|
[Main Tabs]
[Table of Contents - 2000]
[Index]
[Previous Page]
[Next Page]
[Search]
2000 - Rules and Regulations
{{4-28-06 p.3161}}
PART 363—ANNUAL INDEPENDENT AUDITS AND REPORTING
REQUIREMENTS
Sec.
363.0
OMB control number.
363.1
Scope.
363.2
Annual reporting requirements.
363.3
Independent public accountant.
363.4
Filing and notice requirements.
363.5
Audit committees.
Appendix A to Part
363—Guidelines and Interpretations
AUTHORITY: 12 U.S.C.
1831m.
SOURCE: The provisions of this Part 363 appear at 58 Fed. Reg.
31335, June 2, 1993, effective July 2, 1993, except as otherwise
noted.
§ 363.0 OMB control number.
The collecting of information requirements in this part have been
approved by the Office of Management and Budget under OMB control
number 3064--0113.
[Codified to 12 C.F.R. § 363.0]
§ 363.1 Scope.
(a) Applicability. This part applies with respect to
fiscal years of insured depository institutions which begin after
December 31, 1992. This part does not apply with respect to any fiscal
year of any insured depository institution, the total assets of which,
at the beginning of such fiscal year, are less than $500 million.
(b) Compliance by subsidiaries of holding companies.
(1) The audited financial statements requirement of § 363.2(a)
may be satisfied for an insured depository institution that is a
subsidiary of a holding company by audited financial statements of the
consolidated holding company.
(2) The other requirements of this part for an insured depository
institution that is a subsidiary of a holding company may be satisfied
by the holding company if:
(i) The services and functions comparable to those required of
the insured depository institution by this part are provided at the
holding company level; and
(ii) The insured depository institution has as of the beginning
of its fiscal year:
(A) Total assets of less than $5 billion; or
(B) Total assets of $5 billion or more and a composite CAMELS
rating of 1 or 2.
(3) The appropriate federal banking agency may revoke the
exception in paragraph (b)(2) of this section for any institution with
total assets in excess of $9 billion for any period of time during
which the appropriate federal banking agency determines that the
institution's exemption would create a significant risk to the Deposit
Insurance Fund.
[Codified to 12 C.F.R. § 363.1]
[Section 363.1 amended at 61 Fed. Reg. 6493, February 21,
1996, effective April 1, 1996; 71 Fed. Reg. 20527, April 21,
2006]
§ 363.2 Annual reporting requirements.
(a) Audited financial statements. Each insured
depository institution shall prepare annual financial statements in
accordance with generally accepted accounting principles which shall be
audited by an independent public accountant.
(b) Management report. Each insured depository
institution annually shall prepare, as of the end of the institution's
most recent fiscal year, a management report signed by its chief
executive officer and chief accounting or chief financial officer which
contains:
(1) A statement of management's responsibilities for preparing
the institution's annual financial statements, for establishing
and maintaining an adequate internal control structure and procedures
for financial reporting, and for complying with laws and
{{4-28-06 p.3162}}regulations relating to safety
and soundness which are designated by the FDIC and the appropriate
federal banking agency; and
(2) An assessment by management of the institution's compliance
with such laws and regulations during such fiscal year; and
(3) For an institution with total assets of $1 billion or more at
the beginning of such fiscal year, an assessment by management of the
effectiveness of such internal control structure and procedures as of
the end of such fiscal year.
[Codified to 12 C.F.R. § 363.2]
[Section 362.2 amended at 70 Fed. Reg. 71232, November 28, 2005,
effective December 28, 2005 and applies to part 363 annual reports with
a filing deadline (90 days after the end of an institution's fiscal
year) on or after the effective date of these
amendments]
§ 363.3 Independent public accountant.
(a) Annual audit of financial statement. Each insured
depository institution shall engage an independent public accountant to
audit and report on its annual financial statements in accordance with
generally accepted auditing standards and section 37 of the Federal
Deposit Insurance Act (12 U.S.C.
1831n). The scope of the audit engagement shall be sufficient
to permit such accountant to determine and report whether the financial
statements are presented fairly and in accordance with generally
accepted accounting principles.
(b) Additional reports. For each insured depository
institution with total assets of $1 billion or more at the beginning of
the institution's fiscal year, such independent public accountant
shall examine, attest to, and report separately on, the assertion of
management concerning the institution's internal control structure and
procedures for financial reporting. The attestation shall be made in
accordance with generally accepted standards for attestation
engagements.
(c) Notice by accountant of termination of services. An
independent public accountant performing an audit under this part who
ceases to be the accountant for an insured depository institution shall
notify the FDIC and the appropriate federal banking agency in writing
of such termination within 15 days after the occurrence of such event,
and set forth in reasonable detail the reasons for such termination.
[Codified to 12 C.F.R. § 363.3]
[Section 363.3 amended at 62 Fed. Reg. 63257, November 28, 1997,
effective January 1, 1998; 70 Fed. Reg. 71232, November 28, 2005,
effective December 28, 2005 and applies to part 363 annual reports with
a filing deadline (90 days after the end of an institution's fiscal
year) on or after the effective date of these
amendments]
§ 363.4 Filing and notice requirements.
(a) Annual reporting. Within 90 days after the end of
its fiscal year, each insured depository institution shall file with
each of the FDIC, the appropriate federal banking agency, and any
appropriate state bank supervisor, two copies of an annual report
containing audited annual financial statements, the independent public
accountant's report thereon, management's statements and assessments,
and the independent public accountant's attestation report concerning
the institution's internal control structure and procedures for
financial reporting as required by §§ 363.2(a), 363.3(a), 363.2(b),
and 363.3(b) respectively;
(b) Public availability. The annual report in paragraph
(a) of this section shall be available for public inspection.
(c) Independent accountant's reports. Each insured
depository institution shall file with the FDIC, the appropriate
federal banking agency, and any appropriate state bank supervisor, a
copy of any management letter, qualification, or other report issued by
its independent public accountant with respect to such institution and
the services provided by such accountant pursuant to this part within
15 days after receipt.
(d) Notice of engagement or change of accountants. Each
insured depository institution shall provide, within 15 days after the
occurrence of any such event, written notice to the
{{12-30-05 p.3162.01}}FDIC, the
appropriate federal banking agency, and any appropriate state bank
supervisor of the engagement of an independent public accountant, or
the resignation or dismissal of the independent public accountant
previously engaged. The notice shall include a statement of the reasons
for any such event in reasonable detail.
[Codified to 12 C.F.R. § 363.4]
[Section 363.4 amended at 61 Fed. Reg. 6493, February 21,
1996, effective April 1, 1996; 62 Fed. Reg. 63257, November 28, 1997,
effective January 1, 1998]
§ 363.5 Audit committees.
(a) Composition and duties. Each insured depository
institution shall establish an audit committee of its board of
directors, the composition of which complies with paragraphs (a)(1),
(2), and (3) of this section, and the duties of which shall include
reviewing with management and the independent public accountant the
basis for the reports issued under this part.
(1) Each insured depository institution with total assets of $1
billion or more as of the beginning of its fiscal year shall establish
an independent audit committee of its board of directors, the members
of which shall be outside directors who are independent of management
of the institution.
(2) Each insured depository institution with total assets of $500
million or more but less than $1 billion as of the beginning of its
fiscal year shall establish an audit committee of its board of
directors, the members of which shall be outside directors, the
majority of whom shall be independent of management of the institution.
The appropriate Federal banking agency may, by order or regulation,
permit the audit committee of such an insured depository institution to
be made up of less than a majority of outside directors who are
independent of management, if the agency determines that the
institution has encountered hardships in retaining and recruiting a
sufficient number of competent outside directors to serve on the audit
committee of the institution.
(3) An outside director is a director who is not, and within the
preceding fiscal year has not been, an officer or employee of the
institution or any affiliate of the institution.
(b) Committees of large institutions. The audit
committee of any insured depository institution that has total assets
of more than $3 billion, measured as of the beginning of each fiscal
year, shall include members with banking or related financial
management expertise, have access to its own outside counsel, and not
include any large customers of the institution. If a large institution
is a subsidiary of a holding company and relies on the audit committee
of the holding company to comply with this rule, the holding company
audit committee shall not include any members who are large customers
of the subsidiary institution.
[Codified to 12 C.F.R. § 363.5]
[Section 363.5 amended at 61 Fed. Reg. 6493, February 21, 1996,
effective April 1, 1996; 70 Fed. Reg. 71232, November 28, 2005,
effective December 28, 2005 and applies to part 363 annual reports with
a filing deadline (90 days after the end of an institution's fiscal
year) on or after the effective date of these
amendments]
Appendix A to Part 363—Guidelines and Interpretations
Table of Contents
Introduction
Scope of Rule (§ 363.1)
1. Measuring Total Assets
2. Insured Branches of Foreign Banks
3. Compliance by Holding Company Subsidiaries
4. Comparable Services and Functions
Annual Reporting Requirements (§ 363.2)
5. Annual Financial Statements
6. Holding Company Statements
{{12-30-05 p.3162.02}}
7. Insured Branches of Foreign Banks
8. Management Report
9. Safeguarding of Assets
10. Standards for Internal Controls
11. Service Organizations
12. Compliance with Laws and Regulations
Role of Independent Public Accountant (§ 363.3)
13. General Qualifications
14. Independence
15. Peer Reviews
16. Filing Peer Review Reports
17. Information to Independent Public Accountant
18. Attestation Report
19. Reviews with Audit Committee and Management
20. Notice of Termination
21. Reliance on Internal Auditors
Filing and Notice Requirements (§ 363.4)
22. Place for Filing
23. Relief From Filing Deadlines
24. Public Availability
25. Independent Public Accountant's Reports
26. Notices Concerning Accountants
Audit Committees (§ 363.5)
27. Composition
28. "Independent of Management" Considerations
29. Lack of Independence
30. Holding Company Audit Committees
31. Duties
32. Banking or Related Financial Management Expertise
33. Large Customers
34. Access to Counsel
35. Forming and Restructuring Audit Committees
Other
36. Modifications of Guidelines
Introduction
Congress added section 36, "Early Identification of Needed
Improvements in Financial Management" (section 36), to the Federal
Deposit Insurance Act (FDI Act) in 1991.
The FDIC Board of Directors adopted 12 CFR part 363 of its rules and
regulations (the Rule) to implement those provisions of section 36 that
require rulemaking. The FDIC also approved these "Guidelines and
Interpretations" (the Guidelines) and directed that they be
published with the Rule to facilitate a better understanding of, and
full compliance with, the provisions of section 36.
Although not contained in the Rule itself, some of the guidance
offered restates or refers to statutory requirements of section 36 and
is therefore mandatory. If that is the case, the statutory provision is
cited.
Furthermore, upon adopting the Rule, the FDIC reiterated its belief
that every insured depository institution, regardless of its size or
charter, should have an annual audit of its financial statements
performed by an independent public accountant, and should establish an
audit committee comprised entirely of outside directors.
The following Guidelines reflect the views of the FDIC concerning
the interpretation of section 36. The Guidelines are intended to assist
insured depository institutions (institu-
{{12-30-05 p.3162.03}}tions), their
boards of directors, and their advisors, including their independent
public accountants and legal counsel, and to clarify section 36 and the
Rule. It is recognized that reliance on the Guidelines may result in
compliance with section 36 and the Rule which may vary from institution
to institution. Terms which are not explained in the Guidelines have
the meanings given them in the Rule, the FDI Act, or professional
accounting and auditing literature.
Scope of Rule
(§ 363.1)
1. Measuring Total Assets. To determine whether this
part applies, an institution should use total assets as reported on its
most recent Report of Condition (Call Report) or Thrift Financial
Report (TFR), the date of which coincides with the end of its preceding
fiscal year. If its fiscal year ends on a date other than the end of a
calendar quarter, it should use its Call Report or TFR for the quarter
end immediately preceding the end of its fiscal year.
2. Insured Branches of Foreign Banks. Unlike other
institutions, insured branches of foreign banks are not separately
incorporated or capitalized. To determine whether this part applies, an
insured branch should measure claims on non-related parties reported on
its Report of Assets and Liabilities of U.S. Branches and Agencies of
Foreign Banks (form FFIEC 002).
3. Compliance by Holding Company Subsidiaries. Audited
consolidated financial statements and other reports or notices required
by this part which are submitted by a holding company for any
subsidiary institution, should be accompanied by a cover letter
identifying all subsidiary institutions to which they pertain. An
institution filing holding company consolidated financial statements as
permitted by § 363.1(b) also may report on changes in its independent
public accountant on a holding company basis. An institution that does
not meet the criteria in section 36(i) must satisfy the remaining
provisions of the statute and this part on an individual institution
basis, and maintain its own audit committee. Multi-tiered holding
companies may satisfy all requirements of this part at any level.
4. Comparable Services and Functions. Services and
functions will be considered "comparable" to those required by
this part if the holding company:
(a) Prepares reports used by the subsidiary institution to meet
the requirements of this part;
(b) Has an audit committee that meets the requirements of this
part appropriate to its largest subsidiary institution; and
(c) Prepares and submits the management assessments of the
effectiveness of the internal control structure and procedures for
financial reporting (internal controls), and compliance with the
designated laws defined in guideline 12 based on information concerning
the relevant activities and operations of those subsidiary institutions
within the scope of the rule.
Annual Reporting Requirements
(§ 363.2)
5. Annual Financial Statements. Each institution should
prepare comparative annual consolidated financial statements (balance
sheets, statements of income, changes in equity capital, and cash
flows, with accompanying footnote disclosures) in accordance with
generally accepted accounting principles (GAAP) for each of its two
most recent fiscal years. Statements for the earlier year may be
presented on an unaudited basis if the institution was not subject to
this part for that year and audited statements were not prepared.
6. Holding Company Statements. Subsidiary institutions
may file copies of their holding company's audited financial
statements filed with the Securities and Exchange Commission (SEC) or
prepared for their FR Y--6 Annual Report under the Bank Holding Company
Act of 1956.
7. Insured Branches of Foreign Banks. An insured branch
of a foreign bank should satisfy the financial statements requirement
by filing one of the following for the two preceding fiscal
years:
{{12-30-05 p.3162.04}}
(a) Audited balance sheets, disclosing information about
financial instruments with off-balance-sheet risk;
(b) Schedules RAL and L of form FFIEC 002, prepared and audited
on the basis of the instructions for its preparation; or
(c) With written approval of the appropriate federal banking
agency, consolidated financial statements of the parent bank.
8. Management Report. Management should perform its own
investigation and review of the effectiveness of internal controls and
compliance with the Designated Laws defined in Guideline 12. Management
also should maintain records of its determinations and assessments
until the next federal safety and soundness examination, or such later
date as specified by the FDIC or appropriate federal banking agency.
Management should provide in its assessment of the effectiveness of
internal controls, or supplementally, sufficient information to enable
the accountant to report on its assertions. The management report of an
insured branch of a foreign bank should be signed by the branch's
managing official if the branch does not have a chief executive or
financial officer.
9. Safeguarding of Assets. "Safeguarding of
assets," as the term relates to internal control policies and
procedures regarding financial reporting and which has precedent in
accounting literature, should be encompassed in the management report
and the independent public accountant's attestation discussed in
guideline 18. Testing the existence of and compliance with internal
controls on the management of assets, including loan underwriting and
documentation, represents a reasonable implementation of section 36.
The FDIC expects such internal controls to be encompassed by the
assertion in the management report, but the term "safeguarding of
assets" need not be specifically stated. The FDIC does not require
the accountant to attest to the adequacy of safeguards, but does
require the accountant to determine whether safeguarding policies
exist. 1
10. Standards for Internal Controls. Each institution
should determine its own standards for establishing, maintaining, and
assessing the effectiveness of its internal
controls. 2
11. Service Organizations. Although service
organizations should be considered in determining if internal controls
are adequate, an institution's independent public accountant, its
management, and its audit committee should exercise independent
judgment concerning that determination. Onsite reviews of service
organizations may not be necessary to prepare the report required by
the Rule, and the FDIC does not intend that the Rule establish any such
requirement.
12. Compliance with Laws and Regulations. The designated
laws and regulations are the federal laws and regulations concerning
loans to insiders and the federal and state laws and regulations
concerning dividend restrictions (the Designated Laws). Table 1 to this
Appendix A lists the designated federal laws and regulations pertaining
to insider loans and dividend restrictions that are applicable to each
type of institution.
Role of Independent Public Accountant
(§ 363.3)
13. General Qualifications. To provide audit and attest
services to insured depository institutions, an independent public
accountant should be registered or licensed to practice as
{{6-30-06 p.3162.05}}a public
accountant, and be in good standing, under the laws of the state or
other political subdivision of the United States in which the home
office of the institution (or the insured branch of a foreign bank) is
located. As required by section 36(g)3(A)(i), the accountant must agree
to provide copies of any workpapers, policies, and procedures relating
to services performed under this part.
14. Independence. The Independent public accountant also
should be in compliance with the AICPA's Code of Professional
Conduct and meet the independence requirements and interpretations
of the SEC and its staff.
15. Peer Reviews. As required by section 36(g)3(A)(ii),
the independent public accountant must have received, or be enrolled
in, a peer review that meets acceptable guidelines. The following peer
review guidelines are acceptable:
(a) The external peer review should be conducted by an
organization independent of the accountant or firm being reviewed, as
frequently as is consistent with professional accounting practices;
(b) The peer review should be generally consistent with AICPA
standards; 3
and
(c) The review should include, if available, at least one audit
on an insured depository institution or consolidated financial holding
company. Peer review working papers are to be retained for 120 days
after the peer review report is filed with the FDIC, and be made
available to the FDIC upon request, in a form consistent with the
SEC's agreement with the accounting profession.
16. Filing Peer Review Reports. Within 15 days of
receiving notification that the peer review has been accepted, or
before commencing any audit under the Rule, whichever is earlier, two
copies of the most recent peer review report, accompanied by any letter
of comments and letter of response, should be filed by the independent
public accountant (if not already on file) with the FDIC, Accounting
and Securities Disclosure Section, 550 17th Street N.W., Washington,
D.C. 20429, where they will be available for public inspection. All
corrective action required under any qualified peer review report
should have been taken before commencing services under this Rule.
17. Information to Independent Public Accountant.
Attention is directed to section 36(h) which requires institutions to
provide specified information to their accountants. An institution also
should provide its accountant with copies of any notice that the
institution's capital category is being changed or reclassified under
section 38 of the FDI Act,
and any correspondence from the appropriate federal banking agency
concerning compliance with this part.
18. Attestation Report. The independent public
accountant should provide the institution with an internal controls
attestation report and any management letter at the conclusion of the
audit as required by section 36(c)(1). If a holding company subsidiary
relies on its holding company management report, the accountant may
attest to and report on the management's assertions in one report,
without reporting separately on each subsidiary covered by the Rule.
The FDIC has determined that management letters are exempt from public
disclosure.
19. Reviews with Audit Committee and Management. The
independent public accountant should meet with the institution's audit
committee to review the accountant's reports required by this part
before they are filed. It also may be appropriate for the accountant to
review its findings with the institution's board of directors and
management.
20. Notice of Termination. The notice required by
§ 363.3(c) should state whether the independent public accountant
agrees with the assertions contained in any notice filed by the
institution under § 363.4(d), and whether the institution's notice
discloses all relevant reasons.
21. Reliance on Internal Auditors. Nothing in this part
or this appendix is intended to preclude the ability of the independent
public accountant to rely on the work of an institution's internal
auditor.
{{6-30-06 p.3162.06}}
Filing and Notice Requirements
(§ 363.4)
22. Place for Filing. Except for peer review reports
filed pursuant to Guideline 16, all reports and notices required by,
and other communications or requests made pursuant to, the Rule should
be filed as follows:
(a) FDIC: Appropriate FDIC Regional or Area
Office (Supervision and Consumer Protection), i.e., the FDIC
regional or area office in the FDIC region or area that is responsible
for monitoring the institution or, in the case of a subsidiary
institution of a holding company, the consolidated company. A filing
made on behalf of several covered institutions owned by the same parent
holding company should be accompanied by a transmittal letter
identifying all of the institutions covered.
(b) Office of the Comptroller of the Currency (OCC): appropriate
OCC Supervisory Office.
(c) Federal Reserve: Appropriate Federal Reserve Bank.
(d) Office of Thrift Supervision (OTS): appropriate OTS District
Office.
(e) State bank supervisor: the filing office of the appropriate
state bank supervisor.
23. Relief from Filing Deadlines. Although the
reasonable deadlines for filings and other notices established by this
part are specified, some institutions may occasionally be confronted
with extraordinary circumstances beyond their reasonable control that
may justify extensions of a deadline. In that event, upon written
application from an insured depository institution, setting forth the
reasons for a requested extension, the FDIC or appropriate federal
banking agency may, for good cause, extend a deadline in this part for
a period not to exceed 30 days.
24. Public Availability. Each institution's annual
report should be available for public inspection at its main and branch
offices no later than 15 days after it is filed with the FDIC.
Alternatively, an institution may elect to mail one copy of its annual
report to any person who requests it. The annual report should remain
available to the public until the annual report for the next year is
available. An institution may use its annual report under this part to
meet the annual disclosure statement required by
12 CFR 350.3, if the
institution satisfies all other requirements of 12 CFR Part 350.
25. Independent Public Accountant's Reports. Section
36(h)(2)(A) requires that, within 15 days of receipt by an institution
of any management letter or other report, such letter or other report
shall be filed with the FDIC, any appropriate federal banking agency,
and any appropriate state bank supervisor. Institutions and their
accountants are encouraged to coordinate preparation and delivery of
audit and attestation reports and filing the annual report, to avoid
duplicate filings.
26. Notices Concerning Accountants. Institutions should
review and satisfy themselves as to compliance with the required
qualifications set forth in guidelines 13--15 before engaging an
independent public accountant. With respect to any selection, change or
termination of an accountant, institutions should be familiar with the
notice requirements in guideline 21, and should send a copy of any
notice under § 363.4(d) to the accountant when it is filed with the
FDIC. An institution which files reports with its appropriate federal
banking agency under, or is a subsidiary of a holding company which
files reports with the SEC pursuant to, the Securities Exchange Act of
1934 may use its current report (e.g., SEC Form 8--K)
concerning a change in accountant to satisfy the similar notice
requirements of this part.
Audit Committees
(§ 363.5)
27. Composition. The board of directors of each
institution should determine if outside directors meet the requirements
of section 36 and this part. At least annually, the board of an
institution with $1 billion or more in total assets at the
beginning of its fiscal year should determine whether all existing
and potential audit committee members are "independent of
management of the institution" and the board of an institution
with total assets of $500 million or more but less than $1 billion
as of the beginning of its fiscal year should determine whether
the
{{12-30-05 p.3162.07}}majority of all
existing and potential audit committee members are "independent of
management of the institution." Because an insured branch of a
foreign bank does not have a separate board of directors, the FDIC will
not apply the audit committee requirements to such branch. However, any
such branch is encouraged to make a reasonable good faith effort to see
that similar duties are performed by persons whose experience is
generally consistent with the Rule's requirements for an institution
the size of the insured branch.
28. "Independent of Management" Considerations. In
determining whether an outside director is independent of management,
the board should consider all relevant information. This would include
considering whether the director:
(a) Has previously been an officer of the institution or any
affiliate of the institution;
(b) Serves or served as a consultant, advisor, promoter,
underwriter, legal counsel, or trustee of or to the institution or its
affiliates;
(c) Is a relative of an officer or other employee of the
institution or its affiliates;
(d) Holds or controls, or has held or controlled, a direct or
indirect financial interest in the institution or its affiliates; and
(e) Has outstanding extensions of credit from the institution or
its affiliates.
29. Lack of Independence. An outside director should not
be considered independent of management if such director owns or
controls, or has owned or controlled within the preceding fiscal year,
assets representing 10 percent or more of any outstanding class of
voting securities of the institution.
30. Holding Company Audit Committees. When an insured
depository institution subsidiary fails to meet the requirements for
the holding company exception in § 363.1(b)(2) or maintains its own
separate audit committee to satisfy the requirements of this part,
members of the independent audit committee of the holding company may
serve as the audit committee of the subsidiary institution if they are
otherwise independent of management of the subsidiary, and, if
applicable, meet any other requirements for a large subsidiary
institution covered by this part. However, this does not permit
officers or employees of a holding company to serve on the audit
committee of its subsidiary institutions. When the subsidiary
institution satisfies the requirements for the holding company
exception in § 363.1(b)(2), members of the audit committee of the
holding company should meet all the membership requirements applicable
to the largest subsidiary depository institution and may perform all
the duties of the audit committee of a subsidiary institution, even
though such holding company directors are not directors of the
institution.
31. Duties. The audit committee should perform all
duties determined by the institution's board of directors. The duties
should be appropriate to the size of the institution and the complexity
of its operations, and include reviewing with management and the
independent public accountant the basis for their respective reports
issued under §§ 363.2(a) and (b) and 363.3(a) and (b). Appropriate
additional duties could include:
(a) Reviewing with management and the independent public
accountant the scope of services required by the audit, significant
accounting policies, and audit conclusions regarding significant
accounting estimates;
(b) Reviewing with management and the accountant their
assessments of the adequacy of internal controls, and the resolution of
identified material weaknesses and reportable conditions in internal
controls, including the prevention or detection of management override
or compromise of the internal control system;
(c) Reviewing with management and the accountant the
institution's compliance with laws and regulations;
(d) Discussing with management the selection and termination of
the accountant and any significant disagreements between the accountant
and management; and
(e) Overseeing the internal audit function.
It is recommended that audit committees maintain minutes and other
relevant records of their meetings and decisions.
32. Banking or Related Financial Management Expertise.
At least two members of the audit committee of a large institution
shall have "banking or related financial management expertise" as
required by section 36(g)(1)(C)(i). This determination is to be made by
the
{{12-30-05 p.3162.08}}board of directors
of the insured depository institution. A person will be considered to
have such required expertise if the person has significant executive,
professional, educational, or regulatory experience in financial,
auditing, accounting, or banking matters as determined by the board of
directors. Significant experience as an officer or member of the board
of directors or audit committee of a financial services company would
satisfy these criteria.
33. Large Customers. Any individual or entity (including
a controlling person of any such entity) which, in the determination of
the board of directors, has such significant direct or indirect credit
or other relationships with the institution, the termination of which
likely would materially and adversely affect the institution's
financial condition or results of operations, should be considered a
"large customer" for purposes of § 363.5(b).
34. Access to Counsel. The audit committee should be
able to retain counsel at its discretion without prior permission of
the institution's board of directors or its management. Section 36
does not preclude advice from the institution's internal counsel or
regular outside counsel. It also does not require retaining or
consulting counsel, but if the committee elects to do either, it also
may elect to consider issues affecting the counsel's independence.
Such issues would include whether to retain or consult only counsel not
concurrently representing the institution or any affiliate, and whether
to place limitations on any counsel representing the institution
concerning matters in which such counsel previously participated
personally and substantially as outside counsel to the committee.
35. Forming and Restructuring Audit Committees. Audit
committees should be formed within four months of the effective date of
this part. Some institutions may have to restructure existing audit
committees to comply with this part. No regulatory action will be taken
if institutions restructure their audit committees by the earlier of
their next annual meeting of stockholders, or one year from the
effective date of this part.
Other
36. Modifications of Guidelines. The FDIC's Board of
Directors has delegated to the Director of the FDIC's Division of
Supervision and Consumer Protection (DSC) authority to make and publish
in the Federal Register minor technical amendments to the
Guidelines in this appendix, in consultation with the other appropriate
federal banking agencies, to reflect the practical experience gained
from implementation of this part. It is not anticipated any such
modification would be effective until affected institutions have been
given reasonable advance notice of the modification. Any material
modification or amendment will be subject to review and approval of the
FDIC Board of Directors.
Table 1 to Appendix
A
Designated
Federal Laws and Regulations Applicable
to
|
|
National banks |
State member
banks |
State non- member banks |
Savings associa- tions
|
|---|
| Insider Loans--Parts and/or Sections of Title
12 of the United States
Code |
| 375a |
Loans to
Executive Officers of
Banks. |
 |
|
(1) |
(1) |
| 375b |
Prohibitions
Respecting Loans and Extensions of Credit to Executive Officers and
Directors of Banks, Political Campaign, Committees,
etc. |
|
|
(1) |
(1) |
| 1468(b) |
Extensions
of Credit to Executive Officers, Directors, and Principal
Shareholders. |
|
|
|
|
| 1828(j)(2) |
Provisions
Relating to Loans, Extensions of Credit, and Other Dealings Between
Member Banks and Their Affiliates, Executive Officers, Directors,
etc. |
|
|
|
{{12-30-05 p.3162.09}}
|
| 1828(j)(3)(B) |
Extensions
of Credit Applicability of Provisions Relating to Loans, Extensions of
Credit, and Other Dealings Between Insured Branches of Foreign Banks
and Their
Insiders. |
(2) |
|
(3) |
|
| Parts
and/or Sections of Title 12 of the Code of Federal
Regulations |
| 23.5 |
Application of Legal Lending Limits;
Restrictions on Transactions With
Affiliates. |
|
|
|
|
| 31 |
Extensions of
Credit to National Bank
Insiders |
|
|
|
|
| 215 |
Subpart
A--Loans by Member Banks to Their Executive Officers, Directors, and
Principal
Shareholders. |
|
|
(4) |
(5) |
|
Subpart
B--Reports of Indebtedness of Executive Officers and Principal
Shareholders of Insured Nonmember
Banks. |
|
|
(4) |
(5) |
| 337.3 |
Limits
on Extensions of Credit to Executive Officers, Directors, and Principal
Shareholders of Insured Nonmember
Banks. |
|
|
|
|
| 349.3 |
Reports by
Executive Officers and Principal
Shareholders |
|
|
|
|
| 563.43 |
Loans
by Savings Associations to Their Executive Officers, Directors, and
Principal
Shareholders. |
|
|
|
|
| Dividend
Restrictions--Parts and/or Sections of Title 12 of the United States
Code |
| 56 |
Prohibition on Withdrawal of Capital and Unearned
Dividends |
|
|
|
|
| 60 |
Dividends and
Surplus
Funds |
|
|
|
|
| 1467a(f) |
Declaration
of
Dividends |
|
|
|
|
| 1831o |
Prompt
Corrective Action--Dividend
Restrictions |
|
|
|
|
| Parts
and/or Sections of Title 12 of the Code of Federal
Regulations |
| 5.61 |
Payment of dividends; capital
limitations |
|
|
|
|
| 5.62 |
Payment
of dividends; earnings
limitation |
|
|
|
|
| 6.6 |
Prompt
Corrective Action--Dividend
Restrictions |
|
|
|
|
| 7.6120 |
Dividends
Payable in Property Other Than
Cash |
|
|
|
|
| 208.19 |
Payments of
Dividends |
|
|
|
|
| 208.35 |
Prompt
Corrective
Action |
|
|
|
|
| 325.105 |
Prompt
Corrective
Action |
|
|
|
|
| 563.134 |
Capital
Distributions |
|
|
|
|
| 565 |
Prompt
Corrective Action |
|
|
|
| |
1Subsections (g) and (h) only.
2Applies only to insured federal branches of foreign banks.
3Applies only to insured state branches of foreign
banks.
{{12-30-05 p.3162.10}}
4See 12 CFR parts 337.3 and 349.3.
5See 12 CFR part 563.43.
[Codified to 12 C.F.R. Part 363, Appendix A]
[Appendix A to Part 363 amended at 61 Fed. Reg. 6494, February 21,
1996, effective April 1, 1996; 62 Fed. Reg. 63259, November 28, 1997,
effective January 1, 1998; 70 Fed. Reg. 71232, November 28, 2005,
effective December 28, 2005 and applies to part 363 annual reports with
a filing deadline (90 days after the end of an institution's fiscal
year) on or after the effective date of these
amendments]
NOTE
Preamble to Part 363
III. Background
In September 1992, the FDIC proposed regulations (57 FR 42516, Sept.
15, 1992) to implement the provisions of section 112 of FDICIA,
entitled "Independent Annual Audits of Insured Depository
Institutions." The requirements of section 112 apply to fiscal years
of insured depository institutions that begin after December 31, 1992.
The new statutory provision, contained in section 36, requires the
FDIC, in consultation with the appropriate federal banking agencies, to
promulgate regulations requiring institutions over a certain asset size
to have an annual independent audit of their financial statements in
accordance with generally accepted auditing standards and section 37of
the FDI Act, and the institution's independent public accountant to
notify the FDIC upon termination of services. Section 36 also requires
the federal banking agencies jointly to issue rules of practice
governing enforcement actions against independent public accountants.
IV. Discussion of Final Rule and Public Comments
Section 36 requires the FDIC, in consultation with the other
appropriate federal banking agencies, to prescribe regulations
concerning only a few specified provisions of the statute. It also
permits, but does not require, the FDIC to undertake rulemaking
pursuant to its general rulemaking authority concerning other
provisions of the statute.
The FDIC has elected to limit, with few exceptions, its rulemaking
to a final rule to implement those provisions of section 36 which
specifically require rulemaking. It is persuaded that the approach is
consistent with the letter and spirit of the law and with comments
received, with which the FDIC concurs, that the final rule not impose
unnecessary regulatory burdens, provide appropriate flexibility, and be
reasonably cost-effective.
Accordingly, the final rule implements the "Annual Independent
Audits of Financial Statements" requirement of section 36(d)(1) of
the FDI Act and the "Notice by Accountant of Termination of
Services" requirement of section 36(g)(5). The FDIC anticipates
that, jointly with the other appropriate federal banking agencies, it
promptly will issue rules of practice with respect to removal,
suspension or bar of an independent public accountant from performing
audit services for insured depository institutions as required by
section 36(g)(4).
The final rule also restates, by way of emphasis, selective
provisions of the statute. That is not intended, however, to imply that
the FDIC does not expect affected insured depository institutions to
comply with all provisions of the statute. Instead, it makes clear that
the final rule does not expand the scope of interpretation of the
statutory requirements.
The FDIC received over 305 comment letters concerning the proposed
rule. The largest group of comments, approximately 120, was from banks,
about eight percent of which were institutions that were exempt from
proposed Part 363. Another 23 percent were from bank holding companies,
including most of the 25 largest in the United States. Twenty-two
letters were from thrifts, four of which are among the ten largest in
the country.
The FDIC has reviewed the proposal in light of these comments. The
majority of the commenters criticized the proposed requirements, and
the cost to comply with the proposed rule. The comments are discussed
below.
A. Scope.
Section 36 left to the FDIC's discretion whether to exempt
institutions having total assets in excess of $150 million. The FDIC
has exercised its discretion to mitigate the financial burden of
compliance by raising
{{10-31-07 p.3162.11}}the threshold from
$150 million to $500 million, thereby exempting from the final rule
approximately two-thirds of institutions that would have been subject
to section 36, but which pose less of a risk to the deposit insurance
funds, while bringing approximately 75 percent of the banking assets in
the U.S. within the scope of the regulation.
More than 96 percent of institutions with $500 million or more in
total assets report they already engage an independent public
accountant to perform an annual audit of their financial statements or
that their parent company engages an independent public accountant to
do the same for its consolidated statements. All of the remaining
institutions in this asset range engage an independent public
accountant to provide some audit services. Many of these institutions
or their holding companies also have audit committees that comply with
the final rule. These facts suggest the final rule will not impose
unacceptable burdens on affected institutions.
Compliance by Subsidiaries of Holding Companies
The requirements for an independent audit may be satisfied for
subsidiaries of holding companies by an independent audit of the
holding company. The other requirements of section 36 may be satisfied
for subsidiaries if "services and functions" comparable to those
required by the statute are provided at the holding company level, and,
either the institution has total assets, as of the beginning of each
fiscal year, of less than $5 billion; or, total assets between $5
billion and $9 billion, and it received a CAMEL (or comparable) rating
of one or two at its most recent examination.
If a subsidiary meets the foregoing criteria, an independent public
accountant may examine and attest to the subsidiary's assertions on the
consolidated entity's internal control system, and would not be
required to examine and attest to the systems of each subsidiary.
B. Reporting Requirements
1. Definitions
Definitions in the proposed rule have been eliminated in the final
rule. Certain relevant terms are already defined in the FDI Act and
professional accounting and auditing literature.
2. Annual Report
The final rule requires each covered institution to prepare an
annual report containing financial statements prepared in accordance
with generally accepted accounting principles (GAAP) that have been
audited by an independent public accountant, and to file such report
within 90 days after the end of each fiscal year. The FDIC has adopted
commenters' suggestions that the language of the final rule more
closely track the statute.
The proposal that institutions may use Call Report items or an audit
of the Call Report schedules has been deleted as being unnecessarily
confusing, and because such schedules do not comply with GAAP. In
addition, a proposed provision on consolidation has been eliminated.
Many commenters requested that the FDIC delete the proposed
provision requiring an audited reconciliation of an institution's
capital reported under GAAP with the capital calculated under
regulatory capital standards. Because this reconciliation is not
specifically required by the statute, the FDIC eliminated it from the
final rule.
3. Management Report
Internal controls for financial reporting. Section 36
requires that each institution prepare an annual report containing a
statement of management's responsibility for establishing and
maintaining an adequate internal control structure and an assessment of
the effectiveness of internal controls for financial reporting.
To comply with the reporting and attestation requirements of the
final rule, both management and the independent public accountant
should refer to terms, including "internal control structure" and
"control procedures," in professional accounting and auditing
literature.
The FDIC sought comment on whether it should leave the development
of internal control criteria to institutions. After careful
consideration, the FDIC has decided that each institution should
determine its own standard for an internal control structure and
procedures for financial reporting, but that any assessment by
management should include sufficient information to enable the
independent public accountant separately to examine and report on
management's assessment.
In response to a number of suggestions, the FDIC has removed the
proposed requirement that "material matters" be as-
{{10-31-07 p.3162.12}}sessed. Nevertheless,
an assessment must include all significant items.
Compliance with laws and regulations. Section 36 requires
management to assess its own compliance with designated laws and
regulations, and to evaluate the effectiveness of the operation of its
internal control structure and procedures for compliance with such laws
and regulations.
The final rule also requires that a covered institution engage an
independent public accountant to report on procedures for compliance
with designated laws and regulations. In response to requests from many
commenters the proposed requirement that management provide a
description of its handling of material weaknesses and inadequacies and
other reportable conditions was deleted. Commenters correctly pointed
out that these matters should be resolved by the independent public
accountant and management working together to determine the appropriate
action to correct any deficiency. The proposal that institutions submit
the names and occupations of audit committee members also was deleted
because this information is available to examiners.
Many commenters addressed the proposal that an independent public
accountant provide negative assurance that an institution has complied
with FDIC assessment requirements. They noted section 36 does not
require this, and that to require FDIC assessment auditors and
independent public accountants to review the assessment calculations is
duplicative and would result in unjustifiable additional expense.
Accordingly, the FDIC has eliminated the requirement in the final
regulation.
Many commenters requested that the accountant's management letter be
eliminated from the filing requirement. However, section 36
specifically requires that the management letter, audit report, and any
other report provided by the independent public accountant during the
year be filed within 15 days of its receipt.
In the final rule, the proposed requirement that institutions retain
workpapers documenting management's review of its statements in the
management report has been eliminated because it is not required by
section 36, and is not essential to the rule.
Notice of engagement or change of accountants. The final
rule establishes notice requirements for institutions whenever there is
a change of accountant. Several commenters questioned whether
institutions had to notify the FDIC and appropriate federal banking
agency immediately after the final rule is effective. Those
institutions that have already notified the FDIC and the
appropriate federal banking agency of their accountant's identity
need make no additional notification until there is a change in
accountant.
C. Independent Public Accountant Reporting and Notice
Requirements
1. Internal Control Attestation
The final rule requires institutions to engage an independent public
accountant to perform an examination level attestation and report
separately on the assertions contained in management's report regarding
management's assessment of the effectiveness of the institution's
internal control structure and procedures for financial reporting. The
attestation should be as of the date of management's assertions and
should be in accordance with generally accepted standards for
attestation engagements.
2. Compliance With Laws and Regulations Attestation
The final rule requires that each institution engage an independent
public accountant to test the institution's compliance with designated
laws and regulations through the performance of agreed upon procedures.
The Guidelines set forth such procedures.
3. Other Duties of Independent Public Accountants
The proposal required the independent public accountant to inform
the appropriate federal banking agency of any apparent criminal
violation if management had not already done so. A number of commenters
objected to this requirement because it is not specifically mandated by
section 36, and it does not allow time for the institution to
investigate the alleged violation before it must be reported to
regulators. The comments are valid and the provision has been deleted.
4. Notice by Accountant of Termination of Services
The FDIC could not adopt the suggestion of some commenters that the
accountant notice provisions be deleted. Section 36 requires such
notice. However, the final rule extends from five days to 15 days the
period of time within which an independent public accountant must file
a termination of services report.
{{10-31-07 p.3162.13}}
D. Audit Committees
Section 36 requires that each institution have an independent audit
committee entirely made up of outside directors who are independent of
the institution. For large institutions, as defined in the final rule,
there are additional criteria: The large institution's audit committee
must include members with banking or related management experience,
have access to its own outside counsel, and not include any large
customers of the institution.
The final rule reiterates the requirements of the statute, but does
not include specific definitions of "independent person,"
"large customer," and "banking and financial management
expertise". The FDIC expects boards of directors to determine if an
outside director meets audit committee requirements. Such a
determination will be subject to review by examiners.
The FDIC requested comment on its proposed definition of
"large institution". A large majority of commenters
recommended that the proposed large institution asset threshold be
increased. After careful consideration, the FDIC has adopted an asset
threshold of $3 billion. With this threshold, fewer than 2 percent of
the nation's institutions will be defined as "large", yet more
than half of the assets insured by the Bank Insurance Fund and the
Savings Association Insurance Fund will receive the additional
protection afforded by the presence of independent directors who have
banking or financial management expertise, and are not large customers
of the institution.
E. Insured Branches of Foreign Banks
A few commenters noted that the proposal did not separately
address the responsibilities of insured branches of foreign banks.
Application of section 36 statutory requirements to such branches is
complicated because, unlike other institutions, they are not separately
incorporated or capitalized. The Guidelines facilitate compliance by
such branches.
[The page following this is 3165.]
1It is management's responsibility to establish policies
concerning underwriting and asset management and to make credit
decisions. The auditor's role is to test compliance with management's
policies relating to financial reporting. Go Back to Text
2In considering what information is needed on safeguarding of
assets and standards for internal controls, management may review
guidelines provided by its primary federal regulator; the FDIC's
Division of Supervision and Consumer Protection (DSC) Risk Management
Manual of Examination Policies; the Federal Reserve Board's Commercial
Bank Examination Manual and other relevant regulations; the Office of
Thrift Supervision's Thrift Activities Handbook; the Comptroller of
the Currency's Handbook for National Bank Examiners; and standards
published by professional accounting organizations, such as the
American Institute of Certified Public Accountants' (AICPA) Statement
on Auditing Standards No. 55, "Consideration of the Internal Control
Structure in a Financial Statement Audit," as amended by Statement
of Auditing Standards No. 78; the Committee of Sponsoring Organizations
(COSO) of the Treadway Commission's Internal Control--Integrated
Framework, including its addendum on safeguarding of assets; and
other internal control standards published by the AICPA, other
accounting or auditing professional associations, and financial
institution trade associations. Go Back to Text
3These would include Standards for Performing and Reporting on
Peer Reviews, codified in the SEC Practice Section Reference
Manual, and Standards for Performing and Reporting on Peer
Reviews, contained in Volume 2 of the AICPA's Professional
Standards. Go Back to Text
[Main Tabs]
[Table of Contents - 2000]
[Index]
[Previous Page]
[Next Page]
[Search]
|
