[Federal Register Volume 70, Number 227 (Monday, November 28, 2005)]
[Rules and Regulations]
[Pages 71226-71233]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 05-23310]


-----------------------------------------------------------------------

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 363

RIN 3064-AC91


Independent Audits and Reporting Requirements

AGENCY: Federal Deposit Insurance Corporation (FDIC).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The FDIC is amending part 363 of its regulations concerning 
annual independent audits and reporting requirements, which implement 
section 36 of the Federal Deposit Insurance Act (FDI Act), as proposed, 
but with modifications to the composition of the audit committee and 
the effective date. The FDIC's amendments raise the asset-size 
threshold from $500 million to $1 billion for internal control 
assessments by management and external auditors. For institutions 
between $500 million and $1 billion in assets, the amendments require 
the majority, rather than all, of the members of the audit committee, 
who must be outside directors, to be independent of management and 
create a hardship exemption. The amendments also make certain technical 
changes to part 363 to correct outdated titles, terms, and references 
in the regulation and its appendix. As required by section 36, the FDIC 
has consulted with the other federal banking agencies.

Effective Date: The final rule is effective December 28, 2005 and 
applies to part 363 annual reports with a filing deadline (90 days 
after the end of an institution's fiscal year) on or after the 
effective date of these amendments.

FOR FURTHER INFORMATION CONTACT: Harrison E. Greene, Jr., Senior Policy 
Analyst (Bank Accounting), Division of Supervision and Consumer 
Protection, at [email protected] or (202) 898-8905; or Michelle 
Borzillo, Counsel, Supervision and Legislation Section, Legal Division, 
at [email protected] or (202) 898-7400.

SUPPLEMENTARY INFORMATION: 

I. Background

    Section 112 of the Federal Deposit Insurance Corporation 
Improvement Act of 1991 (FDICIA) added section 36, ``Early 
Identification of Needed Improvements in Financial Management,'' to the 
FDI Act (12 U.S.C. 1831m). Section 36 is generally intended to 
facilitate early identification of problems in financial management at 
insured depository institutions above a certain asset size threshold 
(covered institutions) through annual independent audits, assessments 
of the effectiveness of internal control over financial reporting and 
compliance with designated laws and regulations, and related 
requirements. Section 36 also includes requirements for audit 
committees at these insured depository institutions. Section 36 grants 
the FDIC discretion to set the asset size threshold for compliance with 
these statutory requirements, but it states that the threshold cannot 
be less than $150 million. Sections 36(d) and (f) also obligate the 
FDIC to consult with the other Federal banking agencies in implementing 
these sections of the FDI Act, and the FDIC has performed that 
consultation requirement.
    Part 363 of the FDIC's regulations (12 CFR part 363), which 
implements section 36 of the FDI Act, requires each covered institution 
to submit to the FDIC and other appropriate Federal and state 
supervisory agencies an annual report that includes audited financial 
statements, a statement of management's responsibilities, assessments 
by management of the effectiveness of internal control over financial 
reporting and compliance with designated laws and regulations, and an 
auditor's attestation report on internal control over financial 
reporting. In addition, part 363 provides that each covered institution 
must establish an independent audit committee of its board of directors 
comprised of outside directors who are independent of management of the 
institution. Part 363 also includes Guidelines and Interpretations 
(Appendix A to part 363), which are intended to assist institutions and 
independent public accountants in understanding and complying with 
section 36 and part 363.
    When it adopted part 363 in 1993, the FDIC stated that it was 
setting the asset size threshold at $500 million rather than the $150 
million specified in section 36 to mitigate the financial burden of 
compliance with section 36 consistent with safety and soundness. In 
selecting $500 million in total assets as the size threshold, the FDIC 
noted that approximately 1,000 of the then nearly 14,000 FDIC-insured 
institutions would be subject to part 363. These covered institutions 
held approximately 75 percent of the assets of insured institutions at 
that time. By imposing the audit, reporting, and audit committee 
requirements of part 363 on institutions with this percentage of the 
industry's assets, the FDIC intended to ensure that the Congress's 
objectives for achieving sound financial management at insured 
institutions when it enacted section 36 would be focused on those

[[Page 71227]]

institutions posing the greatest potential risk to the insurance funds 
administered by the FDIC. Today, due to consolidation in the banking 
and thrift industry and the effects of inflation, more than 1,150 of 
the 8,900 insured institutions have $500 million or more in total 
assets and are therefore subject to part 363. These covered 
institutions hold approximately 90 percent of the assets of insured 
institutions.

II. Discussion of Proposed Amendments

    On July 19, 2005, the FDIC's Board approved the publication of 
proposed amendments to part 363 of the FDIC's regulations, which were 
published in the Federal Register on August 2, 2005, for a 45-day 
comment period (70 FR 44293). The comment period closed on September 
16, 2005. As more fully discussed below, the FDIC proposed to raise the 
asset-size threshold in part 363 from $500 million to $1 billion for 
internal control assessments by management and external auditors and 
for the members of the audit committee, who must be outside directors, 
to be independent of management. The FDIC also proposed to make certain 
technical changes to part 363 to correct outdated titles, terms, and 
references in the regulation and its appendix. As proposed, the 
effective date of these amendments was to be December 31, 2005.
    In its proposal, the FDIC also noted that it had identified other 
aspects of part 363 that may warrant revision in light of changes in 
the industry and the passage of the Sarbanes-Oxley Act of 2002. 
However, the FDIC stated that it had decided to proceed first with the 
proposed amendments to the asset-size threshold in part 363 in order to 
reduce compliance burdens and expenses for affected institutions in 
2005. These further revisions to part 363 are expected to be proposed 
as soon as practicable.

A. Increasing the Asset Size Threshold for Internal Control Assessments

    An effective internal control structure is critical to the safety 
and soundness of each insured institution. Given its importance, 
internal control is evaluated as part of the supervision of individual 
institutions and its adequacy is a factor in the management rating 
assigned to an institution. Furthermore, in the audit of an 
institution's financial statements, the external auditor must obtain an 
understanding of internal control, including assessing control risk, 
and must report certain matters regarding internal control to the 
institution's audit committee.
    An institution subject to part 363 has the added requirement that 
its management perform an assessment of the internal control structure 
and procedures for financial reporting and that its external auditor 
examine, attest to, and report on management's assertion concerning the 
institution's internal control over financial reporting. For purposes 
of these internal control provisions of part 363, the FDIC has advised 
covered institutions that the term ``financial reporting'' includes 
both financial statements prepared in accordance with generally 
accepted accounting principles and those prepared for regulatory 
reporting purposes.\1\ Until year-end 2004, external auditors performed 
their internal control assessments in accordance with an attestation 
standard issued by the American Institute of Certified Public 
Accountants (AICPA) known as ``AT 501.''
---------------------------------------------------------------------------

    \1\ See FDIC Financial Institution Letter (FIL) 86-94, dated 
December 23, 1994. FIL-86-94 indicates that financial statements 
prepared for regulatory reporting purposes encompass the schedules 
equivalent to the basic financial statements in an institution's 
appropriate regulatory report, e.g., the bank Reports of Condition 
and Income and the Thrift Financial Report.
---------------------------------------------------------------------------

    The Sarbanes-Oxley Act was enacted into law on July 30, 2002. 
Section 404 of this Act imposes a requirement for internal control 
assessments by the management and external auditors of all public 
companies that is similar to the FDICIA requirement. The Securities and 
Exchange Commission's (SEC) rules implementing these requirements took 
effect at year-end 2004 for ``accelerated filers,'' i.e., generally, 
public companies whose common equity has an aggregate market value of 
at least $75 million, but they will not take effect until 2007 for 
``non-accelerated filers.'' For the section 404 auditor attestations, 
the Public Company Accounting Oversight Board's (PCAOB) Auditing 
Standard No. 2 (AS 2) applies. AS 2 replaces the AICPA's AT 501 
internal control attestation standard for public companies, but AS 2 
does not apply to nonpublic companies. The SEC's section 404 rules for 
management and the provisions of AS 2 for section 404 audits of 
internal control establish more robust documentation and testing 
requirements than those that have been applied by covered institutions 
and their auditors to satisfy the internal control reporting 
requirements in part 363.
    For internal control attestations of nonpublic companies, the AICPA 
is currently developing proposed revisions to AT 501 that are expected 
to bring it closer into line with the provisions of AS 2. The revisions 
also are likely to have the effect of requiring greater documentation 
and testing of internal control over financial reporting by an 
institution's management in order for the auditor to perform his or her 
attestation work.
    As the environment has changed and continues to change since the 
enactment of the Sarbanes-Oxley Act, the FDIC has observed that 
compliance with the audit and reporting requirements of part 363 has 
and will continue to become more burdensome and costly, particularly 
for smaller nonpublic covered institutions. Thus, the FDIC reviewed the 
current asset size threshold for compliance with part 363 in light of 
the discretion granted by section 36 that permits the FDIC to determine 
the appropriate size threshold (at or above $150 million) at which 
insured institutions should be subject to the various provisions of 
section 36. Based on this review, the FDIC proposed to amend part 363 
to increase the asset size threshold for internal control assessments 
by management and external auditors from $500 million to $1 billion. 
Raising the threshold to $1 billion would achieve meaningful burden 
reduction without sacrificing safety and soundness.
    In reaching this decision, the FDIC concluded that raising the $500 
million asset size threshold to $1 billion and exempting all 
institutions below this higher size level from all of the reporting 
requirements of part 363 would not be consistent with the objective of 
the underlying statute, i.e., early identification of needed 
improvements in financial management. In contrast, the FDIC believes 
that relieving smaller covered institutions from the burden of internal 
control assessments, while retaining the financial statement audit and 
other reporting requirements for all institutions with $500 million or 
more in total assets, strikes an appropriate balance in accomplishing 
this objective. By raising the size threshold for internal control 
assessments to $1 billion, about 600 of the largest insured 
institutions with approximately 86 percent of industry assets would 
continue to be covered by the internal control reporting requirements 
of part 363. At the same time, the managements of all covered 
institutions would remain responsible for establishing and maintaining 
an adequate internal control structure and procedures for financial 
reporting, and all institutions with $500 million or more in total 
assets would continue to include a statement to that effect in their 
part 363 annual report.

[[Page 71228]]

B. Composition of the Audit Committee

    Currently, part 363 requires each covered institution to establish 
an independent audit committee of its board of directors, comprised of 
outside directors who are independent of management of the institution. 
The duties of the audit committee include reviewing with management and 
the institutions' independent public accountant the basis for the 
reports included in the part 363 annual report submitted to the FDIC 
and other appropriate Federal and state supervisory agencies. The 
FDIC's Guidelines to part 363 provide that, at least annually, the 
board of directors of a covered institution should determine whether 
all existing and potential audit committee members are ``independent of 
management of the institution.'' The guidelines also describe factors 
to consider in making this determination.\2\
---------------------------------------------------------------------------

    \2\ See Guidelines 27 through 29 of Appendix A to part 363.
---------------------------------------------------------------------------

    Section 36 provides that an appropriate federal banking agency may 
grant a hardship exemption to a covered institution that would permit 
its independent audit committee to be made up of less than all, but no 
fewer than a majority of, outside directors who are independent of 
management. To grant the exemption, the agency must find that the 
institution has encountered hardships in retaining and recruiting a 
sufficient number of competent outside directors.
    Notwithstanding this exemption provision of section 36, the FDIC 
has observed that a number of smaller covered institutions, 
particularly those with few shareholders that have recently exceeded 
$500 million in total assets and become subject to part 363, have 
encountered difficulty in satisfying the independent audit committee 
requirement. To comply with this requirement, these institutions must 
identify and attract qualified individuals in their communities who 
would be willing to become a director and audit committee member and 
who would be independent of management.
    To relieve this burden, but also recognizing that the FDIC has long 
held that individuals who serve as directors of any insured depository 
institution should be persons of independent judgment, the FDIC 
proposed to amend part 363 to increase from $500 million to $1 billion 
the asset size threshold for requiring audit committee members to be 
independent of management. Conforming changes were also proposed to be 
made to Guidelines 27-29 of Appendix A to part 363. Each insured 
depository institution with total assets of $500 million or more but 
less than $1 billion would continue to be required to have an audit 
committee comprised of outside directors. Consistent with Guideline 29 
of Appendix A to part 363, an outside director would be defined as an 
individual who is not, and within the preceding year has not been, an 
officer or employee of the institution or any affiliate of the 
institution.
    The proposed amendment to the audit committee requirements for 
institutions with between $500 million and $1 billion in total assets 
would allow an outside director who is, for example, a consultant or 
legal counsel to the institution, a relative of an officer or employee 
of the institution or its affiliates, or the owner of 10 percent or 
more of the stock of the institution to serve as an audit committee 
member. Nevertheless, the FDIC indicated in the proposal that it would 
encourage each institution with between $500 million and $1 billion in 
assets to make a reasonable good faith effort to establish an audit 
committee of outside directors who are independent of management.

III. Comments Received on Proposed Amendments

    In response to its August 2, 2005, request for comment on the 
proposed amendments to part 363, the FDIC received comment letters from 
28 different respondents \3\: 15 banking and thrift organizations, 7 
bankers' associations, 3 accountants and accounting firms, the 
Conference of State Bank Supervisors (CSBS), the FDIC's Office of 
Inspector General (FDIC-OIG), and one other party. Generally, the 
comment letters expressed support for the proposed amendments. All but 
one of the respondents favored the proposal to increase the asset-size 
threshold for internal control assessments by management and external 
auditors to $1 billion. As for the proposed increase to $1 billion in 
the asset-size threshold for the members of the audit committee, who 
must be outside directors, to be independent of management, 24 of the 
28 respondents supported this aspect of the proposal, two respondents 
opposed it, and two respondents did not directly comment on it. 
Respondents also raised a number of other issues.
---------------------------------------------------------------------------

    \3\ The FDIC received 58 comment letters, which included 20 
identical letters from individuals at one institution and 12 
identical letters from individuals at another institution.
---------------------------------------------------------------------------

    The CSBS commented on the proposed change in the audit committee 
provisions of part 363 for institutions with $500 million to $1 billion 
in assets. The CSBS, on behalf of state banking departments, stated 
that there is value in maintaining a significant level of independence 
when fulfilling the important role of an audit committee member. 
Although it saw benefit in alleviating some of the burden of a fully 
independent audit committee, for safety and soundness considerations, 
the CSBS recommended that the chairman and a majority of the audit 
committee members at institutions in the $500 million to $1 billion 
asset size range be required to be independent of management rather 
than allowing all of the outside directors on the audit committee not 
to be independent of management.
    Five other commenters concurred with the FDIC's observation that 
some smaller covered institutions have encountered difficulty in 
establishing an audit committee, all of whose members are independent 
of management. In this regard, the CSBS's comment letter also 
acknowledged the difficulties in attaining and keeping a fully 
independent audit committee, especially in smaller rural communities.
    Individuals who serve as directors of insured institutions, whether 
or not they serve on the audit committee, are expected to be persons of 
independent judgment. In this regard, under the Uniform Financial 
Institutions Rating System (62 FR 752, January 6, 1997), a factor that 
the federal banking agencies' examiners assess when they evaluate the 
capability and performance of an institution's management and board of 
directors for purposes of assigning an appropriate Management component 
rating is the extent to which the management and board members are 
affected by, or susceptible to, dominant influence or concentration of 
authority. Hence, the agencies' examination staffs are cognizant of the 
heightened level of risk presented by the existence of a dominant 
officer, whether or not outside directors, including those on the audit 
committee, are independent of management.
    After carefully considering the CSBS's recommendation, the FDIC has 
decided to amend the proposal to require that a majority of the audit 
committee members of institutions with $500 million to $1 billion in 
assets, all of whom must be outside directors, be independent of 
management. In addition, in recognition of the difficulties that some 
individual institutions in this size range may have in attaining such 
an audit committee, the final rule will provide an exemption under 
which an appropriate Federal banking agency may, by order or 
regulation, permit the audit committee of such an institution to be 
made up of

[[Page 71229]]

less than a majority of outside directors who are independent of 
management, if the agency determines that the institution has 
encountered hardships in retaining and recruiting a sufficient number 
of competent outside directors to serve on the audit committee of the 
institution. The FDIC believes that this change to its proposal strikes 
an appropriate balance of reducing regulatory burden without 
jeopardizing safety and soundness.
    Another commenter who addressed the audit committee portion of the 
proposal suggested that the FDIC's recommendation that institutions 
make a ``reasonable good faith effort'' to establish an audit committee 
of outside directors who are independent of management was vague and 
should be deleted from the proposal. This commenter added that, if the 
recommendation were not deleted, the FDIC should include a definition 
of, or list of criteria that would constitute, a ``reasonable good 
faith effort'' and provide guidance on how an institution should 
document that it has undertaken such an effort. While the FDIC 
encourages each institution with between $500 million and $1 billion in 
assets to make a reasonable good faith effort to establish an audit 
committee comprised entirely of outside directors who are independent 
of management, each institution faces a unique set of circumstances 
when it seeks to attract competent individuals to be outside directors 
who would be willing to serve on its audit committee. Because a list of 
criteria that would constitute evidence of a ``reasonable good faith 
effort'' could not consider all of the situations in which institutions 
engaging in such a search might find themselves, the FDIC has chosen 
not to restrict institutions and itself to a specific list.
    In its comment letter on the proposal, the FDIC-OIG recommended 
that insured institutions with total assets of $500 million or more, 
but less than $1 billion, that have or receive either a composite 
rating or Management component rating of 3, 4, or 5, i.e., 3 or lower, 
under the Uniform Financial Institutions Rating System (also known as 
the CAMELS rating system) be required to comply with all of the 
requirements of Part 363 rather than being provided the proposed relief 
for institutions in this size range. The FDIC-OIG indicated that, as of 
September 12, 2005, 16 insured institutions with $500 million to $1 
billion in assets had less than a satisfactory composite CAMELS rating. 
Specifically, 11 institutions had a composite rating of 3 and 5 
institutions had a 4 rating. The FDIC-OIG also noted that, over the 
last several months, 15 other insured institutions in this size range 
with a composite rating of 2 had a Management component rating of 3.
    The FDIC-OIG indicated that, in reviewing past failures of insured 
institutions, it had observed that weak corporate governance, including 
financial reporting problems and the lack of independence of the board 
of directors from institution management, was often a factor in the 
failure of these institutions and contributed to material losses ($25 
million or more) to the deposit insurance funds administered by the 
FDIC. The FDIC-OIG also stated that maintaining the full requirements 
of part 363 for less than satisfactory institutions would help to 
address potential concerns about deficiencies by the board of directors 
and in internal control, internal audit, and external audit and thereby 
mitigate the possibility of institution failure.
    As defined in the Uniform Financial Institutions Rating System, 
institutions with a composite rating of 2 are fundamentally sound. 
There are no material supervisory concerns and, as a result, the 
supervisory response is informal and limited. Institutions with a 
composite rating of 3 exhibit some degree of supervisory concern in one 
or more of the six component areas (Capital Adequacy, Asset Quality, 
Management, Earnings, Liquidity, and Sensitivity to Market Risk). These 
financial institutions require more than normal supervision, which may 
include formal or informal enforcement actions. Failure appears 
unlikely, however, given the overall strength and financial capacity of 
these institutions. Institutions with a composite rating of 4 generally 
exhibit unsafe and unsound practices or conditions. There are serious 
financial or managerial deficiencies that result in unsatisfactory 
performance. Failure is a distinct possibility if the problems and 
weaknesses are not satisfactorily addressed and resolved. Institutions 
with a composite rating of 5 exhibit extremely unsafe and unsound 
practices or conditions and a critically deficient performance. They 
are of the greatest supervisory concern and ongoing supervisory 
attention is necessary. These institutions pose a significant risk to 
the deposit insurance funds and failure is highly probable.
    A Management component rating of 3 indicates management and board 
performance that need improvement or risk management practices that are 
less than satisfactory given the nature of the institution's 
activities. The capabilities of management or the board of directors 
may be insufficient for the type, size, or condition of the 
institution. Problems and significant risks may be inadequately 
identified, measured, monitored, or controlled by management. Because 
management's ability to respond to changing circumstances and address 
risks is an important factor in evaluating an institution's overall 
risk profile and the level of supervisory attention that should be 
devoted to an institution, the Management component is given special 
consideration when assigning the institution's composite rating.
    Institutions that have a composite rating of 3 or lower are already 
subject to increased supervisory scrutiny and are normally subject to 
formal or informal supervisory actions (e.g., Memorandum of 
Understanding or Cease and Desist Order) to address the need for 
corrective actions for weaknesses and deficiencies cited in reports of 
examination or otherwise identified through supervisory oversight. In 
reviewing the institutions cited in the FDIC-OIG's comment letter, the 
FDIC notes that all of the institutions with a composite rating of 3 or 
lower are subject to formal and/or informal supervisory actions and all 
of the institutions with a composite rating of 2 and a Management 
component rating of 3 or lower are subject to supervisory actions. The 
FDIC further notes that approximately half of these institutions are 
public companies or subsidiaries of public companies that are subject 
to the filing and reporting requirements of the Federal securities laws 
as implemented by the SEC.
    The examination staffs of the FDIC and the other Federal banking 
agencies look to the assessments by management of internal control over 
financial reporting and the independent auditors' attestation reports 
on those assessments as one source of information on the existence of 
any significant deficiencies and material weaknesses in this internal 
control structure. Nevertheless, the agencies' examiners are expected 
to perform their own evaluation of an institution's internal control 
environment and audit programs when determining the condition of the 
institution and the need for and degree of any supervisory action. 
Moreover, the examiners' assessment of the internal control environment 
encompasses not only internal control over financial reporting, but 
also internal control as it relates to the effectiveness and efficiency 
of the institution's operations and to its compliance with laws and 
regulations.
    The agencies' examination staffs consider many factors in 
determining an institution's composite rating and

[[Page 71230]]

individual component ratings, including the Management component. While 
these factors include the capability and performance of management and 
the board of directors (including the board's committees such as the 
audit committee), they also include the adequacy of, and conformance 
with, appropriate internal policies and controls addressing the 
operations and risks of significant activities; the accuracy, 
timeliness, and effectiveness of management information and risk 
monitoring systems; the adequacy of audits and internal control, 
including internal control over financial reporting; compliance with 
laws and regulations; and the overall performance of the institution 
and its risk profile.
    As a consequence, when an institution is assigned a composite 
rating or a Management component rating of 3 or lower, its Federal 
banking agency's supervisory response, which may include formal or 
informal enforcement actions, is tailored to the specific weaknesses, 
deficiencies, and problems identified by the examination staff and 
seeks appropriate and timely corrective action by management and the 
board of directors. The factors contributing to such a less than 
satisfactory rating may or may not have included ineffective internal 
control over financial reporting and/or unacceptable audit committee 
oversight and performance. In this regard, although the FDIC-OIG 
reported in its comment letter that 15 institutions with $500 million 
to $1 billion in assets had recently been assigned a composite rating 
of 2 and a Management component rating of 3, the majority of these 
institutions received this Management rating for reasons unrelated to 
deficiencies in internal control over financial reporting (e.g., the 
reasons were related to compliance with the Bank Secrecy Act). 
Nevertheless, in those cases where examiners detect such internal 
control deficiencies at an institution with $500 million to $1 billion 
in assets, if it is deemed necessary and appropriate for addressing 
these deficiencies, the supervisory response by the institution's 
Federal banking agency could include a requirement for management to 
perform an assessment of internal control over financial reporting and 
for the external auditor to attest to management's assertion or for the 
external auditor to report directly on internal control over financial 
reporting.
    Given that each institution with $500 million to $1 billion in 
assets with a composite rating or Management component rating of 3 or 
lower is receiving closer than normal supervisory attention focused on 
identified problem areas, imposing additional requirements for internal 
control assessments by management and the external auditor and for the 
replacement of all audit committee members who are not independent of 
management would levy burdens on all such institutions, regardless of 
whether this burden would address weaknesses identified in a given 
institution. However, as previously noted, the FDIC believes that, in 
response to comments from the CSBS, amending the proposal to require a 
majority of the audit committee members to be independent of management 
strikes an appropriate balance between reducing regulatory burden and 
maintaining safety and soundness.
    Additionally, as a practical matter, CAMELS ratings often change 
during the year as a result of examination findings or other 
supervisory oversight. The FDIC-OIG's recommendation would subject 
institutions to uncertainty if the subject provisions of part 363 would 
apply immediately during any given year in which an institution's 
composite or Management component rating fell to 3 or lower. If applied 
in the year following receipt of the 3 or lower rating, the 
recommendation would often result in requiring compliance with the 
subject provisions of part 363 after the institution had corrected its 
problems and obtained a higher composite or Management rating. The 
first of these approaches would be difficult, at best, to plan for and 
implement on a timely basis, while the alternative (lagging) approach 
would often impose burden after (the often unrelated) problems had been 
addressed.
    Furthermore, under the proposed amendments to part 363, each 
institution with $500 million to $1 billion in assets must continue to 
undergo an annual audit of its financial statements. In a financial 
statement audit, the external auditor must obtain an understanding of 
internal control and must report certain matters regarding internal 
control to the institution's audit committee. In this regard, on 
September 1, 2005, the AICPA Auditing Standards Board issued a proposed 
Statement on Auditing Standards (SAS) on the ``Communication of 
Internal Control Related Matters Noted in an Audit'' that will 
supersede its current SAS on this topic, which is known as ``SAS 60.'' 
The comment period for this auditing proposal ended on October 31, 
2005, with the final standard expected in the first quarter of 2006. 
Among other things, the proposed SAS requires the auditor to 
communicate, in writing, to management and those charged with 
governance (the board of directors and/or the audit committee) 
significant deficiencies and material weaknesses in internal control of 
which the auditor becomes aware. Under current SAS 60, the auditor 
should report such deficiencies and weaknesses to the audit committee, 
preferably in writing, but oral communication of this information is 
also permitted. As proposed, the improved communication provisions in 
the SAS would be effective for audits of financial statements for 
periods ending on or after December 15, 2006. Part 363 requires covered 
institutions, regardless of size, to submit copies of reports related 
to their audits that are issued by their external auditors, including 
these written reports on significant weaknesses and material 
weaknesses, to the FDIC and other appropriate Federal and state 
supervisory agencies.
    After fully considering the FDIC-OIG's comment and the agencies' 
supervisory tools and processes for evaluating the soundness of 
institutions, identifying institutions exhibiting financial and 
operational weaknesses or adverse trends, and focusing appropriate 
supervisory attention on such institutions, the FDIC has decided not to 
revise its proposed increase in the asset-size threshold in the manner 
proposed by the FDIC-OIG and accord a different treatment to 
institutions with $500 million to $1 billion in assets that have a 
composite rating or Management component rating of 3 or lower. However, 
the FDIC believes that the change to the composition of the audit 
committee that it is making in response to the comments from the CSBS, 
which will require a majority of the members of the audit committee, 
who must be outside directors, to be independent of management, will 
help to address the FDIC-OIG's concerns about deficiencies in the 
performance of the board and audit committee of institutions with less 
than satisfactory ratings.
    Six commenters urged the FDIC to approve the proposed amendments to 
part 363 as soon as feasible because many procedures related to the 
assessment of internal control over financial reporting are addressed 
prior to an institution's fiscal year-end, particularly in the fourth 
fiscal quarter. These commenters further recommended that the FDIC 
either change the effective date of the amendments from December 31, 
2005, as proposed, to September 30, 2005, or grant an institution's 
primary Federal regulator the authority to waive the 2005 internal 
control assessment requirements for institutions with total assets of 
$500 million or more but less

[[Page 71231]]

than $1 billion that have fiscal year-ends other than December 31. The 
FDIC concurs with these commenters' suggestion concerning the effective 
date and, in response, is changing the effective date of the amendments 
to part 363 from December 31, 2005, to December 28, 2005. The final 
rule will apply to part 363 annual reports with a filing deadline (90 
days after the end of an institution's fiscal year) on or after the 
effective date of these amendments.
    Four commenters recommended that the $1 billion asset-size 
threshold be tied to an index that would automatically increase the 
threshold annually. For reasons of practicality and to provide 
certainty to institutions concerning the size at which full compliance 
with part 363 is required, the FDIC has decided not to adopt this 
indexing recommendation.
    The FDIC also received several recommendations from commenters that 
are outside the scope of the proposed amendments to part 363 and, 
accordingly, the FDIC has decided not to implement these 
recommendations as part of the final rule. These comments included the 
following: (1) Increase the asset size threshold for applying the SEC 
independence rules to external auditors, (2) have the FDIC adopt its 
own independence rules for external auditors, (3) enhance the FDIC's 
review of external audit reports, (4) make the standards for performing 
audits of internal control over financial reporting the same for both 
public and non-public companies, and (5) establish a fraud hotline for 
both examiners and bank employees.

IV. Final Rule

    The FDIC has considered the comments received on its proposed 
amendments to part 363 and is adopting the amendments as proposed, but 
with modifications to the composition of the audit committee and the 
effective date. This final rule raises the asset-size threshold from 
$500 million to $1 billion for internal control assessments by 
management and external auditors. For institutions between $500 million 
and $1 billion in assets, it also requires the majority, rather than 
all, of the members of the audit committee, who must be outside 
directors, to be independent of management and creates a hardship 
exemption. In addition, the final rule makes certain technical changes 
to part 363 to correct outdated titles, terms, and references in the 
regulation and its appendix.
    This final rule takes effect December 28, 2005, not on December 31, 
2005, as proposed, and it applies to part 363 annual reports with a 
filing deadline \4\ on or after the rule's effective date. For example, 
for insured institutions (both public and non-public) with fiscal years 
that ended on September 30, 2005, or that will end on December 31, 
2005, that had $500 million or more in total assets, but less than $1 
billion in total assets, at the beginning of the fiscal year, the final 
rule means that the part 363 annual report that these institutions must 
submit to the FDIC and other appropriate Federal and state supervisory 
agencies within 90 days after the end of the fiscal year needs to 
include only audited financial statements, statements of management's 
responsibilities, management's assessment of the institution's 
compliance with designated laws and regulations, and an auditor's 
report on the financial statements.
---------------------------------------------------------------------------

    \4\ Under section 363.4(a), an institution's filing deadline is 
90 days after the end of the institution's fiscal year.
---------------------------------------------------------------------------

    For insured depository institutions that are public companies or 
subsidiaries of public companies, regardless of size, the FDIC's 
amendments to part 363 do not relieve public companies of their 
obligation to comply with the internal control assessment requirements 
imposed by section 404 of the Sarbanes-Oxley Act in accordance with the 
effective dates for compliance set forth in the SEC's implementing 
rules.
    Nevertheless, the FDIC reminds insured institutions with $1 billion 
or more in total assets that are public companies or subsidiaries of 
public companies that they have considerable flexibility in determining 
how best to satisfy the internal control assessment requirements in the 
SEC's section 404 rules and the FDIC's part 363. As indicated in the 
preamble to the SEC's section 404 final rule release, the FDIC (and the 
other Federal banking agencies) agreed with the SEC that insured 
depository institutions that are subject to both part 363 (as well as 
holding companies permitted under the holding company exception in part 
363 to file an internal control report on behalf of their insured 
depository institution subsidiaries) and the SEC's rules implementing 
section 404 can choose either of the following two options:
     They can prepare two separate reports of management on the 
institution's or the holding company's internal control over financial 
reporting to satisfy the FDIC's part 363 requirements and the SEC's 
section 404 requirements; or
     They can prepare a single report of management on internal 
control over financial reporting that satisfies both the FDIC's 
requirements and the SEC's requirements.\5\
---------------------------------------------------------------------------

    \5\ Footnote 117 in the preamble to the SEC's section 404 final 
rule releases states that ``[a]n insured depository institution 
subject to both the FDIC's [internal control assessment] 
requirements and our new requirements [i.e., a public depository 
institution] choosing to file a single report to satisfy both sets 
of requirements will file the report with its primary Federal 
regulator under the Exchange Act and the FDIC, its primary Federal 
regulator (if other than the FDIC), and any appropriate state 
depository institution supervisor under part 363 of the FDIC's 
regulations. A [public] holding company choosing to prepare a single 
report to satisfy both sets of requirements will file the report 
with the [Securities and Exchange] Commission under the Exchange Act 
and the FDIC, the primary Federal regulator of the insured 
depository institution subsidiary subject to the FDIC's 
requirements, and any appropriate state depository institution 
supervisor under part 363.''
---------------------------------------------------------------------------

    For more complete information on these two options, institutions 
(and holding companies) should refer to section II.H.4. of the preamble 
to the SEC's section 404 final rule release (68 FR 36648, June 18, 
2003).

Paperwork Reduction Act

    This regulation contains modifications to a collection of 
information that have been reviewed and approved by the Office of 
Management and Budget under control number 3064-0113, pursuant to the 
Paperwork Reduction Act (44 U.S.C. 3501 et seq.). The primary 
modification increases the asset size threshold for compliance with 
certain reporting requirements in part 363.
    The estimated reporting burden for the collection of information 
under part 363 is 65,612 hours per year.
    Number of Respondents: 5,243.
    Total Annual Responses: 15,684.
    Total Annual Burden Hours: 65,612.

Regulatory Flexibility Act

    The Regulatory Flexibility Act requires that each Federal agency 
either certify that a proposed rule would not, if adopted in final 
form, have a significant economic impact on a substantial number of 
small entities or prepare an initial regulatory flexibility analysis of 
the proposal and publish the analysis for comment. See 5 U.S.C. 603, 
605. The Small Business Administration (SBA) defines small banks as 
those with less than $150 million in assets. Because this rule 
expressly exempts insured depository institutions having assets of less 
than $500 million, it is inapplicable to small entities as defined by 
the SBA. Therefore, it is certified that this proposed rule would not 
have a significant economic impact on a substantial number of small 
entities.

[[Page 71232]]

Small Business Regulatory Enforcement Fairness Act

    The Small Business Regulatory Enforcement Fairness Act of 1996 
(SBREFA) (Title II, Pub. L. 104-121) provides generally for agencies to 
report rules to Congress and the General Accounting Office (GAO) for 
review. The reporting requirement is triggered when a Federal agency 
issues a final rule. The FDIC will file the appropriate reports with 
Congress and the GAO as required by SBREFA. The Office of Management 
and Budget has determined that the rule does not constitute a ``major 
rule'' as defined by SBREFA.

List of Subjects in 12 CFR Part 363

    Accounting, Administrative practice and procedure, Banks, Banking, 
Reporting and recording keeping requirements.

0
For the reasons set forth in the preamble, the Board of Directors of 
the FDIC hereby amends part 363 of title 12, chapter III, of the Code 
of Federal Regulations as follows:

PART 363--ANNUAL INDEPENDENT AUDITS AND REPORTING REQUIREMENTS

0
1. The authority citation for part 363 continues to be read as follows:

    Authority: 12 U.S.C. 1831m.


0
2. Section 363.1 is amended by revising paragraph (b)(2)(ii)(B) to read 
as follows:


Sec.  363.1  Scope.

* * * * *
    (b) * * *
    (2) * * *
    (ii) * * *
    (B) Total assets of $5 billion or more and a composite CAMELS 
rating of 1 or 2.
* * * * *

0
3. Section 363.2(b) is amended by revising paragraph (b)(2) and adding 
paragraph (b)(3) to read as follows:


Sec.  363.2  Annual reporting requirements.

* * * * *
    (b) * * *
    (2) An assessment by management of the institution's compliance 
with such laws and regulations during such fiscal year; and
    (3) For an institution with total assets of $1 billion or more at 
the beginning of such fiscal year, an assessment by management of the 
effectiveness of such internal control structure and procedures as of 
the end of such fiscal year.

0
4. Section 363.3 is amended by revising paragraph (b) to read as 
follows:


Sec.  363.3  Independent public accountant.

* * * * *
    (b) Additional reports. For each insured depository institution 
with total assets of $1 billion or more at the beginning of the 
institution's fiscal year, such independent public accountant shall 
examine, attest to, and report separately on, the assertion of 
management concerning the institution's internal control structure and 
procedures for financial reporting. The attestation shall be made in 
accordance with generally accepted standards for attestation 
engagements.
* * * * *

0
5. Section 363.5 is amended by revising paragraph (a) to read as 
follows:


Sec.  363.5  Audit committees.

    (a) Composition and duties. Each insured depository institution 
shall establish an audit committee of its board of directors, the 
composition of which complies with paragraphs (a)(1), (2), and (3) of 
this section, and the duties of which shall include reviewing with 
management and the independent public accountant the basis for the 
reports issued under this part.
    (1) Each insured depository institution with total assets of $1 
billion or more as of the beginning of its fiscal year shall establish 
an independent audit committee of its board of directors, the members 
of which shall be outside directors who are independent of management 
of the institution.
    (2) Each insured depository institution with total assets of $500 
million or more but less than $1 billion as of the beginning of its 
fiscal year shall establish an audit committee of its board of 
directors, the members of which shall be outside directors, the 
majority of whom shall be independent of management of the institution. 
The appropriate Federal banking agency may, by order or regulation, 
permit the audit committee of such an insured depository institution to 
be made up of less than a majority of outside directors who are 
independent of management, if the agency determines that the 
institution has encountered hardships in retaining and recruiting a 
sufficient number of competent outside directors to serve on the audit 
committee of the institution.
    (3) An outside director is a director who is not, and within the 
preceding fiscal year has not been, an officer or employee of the 
institution or any affiliate of the institution.
* * * * *

0
6. Appendix A to part 363 is amended as follows:
0
a. Footnote 2, Guideline 10, is amended by adding ``Risk Management'' 
after ``FDIC's Division of Supervision and Consumer Protection (DSC)'';
0
b. Guideline 16 is amended by removing ``Registration and Disclosure 
Section'' and adding in its place ``Accounting and Securities 
Disclosure Section'';
0
c. Guideline 22 is amended by revising the first sentence of paragraph 
(a) to read as set forth below;
0
d. Guideline 27 is amended by revising the second sentence to read as 
set forth below;
0
e. Guideline 28 is amended by revising paragraph (a) to read as set 
forth below;
0
f. Guideline 29 is revised to read as set forth below; and
0
g. The first sentence of Guideline 36 is revised to read as set forth 
below.
    The revisions read as follows:

Appendix A to Part 363--Guidelines and Interpretations

* * * * *

Filing and Notice Requirements (Sec.  363.4)

    22. * * *
    (a) FDIC: Appropriate FDIC Regional or Area Office (Supervision 
and Consumer Protection), i.e., the FDIC regional or area office in 
the FDIC region or area that is responsible for monitoring the 
institution or, in the case of a subsidiary institution of a holding 
company, the consolidated company. * * *
* * * * *

Audit Committees (Sec.  363.5)

    27. * * * At least annually, the board of an institution with $1 
billion or more in total assets at the beginning of its fiscal year 
should determine whether all existing and potential audit committee 
members are ``independent of management of the institution'' and the 
board of an institution with total assets of $500 million or more 
but less than $1 billion as of the beginning of its fiscal year 
should determine whether the majority of all existing and potential 
audit committee members are ``independent of management of the 
institution.'' * * *
    28. * * *
    (a) Has previously been an officer of the institution or any 
affiliate of the institution;
* * * * *
    29. Lack of independence. An outside director should not be 
considered independent of management if such director owns or 
controls, or has owned or controlled within the preceding fiscal 
year, assets representing 10 percent or more of any outstanding 
class of voting securities of the institution.
* * * * *

Other

    36. Modifications of guidelines. The FDIC's Board of Directors 
has delegated to the

[[Page 71233]]

Director of the FDIC's Division of Supervision and Consumer 
Protection (DSC) authority to make and publish in the Federal 
Register minor technical amendments to the Guidelines in this 
appendix, in consultation with the other appropriate federal banking 
agencies, to reflect the practical experience gained from 
implementation of this part.* * *
* * * * *

    By order of the Board of Directors.

    Dated at Washington, DC, this 8th day of November, 2005.

Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.
[FR Doc. 05-23310 Filed 11-25-05; 8:45 am]
BILLING CODE 6714-01-P