the managements of covered
institutions would remain responsible
for establishing and maintaining an
adequate internal control structure and
procedures for financial reporting, and
all institutions with $500 million or
more in total assets would continue to
include a statement to that effect in their
part 363 annual report.
Accordingly, the FDIC is seeking
comments on the proposed amendment
to part 363 to increase the asset size
threshold for internal control
assessments by management and
external auditors to $1 billion. This
amendment is proposed to take effect
December 31, 2005. For insured
institutions (both public and non-public)
with calendar year fiscal years
that had $500 million or more in total
assets, but less than $1 billion in total
assets, on January 1, 2005, this proposal
would mean that the part 363 annual
report for 2005 that they submit to the
FDIC and other appropriate Federal and
state supervisory agencies would need
to include only audited financial
statements, statements of management’s