[Federal Register: November 28, 2005 (Volume 70, Number 227)]
[Rules and Regulations]
[Page 71226-71233]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr28no05-4]
-----------------------------------------------------------------------
FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Part 363
RIN 3064-AC91
Independent Audits and Reporting Requirements
AGENCY: Federal Deposit Insurance Corporation (FDIC).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The FDIC is amending part 363 of its regulations concerning
annual independent audits and reporting requirements, which implement
section 36 of the Federal Deposit Insurance Act (FDI Act), as proposed,
but with modifications to the composition of the audit committee and
the effective date. The FDIC's amendments raise the asset-size
threshold from $500 million to $1 billion for internal control
assessments by management and external auditors. For institutions
between $500 million and $1 billion in assets, the amendments require
the majority, rather than all, of the members of the audit committee,
who must be outside directors, to be independent of management and
create a hardship exemption. The amendments also make certain technical
changes to part 363 to correct outdated titles, terms, and references
in the regulation and its appendix. As required by section 36, the FDIC
has consulted with the other federal banking agencies.
Effective Date: The final rule is effective December 28, 2005 and
applies to part 363 annual reports with a filing deadline (90 days
after the end of an institution's fiscal year) on or after the
effective date of these amendments.
FOR FURTHER INFORMATION CONTACT: Harrison E. Greene, Jr., Senior Policy
Analyst (Bank Accounting), Division of Supervision and Consumer
Protection, at hgreene@fdic.gov or (202) 898-8905; or Michelle
Borzillo, Counsel, Supervision and Legislation Section, Legal Division,
at mborzillo@fdic.gov or (202) 898-7400.
SUPPLEMENTARY INFORMATION:
I. Background
Section 112 of the Federal Deposit Insurance Corporation
Improvement Act of 1991 (FDICIA) added section 36, ``Early
Identification of Needed Improvements in Financial Management,'' to the
FDI Act (12 U.S.C. 1831m). Section 36 is generally intended to
facilitate early identification of problems in financial management at
insured depository institutions above a certain asset size threshold
(covered institutions) through annual independent audits, assessments
of the effectiveness of internal control over financial reporting and
compliance with designated laws and regulations, and related
requirements. Section 36 also includes requirements for audit
committees at these insured depository institutions. Section 36 grants
the FDIC discretion to set the asset size threshold for compliance with
these statutory requirements, but it states that the threshold cannot
be less than $150 million. Sections 36(d) and (f) also obligate the
FDIC to consult with the other Federal banking agencies in implementing
these sections of the FDI Act, and the FDIC has performed that
consultation requirement.
Part 363 of the FDIC's regulations (12 CFR part 363), which
implements section 36 of the FDI Act, requires each covered institution
to submit to the FDIC and other appropriate Federal and state
supervisory agencies an annual report that includes audited financial
statements, a statement of management's responsibilities, assessments
by management of the effectiveness of internal control over financial
reporting and compliance with designated laws and regulations, and an
auditor's attestation report on internal control over financial
reporting. In addition, part 363 provides that each covered institution
must establish an independent audit committee of its board of directors
comprised of outside directors who are independent of management of the
institution. Part 363 also includes Guidelines and Interpretations
(Appendix A to part 363), which are intended to assist institutions and
independent public accountants in understanding and complying with
section 36 and part 363.
When it adopted part 363 in 1993, the FDIC stated that it was
setting the asset size threshold at $500 million rather than the $150
million specified in section 36 to mitigate the financial burden of
compliance with section 36 consistent with safety and soundness. In
selecting $500 million in total assets as the size threshold, the FDIC
noted that approximately 1,000 of the then nearly 14,000 FDIC-insured
institutions would be subject to part 363. These covered institutions
held approximately 75 percent of the assets of insured institutions at
that time. By imposing the audit, reporting, and audit committee
requirements of part 363 on institutions with this percentage of the
industry's assets, the FDIC intended to ensure that the Congress's
objectives for achieving sound financial management at insured
institutions when it enacted section 36 would be focused on those
[[Page 71227]]
institutions posing the greatest potential risk to the insurance funds
administered by the FDIC. Today, due to consolidation in the banking
and thrift industry and the effects of inflation, more than 1,150 of
the 8,900 insured institutions have $500 million or more in total
assets and are therefore subject to part 363. These covered
institutions hold approximately 90 percent of the assets of insured
institutions.
II. Discussion of Proposed Amendments
On July 19, 2005, the FDIC's Board approved the publication of
proposed amendments to part 363 of the FDIC's regulations, which were
published in the Federal Register on August 2, 2005, for a 45-day
comment period (70 FR 44293). The comment period closed on September
16, 2005. As more fully discussed below, the FDIC proposed to raise the
asset-size threshold in part 363 from $500 million to $1 billion for
internal control assessments by management and external auditors and
for the members of the audit committee, who must be outside directors,
to be independent of management. The FDIC also proposed to make certain
technical changes to part 363 to correct outdated titles, terms, and
references in the regulation and its appendix. As proposed, the
effective date of these amendments was to be December 31, 2005.
In its proposal, the FDIC also noted that it had identified other
aspects of part 363 that may warrant revision in light of changes in
the industry and the passage of the Sarbanes-Oxley Act of 2002.
However, the FDIC stated that it had decided to proceed first with the
proposed amendments to the asset-size threshold in part 363 in order to
reduce compliance burdens and expenses for affected institutions in
2005. These further revisions to part 363 are expected to be proposed
as soon as practicable.
A. Increasing the Asset Size Threshold for Internal Control Assessments
An effective internal control structure is critical to the safety
and soundness of each insured institution. Given its importance,
internal control is evaluated as part of the supervision of individual
institutions and its adequacy is a factor in the management rating
assigned to an institution. Furthermore, in the audit of an
institution's financial statements, the external auditor must obtain an
understanding of internal control, including assessing control risk,
and must report certain matters regarding internal control to the
institution's audit committee.
An institution subject to part 363 has the added requirement that
its management perform an assessment of the internal control structure
and procedures for financial reporting and that its external auditor
examine, attest to, and report on management's assertion concerning the
institution's internal control over financial reporting. For purposes
of these internal control provisions of part 363, the FDIC has advised
covered institutions that the term ``financial reporting'' includes
both financial statements prepared in accordance with generally
accepted accounting principles and those prepared for regulatory
reporting purposes.\1\ Until year-end 2004, external auditors performed
their internal control assessments in accordance with an attestation
standard issued by the American Institute of Certified Public
Accountants (AICPA) known as ``AT 501.''
---------------------------------------------------------------------------
\1\ See FDIC Financial Institution Letter (FIL) 86-94, dated
December 23, 1994. FIL-86-94 indicates that financial statements
prepared for regulatory reporting purposes encompass the schedules
equivalent to the basic financial statements in an institution's
appropriate regulatory report, e.g., the bank Reports of Condition
and Income and the Thrift Financial Report.
---------------------------------------------------------------------------
The Sarbanes-Oxley Act was enacted into law on July 30, 2002.
Section 404 of this Act imposes a requirement for internal control
assessments by the management and external auditors of all public
companies that is similar to the FDICIA requirement. The Securities and
Exchange Commission's (SEC) rules implementing these requirements took
effect at year-end 2004 for ``accelerated filers,'' i.e., generally,
public companies whose common equity has an aggregate market value of
at least $75 million, but they will not take effect until 2007 for
``non-accelerated filers.'' For the section 404 auditor attestations,
the Public Company Accounting Oversight Board's (PCAOB) Auditing
Standard No. 2 (AS 2) applies. AS 2 replaces the AICPA's AT 501
internal control attestation standard for public companies, but AS 2
does not apply to nonpublic companies. The SEC's section 404 rules for
management and the provisions of AS 2 for section 404 audits of
internal control establish more robust documentation and testing
requirements than those that have been applied by covered institutions
and their auditors to satisfy the internal control reporting
requirements in part 363.
For internal control attestations of nonpublic companies, the AICPA
is currently developing proposed revisions to AT 501 that are expected
to bring it closer into line with the provisions of AS 2. The revisions
also are likely to have the effect of requiring greater documentation
and testing of internal control over financial reporting by an
institution's management in order for the auditor to perform his or her
attestation work.
As the environment has changed and continues to change since the
enactment of the Sarbanes-Oxley Act, the FDIC has observed that
compliance with the audit and reporting requirements of part 363 has
and will continue to become more burdensome and costly, particularly
for smaller nonpublic covered institutions. Thus, the FDIC reviewed the
current asset size threshold for compliance with part 363 in light of
the discretion granted by section 36 that permits the FDIC to determine
the appropriate size threshold (at or above $150 million) at which
insured institutions should be subject to the various provisions of
section 36. Based on this review, the FDIC proposed to amend part 363
to increase the asset size threshold for internal control assessments
by management and external auditors from $500 million to $1 billion.
Raising the threshold to $1 billion would achieve meaningful burden
reduction without sacrificing safety and soundness.
In reaching this decision, the FDIC concluded that raising the $500
million asset size threshold to $1 billion and exempting all
institutions below this higher size level from all of the reporting
requirements of part 363 would not be consistent with the objective of
the underlying statute, i.e., early identification of needed
improvements in financial management. In contrast, the FDIC believes
that relieving smaller covered institutions from the burden of internal
control assessments, while retaining the financial statement audit and
other reporting requirements for all institutions with $500 million or
more in total assets, strikes an appropriate balance in accomplishing
this objective. By raising the size threshold for internal control
assessments to $1 billion, about 600 of the largest insured
institutions with approximately 86 percent of industry assets would
continue to be covered by the internal control reporting requirements
of part 363. At the same time, the managements of all covered
institutions would remain responsible for establishing and maintaining
an adequate internal control structure and procedures for financial
reporting, and all institutions with $500 million or more in total
assets would continue to include a statement to that effect in their
part 363 annual report.
[[Page 71228]]
B. Composition of the Audit Committee
Currently, part 363 requires each covered institution to establish
an independent audit committee of its board of directors, comprised of
outside directors who are independent of management of the institution.
The duties of the audit committee include reviewing with management and
the institutions' independent public accountant the basis for the
reports included in the part 363 annual report submitted to the FDIC
and other appropriate Federal and state supervisory agencies. The
FDIC's Guidelines to part 363 provide that, at least annually, the
board of directors of a covered institution should determine whether
all existing and potential audit committee members are ``independent of
management of the institution.'' The guidelines also describe factors
to consider in making this determination.\2\
---------------------------------------------------------------------------
\2\ See Guidelines 27 through 29 of Appendix A to part 363.
---------------------------------------------------------------------------
Section 36 provides that an appropriate federal banking agency may
grant a hardship exemption to a covered institution that would permit
its independent audit committee to be made up of less than all, but no
fewer than a majority of, outside directors who are independent of
management. To grant the exemption, the agency must find that the
institution has encountered hardships in retaining and recruiting a
sufficient number of competent outside directors.
Notwithstanding this exemption provision of section 36, the FDIC
has observed that a number of smaller covered institutions,
particularly those with few shareholders that have recently exceeded
$500 million in total assets and become subject to part 363, have
encountered difficulty in satisfying the independent audit committee
requirement. To comply with this requirement, these institutions must
identify and attract qualified individuals in their communities who
would be willing to become a director and audit committee member and
who would be independent of management.
To relieve this burden, but also recognizing that the FDIC has long
held that individuals who serve as directors of any insured depository
institution should be persons of independent judgment, the FDIC
proposed to amend part 363 to increase from $500 million to $1 billion
the asset size threshold for requiring audit committee members to be
independent of management. Conforming changes were also proposed to be
made to Guidelines 27-29 of Appendix A to part 363. Each insured
depository institution with total assets of $500 million or more but
less than $1 billion would continue to be required to have an audit
committee comprised of outside directors. Consistent with Guideline 29
of Appendix A to part 363, an outside director would be defined as an
individual who is not, and within the preceding year has not been, an
officer or employee of the institution or any affiliate of the
institution.
The proposed amendment to the audit committee requirements for
institutions with between $500 million and $1 billion in total assets
would allow an outside director who is, for example, a consultant or
legal counsel to the institution, a relative of an officer or employee
of the institution or its affiliates, or the owner of 10 percent or
more of the stock of the institution to serve as an audit committee
member. Nevertheless, the FDIC indicated in the proposal that it would
encourage each institution with between $500 million and $1 billion in
assets to make a reasonable good faith effort to establish an audit
committee of outside directors who are independent of management.
III. Comments Received on Proposed Amendments
In response to its August 2, 2005, request for comment on the
proposed amendments to part 363, the FDIC received comment letters from
28 different respondents \3\: 15 banking and thrift organizations, 7
bankers' associations, 3 accountants and accounting firms, the
Conference of State Bank Supervisors (CSBS), the FDIC's Office of
Inspector General (FDIC-OIG), and one other party. Generally, the
comment letters expressed support for the proposed amendments. All but
one of the respondents favored the proposal to increase the asset-size
threshold for internal control assessments by management and external
auditors to $1 billion. As for the proposed increase to $1 billion in
the asset-size threshold for the members of the audit committee, who
must be outside directors, to be independent of management, 24 of the
28 respondents supported this aspect of the proposal, two respondents
opposed it, and two respondents did not directly comment on it.
Respondents also raised a number of other issues.
---------------------------------------------------------------------------
\3\ The FDIC received 58 comment letters, which included 20
identical letters from individuals at one institution and 12
identical letters from individuals at another institution.
---------------------------------------------------------------------------
The CSBS commented on the proposed change in the audit committee
provisions of part 363 for institutions with $500 million to $1 billion
in assets. The CSBS, on behalf of state banking departments, stated
that there is value in maintaining a significant level of independence
when fulfilling the important role of an audit committee member.
Although it saw benefit in alleviating some of the burden of a fully
independent audit committee, for safety and soundness considerations,
the CSBS recommended that the chairman and a majority of the audit
committee members at institutions in the $500 million to $1 billion
asset size range be required to be independent of management rather
than allowing all of the outside directors on the audit committee not
to be independent of management.
Five other commenters concurred with the FDIC's observation that
some smaller covered institutions have encountered difficulty in
establishing an audit committee, all of whose members are independent
of management. In this regard, the CSBS's comment letter also
acknowledged the difficulties in attaining and keeping a fully
independent audit committee, especially in smaller rural communities.
Individuals who serve as directors of insured institutions, whether
or not they serve on the audit committee, are expected to be persons of
independent judgment. In this regard, under the Uniform Financial
Institutions Rating System (62 FR 752, January 6, 1997), a factor that
the federal banking agencies' examiners assess when they evaluate the
capability and performance of an institution's management and board of
directors for purposes of assigning an appropriate Management component
rating is the extent to which the management and board members are
affected by, or susceptible to, dominant influence or concentration of
authority. Hence, the agencies' examination staffs are cognizant of the
heightened level of risk presented by the existence of a dominant
officer, whether or not outside directors, including those on the audit
committee, are independent of management.
After carefully considering the CSBS's recommendation, the FDIC has
decided to amend the proposal to require that a majority of the audit
committee members of institutions with $500 million to $1 billion in
assets, all of whom must be outside directors, be independent of
management. In addition, in recognition of the difficulties that some
individual institutions in this size range may have in attaining such
an audit committee, the final rule will provide an exemption under
which an appropriate Federal banking agency may, by order or
regulation, permit the audit committee of such an institution to be
made up of
[[Page 71229]]
less than a majority of outside directors who are independent of
management, if the agency determines that the institution has
encountered hardships in retaining and recruiting a sufficient number
of competent outside directors to serve on the audit committee of the
institution. The FDIC believes that this change to its proposal strikes
an appropriate balance of reducing regulatory burden without
jeopardizing safety and soundness.
Another commenter who addressed the audit committee portion of the
proposal suggested that the FDIC's recommendation that institutions
make a ``reasonable good faith effort'' to establish an audit committee
of outside directors who are independent of management was vague and
should be deleted from the proposal. This commenter added that, if the
recommendation were not deleted, the FDIC should include a definition
of, or list of criteria that would constitute, a ``reasonable good
faith effort'' and provide guidance on how an institution should
document that it has undertaken such an effort. While the FDIC
encourages each institution with between $500 million and $1 billion in
assets to make a reasonable good faith effort to establish an audit
committee comprised entirely of outside directors who are independent
of management, each institution faces a unique set of circumstances
when it seeks to attract competent individuals to be outside directors
who would be willing to serve on its audit committee. Because a list of
criteria that would constitute evidence of a ``reasonable good faith
effort'' could not consider all of the situations in which institutions
engaging in such a search might find themselves, the FDIC has chosen
not to restrict institutions and itself to a specific list.
In its comment letter on the proposal, the FDIC-OIG recommended
that insured institutions with total assets of $500 million or more,
but less than $1 billion, that have or receive either a composite
rating or Management component rating of 3, 4, or 5, i.e., 3 or lower,
under the Uniform Financial Institutions Rating System (also known as
the CAMELS rating system) be required to comply with all of the
requirements of Part 363 rather than being provided the proposed relief
for institutions in this size range. The FDIC-OIG indicated that, as of
September 12, 2005, 16 insured institutions with $500 million to $1
billion in assets had less than a satisfactory composite CAMELS rating.
Specifically, 11 institutions had a composite rating of 3 and 5
institutions had a 4 rating. The FDIC-OIG also noted that, over the
last several months, 15 other insured institutions in this size range
with a composite rating of 2 had a Management component rating of 3.
The FDIC-OIG indicated that, in reviewing past failures of insured
institutions, it had observed that weak corporate governance, including
financial reporting problems and the lack of independence of the board
of directors from institution management, was often a factor in the
failure of these institutions and contributed to material losses ($25
million or more) to the deposit insurance funds administered by the
FDIC. The FDIC-OIG also stated that maintaining the full requirements
of part 363 for less than satisfactory institutions would help to
address potential concerns about deficiencies by the board of directors
and in internal control, internal audit, and external audit and thereby
mitigate the possibility of institution failure.
As defined in the Uniform Financial Institutions Rating System,
institutions with a composite rating of 2 are fundamentally sound.
There are no material supervisory concerns and, as a result, the
supervisory response is informal and limited. Institutions with a
composite rating of 3 exhibit some degree of supervisory concern in one
or more of the six component areas (Capital Adequacy, Asset Quality,
Management, Earnings, Liquidity, and Sensitivity to Market Risk). These
financial institutions require more than normal supervision, which may
include formal or informal enforcement actions. Failure appears
unlikely, however, given the overall strength and financial capacity of
these institutions. Institutions with a composite rating of 4 generally
exhibit unsafe and unsound practices or conditions. There are serious
financial or managerial deficiencies that result in unsatisfactory
performance. Failure is a distinct possibility if the problems and
weaknesses are not satisfactorily addressed and resolved. Institutions
with a composite rating of 5 exhibit extremely unsafe and unsound
practices or conditions and a critically deficient performance. They
are of the greatest supervisory concern and ongoing supervisory
attention is necessary. These institutions pose a significant risk to
the deposit insurance funds and failure is highly probable.
A Management component rating of 3 indicates management and board
performance that need improvement or risk management practices that are
less than satisfactory given the nature of the institution's
activities. The capabilities of management or the board of directors
may be insufficient for the type, size, or condition of the
institution. Problems and significant risks may be inadequately
identified, measured, monitored, or controlled by management. Because
management's ability to respond to changing circumstances and address
risks is an important factor in evaluating an institution's overall
risk profile and the level of supervisory attention that should be
devoted to an institution, the Management component is given special
consideration when assigning the institution's composite rating.
Institutions that have a composite rating of 3 or lower are already
subject to increased supervisory scrutiny and are normally subject to
formal or informal supervisory actions (e.g., Memorandum of
Understanding or Cease and Desist Order) to address the need for
corrective actions for weaknesses and deficiencies cited in reports of
examination or otherwise identified through supervisory oversight. In
reviewing the institutions cited in the FDIC-OIG's comment letter, the
FDIC notes that all of the institutions with a composite rating of 3 or
lower are subject to formal and/or informal supervisory actions and all
of the institutions with a composite rating of 2 and a Management
component rating of 3 or lower are subject to supervisory actions. The
FDIC further notes that approximately half of these institutions are
public companies or subsidiaries of public companies that are subject
to the filing and reporting requirements of the Federal securities laws
as implemented by the SEC.
The examination staffs of the FDIC and the other Federal banking
agencies look to the assessments by management of internal control over
financial reporting and the independent auditors' attestation reports
on those assessments as one source of information on the existence of
any significant deficiencies and material weaknesses in this internal
control structure. Nevertheless, the agencies' examiners are expected
to perform their own evaluation of an institution's internal control
environment and audit programs when determining the condition of the
institution and the need for and degree of any supervisory action.
Moreover, the examiners' assessment of the internal control environment
encompasses not only internal control over financial reporting, but
also internal control as it relates to the effectiveness and efficiency
of the institution's operations and to its compliance with laws and
regulations.
The agencies' examination staffs consider many factors in
determining an institution's composite rating and
[[Page 71230]]
individual component ratings, including the Management component. While
these factors include the capability and performance of management and
the board of directors (including the board's committees such as the
audit committee), they also include the adequacy of, and conformance
with, appropriate internal policies and controls addressing the
operations and risks of significant activities; the accuracy,
timeliness, and effectiveness of management information and risk
monitoring systems; the adequacy of audits and internal control,
including internal control over financial reporting; compliance with
laws and regulations; and the overall performance of the institution
and its risk profile.
As a consequence, when an institution is assigned a composite
rating or a Management component rating of 3 or lower, its Federal
banking agency's supervisory response, which may include formal or
informal enforcement actions, is tailored to the specific weaknesses,
deficiencies, and problems identified by the examination staff and
seeks appropriate and timely corrective action by management and the
board of directors. The factors contributing to such a less than
satisfactory rating may or may not have included ineffective internal
control over financial reporting and/or unacceptable audit committee
oversight and performance. In this regard, although the FDIC-OIG
reported in its comment letter that 15 institutions with $500 million
to $1 billion in assets had recently been assigned a composite rating
of 2 and a Management component rating of 3, the majority of these
institutions received this Management rating for reasons unrelated to
deficiencies in internal control over financial reporting (e.g., the
reasons were related to compliance with the Bank Secrecy Act).
Nevertheless, in those cases where examiners detect such internal
control deficiencies at an institution with $500 million to $1 billion
in assets, if it is deemed necessary and appropriate for addressing
these deficiencies, the supervisory response by the institution's
Federal banking agency could include a requirement for management to
perform an assessment of internal control over financial reporting and
for the external auditor to attest to management's assertion or for the
external auditor to report directly on internal control over financial
reporting.
Given that each institution with $500 million to $1 billion in
assets with a composite rating or Management component rating of 3 or
lower is receiving closer than normal supervisory attention focused on
identified problem areas, imposing additional requirements for internal
control assessments by management and the external auditor and for the
replacement of all audit committee members who are not independent of
management would levy burdens on all such institutions, regardless of
whether this burden would address weaknesses identified in a given
institution. However, as previously noted, the FDIC believes that, in
response to comments from the CSBS, amending the proposal to require a
majority of the audit committee members to be independent of management
strikes an appropriate balance between reducing regulatory burden and
maintaining safety and soundness.
Additionally, as a practical matter, CAMELS ratings often change
during the year as a result of examination findings or other
supervisory oversight. The FDIC-OIG's recommendation would subject
institutions to uncertainty if the subject provisions of part 363 would
apply immediately during any given year in which an institution's
composite or Management component rating fell to 3 or lower. If applied
in the year following receipt of the 3 or lower rating, the
recommendation would often result in requiring compliance with the
subject provisions of part 363 after the institution had corrected its
problems and obtained a higher composite or Management rating. The
first of these approaches would be difficult, at best, to plan for and
implement on a timely basis, while the alternative (lagging) approach
would often impose burden after (the often unrelated) problems had been
addressed.
Furthermore, under the proposed amendments to part 363, each
institution with $500 million to $1 billion in assets must continue to
undergo an annual audit of its financial statements. In a financial
statement audit, the external auditor must obtain an understanding of
internal control and must report certain matters regarding internal
control to the institution's audit committee. In this regard, on
September 1, 2005, the AICPA Auditing Standards Board issued a proposed
Statement on Auditing Standards (SAS) on the ``Communication of
Internal Control Related Matters Noted in an Audit'' that will
supersede its current SAS on this topic, which is known as ``SAS 60.''
The comment period for this auditing proposal ended on October 31,
2005, with the final standard expected in the first quarter of 2006.
Among other things, the proposed SAS requires the auditor to
communicate, in writing, to management and those charged with
governance (the board of directors and/or the audit committee)
significant deficiencies and material weaknesses in internal control of
which the auditor becomes aware. Under current SAS 60, the auditor
should report such deficiencies and weaknesses to the audit committee,
preferably in writing, but oral communication of this information is
also permitted. As proposed, the improved communication provisions in
the SAS would be effective for audits of financial statements for
periods ending on or after December 15, 2006. Part 363 requires covered
institutions, regardless of size, to submit copies of reports related
to their audits that are issued by their external auditors, including
these written reports on significant weaknesses and material
weaknesses, to the FDIC and other appropriate Federal and state
supervisory agencies.
After fully considering the FDIC-OIG's comment and the agencies'
supervisory tools and processes for evaluating the soundness of
institutions, identifying institutions exhibiting financial and
operational weaknesses or adverse trends, and focusing appropriate
supervisory attention on such institutions, the FDIC has decided not to
revise its proposed increase in the asset-size threshold in the manner
proposed by the FDIC-OIG and accord a different treatment to
institutions with $500 million to $1 billion in assets that have a
composite rating or Management component rating of 3 or lower. However,
the FDIC believes that the change to the composition of the audit
committee that it is making in response to the comments from the CSBS,
which will require a majority of the members of the audit committee,
who must be outside directors, to be independent of management, will
help to address the FDIC-OIG's concerns about deficiencies in the
performance of the board and audit committee of institutions with less
than satisfactory ratings.
Six commenters urged the FDIC to approve the proposed amendments to
part 363 as soon as feasible because many procedures related to the
assessment of internal control over financial reporting are addressed
prior to an institution's fiscal year-end, particularly in the fourth
fiscal quarter. These commenters further recommended that the FDIC
either change the effective date of the amendments from December 31,
2005, as proposed, to September 30, 2005, or grant an institution's
primary Federal regulator the authority to waive the 2005 internal
control assessment requirements for institutions with total assets of
$500 million or more but less
[[Page 71231]]
than $1 billion that have fiscal year-ends other than December 31. The
FDIC concurs with these commenters' suggestion concerning the effective
date and, in response, is changing the effective date of the amendments
to part 363 from December 31, 2005, to December 28, 2005. The final
rule will apply to part 363 annual reports with a filing deadline (90
days after the end of an institution's fiscal year) on or after the
effective date of these amendments.
Four commenters recommended that the $1 billion asset-size
threshold be tied to an index that would automatically increase the
threshold annually. For reasons of practicality and to provide
certainty to institutions concerning the size at which full compliance
with part 363 is required, the FDIC has decided not to adopt this
indexing recommendation.
The FDIC also received several recommendations from commenters that
are outside the scope of the proposed amendments to part 363 and,
accordingly, the FDIC has decided not to implement these
recommendations as part of the final rule. These comments included the
following: (1) Increase the asset size threshold for applying the SEC
independence rules to external auditors, (2) have the FDIC adopt its
own independence rules for external auditors, (3) enhance the FDIC's
review of external audit reports, (4) make the standards for performing
audits of internal control over financial reporting the same for both
public and non-public companies, and (5) establish a fraud hotline for
both examiners and bank employees.
IV. Final Rule
The FDIC has considered the comments received on its proposed
amendments to part 363 and is adopting the amendments as proposed, but
with modifications to the composition of the audit committee and the
effective date. This final rule raises the asset-size threshold from
$500 million to $1 billion for internal control assessments by
management and external auditors. For institutions between $500 million
and $1 billion in assets, it also requires the majority, rather than
all, of the members of the audit committee, who must be outside
directors, to be independent of management and creates a hardship
exemption. In addition, the final rule makes certain technical changes
to part 363 to correct outdated titles, terms, and references in the
regulation and its appendix.
This final rule takes effect December 28, 2005, not on December 31,
2005, as proposed, and it applies to part 363 annual reports with a
filing deadline \4\ on or after the rule's effective date. For example,
for insured institutions (both public and non-public) with fiscal years
that ended on September 30, 2005, or that will end on December 31,
2005, that had $500 million or more in total assets, but less than $1
billion in total assets, at the beginning of the fiscal year, the final
rule means that the part 363 annual report that these institutions must
submit to the FDIC and other appropriate Federal and state supervisory
agencies within 90 days after the end of the fiscal year needs to
include only audited financial statements, statements of management's
responsibilities, management's assessment of the institution's
compliance with designated laws and regulations, and an auditor's
report on the financial statements.
---------------------------------------------------------------------------
\4\ Under section 363.4(a), an institution's filing deadline is
90 days after the end of the institution's fiscal year.
---------------------------------------------------------------------------
For insured depository institutions that are public companies or
subsidiaries of public companies, regardless of size, the FDIC's
amendments to part 363 do not relieve public companies of their
obligation to comply with the internal control assessment requirements
imposed by section 404 of the Sarbanes-Oxley Act in accordance with the
effective dates for compliance set forth in the SEC's implementing
rules.
Nevertheless, the FDIC reminds insured institutions with $1 billion
or more in total assets that are public companies or subsidiaries of
public companies that they have considerable flexibility in determining
how best to satisfy the internal control assessment requirements in the
SEC's section 404 rules and the FDIC's part 363. As indicated in the
preamble to the SEC's section 404 final rule release, the FDIC (and the
other Federal banking agencies) agreed with the SEC that insured
depository institutions that are subject to both part 363 (as well as
holding companies permitted under the holding company exception in part
363 to file an internal control report on behalf of their insured
depository institution subsidiaries) and the SEC's rules implementing
section 404 can choose either of the following two options:
They can prepare two separate reports of management on the
institution's or the holding company's internal control over financial
reporting to satisfy the FDIC's part 363 requirements and the SEC's
section 404 requirements; or
They can prepare a single report of management on internal
control over financial reporting that satisfies both the FDIC's
requirements and the SEC's requirements.\5\
---------------------------------------------------------------------------
\5\ Footnote 117 in the preamble to the SEC's section 404 final
rule releases states that ``[a]n insured depository institution
subject to both the FDIC's [internal control assessment]
requirements and our new requirements [i.e., a public depository
institution] choosing to file a single report to satisfy both sets
of requirements will file the report with its primary Federal
regulator under the Exchange Act and the FDIC, its primary Federal
regulator (if other than the FDIC), and any appropriate state
depository institution supervisor under part 363 of the FDIC's
regulations. A [public] holding company choosing to prepare a single
report to satisfy both sets of requirements will file the report
with the [Securities and Exchange] Commission under the Exchange Act
and the FDIC, the primary Federal regulator of the insured
depository institution subsidiary subject to the FDIC's
requirements, and any appropriate state depository institution
supervisor under part 363.''
---------------------------------------------------------------------------
For more complete information on these two options, institutions
(and holding companies) should refer to section II.H.4. of the preamble
to the SEC's section 404 final rule release (68 FR 36648, June 18,
2003).
Paperwork Reduction Act
This regulation contains modifications to a collection of
information that have been reviewed and approved by the Office of
Management and Budget under control number 3064-0113, pursuant to the
Paperwork Reduction Act (44 U.S.C. 3501 et seq.). The primary
modification increases the asset size threshold for compliance with
certain reporting requirements in part 363.
The estimated reporting burden for the collection of information
under part 363 is 65,612 hours per year.
Number of Respondents: 5,243.
Total Annual Responses: 15,684.
Total Annual Burden Hours: 65,612.
Regulatory Flexibility Act
The Regulatory Flexibility Act requires that each Federal agency
either certify that a proposed rule would not, if adopted in final
form, have a significant economic impact on a substantial number of
small entities or prepare an initial regulatory flexibility analysis of
the proposal and publish the analysis for comment. See 5 U.S.C. 603,
605. The Small Business Administration (SBA) defines small banks as
those with less than $150 million in assets. Because this rule
expressly exempts insured depository institutions having assets of less
than $500 million, it is inapplicable to small entities as defined by
the SBA. Therefore, it is certified that this proposed rule would not
have a significant economic impact on a substantial number of small
entities.
[[Page 71232]]
Small Business Regulatory Enforcement Fairness Act
The Small Business Regulatory Enforcement Fairness Act of 1996
(SBREFA) (Title II, Pub. L. 104-121) provides generally for agencies to
report rules to Congress and the General Accounting Office (GAO) for
review. The reporting requirement is triggered when a Federal agency
issues a final rule. The FDIC will file the appropriate reports with
Congress and the GAO as required by SBREFA. The Office of Management
and Budget has determined that the rule does not constitute a ``major
rule'' as defined by SBREFA.
List of Subjects in 12 CFR Part 363
Accounting, Administrative practice and procedure, Banks, Banking,
Reporting and recording keeping requirements.
0
For the reasons set forth in the preamble, the Board of Directors of
the FDIC hereby amends part 363 of title 12, chapter III, of the Code
of Federal Regulations as follows:
PART 363--ANNUAL INDEPENDENT AUDITS AND REPORTING REQUIREMENTS
0
1. The authority citation for part 363 continues to be read as follows:
Authority: 12 U.S.C. 1831m.
0
2. Section 363.1 is amended by revising paragraph (b)(2)(ii)(B) to read
as follows:
Sec. 363.1 Scope.
* * * * *
(b) * * *
(2) * * *
(ii) * * *
(B) Total assets of $5 billion or more and a composite CAMELS
rating of 1 or 2.
* * * * *
0
3. Section 363.2(b) is amended by revising paragraph (b)(2) and adding
paragraph (b)(3) to read as follows:
Sec. 363.2 Annual reporting requirements.
* * * * *
(b) * * *
(2) An assessment by management of the institution's compliance
with such laws and regulations during such fiscal year; and
(3) For an institution with total assets of $1 billion or more at
the beginning of such fiscal year, an assessment by management of the
effectiveness of such internal control structure and procedures as of
the end of such fiscal year.
0
4. Section 363.3 is amended by revising paragraph (b) to read as
follows:
Sec. 363.3 Independent public accountant.
* * * * *
(b) Additional reports. For each insured depository institution
with total assets of $1 billion or more at the beginning of the
institution's fiscal year, such independent public accountant shall
examine, attest to, and report separately on, the assertion of
management concerning the institution's internal control structure and
procedures for financial reporting. The attestation shall be made in
accordance with generally accepted standards for attestation
engagements.
* * * * *
0
5. Section 363.5 is amended by revising paragraph (a) to read as
follows:
Sec. 363.5 Audit committees.
(a) Composition and duties. Each insured depository institution
shall establish an audit committee of its board of directors, the
composition of which complies with paragraphs (a)(1), (2), and (3) of
this section, and the duties of which shall include reviewing with
management and the independent public accountant the basis for the
reports issued under this part.
(1) Each insured depository institution with total assets of $1
billion or more as of the beginning of its fiscal year shall establish
an independent audit committee of its board of directors, the members
of which shall be outside directors who are independent of management
of the institution.
(2) Each insured depository institution with total assets of $500
million or more but less than $1 billion as of the beginning of its
fiscal year shall establish an audit committee of its board of
directors, the members of which shall be outside directors, the
majority of whom shall be independent of management of the institution.
The appropriate Federal banking agency may, by order or regulation,
permit the audit committee of such an insured depository institution to
be made up of less than a majority of outside directors who are
independent of management, if the agency determines that the
institution has encountered hardships in retaining and recruiting a
sufficient number of competent outside directors to serve on the audit
committee of the institution.
(3) An outside director is a director who is not, and within the
preceding fiscal year has not been, an officer or employee of the
institution or any affiliate of the institution.
* * * * *
0
6. Appendix A to part 363 is amended as follows:
0
a. Footnote 2, Guideline 10, is amended by adding ``Risk Management''
after ``FDIC's Division of Supervision and Consumer Protection (DSC)'';
0
b. Guideline 16 is amended by removing ``Registration and Disclosure
Section'' and adding in its place ``Accounting and Securities
Disclosure Section'';
0
c. Guideline 22 is amended by revising the first sentence of paragraph
(a) to read as set forth below;
0
d. Guideline 27 is amended by revising the second sentence to read as
set forth below;
0
e. Guideline 28 is amended by revising paragraph (a) to read as set
forth below;
0
f. Guideline 29 is revised to read as set forth below; and
0
g. The first sentence of Guideline 36 is revised to read as set forth
below.
The revisions read as follows:
Appendix A to Part 363--Guidelines and Interpretations
* * * * *
Filing and Notice Requirements (Sec. 363.4)
22. * * *
(a) FDIC: Appropriate FDIC Regional or Area Office (Supervision
and Consumer Protection), i.e., the FDIC regional or area office in
the FDIC region or area that is responsible for monitoring the
institution or, in the case of a subsidiary institution of a holding
company, the consolidated company. * * *
* * * * *
Audit Committees (Sec. 363.5)
27. * * * At least annually, the board of an institution with $1
billion or more in total assets at the beginning of its fiscal year
should determine whether all existing and potential audit committee
members are ``independent of management of the institution'' and the
board of an institution with total assets of $500 million or more
but less than $1 billion as of the beginning of its fiscal year
should determine whether the majority of all existing and potential
audit committee members are ``independent of management of the
institution.'' * * *
28. * * *
(a) Has previously been an officer of the institution or any
affiliate of the institution;
* * * * *
29. Lack of independence. An outside director should not be
considered independent of management if such director owns or
controls, or has owned or controlled within the preceding fiscal
year, assets representing 10 percent or more of any outstanding
class of voting securities of the institution.
* * * * *
Other
36. Modifications of guidelines. The FDIC's Board of Directors
has delegated to the
[[Page 71233]]
Director of the FDIC's Division of Supervision and Consumer
Protection (DSC) authority to make and publish in the Federal
Register minor technical amendments to the Guidelines in this
appendix, in consultation with the other appropriate federal banking
agencies, to reflect the practical experience gained from
implementation of this part.* * *
* * * * *
By order of the Board of Directors.
Dated at Washington, DC, this 8th day of November, 2005.
Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.
[FR Doc. 05-23310 Filed 11-25-05; 8:45 am]
BILLING CODE 6714-01-P