[Federal Register Volume 72, Number 212 (Friday, November 2, 2007)]
[Proposed Rules]
[Pages 62310-62335]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E7-21168]



[[Page 62309]]

-----------------------------------------------------------------------

Part II





Federal Deposit Insurance Corporation





-----------------------------------------------------------------------



12 CFR Parts 308 and 363



Annual Independent Audits and Reporting Requirements; Proposed Rule

  Federal Register / Vol. 72, No. 212 / Friday, November 2, 2007 / 
Proposed Rules  

[[Page 62310]]


-----------------------------------------------------------------------

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Parts 308 and 363

RIN 3064-AD21


Annual Independent Audits and Reporting Requirements

AGENCY: Federal Deposit Insurance Corporation (FDIC).

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: Section 36 of the Federal Deposit Insurance Act (FDI Act) and 
the FDIC's implementing regulations (part 363) set forth annual 
independent audit and reporting requirements for insured depository 
institutions with $500 million or more in total assets. Given changes 
in the industry, certain sound audit, reporting, and audit committee 
practices incorporated in the Sarbanes-Oxley Act of 2002 (SOX); and the 
FDIC's experience in administering part 363, the FDIC is proposing to 
amend part 363 of its regulations. These amendments are designed to 
further the objectives of section 36 by incorporating these sound 
practices into part 363 and to provide clearer and more complete 
guidance to institutions and independent public accountants concerning 
compliance with the requirements of section 36 and part 363. As 
required by section 36, the FDIC has consulted with the other federal 
banking agencies. The FDIC is also proposing a technical amendment to 
its rules and procedures (part 308, subpart U) for the removal, 
suspension, or debarment of accountants and accounting firms.

DATES: Comments must be received on or before January 31, 2008.

ADDRESSES: You may submit comments by any of the following methods:
     Agency Web Site: http://www.fdic.gov/regulations/laws/federal. Follow instructions for submitting comments on the Agency Web 
Site.
     E-mail: [email protected]. Include ``Part 363--Independent 
Audits and Reporting Requirements'' in the subject line of the message.
     Mail: Robert E. Feldman, Executive Secretary, Attention: 
Comments, Federal Deposit Insurance Corporation, 550 17th Street, NW., 
Washington, DC 20429.
     Hand Delivery/Courier: Guard station at the rear of the 
550 17th Street Building (located on F Street) on business days between 
7 a.m. and 5 p.m.
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
    Public Inspection: All comments received will be posted without 
change to http://www.fdic.gov/regulations/laws/federal including any 
personal information provided. Comments may be inspected and 
photocopied in the FDIC Public Information Center, 3501 North Fairfax 
Drive, Room E-1002, Arlington, VA 22226, between 9 a.m. and 5 p.m. on 
business days. Paper copies of public comments may be ordered from the 
Public Information Center by telephone at (877) 275-3342 or (703) 562-
2200.

FOR FURTHER INFORMATION CONTACT: Harrison E. Greene, Jr., Senior Policy 
Analyst (Bank Accounting), Division of Supervision and Consumer 
Protection, at [email protected] or (202) 898-8905; or Michelle 
Borzillo, Counsel, Supervision and Legislation Section, Legal Division, 
at [email protected] or (202) 898-7400.

SUPPLEMENTARY INFORMATION:

I. Executive Summary

    Section 36 of the Federal Deposit Insurance Act (FDI Act) and the 
FDIC's implementing regulations (part 363) are generally intended to 
facilitate early identification of problems in financial management at 
insured depository institutions with total assets above certain 
thresholds through annual independent audits, assessments of the 
effectiveness of internal control over financial reporting and 
compliance with designated laws and regulations, the establishment of 
independent audit committees, and related reporting requirements. The 
asset-size threshold for internal control assessments is $1 billion and 
the threshold for the other requirements is $500 million. Given changes 
in the industry, certain sound audit, reporting, and audit committee 
practices incorporated in the Sarbanes-Oxley Act of 2002 (SOX); and the 
FDIC's experience in administering part 363, the FDIC is proposing to 
amend part 363 of its regulations. These amendments are designed to 
further the objectives of section 36 by incorporating these sound 
practices into part 363 and to provide clearer and more complete 
guidance to institutions and independent public accountants concerning 
compliance with the requirements of section 36 and part 363.
    The most significant revisions included in the proposed amendments 
would: (1) Require management and the independent public accountant to 
identify the internal control framework used to evaluate internal 
control over financial reporting and disclose all identified material 
weaknesses; (2) extend the time period for a non-public institution to 
file its Part 363 Annual Report by 30 days and replace the 30-day 
extensions of the filing deadline that may be granted if an institution 
(public or non-public) is confronted with extraordinary circumstances 
beyond its reasonable control with a late filing notification 
requirement that would have general applicability; (3) provide relief 
from the annual reporting requirements for institutions that are merged 
out of existence before the filing deadline; (4) provide relief from 
reporting on internal control over financial reporting for businesses 
acquired during the fiscal year; (5) require management's assessment of 
compliance with designated safety and soundness laws and regulations to 
state management's conclusion regarding compliance and disclose any 
noncompliance with such laws and regulations; (6) clarify the 
independence standards with which independent public accountants must 
comply and enhance the enforceability of compliance with these 
standards; (7) specify that the duties of the audit committee include 
the appointment, compensation, and oversight of the independent public 
accountant; (8) require audit committees to ensure that audit 
engagement letters do not contain unsafe and unsound limitation of 
liability provisions and require institutions to file copies of these 
letters; (9) require certain communications by independent public 
accountants to audit committees and establish retention requirements 
for audit working papers; (10) require boards of directors to adopt 
written criteria for evaluating an audit committee member's 
independence and provide expanded guidance for boards of directors to 
use in determining independence; (11) require the total assets of a 
holding company's insured depository institution subsidiaries to 
comprise 75 percent or more of the holding company's consolidated total 
assets in order for an institution to comply with part 363 at the 
holding company level; and (12) provide illustrative management reports 
to assist institutions in complying with the annual reporting 
requirements.
    The FDIC is also proposing to amend its rules and procedures (part 
308, subpart U) for the removal, suspension, or debarment of 
accountants and accounting firms from performing audit services 
required by section 36 of the FDI Act by specifying where an accountant 
or accounting firm should file required notices of orders and actions 
with the FDIC.

II. Background

    Section 112 of the Federal Deposit Insurance Corporation 
Improvement Act of 1991 (FDICIA) added section 36, ``Early 
Identification of Needed

[[Page 62311]]

Improvements in Financial Management,'' to the FDI Act (12 U.S.C. 
1831m). Section 36 is generally intended to facilitate early 
identification of problems in financial management at insured 
depository institutions above a certain asset size threshold (covered 
institutions) through annual independent audits, assessments of the 
effectiveness of internal control over financial reporting and 
compliance with designated laws and regulations, and related reporting 
requirements. Section 36 also includes requirements for audit 
committees at these insured depository institutions. Section 36 grants 
the FDIC discretion to set the asset size threshold for compliance with 
these statutory requirements, but it states that the threshold cannot 
be less than $150 million. Sections 36(d) and (f) also obligate the 
FDIC to consult with the other federal banking agencies in implementing 
these sections of the FDI Act, and the FDIC has performed the required 
consultation.
    Part 363 of the FDIC's regulations (12 CFR part 363) implements 
section 36 of the FDI Act. When it adopted part 363 in 1993, the FDIC 
stated that it was setting the asset size threshold at $500 million 
rather than the $150 million specified in section 36 to mitigate the 
financial burden of compliance with section 36 consistent with safety 
and soundness. In selecting $500 million in total assets as the size 
threshold, the FDIC noted that approximately 1,000 of the then nearly 
14,000 FDIC-insured institutions would be subject to part 363. These 
covered institutions held approximately 75 percent of the assets of 
insured institutions at that time. By imposing the audit, reporting, 
and audit committee requirements of part 363 on institutions with this 
percentage of the industry's assets, the FDIC intended to ensure that 
the Congress's objectives for achieving sound financial management at 
insured institutions when it enacted section 36 would be focused on 
those institutions posing the greatest potential risk to the insurance 
funds then administered by the FDIC. Today, due to consolidation in the 
banking and thrift industry and the effects of inflation, approximately 
1,300 of the more than 8,600 insured institutions have $500 million or 
more in total assets and are therefore subject to part 363. These 
covered institutions hold approximately 91 percent of the assets of 
insured institutions.
    Until its most recent amendments, part 363 required each covered 
institution to submit to the FDIC and other appropriate federal and 
state supervisory agencies an annual report comprised of audited 
financial statements, a statement of management's responsibilities, 
assessments by management of the effectiveness of internal control over 
financial reporting and compliance with designated laws and 
regulations, and an independent public accountant's attestation report 
on internal control over financial reporting. In addition, part 363 
provided that each covered institution must establish an independent 
audit committee of its board of directors comprised of outside 
directors who are independent of management of the institution. Part 
363 also includes Guidelines and Interpretations (Appendix A to part 
363), which are intended to assist institutions and independent public 
accountants in understanding and complying with section 36 and part 
363.
    In November 2005, the FDIC amended its part 363 annual audit and 
reporting requirements and audit committee requirements. The amendments 
raised the asset-size threshold from $500 million to $1 billion for the 
assessments of internal control over financial reporting by management 
and the independent public accountant. All of the other audit and 
reporting requirements of part 363 continued to apply to all 
institutions with $500 million or more in total assets. Also, for 
covered institutions with between $500 million and $1 billion in total 
assets, the amendments required only a majority, rather than all, of 
the members of the audit committee, who must be outside directors, to 
be independent of management.

III. Discussion and Section-by-Section Analysis of Proposed Amendments

    When it amended part 363 in November 2005, the FDIC noted that it 
had identified other aspects of part 363 that may warrant revision in 
light of changes in the industry and the passage of SOX.
    Given the number of proposed changes to part 363 and its Guidelines 
and Interpretations and to enable readers and commenters to more easily 
understand the context of these proposed changes, this notice includes 
the entire text of part 363 as it is proposed to be amended, not just 
the text of proposed amendments. Also, the following ``Table of 
Proposed Changes to Part 363 and Appendices'' is intended to assist 
readers and commenters in determining which sections of part 363 would 
be affected by this proposal.

                              Table of Proposed Changes to Part 363 and Appendices
----------------------------------------------------------------------------------------------------------------
                                                            Unchanged      Revised         New        Reserved
----------------------------------------------------------------------------------------------------------------
                         Part 363--Annual Independent Audits and Reporting Requirements
----------------------------------------------------------------------------------------------------------------
Table of Contents.......................................  ............            X   ............  ............
----------------------------------------------------------------------------------------------------------------
                                               OMB Control Number
----------------------------------------------------------------------------------------------------------------
Sec.   363.0............................................            X   ............  ............  ............
----------------------------------------------------------------------------------------------------------------
                                                      Scope
----------------------------------------------------------------------------------------------------------------
Sec.   363.1(a).........................................  ............            X   ............  ............
Sec.   363.1(b)(1)......................................  ............            X   ............  ............
Sec.   363.1(b)(2)......................................  ............            X   ............  ............
Sec.   363.1(b)(3)......................................            X   ............  ............  ............
Sec.   363.1(c).........................................  ............  ............            X   ............
Sec.   363.1(d).........................................  ............  ............            X   ............
----------------------------------------------------------------------------------------------------------------
                                          Annual Reporting Requirements
----------------------------------------------------------------------------------------------------------------
Sec.   363.2(a).........................................  ............            X   ............  ............
Sec.   363.2(b).........................................  ............            X   ............  ............
Sec.   363.2(b)(1)......................................  ............            X   ............  ............

[[Page 62312]]

 
Sec.   363.2(b)(2)......................................  ............            X   ............  ............
Sec.   363.2(b)(3)......................................  ............            X   ............  ............
Sec.   363.2(c).........................................  ............  ............            X   ............
----------------------------------------------------------------------------------------------------------------
                                          Independent Public Accountant
----------------------------------------------------------------------------------------------------------------
Sec.   363.3(a).........................................            X   ............  ............  ............
Sec.   363.3(b).........................................  ............            X   ............  ............
Sec.   363.3(c).........................................            X   ............  ............  ............
Sec.   363.3(d).........................................  ............  ............            X   ............
Sec.   363.3(e).........................................  ............  ............            X   ............
Sec.   363.3(f).........................................  ............  ............            X   ............
Sec.   363.3(g).........................................  ............  ............            X   ............
----------------------------------------------------------------------------------------------------------------
                                         Filing and Notice Requirements
----------------------------------------------------------------------------------------------------------------
Sec.   363.4(a).........................................  ............            X   ............  ............
Sec.   363.4(b).........................................            X   ............  ............  ............
Sec.   363.4(c).........................................  ............            X   ............  ............
Sec.   363.4(d).........................................            X   ............  ............  ............
Sec.   363.4(e).........................................  ............  ............            X   ............
Sec.   363.4(f).........................................  ............  ............            X   ............
----------------------------------------------------------------------------------------------------------------
                                                Audit Committees
----------------------------------------------------------------------------------------------------------------
Sec.   363.5(a).........................................  ............            X   ............  ............
Sec.   363.5(b).........................................            X   ............  ............  ............
Sec.   363.5(c).........................................  ............  ............            X   ............
----------------------------------------------------------------------------------------------------------------
                             Appendix A to Part 363--Guidelines and Interpretations
----------------------------------------------------------------------------------------------------------------
Table of Contents.......................................  ............            X   ............  ............
Introduction............................................            X   ............  ............  ............
----------------------------------------------------------------------------------------------------------------
                                              Scope (Sec.   363.1)
----------------------------------------------------------------------------------------------------------------
Guideline 1.............................................            X   ............  ............  ............
Guideline 2.............................................            X   ............  ............  ............
Guideline 3.............................................  ............            X   ............  ............
Guideline 4.............................................  ............            X   ............  ............
Guideline 4A............................................  ............  ............            X   ............
----------------------------------------------------------------------------------------------------------------
                                  Annual Reporting Requirements (Sec.   363.2)
----------------------------------------------------------------------------------------------------------------
Guideline 5.............................................  ............            X   ............  ............
Guideline 5A............................................  ............  ............            X   ............
Guideline 6.............................................  ............            X   ............  ............
Guideline 7.............................................            X   ............  ............  ............
Guideline 8.............................................            X   ............  ............  ............
Guideline 8A............................................  ............  ............            X   ............
Guideline 8B............................................  ............  ............            X   ............
Guideline 9.............................................  ............            X   ............  ............
Guideline 10............................................  ............            X   ............  ............
Guideline 11............................................            X   ............  ............  ............
Guideline 12............................................            X   ............  ............  ............
----------------------------------------------------------------------------------------------------------------
                              Role of Independent Public Accountant (Sec.   363.3)
----------------------------------------------------------------------------------------------------------------
Guideline 13............................................  ............            X   ............  ............
Guideline 14............................................  ............  ............  ............            X
Guideline 15............................................  ............            X   ............  ............
Guideline 16............................................  ............  ............  ............            X
Guideline 17............................................            X   ............  ............  ............
Guideline 18............................................  ............            X   ............  ............
Guideline 19............................................            X   ............  ............  ............
Guideline 20............................................  ............            X   ............  ............
Guideline 21............................................            X   ............  ............  ............
----------------------------------------------------------------------------------------------------------------
                                  Filing and Notice Requirements (Sec.   363.4)
----------------------------------------------------------------------------------------------------------------
Guideline 22............................................  ............  ............  ............            X
Guideline 23............................................  ............            X   ............  ............
Guideline 24............................................            X   ............  ............  ............

[[Page 62313]]

 
Guideline 25............................................  ............  ............  ............            X
Guideline 26............................................  ............            X   ............  ............
----------------------------------------------------------------------------------------------------------------
                                         Audit Committees (Sec.   363.5)
----------------------------------------------------------------------------------------------------------------
Guideline 27............................................  ............            X   ............  ............
Guideline 28............................................  ............            X   ............  ............
Guideline 29............................................  ............  ............  ............            X
Guideline 30............................................  ............            X   ............  ............
Guideline 31............................................  ............            X   ............  ............
Guideline 32............................................            X   ............  ............  ............
Guideline 33............................................            X   ............  ............  ............
Guideline 34............................................            X   ............  ............  ............
Guideline 35............................................  ............            X   ............  ............
----------------------------------------------------------------------------------------------------------------
                                                      Other
----------------------------------------------------------------------------------------------------------------
Guideline 36............................................            X   ............  ............  ............
Table 1 to Appendix A--Designated Federal Laws and        ............            X   ............  ............
 Regulations............................................
Appendix B--Illustrative Management Reports.............  ............  ............            X   ............
----------------------------------------------------------------------------------------------------------------

A. Scope (Sec.  363.1 and Guidelines 1-4A)

1. Applicability
    The FDIC is proposing to amend Sec.  363.1(a) to more clearly state 
that part 363 applies to any insured depository institution that has 
consolidated total assets of $500 million or more at the beginning of 
its fiscal year. For example, if an institution has a December 31 
fiscal year end and its consolidated total assets were $600 million as 
January 1, 2007, the institution would be subject to the annual 
reporting requirements of part 363 and would have to file a Part 363 
Annual Report for the fiscal year ending December 31, 2007. Also, the 
institution would become subject to the other reporting requirements as 
well as the audit committee requirements of part 363 on January 1, 
2007.
2. Compliance by Subsidiaries of Holding Companies
    At present, an insured depository institution that is a subsidiary 
of a holding company may use consolidated holding company financial 
statements to satisfy the audited financial statements requirement of 
part 363 regardless of whether the assets of the insured depository 
institution subsidiary or subsidiaries of the holding company represent 
substantially all or only a minor portion of the holding company's 
consolidated total assets. When the assets of insured depository 
institution subsidiaries do not comprise a substantial portion of a 
holding company's consolidated total assets, the FDIC staff has found 
that the holding company's consolidated financial statements, including 
the accompanying notes to the financial statements, do not tend to 
provide sufficient information that is indicative of the financial 
position and results of operations of these institutions. Also, when 
the insured depository institution subsidiaries do not contribute 
significantly to the holding company's financial position and results 
of operations, the extent of audit coverage given to these institutions 
in the audit of the consolidated holding company may be limited. Such 
limited audit coverage would not be consistent with the purpose and 
intent of section 36 of the FDI Act, which focuses on insured 
depository institutions rather than holding companies. In this 
situation, the assurance that would be provided by an independent audit 
performed substantially at the level of the insured depository 
institution subsidiaries is not otherwise available.
    Therefore, given the differing characteristics of the holding 
companies that own insured depository institutions as well as the 
relationship of an insured depository institution's total assets to the 
consolidated total assets of its parent holding company, and in keeping 
with the intent and purpose of section 36 of the FDI Act, the FDIC is 
proposing to amend Sec. Sec.  363.1(b)(1) and (2) by revising the 
criteria for determining whether the audited financial statements 
requirement and the other requirements of part 363 may be satisfied at 
a holding company level. More specifically, to comply with the 
requirements of part 363 at the top-tier or any other mid-tier holding 
company level, the consolidated total assets of the insured depository 
institution (or the consolidated total assets of all insured depository 
institutions, regardless of size, if the top-tier or mid-tier holding 
company owns or controls more than one insured depository institution) 
would have to comprise 75 percent or more of the consolidated total 
assets of the top-tier or mid-tier holding company. The FDIC believes 
that this percentage-of-assets threshold should ensure that the extent 
of independent audit work performed at the insured depository 
institution level is sufficient to satisfy the intent of section 36 of 
the FDI Act, that is, the early identification of needed improvements 
in financial management at insured institutions. At the same time, this 
threshold would continue to provide flexibility to the vast majority of 
covered institutions that are part of a holding company structure with 
respect to the level at which they may comply with part 363.
    When determining an appropriate percentage-of-assets threshold for 
compliance with part 363 at a holding company level, the FDIC 
considered the range of percentage-of-assets ratios for insured 
institutions that are part of a holding company structure. The vast 
majority of insured institutions subject to part 363 that are in a 
holding company structure are subsidiaries of organizations where the 
assets of the insured depository institution subsidiaries of the 
holding company comprise 90 percent or more of the holding company's 
consolidated total assets. Of the remaining institutions subject to 
part 363 that are in a holding company structure, most are subsidiaries 
of organizations where the assets of the insured institutions comprise 
either between 75 and 90 percent or less than 25 percent of the top-
tier parent company's consolidated total assets. Smaller numbers of

[[Page 62314]]

institutions are subsidiaries of organizations where the assets of the 
insured institutions comprise from 25 to 50 percent or from 50 to 75 
percent of the top-tier parent company's consolidated total assets. 
However, in a number of cases where the insured institution 
subsidiaries comprise less than 75 percent of the top-tier holding 
company's consolidated total assets, the insured institution 
subsidiaries that are subject to part 363 currently comply with the 
regulation at a mid-tier holding company level where the assets of the 
insured institution subsidiaries comprise 90 percent or more of the 
mid-tier holding company's consolidated total assets. Thus, these 
institutions would not need to change how they comply with part 363 in 
response to the establishment of the proposed 75 percent threshold, 
provided they continue to comply at the same mid-tier holding company 
level and this holding company continues to meet the 75 percent 
threshold.
    The FDIC recognizes that those institutions currently complying 
with part 363 at the holding company level that will not meet the 
proposed 75 percent of consolidated total assets threshold will incur 
additional costs from having to comply with the regulation at the 
institution level or at a suitable mid-tier holding company level. 
Nevertheless, the FDIC believes that the introduction of this 
percentage-of-assets threshold strikes an appropriate balance between 
insured institution financial data and audit coverage and the cost of 
compliance with part 363.
    As a related matter, guideline 3 to part 363, Compliance by Holding 
Company Subsidiaries, states that when a holding company submits 
audited consolidated financial statements and other reports or notices 
required by part 363 on behalf of any subsidiary institution, an 
accompanying cover letter should identify all subsidiary institutions 
to which the statements, reports, or other notices pertain. Because 
many cover letters received by the FDIC have not sufficiently 
identified these subsidiary institutions, the FDIC is proposing to 
amend guideline 3 to clarify what information should be included in the 
cover letter. For example, for a Part 363 Annual Report, the cover 
letter should identify the subsidiary institutions subject to part 363 
included in the holding company's consolidated financial statements and 
state whether the other annual report requirements are being satisfied 
for these institutions at the holding company level or at the 
institution level.
3. Financial Reporting
    The FDIC is proposing to add a new Sec.  363.1(c) and a new 
guideline 4A, Financial Reporting, to specify that ``financial 
reporting'' includes both financial statements prepared in accordance 
with generally accepted accounting principles and those prepared for 
regulatory reporting purposes. Also, as proposed, guideline 4A would 
clarify that financial statements prepared for regulatory reporting 
purposes consist of the schedules equivalent to the basic financial 
statements that are included in an institution's appropriate regulatory 
report and that financial statements prepared for regulatory reporting 
purposes do not include regulatory reports prepared by a non-bank 
subsidiary of a holding company or an institution. For example, if a 
bank holding company or an insured depository institution owns an 
insurance subsidiary, financial statements prepared for regulatory 
reporting purposes would not include any regulatory reports that the 
insurance subsidiary is required to submit to its appropriate insurance 
regulatory agency. These proposed amendments are consistent with 
explanatory guidance issued by the FDIC on this subject in December 
1994 after reviewing the Part 363 Annual Reports submitted earlier that 
year, which was the first time these annual reports were required to be 
filed with the FDIC.\1\
---------------------------------------------------------------------------

    \1\ See FDIC Financial Institution Letter (FIL) 86-94, dated 
December 23, 1994.
---------------------------------------------------------------------------

4. Definitions
    The FDIC is proposing to add Sec.  363.1(d), Definitions, to define 
several common terms used in part 363 and the guidelines.

B. Annual Reporting Requirements (Sec.  363.2 and Guidelines 5-12)

1. Audited Financial Statements
    Consistent with sound management practices and the objective of 
internal control over financial reporting, the FDIC is proposing to 
amend Sec.  363.2(a) to require that the annual financial statements 
reflect all material correcting adjustments identified by the 
independent public accountant. Financial statements issued by insured 
depository institutions that are public companies or by their parent 
holding companies that are public companies are already subject to such 
a requirement pursuant to section 401 of SOX. The FDIC believes this 
requirement should also apply to institutions subject to part 363 that 
are not public companies.
2. Management Report Contents
    Based on its review of management reports filed pursuant to part 
363, the FDIC has noted differences in the content of these reports and 
insufficient information regarding the results of the assessments that 
management must perform. When management has identified material 
weaknesses in internal control over financial reporting or 
noncompliance with designated safety and soundness laws and 
regulations, these weaknesses and noncompliance have not always been 
disclosed.
    In addition, management's assessment of internal control over 
financial reporting has often failed to disclose the internal control 
framework used to perform the assessment of the effectiveness of these 
controls. It is not always evident from management's report whether 
controls over the preparation of the regulatory financial statements 
have been included within the scope of management's assessment. The 
omission of this information from an institution's management report 
reduces the usefulness of the report as a means of identifying needed 
improvements in financial management, which is the objective of section 
36 of the FDI Act. The FDIC notes that the regulations adopted by the 
Securities and Exchange Commission (SEC) in 2003 implementing the 
requirement in section 404 of SOX for a management report on internal 
control over financial reporting requires the identification of the 
internal control framework management used to evaluate the 
effectiveness of these controls and the disclosure of any identified 
material weakness.
    Accordingly, to provide clearer guidance on what should be included 
in the management report, the FDIC is proposing to expand Sec.  
363.2(b). As proposed, Sec.  363.2(b) would require management's 
assessment of compliance with the designated safety and soundness laws 
and regulations to include a clear statement as to management's 
conclusion regarding compliance and disclose any noncompliance with 
such laws and regulations. In addition, amended Sec.  363.2(b) would 
require management's assessment of internal control over financial 
reporting to identify the internal control framework that management 
used to make its evaluation, include a statement that the evaluation 
included controls over the preparation of regulatory financial 
statements, include a clear statement as

[[Page 62315]]

to management's conclusion regarding the effectiveness of internal 
control over financial reporting, disclose all material weaknesses 
identified by management, and preclude management from concluding that 
internal control over financial reporting is effective if there are any 
material weaknesses.
    Because part 363 and its guidelines provide only limited guidance 
concerning the contents of the management report and the related 
signature requirements for this report, institutions and auditors have 
expressed interest in examples of acceptable reports. Therefore, to 
assist management of insured depository institutions in complying with 
the annual reporting requirements of Sec.  363.2, the FDIC is proposing 
to add ``Appendix B to Part 363--Illustrative Management Reports.'' 
Proposed Appendix B would provide guidance regarding reporting 
scenarios that satisfy the annual reporting requirements of part 363, 
illustrative management reports, and an illustrative cover letter for 
use when an institution complies with the annual reporting requirements 
at the holding company level. The use of the wording in the 
illustrative management reports and cover letter would not be required.
    Regarding management's responsibility for assessing compliance with 
the designated safety and soundness laws and regulations, the FDIC is 
proposing to revise and update Table 1 to Appendix A of part 363 to 
reflect changes in these safety and soundness laws and regulations that 
have occurred since this table was last revised in 1997.
3. Management Report Signatures
    Section 36(b)(2) of the FDI Act requires an institution's 
management report to be signed by the chief executive officer and the 
chief accounting officer or chief financial officer. In its reviews of 
management reports, the FDIC has encountered inconsistencies between 
the level at which the management report components are being satisfied 
(insured depository institution level versus holding company level) and 
the corporate level of the officers who are signing the management 
report. More specifically, management reports are often not signed by 
the officers at the appropriate corporate level when the audited 
financial statements requirement is satisfied at the holding company 
level or when one or more of the components of the management report is 
satisfied at the holding company level and the remaining components of 
the management report are satisfied at the insured depository 
institution level. As a result, the FDIC believes institutions would 
benefit from clearer guidance regarding who must sign the management 
report. Therefore, the FDIC is proposing to add Sec.  363.2(c) to 
specify which corporate officers must sign the management report and 
also the level of the corporate signers (i.e., insured depository 
institution level or the holding company level).
4. Institutions Merged Out of Existence
    Currently, part 363 does not exempt an institution that is merged 
out of existence after the end of its fiscal year but before the 
deadline for filing its Part 363 Annual Report from filing an annual 
report. Such institutions typically submit a written request for relief 
from the annual report filing requirement and the request is approved 
by the FDIC. To reduce regulatory burden and provide certainty for 
merging institutions, the FDIC is proposing to add guideline 5A, 
Institutions Merged Out of Existence, to explicitly provide relief from 
filing a Part 363 Annual Report to an institution that is merged out of 
existence after the end of its fiscal year, but before the deadline for 
filing its Part 363 Annual Report. However, a covered institution that 
is acquired after the end of its fiscal year, but retains its separate 
corporate existence rather than being merged out of existence, would 
continue to be required to file a part 363 Annual Report for that 
fiscal year.
5. Management's Assessment of the Effectiveness of Internal Control 
Over Financial Reporting
    The FDIC has publicly advised institutions with $1 billion or more 
in total assets that are public companies or subsidiaries of public 
companies that they have considerable flexibility in determining how 
best to satisfy the SEC's requirements for management's assessment of 
internal control over financial reporting which implement section 404 
of SOX, and the FDIC's requirements in part 363.\2\ The reporting 
flexibility available to institutions subject to both the section 404 
and the part 363 requirements was initially described in the preamble 
to the SEC's section 404 final rule release (68 FR 36642, June 18, 
2003). This final rule release explained that the flexible reporting 
approach described in the preamble had been developed by the SEC staff 
in consultation with the staff of the federal banking agencies. To 
codify this reporting flexibility in part 363, the FDIC is proposing to 
add guideline 8A, Management's Assessment of the Effectiveness of 
Internal Control Over Financial Reporting. For an institution with $1 
billion or more in total assets that is subject to both part 363 and 
the SEC's rules implementing section 404 of SOX (or whose parent 
holding company is subject to section 404 provided the condition in 
Sec.  363.1(b)(2) is met), the proposed guideline describes two options 
for complying with the filing requirements regarding management's 
report on internal control over financial reporting. These options are 
to prepare (1) a separate report to satisfy the FDIC's part 363 
requirements and prepare a separate report to satisfy the SEC's section 
404 requirements, or (2) a single report that satisfies all of the 
FDIC's part 363 requirements and all of the SEC's section 404 
requirements.
---------------------------------------------------------------------------

    \2\ 70 FR 71231, November 28, 2005; 70 FR 44295, August 2, 2005; 
FDIC Financial Institution Letter (FIL) 137-2004, December 21, 2004.
---------------------------------------------------------------------------

6. Internal Control Reports for Acquired Businesses
    Currently, under the reporting requirements of part 363, both 
management's and the related independent public accountant's evaluation 
of an institution's internal control over financial reporting must 
include controls at an institution in its entirety, including all of 
its consolidated businesses, including businesses that were recently 
acquired. However, the FDIC recognizes that it may not always be 
possible for management to conduct an evaluation of the internal 
control over financial reporting of an acquired business in the period 
between the consummation date of the acquisition and the due date of 
management's internal control evaluation. For public companies subject 
to the internal control reporting requirements of section 404 of SOX, 
the SEC staff has also acknowledged that conducting an internal control 
evaluation of such an acquired business may not always be possible. 
This led the SEC staff to provide guidance to public companies stating 
that the staff would not object to the exclusion of the acquired 
business from management's evaluation of internal control over 
financial reporting, provided certain disclosures are made and other 
conditions are met.\3\ The FDIC has received several written requests 
from institutions subject to the internal control reporting 
requirements of part 363 concerning their ability to exclude

[[Page 62316]]

recently acquired businesses from the scope of management's internal 
control evaluation as of the end of the year of the acquisition. The 
FDIC staff has granted such requests for relief subject to the same 
disclosure parameters and other conditions that are laid out in the SEC 
staff's guidance on this matter.
---------------------------------------------------------------------------

    \3\ See Question 3 in the SEC staff's Frequently Asked Questions 
on Management's Report on Internal Control Over Financial Reporting 
and Certification of Disclosure in Exchange Act Periodic Reports at 
http://www.sec.gov/info/accountants/controlfaq1004.htm.
---------------------------------------------------------------------------

    To reduce regulatory burden, including the burden of submitting 
written requests to the FDIC, and provide certainty to institutions, 
the FDIC is proposing to add guideline 8B, Internal Control Reports for 
Acquired Businesses, to explicitly provide relief from the reporting 
requirements regarding internal control over financial reporting 
related to business acquisitions made by an institution during its 
fiscal year. As proposed and consistent with the SEC staff's guidance, 
guideline 8B would permit management's evaluation of internal control 
over financial reporting to exclude internal control over financial 
reporting for the acquired business, provided management's report 
identifies the acquired business, states that the acquired business is 
excluded from management's evaluation of internal control over 
financial reporting, and indicates the significance of the acquired 
business to the institution's consolidated financial statements. Also, 
proposed guideline 8B would clarify that if the acquired business is an 
insured depository institution that is subject to part 363 and it is 
not merged out of existence before the deadline for filing its Part 363 
Annual Report, the acquired business (institution) must continue to 
comply with all of the applicable requirements of part 363.
7. Standards for Internal Control
    At present, guideline 10, Standards for Internal Control, provides 
that each institution should determine its own standards for 
establishing, maintaining, and assessing the effectiveness of its 
internal control over financial reporting. However, the guideline does 
not describe the characteristics of a suitable internal control 
framework. Accordingly, the FDIC is proposing to amend guideline 10 to 
provide guidance regarding the attributes of a suitable internal 
control framework to be used by management in its evaluation of an 
institution's internal control over financial reporting. Recognizing 
that a significant percentage of institutions subject to part 363 or 
their parent holding companies are also subject to the internal control 
reporting requirements of section 404 of SOX, the attributes described 
in amended guideline 10 are consistent with the attributes the SEC 
described in the preamble to the SEC's section 404 final rule release 
(68 FR 36648, June 18, 2003). The FDIC believes that a framework with 
these attributes is appropriate for all institutions whether or not 
they are public companies.

C. Independent Public Accountant (Sec.  363.3 and Guidelines 13-21)

1. Internal Control Over Financial Reporting
    As with its experience in reviewing the portion of the management 
report in which management provides its assessment of the effectiveness 
of the institution's internal control over financial reporting, the 
FDIC has found some independent public accountants' internal control 
attestation reports to be less than sufficiently informative. Such 
attestation reports are, therefore, inconsistent with the objectives of 
section 36 of the FDI Act. As a consequence, the FDIC is proposing to 
amend Sec.  363.3(b), which governs the independent public accountant's 
report on internal control over financial reporting, to specify that, 
consistent with generally accepted standards for attestation 
engagements, the Public Company Accounting Oversight Board's (PCAOB) 
auditing standards, and related PCAOB staff implementation guidance, 
the accountant's report must:
     Not be dated prior to the date of management's report on 
its assessment of the effectiveness of internal control over financial 
reporting;
     Identify the internal control framework that the 
accountant used to make the evaluation (which must be the same as the 
internal control framework used by management);
     Include a statement that the accountant's evaluation 
included controls over the preparation of regulatory financial 
statements;
     Include a clear statement as to the accountant's 
conclusion regarding the effectiveness of internal control over 
financial reporting;
     Disclose all material weaknesses identified by the 
accountant; and
     Conclude that internal control is ineffective if there are 
any material weaknesses.
    The FDIC is also proposing to amend guideline 18, Attestation 
Report, to be consistent with Sec.  363.3(b)(2) by reiterating that the 
attestation report on internal control over financial reporting should 
include a statement as to regulatory reporting.
2. Communications With Audit Committee
    According to section 204 of SOX, an accountant who audits a public 
company's financial statements should report on a timely basis to the 
company's audit committee: (1) All critical accounting policies, (2) 
alternative accounting treatments discussed with management, and (3) 
written communications provided to management, such as a management 
letter or schedule of unadjusted differences. These reporting 
requirements are intended to strengthen the relationship between the 
audit committee and the accountant. The FDIC has previously stated that 
effective communication between the accountant who audits the 
institution's financial statements and the institution's audit 
committee assists the audit committee in carrying out its 
responsibilities. For this reason, the FDIC encouraged institutions, 
regardless of whether they are public companies or not, to arrange with 
their accountant to institute these reporting practices.\4\ 
Requirements that are similar, but not identical, to those set forth in 
section 204 apply to accountants who audit the financial statements of 
entities that are not public.\5\ Therefore, consistent with current 
best practices and standards for audits of both public and non-public 
entities, the FDIC is proposing to amend part 363 by adding Sec.  
363.3(d), Communications with audit committee, to set a uniform minimum 
requirement for such communication. As proposed, Sec.  363.3(d) would 
require the independent public accountant to report the information 
identified in section 204 of SOX to the audit committee.
---------------------------------------------------------------------------

    \4\ See FDIC Financial Institution Letter (FIL) 17-2003, dated 
March 5, 2003.
    \5\ See Statement on Auditing Standards No. 114, The Auditor's 
Communication With Those Charged With Governance, December 2006.
---------------------------------------------------------------------------

3. Retention of Working Papers
    Section 36(g)(3)(A) of the FDI Act states that an independent 
public accountant who performs audit services required by section 36 
must agree to provide related working papers to the FDIC, any 
appropriate federal banking agency, and any state bank supervisor. 
However, when seeking to review audit working papers, the FDIC has 
previously encountered situations where the working papers had been 
retained for only a limited number of years. The SEC's rules and the 
PCAOB's auditing standards implementing sections 802 and 103 of SOX, 
respectively, now specify a 7-year retention period for audit working 
papers. The American Institute of Certified Public Accountants' (AICPA) 
auditing standards provide that the retention period for audit working

[[Page 62317]]

papers should not be shorter than five years.\6\ Since the retention 
period applicable to audits of public companies is seven years, the 
FDIC believes that a uniform retention period should apply to audits of 
all institutions subject to part 363. Accordingly, consistent with the 
current practices and professional standards for audits of both public 
and non-public entities, the FDIC is proposing to amend part 363 by 
adding Sec.  363.3(e), Retention of working papers. As proposed, Sec.  
363.3(e) would require the independent public accountant to retain the 
working papers related to its audit of the financial statements and, if 
applicable, its evaluation of internal control over financial reporting 
for seven years.
---------------------------------------------------------------------------

    \6\ See Statement on Auditing Standards No. 103, Audit 
Documentation, December 2006.
---------------------------------------------------------------------------

4. Independence
    Section 36 of the FDI Act states that an ``independent public 
accountant'' must perform the audit and attestation services required 
by section 36 but it does not define ``independent,'' leaving this to 
the FDIC's rulemaking authority. As adopted by the FDIC in 1993, part 
363 includes guideline 14, Independence, which identifies the 
independence standards applicable to accountants performing services 
under section 36 and part 363. In 2003, the agencies jointly issued 
rules of practice to implement the enforcement provisions of section 
36(g)(4), which authorize the FDIC or an appropriate federal banking 
agency to remove, suspend, or bar an accountant, for good cause, from 
performing audit and attestation services for institutions subject to 
section 36 and part 363.\7\ To enhance the enforceability of the 
independence standards with which an accountant must comply for 
purposes of part 363, the FDIC is proposing to move the independence 
requirements for independent public accountants from guideline 14, 
Independence, to new Sec.  363.3(f), Independence. As proposed, Sec.  
363.3(f) would also clarify that the independent public accountant must 
comply with the independence standards and interpretations of the PCAOB 
that have been approved by the SEC in addition to the independence 
standards and interpretations of the AICPA and the SEC.
---------------------------------------------------------------------------

    \7\ 68 FR 48256, August 13, 2003.
---------------------------------------------------------------------------

5. Peer Reviews
    Section 36(g)(3)(A)(ii) of the FDI Act requires an independent 
public accountant to have received a peer review or be enrolled in a 
peer review program that meets acceptable guidelines. At present, 
guideline 15 to part 363 provides that to be acceptable, a peer review 
should, among other things, be generally consistent with AICPA 
standards. Since part 363 was originally adopted, the PCAOB has been 
created and conducts inspections of registered public accounting firms, 
some of which audit insured depository institutions subject to part 363 
or their parent holding companies. These inspections serve a similar 
purpose as peer reviews. In addition, the PCAOB issues reports on its 
inspections of these accounting firms.
    In response to this development and in light of the agencies' 
issuance of rules of practice implementing the enforcement provisions 
of section 36, as mentioned above, the FDIC is proposing to add new 
Sec.  363.3(g) on peer reviews. The FDIC would move the requirements 
for peer reviews and retention of the peer review working papers from 
guideline 15, Peer Reviews, to Sec.  363.3(g). In addition, the 
requirements for filing peer review reports would be moved to new Sec.  
363.3(g) from guideline 16, Filing Peer Review Reports. As proposed, 
Sec.  363.3(g) would also clarify that acceptable peer reviews include 
peer reviews performed in accordance with the AICPA's Peer Review 
Standards and inspections conducted by the PCAOB. It would also provide 
that the FDIC would not make available for public inspection the 
portion of any peer review report and inspection report determined to 
be nonpublic by the AICPA and the PCAOB, respectively. Finally, the 
FDIC is proposing to revise guideline 15 to explain that a peer review, 
other than a PCAOB inspection, should be generally consistent with 
AICPA Peer Review Standards.
6. Notice of Termination
    Guideline 26, Notices Concerning Accountants, permits an 
institution that is a public company or a subsidiary of a public 
company to satisfy the requirement for filing a notice of termination 
of its independent public accountant by using its current report (e.g., 
SEC Form 8-K) concerning a change in accountant to satisfy the similar 
notice requirements of part 363. To reduce regulatory burden and 
provide flexibility to the independent public accountant of such an 
institution, the FDIC is proposing to amend guideline 20, Notice of 
Termination, to permit the independent public accountant to satisfy the 
requirement to file a notice of termination of its services in a 
similar manner. As proposed, the independent public accountant 
generally could satisfy the part 363 notice requirement by (1) 
submitting the letter it provided to management to be filed with the 
institution's or the holding company's current report filed with the 
SEC or the appropriate federal banking agency or (2) relying on the 
institution's or the holding company's current report filed by 
management with the FDIC that includes the independent public 
accountant's notice of termination of its services, provided the 
independent public accountant confirms that management has filed a 
current report that includes the accountant's letter to satisfy the 
requirements of Sec.  363.3(c).

D. Filing and Notice Requirements (Sec.  363.4 and Guidelines 22-26)

1. Annual Reporting
    Currently, the annual reporting requirements of part 363 require 
each insured depository institution to file its Part 363 Annual Report 
within 90 days after the end of its fiscal year. Part 363 also requires 
each institution to file the independent public accountant's report on 
the audited financial statements and, if applicable, the accountant's 
attestation report on management's assessment of internal control over 
financial reporting, both of which are components of the Part 363 
Annual Report, within 15 days of receipt by the institution, which can 
present a conflict with the annual report filing requirement. The FDIC 
is also aware of the impact that earlier filing deadlines established 
by the SEC for annual reports filed by certain public companies under 
the federal securities laws (e.g., SEC Form 10-K) and more robust 
auditing standards related to internal control over financial reporting 
have had on the management of institutions, on the resources of 
independent public accountants, and on auditing costs. To reduce cost 
and burden, the FDIC is proposing to amend Sec.  363.4(a) by extending 
the time period within which an insured depository institution that is 
not a public company or a subsidiary of a public company must file its 
Part 363 Annual Report from within 90 days to within 120 days after the 
end of its fiscal year. An insured depository institution that is a 
public company, or that is a subsidiary of a public company that meets 
certain criteria, would continue to be required to file its Part 363 
Annual Report within 90 days after the end of its fiscal year, which is 
consistent with the maximum time frame that public companies have for 
filing annual reports under the federal securities laws. The FDIC would 
also eliminate the ambiguity in Sec.  363.4 concerning the filing 
deadline for the components of the Part 363 Annual

[[Page 62318]]

Report that are prepared by the independent public accountant.
    An insured depository institution with consolidated total assets of 
less than $1 billion that is a public company or a subsidiary of a 
public company is required to file management's assessment of the 
effectiveness of internal control over financial reporting with the SEC 
or the appropriate federal banking agency in accordance with the 
compliance dates of the SEC's rules implementing section 404 of SOX. 
Management's findings and conclusions with respect to internal control 
over financial reporting, as disclosed in the assessment that 
management files with the SEC or the appropriate federal banking 
agency, provide information that would aid in meeting the objective of 
section 36 of the FDI Act.
    Therefore, the FDIC is proposing to add a provision to Sec.  
363.4(a) that would require an institution of this size to submit a 
copy of management's section 404 internal control assessment with its 
Part 363 Annual Report, but this assessment will not be considered part 
of the institution's Part 363 Annual Report.
2. Independent Public Accountant's Reports
    Section 36(h)(2)(A) of the FDI Act and Sec.  363.4(c) require an 
institution to file a copy of any management letter or other report 
issued by its independent public accountant that pertains to the 
financial statement audit and the attestation on internal control over 
financial reporting within 15 days after receipt by the institution. 
The FDIC's experience in administering part 363 indicates that 
institutions are often uncertain as to which types of reports they 
receive from their independent public accountant must be submitted to 
the FDIC, the appropriate federal banking agency, and any appropriate 
state bank supervisor pursuant to this filing requirement. As stated 
above, this uncertainty extends to this 15-day filing requirement and 
its relationship to the filing deadline for the Part 363 Annual Report. 
To clarify the requirements for the filing of accountants' reports, the 
FDIC is proposing to amend Sec.  363.4(c), Independent public 
accountant's letters and reports, by providing examples of the types of 
reports issued by an institution's independent public accountant, 
except for the accountant's reports that are required to be included in 
the institution's Part 363 Annual Report, that are to be filed within 
15 days after receipt. Guideline 25, Independent Accountant's Reports, 
would be deleted because it would be redundant and no longer needed.
    In the Interagency Advisory on the Unsafe and Unsound Use of 
Limitation of Liability Provisions in External Audit Engagement 
Letters, the federal banking agencies expressed their concerns about 
limitation of liability provisions included in external audit 
engagement letters and advised institutions against entering into 
engagement letters containing such provisions.\8\ To enable the FDIC to 
timely review institutions' engagement letters with their independent 
public accountants, the FDIC is also proposing to amend Sec.  363.4(c) 
to require institutions to file copies of audit engagement letters, 
including any related agreements and amendments, with the FDIC, the 
appropriate federal banking agency, and any appropriate state bank 
supervisor within 15 days of acceptance by the institution.
---------------------------------------------------------------------------

    \8\ 71 FR 6847, February 9, 2006.
---------------------------------------------------------------------------

3. Notification of Late Filing
    Guideline 23, Relief from Filing Deadlines, currently provides that 
in the occasional event that an institution is confronted with 
extraordinary circumstances beyond its reasonable control that 
justifies an extension of the deadline for filing its Part 363 Annual 
Report or another required report or notice, the institution may submit 
a written request for an extension of the filing deadline of not more 
than 30 days that explains the reasons for the request. Such a request 
may be granted for good cause. Over the last several years, the reasons 
set forth in the requests for extensions of time for filing Part 363 
Annual Reports that have been submitted to the FDIC generally did not 
represent extraordinary circumstances beyond the institution's 
reasonable control, the standard currently set forth in guideline 23. 
Also, several extension requests were repeats of requests from the same 
institutions from the previous year.
    Based upon this experience and given the proposed amendment to 
Sec.  363.4(a) to extend the filing deadline for Part 363 Annual 
Reports for non-public institutions from 90 to 120 days, the FDIC is 
proposing to replace the extensions of time for filing reports that are 
available only in extraordinary circumstances under guideline 23 with a 
new Sec.  363.4(e),
    Notification of late filing. In place of filing extensions that 
have limited applicability, this new section would be applicable to all 
institutions and would require an institution that is unable to timely 
file all or any portion of its Part 363 Annual Report or any other 
report or notice to submit a written notice of late filing before the 
filing deadline for the report or notice. The late filing notice shall 
disclose the institution's inability to timely file all or specified 
portions of its Part 363 Annual Report or other report or notice, the 
reasons therefore in reasonable detail, and the date when the report or 
notice will be filed.
    The FDIC is also proposing to amend guideline 23 by changing its 
focus from extension requests to late filing notices consistent with 
the approach taken in new Sec.  363.4(e). Amended guideline 23 would 
explain that submitting a late filing notice would not cure the 
apparent violation of part 363 arising from an institution's failure to 
timely file a Part 363 Annual Report or any other required report or 
notice. The supervisory response to such an apparent violation would 
take into account the facts and circumstances surrounding an 
institution's delay in filing. As proposed, guideline 23 would also 
provide that, if the late filing applies to only a portion of the Part 
363 Annual Report or any other report or notice, the components of the 
report or notice that have been completed should be filed within the 
prescribed filing period accompanied by either a cover letter that 
indicates which components are omitted or a combined late filing notice 
and cover letter.
4. Place for Filing
    Current guideline 22 identifies the office of the FDIC, the 
appropriate federal banking agency, and the appropriate state bank 
supervisor to which reports and notices (other than peer review 
reports) required by part 363 are to be filed. Nevertheless, the FDIC 
has found that some institutions submit required reports and notices to 
incorrect locations. The FDIC staff also receives questions from 
institutions asking where reports and notices should be filed. To make 
the information as to where Part 363 Annual Reports, written notices of 
late filing, and other reports and notices (except peer review reports) 
are to be filed more prominent, the FDIC is proposing to move this 
information from guideline 22, Place for Filing, to a new Sec.  
363.4(f), Place for filing.

E. Audit Committees (Sec.  363.5 and Guidelines 27-35)

1. Composition
    Section 36(g)(1) of the FDI Act and Sec.  363.5(a) require each 
insured depository institution subject to part 363 to have an 
independent audit committee comprised entirely of outside directors. As 
defined in Sec.  363.5(a)(3), in general, an outside director is a 
director

[[Page 62319]]

who is not an officer or employee of the institution or any affiliate 
of the institution. In addition, the outside directors who serve on the 
audit committee must be ``independent of management,'' although a 
minority of the audit committee members of institutions with $500 
million or more but less than $1 billion in total assets need not be 
``independent of management.'' According to guideline 27, Composition, 
each institution's board of directors is responsible for determining at 
least annually whether existing and potential audit committee members 
satisfy the requirements governing audit committee composition. 
Guidelines 28 and 29 set forth certain factors for boards of directors 
to consider in determining whether an outside director is ``independent 
of management.''
    In order for a board of directors to perform its evaluation of 
audit committee members in a consistent, effective, and reviewable 
manner, the FDIC believes the board should be guided by an approved 
policy or set of criteria that identifies the factors to be taken into 
account by the board. Accordingly, the FDIC is proposing to amend 
guideline 27 to state that an institution's board of directors should 
maintain and use an approved set of written criteria for evaluating 
audit committee member independence and that the results of and basis 
for the board's determination with respect to each existing and 
potential audit committee member should be recorded in the board's 
minutes.
    Guideline 30, Holding Company Audit Committees, provides guidance 
for complying with the audit committee requirements of part 363 at the 
holding company level. The FDIC is proposing to amend guideline 30 for 
consistency with the proposed revisions to the holding company 
provisions of Sec.  363.1(b) and to reflect the difference in the audit 
committee composition requirements in Sec.  363.5(a) for institutions 
with more than and less than $1 billion in total assets.
2. ``Independent of Management'' Considerations
    Guideline 28, ``Independent of Management'' Considerations, 
identifies five factors for a board of directors to consider when 
determining the independence of an outside director. Guideline 29, Lack 
of Independence, states that a director who owns or controls 10 percent 
or more of any class of the institution's voting securities should not 
be considered ``independent of management.'' The FDIC has found that 
some of the factors in guideline 28 are so general that they fail to 
provide meaningful guidance to boards of directors. At the same time, 
many of the institutions subject to part 363 or their parent holding 
companies are public companies with securities listed on a national 
securities exchange. Under the SEC's Rule 10A-3 (17 CFR Sec.  240.10A-
3), each audit committee member of a listed issuer must be a director 
of the issuer and must otherwise be independent. The listing standards 
of the national securities exchange must set forth the criteria for 
determining the independence of directors who are to serve on a listed 
issuer's audit committee.
    Based on its review, the FDIC believes that the independence 
criteria for audit committee members included in the listing standards 
of the national securities exchanges, together with the FDIC's existing 
stock ownership criterion in guideline 29, represent an appropriate 
framework for determining whether an outside director is ``independent 
of management'' for purposes of part 363. Furthermore, for an 
institution whose audit committee members or whose parent holding 
company's audit committee members, if the holding company meets the 
holding company provisions of Sec.  363.1(b), are subject to the 
listing standards of a national securities exchange, allowing the 
institution to use these standards for part 363 purposes will reduce 
the institution's burden.
    Therefore, the FDIC is proposing to combine guidelines 28 and 29 
and provide expanded guidance for an institution's board of directors 
to use in its assessment of an outside director's relationship to the 
institution for the purposes of making ``independent of management'' 
determinations regarding audit committee members. For example, the 
proposed amendment to guideline 28 includes a list of criteria that an 
institution's board of directors should consider when determining 
whether an outside director would be considered ``independent of 
management.'' In developing the proposed list of criteria, the FDIC 
considered the portion of the listing standards of the national 
securities exchanges that apply to audit committees. An institution's 
board of directors may also conclude that it should consider additional 
criteria that may be appropriate in its particular circumstances. As an 
alternative to the listed criteria, proposed guideline 28 would permit 
an institution that is a public company or that is a subsidiary of a 
public company, when the holding company provisions of Sec.  363.1(b) 
are met, to apply the audit committee provisions of the listing 
standards of the national securities exchange on which the public 
institution or its public parent company is listed for purposes of 
determining audit committee member independence. Similarly, all other 
institutions, including those that are not public companies, may elect 
to use the audit committee provisions of the listing standards of a 
national securities exchange or association for determining audit 
committee member independence.
3. Duties
    According to section 36(g)(1)(B) of the FDI Act and Sec.  363.5(a), 
an audit committee's duties include reviewing the basis for the Part 
363 Annual Report with both management and the independent public 
accountant. Guideline 31 further provides that the audit committee's 
duties should be appropriate to the size of the institution and the 
complexity of its operations and it identifies additional duties that 
could be appropriate for the audit committee. These additional duties 
include discussing with management the selection and termination of the 
institution's independent public accountant. In addition, guideline 26 
provides that, before engaging an independent public accountant, an 
institution should review and satisfy itself that the accountant is in 
compliance with the required qualifications set forth in guidelines 13 
through 15, including the accountant's independence and receipt of a 
peer review.
    Under section 301 of SOX, the audit committee of each public 
company listed on a national securities exchange or association must be 
responsible for the appointment, compensation, and oversight of the 
accounting firm engaged to prepare or issue an audit report or perform 
related work. As the SEC noted when it adopted its final rule 
implementing section 301, ``the auditing process may be compromised 
when a company's outside auditors view their responsibility as serving 
the company's management rather than its full board of directors or 
audit committee. This may occur if the auditor views management as the 
employer with hiring, firing and compensating powers. Under these 
conditions, the auditor may not have the appropriate incentive to raise 
concerns and conduct an objective review. * * * One way to help promote 
auditor independence, then, is for the auditor to be hired, evaluated 
and, if necessary, terminated by the audit committee.'' Because the 
intent and purpose of section 36 of the FDI Act is the early 
identification of needed improvements in financial management, it is 
critical for the accountants that perform audit

[[Page 62320]]

and attestation services for insured depository institutions subject to 
section 36 to have an appropriate incentive to raise concerns and 
conduct an objective review. In this regard, the FDIC believes it is a 
sound corporate governance practice for an institution's audit 
committee, rather than its management, to be responsible for the 
appointment, compensation, and oversight of the accountant, regardless 
of whether the institution is a public company.
    Therefore, the FDIC is proposing to amend Sec.  363.5(a), 
Composition and duties, and guideline 31, Duties, to specify that, in 
addition to reviewing with management and the independent public 
accountant the basis for the reports issued under part 363, the duties 
of the audit committee include the appointment, compensation, and 
oversight of the independent public accountant who performs services 
required under part 363. In order to discharge these duties with 
respect to the independent public accountant, the audit committee 
should also review and satisfy itself as to the independent public 
accountant's compliance with the independence, peer review, and other 
qualifications under part 363. Additionally, the audit committee should 
be familiar with and ensure management's compliance with the 
requirement to file notices concerning the engagement, resignation, or 
dismissal of an independent public accountant. The FDIC is proposing to 
include these duties in guideline 31.
4. Independent Public Accountant Engagement Letters
    In response to an observed increase in the types and frequency of 
provisions in financial institutions' external audit engagement letters 
that limit the auditors' liability, the federal banking agencies issued 
an Interagency Advisory on the Unsafe and Unsound Use of Limitation of 
Liability Provisions in External Audit Engagement Letters (Interagency 
Advisory) in February 2006.\9\ When they issued the Interagency 
Advisory, the agencies stated their belief that when institutions agree 
to limit their external auditors' liability in provisions in engagement 
letters, such provisions may weaken the external auditors' objectivity, 
impartiality, and performance, which may reduce the reliability of 
audits and thereby raise safety and soundness concerns. The reliability 
of audits is central to achieving the intent and purpose of section 36 
of the FDI Act. Therefore, the FDIC is proposing to add Sec.  363.5(c), 
Independent public accountant engagement letters, and amend guideline 
31, Duties, to incorporate the principal provisions of the Interagency 
Advisory.
---------------------------------------------------------------------------

    \9\ See 71 FR 6847, February 9, 2006, and FDIC Financial 
Institution Letter (FIL) 13-2006, issued on the same date. The 
Federal Financial Institutions Examination Council on behalf of the 
agencies issued the Interagency Advisory in proposed form for public 
comment on May 10, 2005 (70 FR 24576).
---------------------------------------------------------------------------

    As proposed, Sec.  363.5(c) and guideline 31 would require the 
audit committee to ensure that audit engagement letters and any related 
agreements with the independent public accountant for services to be 
performed under part 363 do not contain any limitation of liability 
provisions that: (1) Indemnify the independent public accountant 
against claims made by third parties; (2) hold harmless or release the 
independent public accountant from liability for claims or potential 
claims that might be asserted by the client insured depository 
institution, other than claims for punitive damages; or (3) limit the 
remedies available to the client insured depository institution. 
Consistent with the Interagency Advisory, the proposed amendment would 
not preclude the use of alternative dispute resolution agreements and 
jury trial waivers.
5. Transition Period for Forming and Restructuring Audit Committees
    When an insured depository institution first exceeds the $500 
million total assets threshold and becomes subject to part 363, 
particularly an institution with few shareholders, the FDIC has 
observed that, in some cases, such an institution encounters difficulty 
in satisfying the requirements governing the composition of the 
independent audit committee. If the board of directors lacks a 
sufficient number of outside directors who are independent of 
management to serve on the audit committee, the board members must 
identify and attract qualified individuals in their community who would 
be willing to become directors and audit committee members and who 
would be ``independent of management.'' The lack of guidance in part 
363 on the amount of time in which an institution must bring its audit 
committee into compliance with the requirements governing its 
composition when an institution first becomes subject to part 363 
further complicates this process. This lack of guidance on the time 
frame for attaining compliance also affects the other two asset-size 
thresholds applicable to audit committee composition.
    To provide both clarity and regulatory relief, the FDIC is 
proposing to replace outdated guideline 35, which dealt with compliance 
with the audit committee requirements of part 363 when the regulation 
took effect in 1993, with a revised guideline 35, ``Transition Period 
for Forming and Restructuring Audit Committees.'' As proposed, 
guideline 35 would provide a one-year transition period for forming or 
restructuring the audit committee when an institution first becomes 
subject to part 363, when an institution's assets first reach the $1 
billion asset-size threshold, and when an institution's assets first 
reach the $3 billion asset-size threshold. The proposed revised 
guideline would state that, when an institution first crosses one of 
these three thresholds based on its total assets at the beginning of 
its fiscal year, no regulatory action would be taken if the institution 
forms or restructures its audit committee to comply with the applicable 
requirements governing the composition of the committee by the end of 
that fiscal year, provided the institution complied with any applicable 
audit committee requirements for its preceding fiscal year.

F. Other Changes to Part 363

    The FDIC also proposes to make other changes to part 363 to improve 
its clarity, readability, and consistency of language, and to correct 
or eliminate outdated terms, references, and provisions in the 
regulation and appendix A.

G. Proposed Amendment to Part 308, Subpart U

    In August 2003, pursuant to section 36(g)(4) of the FDI Act, the 
FDIC and the other federal banking agencies jointly issued final rules 
governing their authority to take disciplinary actions against 
independent public accountants and accounting firms that perform audit 
and attestation services required by section 36.\10\ Under the final 
rules, certain violations of law, negligent conduct, reckless violation 
of professional standards, or lack of qualifications to perform 
auditing services may be considered good cause to remove, suspend, or 
bar an accountant or firm from providing audit and attestation services 
for institutions subject to section 36. The rules also prohibit an 
accountant or accounting firm from performing these services if the 
accountant or firm has been removed, suspended, or debarred by one of 
the agencies, or if the SEC or PCAOB takes certain disciplinary actions 
against the accountant or firm. Additionally, the final rules require 
an accountant or an accounting firm to provide the agencies

[[Page 62321]]

with written notification of the accountant's or firm's removal, 
suspension, or debarment. Part 308, subpart U, of the FDIC's rules and 
regulations implements the requirements of section 36(g)(4) of the FDI 
Act for institutions that are supervised by the FDIC. The FDIC is 
proposing to amend Sec.  308.604(c) to identify the FDIC location where 
an accountant or accounting firm should file required notices of orders 
and actions regarding removal, suspension, or debarment.
---------------------------------------------------------------------------

    \10\ See 68 FR 48256, April 13, 2003, and the FDIC's Financial 
Institution Letter (FIL) FIL-66-2006, dated August 18, 2003.
---------------------------------------------------------------------------

IV. Request for Comments

    The FDIC welcomes comments on all aspects of this proposal. In 
particular, the FDIC invites comments on the following:
    1. As proposed, the rule would require management's assessment of 
compliance with designated safety and soundness laws and regulations to 
include a clear statement as to management's conclusion regarding 
compliance and disclose any noncompliance with such laws and 
regulations. The designated safety and soundness laws and regulations 
relate to loans to insiders and dividend restrictions. Management's 
assessment of compliance is included in the management report within 
the Part 363 Annual Report, which is available for public inspection. 
Should the disclosure of instances of noncompliance with these 
designated laws and regulations be made available for public inspection 
or should the FDIC designate such disclosure as privileged and 
confidential and not available to the public?
    2. As proposed, the rule would require the total assets of a 
holding company's insured depository institution subsidiaries to 
comprise 75 percent or more of the holding company's consolidated total 
assets as of the beginning of its fiscal year in order for an 
institution to comply with part 363 at the holding company level. The 
holding company could be the institution's top-tier or any mid-tier 
holding company that meets the 75 percent threshold. Considering the 
costs and benefits of a threshold, is 75 percent or more of 
consolidated total assets an appropriate threshold? If not, what would 
be an appropriate threshold to use for compliance with part 363 at a 
holding company level?

V. Solicitation of Comments on Use of Plain Language

    Section 722 of the Gramm-Leach-Bliley Act, Pub. L. 106-102, sec. 
722, 113 Stat. 1338, 1471 (Nov. 12, 1999), requires the federal banking 
agencies to use plain language in all proposed and final rules 
published after January 1, 2000. We invite your comments on how to make 
this proposal easier to understand. For example:
     Have we organized the material to suit your needs? If not, 
how could this material be better organized?
     Are the requirements in the proposed regulation clearly 
stated? If not, how could the regulation be more clearly stated?
     Does the proposed regulation contain language or jargon 
that is not clear? If so, which language requires clarification?
     Would a different format (grouping and order of sections, 
use of headings, paragraphing) make the regulation easier to 
understand? If so, what changes to the format would make the regulation 
easier to understand?
     What else could we do to make the regulation easier to 
understand?

VI. Solicitation of Comments on Impact on Community Banks

    The FDIC seeks comments on the impact of this proposal on community 
banks. The FDIC recognizes that community banks operate with more 
limited resources than larger institutions and may present a different 
risk profile. Thus, the FDIC specifically requests comments on the 
impact of the proposal on community banks' current resources, including 
personnel, and whether the goals of the proposed rule could be 
achieved, for community banks, through an alternative approach.

VII. Regulatory Flexibility Act Analysis

    The Regulatory Flexibility Act (RFA) requires that each federal 
agency either certify that a proposed rule would not, if adopted in 
final form, have a significant economic impact on a substantial number 
of small entities or prepare an initial regulatory flexibility analysis 
(IRFA) of the proposal and publish the analysis for comment. See 5 
U.S.C. 603, 605. The Small Business Administration (SBA) defines small 
banks as those with less than $165 million in assets. Because this rule 
expressly exempts insured depository institutions having assets of less 
than $500 million, it is inapplicable to small entities as defined by 
the SBA. Therefore, it is certified that this proposed rule would not 
have a significant economic impact on a substantial number of small 
entities.

VIII. Paperwork Reduction Act

    This proposed rule would revise a collection of information that 
has been reviewed and approved by the Office of Management and Budget 
(OMB) under control number 3064-0113, pursuant to the Paperwork 
Reduction Act (44 U.S.C. 3501 et seq). The principal revisions that 
bear on the collection of information under part 363 are the extension 
of the filing deadline for the Part 363 Annual Report from 90 to 120 
days after the end of the fiscal year for an institution that is not a 
public company or a subsidiary of a public company, the replacement of 
30-day extension requests (when an institution is confronted with 
extraordinary circumstances beyond its reasonable control) with late 
filing notices (regardless of the reason), the modification of the 
criteria governing the acceptability of reports at the holding company 
level rather than at the institution level, the expanded guidance on 
the content of the management report and the independent public 
accountant's internal control attestation report, the board of 
directors' use of an approved set of written criteria for determining 
whether an audit committee member is an outside director and is 
``independent of management,'' and the new guidelines for institutions 
merged out of existence and for internal control reports for acquired 
businesses. It is anticipated that the overall effect of these changes 
will be a small burden increase for affected insured institutions. 
Comments are invited on: (a) Whether this collection of information is 
necessary for the proper performance of the FDIC's functions, including 
whether the information has practical utility; (b) the accuracy of the 
estimates of the burden of the information collection; (c) ways to 
enhance the quality, utility, and clarity of the information to be 
collected; and (d) ways to minimize the burden of the information 
collection on respondents, including through the use of automated 
collection techniques or other forms of information technology.
    Comments should be addressed to Steven F. Hanft, Paperwork 
Clearance Officer, Room F-1062, Federal Deposit Insurance Corporation, 
550 17th Street, NW., Washington, DC 20429, with copies to the OMB desk 
officer for the FDIC by mail to the Office of Information and 
Regulatory Affairs, U.S. Office of Management and Budget, New Executive 
Office Building, Room 10235, 725 17th Street, NW., Washington, DC 20503 
or by fax to (202) 395-6974.
    The paperwork burden associated with this rule was last reviewed in 
2005. At that time, the FDIC estimated the burden of this information 
collection to be 65,612 hours for FDIC-supervised institutions. Before 
giving effect to the proposed amendments, the estimated

[[Page 62322]]

burden would be 79,721 hours, an adjustment of 14,109 hours 
attributable to an increase in the number of FDIC-supervised 
institutions subject to part 363. If the revisions in this proposed 
rule are implemented, the resulting estimated reporting burden for the 
collection of information would be 83,599 hours, a program increase of 
3,878 hours over the adjusted burden of 79,721 hours. The most 
significant component of the increase is attributable to the proposed 
revised requirements related to audit committee composition.
    Number of Respondents: 5,230.
    Total Annual Responses: 16,231.
    Total Annual Burden Hours: 83,599.

List of Subjects

12 CFR Part 308

    Administrative practice and procedure, Bank deposit insurance, 
Banks, banking, Claims, Crime, Equal access to justice, Investigations, 
Lawyers, Penalties, State nonmember banks.

12 CFR Part 363

    Accounting, Administrative practice and procedure, Banks, banking, 
Reporting and recordkeeping requirements.

    For the reasons set forth in the preamble, the Board of Directors 
of the FDIC proposes to amend title 12, chapter III, of the Code of 
Federal Regulations as follows:

PART 308--RULES OF PRACTICE AND PROCEDURE

    1. The authority citation for part 308 continues to read as 
follows:

    Authority: 5 U.S.C. 504, 554-557; 12 U.S.C. 93(b), 164, 505, 
1815(e), 1817, 1818, 1820, 1828, 1829, 1829b, 1831i, 1831m(g)(4), 
1831o, 1831p-1, 1832(c), 1884(b), 1972, 3102, 3108(a), 3349, 3909, 
4717; 15 U.S.C. 78(h) and (i), 78o-4(c), 78o-5, 78q-1, 78s, 78u, 
78u-2, 78u-3 and 78w, 6801(b), 6805(b)(1); 28 U.S.C. 2461 note; 31 
U.S.C. 330, 5321; 42 U.S.C. 4012a; Sec. 3100(s), Pub. L. 104-134, 
110 Stat. 1321-358.

Subpart U--Removal, Suspension, and Debarment of Accountants From 
Performing Audit Services

    2. Revise Sec.  308.604(c) to read as follows:


Sec.  308.604  Notice of removal, suspension, or debarment.

* * * * *
    (c) Timing and place of notice. Written notice required by this 
paragraph shall be given no later than 15 calendar days following the 
effective date of an order or action, or 15 calendar days before an 
accountant or accounting firm accepts an engagement to provide audit 
services, whichever date is earlier. The written notice must be filed 
by the independent public accountant or accounting firm with the FDIC, 
Accounting and Securities Disclosure Section, 550 17th Street, NW., 
Washington, DC 20429.
    3. Revise part 363 to read as follows:

PART 363--ANNUAL INDEPENDENT AUDITS AND REPORTING REQUIREMENTS

Sec.
363.0 OMB control number.
363.1 Scope and definitions.
363.2 Annual reporting requirements.
363.3 Independent public accountant.
363.4 Filing and notice requirements.
363.5 Audit committees.
Appendix A to Part 363--Guidelines and Interpretations
Appendix B to Part 363--Illustrative Management Reports

    Authority: 12 U.S.C. 1831m.


Sec.  363.0  OMB control number.

    The information collection requirements in this part have been 
approved by the Office of Management and Budget under OMB control 
number 3064-0113.


Sec.  363.1  Scope and definitions.

    (a) Applicability. This part applies to any insured depository 
institution with respect to any fiscal year in which its consolidated 
total assets at the beginning of such fiscal year are $500 million or 
more. The requirements specified in this part are in addition to any 
other statutory and regulatory requirements otherwise applicable to an 
insured depository institution.
    (b) Compliance by subsidiaries of holding companies. (1) The 
audited financial statements requirement of Sec.  363.2(a) for any 
fiscal year may be satisfied for an insured depository institution that 
is a subsidiary of a holding company by audited consolidated financial 
statements of the top-tier or any mid-tier holding company provided 
that the consolidated total assets of the insured depository 
institution (or the consolidated total assets of all insured depository 
institutions, regardless of size, if the holding company owns or 
controls more than one insured depository institution) comprise 75 
percent or more of the consolidated total assets of the holding company 
at the beginning of its fiscal year.
    (2) The other requirements of this part for an insured depository 
institution that is a subsidiary of a holding company may be satisfied 
by the top-tier or any mid-tier holding company if the insured 
depository institution meets the criterion specified in Sec.  
363.1(b)(1) and if:
    (i) The services and functions comparable to those required of the 
insured depository institution by this part are provided at the holding 
company level; and
    (ii) The insured depository institution has as of the beginning of 
its fiscal year:
    (A) Total assets of less than $5 billion; or
    (B) Total assets of $5 billion or more and a composite CAMELS 
rating of 1 or 2.
    (3) The appropriate federal banking agency may revoke the exception 
in paragraph (b)(2) of this section for any institution with total 
assets in excess of $9 billion for any period of time during which the 
appropriate federal banking agency determines that the institution's 
exemption would create a significant risk to the Deposit Insurance 
Fund.
    (c) Financial reporting. For purposes of the management report 
requirement of Sec.  363.2(b) and the internal control reporting 
requirement of Sec.  363.3(b), ``financial reporting'' includes both 
financial statements prepared in accordance with generally accepted 
accounting principles and those prepared for regulatory reporting 
purposes.
    (d) Definitions. For purposes of this part, the following 
definitions apply:
    (1) AICPA means the American Institute of Certified Public 
Accountants.
    (2) GAAP means generally accepted accounting principles.
    (3) PCAOB means the Public Company Accounting Oversight Board.
    (4) Public company means an insured depository institution or other 
company that has a class of securities registered with the U.S. 
Securities and Exchange Commission or the appropriate federal banking 
agency under Section 12 of the Securities Exchange Act of 1934.
    (5) SEC means the U.S. Securities and Exchange Commission.
    (6) SOX means the Sarbanes-Oxley Act of 2002.


Sec.  363.2  Annual reporting requirements.

    (a) Audited financial statements. Each insured depository 
institution shall prepare annual financial statements in accordance 
with GAAP, which shall be audited by an independent public accountant. 
The annual financial statements must reflect all material correcting 
adjustments identified by the independent public accountant.
    (b) Management report. Each insured depository institution annually 
shall prepare, as of the end of the institution's

[[Page 62323]]

most recent fiscal year, a management report that must contain the 
following:
    (1) A statement of management's responsibilities for preparing the 
institution's annual financial statements, for establishing and 
maintaining an adequate internal control structure and procedures for 
financial reporting, and for complying with laws and regulations 
relating to safety and soundness that are designated by the FDIC and 
the appropriate federal banking agency;
    (2) An assessment by management of the insured depository 
institution's compliance with such laws and regulations during such 
fiscal year. The assessment must state management's conclusion as to 
whether the insured depository institution has complied with the 
designated safety and soundness laws and regulations during the fiscal 
year and disclose any noncompliance with these laws and regulations; 
and
    (3) For an insured depository institution with consolidated total 
assets of $1 billion or more at the beginning of such fiscal year, an 
assessment by management of the effectiveness of such internal control 
structure and procedures as of the end of such fiscal year that must 
include the following:
    (i) A statement identifying the internal control framework \1\ used 
by management to evaluate the effectiveness of the insured depository 
institution's internal control over financial reporting;
---------------------------------------------------------------------------

    \1\ In the United States, the Committee of Sponsoring 
Organizations (COSO) of the Treadway Commission has published 
Internal Control--Integrated Framework, including an addendum on 
safeguarding assets. Known as the COSO report, this publication 
provides a suitable and available framework for purposes of 
management's assessment.
---------------------------------------------------------------------------

    (ii) A statement that the assessment included controls over the 
preparation of regulatory financial statements in accordance with 
regulatory reporting instructions including identification of such 
regulatory reporting instructions; and
    (iii) A statement expressing management's conclusion as to whether 
the insured depository institution's internal control over financial 
reporting is effective. Management must disclose all material 
weaknesses in internal control over financial reporting, if any, that 
it has identified. Management is precluded from concluding that the 
insured depository institution's internal control over financial 
reporting is effective if there are one or more material weaknesses.
    (c) Management report signatures. Subject to the criteria specified 
in Sec.  363.1(b):
    (1) If the audited financial statements requirement specified in 
Sec.  363.2(a) is satisfied at the insured depository institution level 
and the management report requirement specified in Sec.  363.2(b) is 
satisfied in its entirety at the insured depository institution level, 
the management report must be signed by the chief executive officer and 
the chief accounting officer or chief financial officer of the insured 
depository institution;
    (2) If the audited financial statements requirement specified in 
Sec.  363.2(a) is satisfied at the holding company level and the 
management report requirement specified in Sec.  363.2(b) is satisfied 
in its entirety at the holding company level, the management report 
must be signed by the chief executive officer and the chief accounting 
officer or chief financial officer of the holding company; and
    (3) If the audited financial statements requirement specified in 
Sec.  363.2(a) is satisfied at the holding company level and:
    (i) The management report requirement specified in Sec.  363.2(b) 
is satisfied in its entirety at the insured depository institution 
level; or
    (ii) One or more of the components of the management report 
specified in Sec.  363.2(b) is satisfied at the holding company level 
and the remaining components of the management report are satisfied at 
the insured depository institution level, the management report must be 
signed by the chief executive officers and the chief accounting 
officers or chief financial officers of both the holding company and 
the insured depository institution and the management report must 
clearly indicate the level (institution or holding company) at which 
each of its components is being satisfied.


Sec.  363.3  Independent public accountant.

    (a) Annual audit of financial statements. Each insured depository 
institution shall engage an independent public accountant to audit and 
report on its annual financial statements in accordance with GAAP and 
section 37 of the Federal Deposit Insurance Act (12 U.S.C. 1831n). The 
scope of the audit engagement shall be sufficient to permit such 
accountant to determine and report whether the financial statements are 
presented fairly and in accordance with GAAP.
    (b) Internal control over financial reporting. For each insured 
depository institution with total assets of $1 billion or more at the 
beginning of the institution's fiscal year, the independent public 
accountant who audits the institution's financial statements shall 
examine, attest to, and report separately on, the assertion of 
management concerning the effectiveness of the institution's internal 
control structure and procedures for financial reporting. The 
attestation and report shall be made in accordance with generally 
accepted standards for attestation engagements or the PCAOB's auditing 
standards, if applicable. The accountant's report must not be dated 
prior to the date of the management report and management's assessment 
of the effectiveness of internal control over financial reporting. The 
accountant's report must include the following:
    (1) A statement identifying the internal control framework used by 
the independent public accountant, which must be the same as the 
internal control framework used by management, to evaluate the 
effectiveness of the insured depository institution's internal control 
over financial reporting;
    (2) A statement that the independent public accountant's evaluation 
included controls over the preparation of regulatory financial 
statements in accordance with regulatory reporting instructions 
including identification of such regulatory reporting instructions; and
    (3) A statement expressing the independent public accountant's 
conclusion as to whether the insured depository institution's internal 
control over financial reporting is effective. The report must disclose 
all material weaknesses in internal control over financial reporting 
that the independent public accountant has identified. The independent 
public accountant is precluded from concluding that the insured 
depository institution's internal control over financial reporting is 
effective if there are one or more material weaknesses.
    (c) Notice by accountant of termination of services. An independent 
public accountant performing an audit under this part who ceases to be 
the accountant for an insured depository institution shall notify the 
FDIC and the appropriate federal banking agency in writing of such 
termination within 15 days after the occurrence of such event, and set 
forth in reasonable detail the reasons for such termination. The 
written notice shall be filed at the place identified in Sec.  
363.4(f).
    (d) Communications with audit committee. The independent public 
accountant must report the following on a timely basis to the audit 
committee:

[[Page 62324]]

    (1) All critical accounting policies used by the insured depository 
institution,
    (2) Alternative accounting treatments the independent public 
accountant has discussed with management, and
    (3) Other written communications the independent public accountant 
has provided to management, such as a management letter or schedule of 
unadjusted differences.
    (e) Retention of working papers. The independent public accountant 
must retain the working papers related to the audit of the insured 
depository institution's financial statements and, if applicable, the 
evaluation of the institution's internal control over financial 
reporting for seven years, unless a longer period of time is required 
by law.
    (f) Independence. The independent public accountant must comply 
with the independence standards and interpretations of the AICPA, the 
SEC, and the PCAOB.
    (g) Peer reviews. (1) Prior to commencing any services for an 
insured depository institution under this part, the independent public 
accountant must have received a peer review, or be enrolled in a peer 
review program, that meets acceptable guidelines. Acceptable peer 
reviews include peer reviews performed in accordance with the AICPA's 
Peer Review Standards and inspections conducted by the PCAOB.
    (2) Within 15 days of receiving notification that a peer review has 
been accepted or a PCAOB inspection report has been issued, or before 
commencing any audit under this part, whichever is earlier, the 
independent public accountant must file two copies of the most recent 
peer review report and the most recent PCAOB inspection report, if any, 
accompanied by any letters of comments, response, and acceptance, with 
the FDIC, Accounting and Securities Disclosure Section, 550 17th Street 
NW., Washington, DC 20429, if the report has not already been filed. 
Except for the portions of any peer review report and inspection report 
determined to be nonpublic by the AICPA and the PCAOB, respectively, 
the report will be made available for public inspection by the FDIC.


Sec.  363.4  Filing and notice requirements.

    (a) Part 363 Annual Report. (1) Each insured depository institution 
shall file with each of the FDIC, the appropriate federal banking 
agency, and any appropriate state bank supervisor, two copies of its 
Part 363 Annual Report. A Part 363 Annual Report must contain audited 
comparative annual financial statements, the independent public 
accountant's report thereon, a management report, and, if applicable, 
the independent public accountant's attestation report on management's 
assessment concerning the institution's internal control structure and 
procedures for financial reporting as required by Sec. Sec.  363.2(a), 
363.3(a), 363.2(b), and 363.3(b), respectively.
    (2) Subject to the criteria specified in Sec.  363.1(b), each 
insured depository institution with consolidated total assets of less 
than $1 billion as of the beginning of its fiscal year that is required 
to file, or whose parent holding company is required to file, 
management's assessment of the effectiveness of internal control over 
financial reporting with the SEC or the appropriate federal banking 
agency in accordance with section 404 of SOX must submit a copy of such 
assessment to the FDIC, the appropriate federal banking agency, and any 
appropriate state bank supervisor with its Part 363 Annual Report as 
additional information. This assessment will not be considered part of 
the institution's Part 363 Annual Report.
    (3) (i) Each insured depository institution that is neither a 
public company nor a subsidiary of a public company that meets the 
criterion specified in Sec.  363.1(b)(1) shall file its Part 363 Annual 
Report within 120 days after the end of its fiscal year.
    (ii) Each insured depository institution that is a public company 
or a subsidiary of public company that meets the criterion specified in 
Sec.  363.1(b)(1) shall file its Part 363 Annual Report within 90 days 
after the end of its fiscal year.
    (b) Public availability. The annual report in paragraph (a)(1) of 
this section shall be available for public inspection.
    (c) Independent public accountant's letters and reports. (1) Except 
for the independent public accountant's reports that are included in 
its Part 363 Annual Report, each insured depository institution shall 
file with the FDIC, the appropriate federal banking agency, and any 
appropriate state bank supervisor, a copy of any management letter or 
other report issued by its independent public accountant with respect 
to such institution and the services provided by such accountant 
pursuant to this part within 15 days after receipt. Such reports 
include, but are not limited to:
    (i) Any written communication regarding matters that are required 
to be communicated to the audit committee (for example, critical 
accounting policies, alternative accounting treatments discussed with 
management, and any schedule of unadjusted differences),
    (ii) Any written communication of significant deficiencies and 
material weaknesses in internal control required by the AICPA's or the 
PCAOB's auditing standards;
    (iii) For institutions with total assets of less than $1 billion as 
of the beginning of their fiscal year that are public companies or 
subsidiaries of public companies that meet the criterion specified in 
Sec.  363.1(b)(1), any independent public accountant's report on the 
audit of internal control over financial reporting required by section 
404 of SOX and the PCAOB's auditing standards; and
    (iv) For all institutions that are public companies or subsidiaries 
of public companies that meet the criterion specified in Sec.  
363.1(b)(1), any independent public accountant's written communication 
of all deficiencies in internal control over financial reporting that 
are of a lesser magnitude than significant deficiencies required by the 
PCAOB's auditing standards.
    (2) Each insured depository institution shall file with the FDIC, 
the appropriate federal banking agency, and any appropriate state bank 
supervisor, a copy of any audit engagement letter, including any 
related agreements and amendments, within 15 days of acceptance by the 
institution.
    (d) Notice of engagement or change of accountants. Each insured 
depository institution shall provide, within 15 days after the 
occurrence of any such event, written notice to the FDIC, the 
appropriate federal banking agency, and any appropriate state bank 
supervisor of the engagement of an independent public accountant, or 
the resignation or dismissal of the independent public accountant 
previously engaged. The notice shall include a statement of the reasons 
for any such resignation or dismissal in reasonable detail.
    (e) Notification of late filing. No extensions of time for filing 
reports required by Sec.  363.4 shall be granted. An insured depository 
institution that is unable to timely file all or any portion of its 
Part 363 Annual Report or any other report or notice required by Sec.  
363.4 shall submit a written notice of late filing to the FDIC, the 
appropriate federal banking agency, and any appropriate state bank 
supervisor. The notice shall disclose the institution's inability to 
timely file all or specified portions of its Part 363 Annual Report or 
any other report or notice and the reasons therefore in reasonable 
detail. The late filing notice shall also state the date when the 
report or notice will be filed. The written notice shall be filed on or 
before the deadline for filing the

[[Page 62325]]

Part 363 Annual Report or any other report or notice, as appropriate.
    (f) Place for filing. The Part 363 Annual Report, any written 
notification of late filing, and any other report or notice required by 
Sec.  363.4 should be filed as follows:
    (1) FDIC: Appropriate FDIC Regional or Area Office (Division of 
Supervision and Consumer Protection), i.e., the FDIC regional or area 
office in the FDIC region or area that is responsible for monitoring 
the institution or, in the case of a subsidiary institution of a 
holding company, the consolidated company. A filing made on behalf of 
several covered institutions owned by the same parent holding company 
should be accompanied by a transmittal letter identifying all of the 
institutions covered.
    (2) Office of the Comptroller of the Currency (OCC): Appropriate 
OCC Supervisory Office.
    (3) Federal Reserve: Appropriate Federal Reserve Bank.
    (4) Office of Thrift Supervision (OTS): Appropriate OTS District 
Office.
    (5) State bank supervisor: The filing office of the appropriate 
state bank supervisor.


Sec.  363.5  Audit committees.

    (a) Composition and duties. Each insured depository institution 
shall establish an audit committee of its board of directors, the 
composition of which complies with paragraphs (a)(1), (2), and (3) of 
this section. The duties of the audit committee shall include the 
appointment, compensation, and oversight of the independent public 
accountant who performs services required under this part, and 
reviewing with management and the independent public accountant the 
basis for the reports issued under this part.
    (1) Each insured depository institution with total assets of $1 
billion or more as of the beginning of its fiscal year shall establish 
an independent audit committee of its board of directors, the members 
of which shall be outside directors who are independent of management 
of the institution.
    (2) Each insured depository institution with total assets of $500 
million or more but less than $1 billion as of the beginning of its 
fiscal year shall establish an audit committee of its board of 
directors, the members of which shall be outside directors, the 
majority of whom shall be independent of management of the institution. 
The appropriate Federal banking agency may, by order or regulation, 
permit the audit committee of such an insured depository institution to 
be made up of less than a majority of outside directors who are 
independent of management, if the agency determines that the 
institution has encountered hardships in retaining and recruiting a 
sufficient number of competent outside directors to serve on the audit 
committee of the institution.
    (3) An outside director is a director who is not, and within the 
preceding fiscal year has not been, an officer or employee of the 
institution or any affiliate of the institution.
    (b) Committees of large institutions. The audit committee of any 
insured depository institution that has total assets of more than $3 
billion, measured as of the beginning of each fiscal year, shall 
include members with banking or related financial management expertise, 
have access to its own outside counsel, and not include any large 
customers of the institution. If a large institution is a subsidiary of 
a holding company and relies on the audit committee of the holding 
company to comply with this rule, the holding company's audit committee 
shall not include any members who are large customers of the subsidiary 
institution.
    (c) Independent public accountant engagement letters. (1) In 
performing its duties with respect to the appointment of the 
institution's independent public accountant, the audit committee shall 
ensure that engagement letters and any related agreements with the 
independent public accountant for services to be performed under this 
part do not contain any limitation of liability provisions that:
    (i) Indemnify the independent public accountant against claims made 
by third parties;
    (ii) Hold harmless or release the independent public accountant 
from liability for claims or potential claims that might be asserted by 
the client insured depository institution, other than claims for 
punitive damages; or
    (iii) Limit the remedies available to the client insured depository 
institution.
    (2) Alternative dispute resolution agreements and jury trial waiver 
provisions are not precluded provided that they do not incorporate any 
limitation of liability provisions set forth in paragraph (c)(1) of 
this section.

Appendix A to Part 363--Guidelines and Interpretations

Table of Contents

Introduction

Scope of Rule (Sec.  363.1)

1. Measuring Total Assets
2. Insured Branches of Foreign Banks
3. Compliance by Holding Company Subsidiaries
4. Comparable Services and Functions
4A. Financial Reporting

Annual Reporting Requirements (Sec.  363.2)

5. Annual Financial Statements
5A. Institutions Merged out of Existence
6. Holding Company Statements
7. Insured Branches of Foreign Banks
8. Management Report
8A. Management's Assessment of the Effectiveness of Internal Control 
over Financial Reporting
8B. Internal Control Reports for Acquired Businesses
9. Safeguarding of Assets
10. Standards for Internal Control
11. Service Organizations
12. Compliance with Laws and Regulations

Role of Independent Public Accountant (Sec.  363.3)

13. General Qualifications
14. Reserved
15. Peer Review Guidelines
16. Reserved
17. Information to be Provided to the Independent Public Accountant
18. Attestation Report and Management Letter
19. Reviews with Audit Committee and Management
20. Notice of Termination
21. Reliance on Internal Auditors

Filing and Notice Requirements (Sec.  363.4)

22. Reserved
23. Notification of Late Filing
24. Public Availability
25. Reserved
26. Notices Concerning Accountants

Audit Committees (Sec.  363.5)

27. Composition
28. ``Independent of Management'' Considerations
29. Reserved
30. Holding Company Audit Committees
31. Duties
32. Banking or Related Financial Management Expertise
33. Large Customers
34. Access to Counsel
35. Transition Period for Forming and Restructuring Audit Committees

Other

36. Modifications of Guidelines

Introduction

    Congress added section 36, ``Early Identification of Needed 
Improvements in Financial Management'' (section 36), to the Federal 
Deposit Insurance Act (FDI Act) in 1991.
    The FDIC Board of Directors adopted 12 CFR part 363 of its rules 
and regulations (the Rule) to implement those provisions of section 
36 that require rulemaking. The FDIC also approved these 
``Guidelines and Interpretations'' (the Guidelines) and directed 
that they be published with the Rule to facilitate a better 
understanding of, and full compliance with, the provisions of 
section 36.
    Although not contained in the Rule itself, some of the guidance 
offered restates or refers to statutory requirements of section 36 
and is therefore mandatory. If that is the case, the statutory 
provision is cited.

[[Page 62326]]

    Furthermore, upon adopting the Rule, the FDIC reiterated its 
belief that every insured depository institution, regardless of its 
size or charter, should have an annual audit of its financial 
statements performed by an independent public accountant, and should 
establish an audit committee comprised entirely of outside 
directors.
    The following Guidelines reflect the views of the FDIC 
concerning the interpretation of section 36. The Guidelines are 
intended to assist insured depository institutions (institutions), 
their boards of directors, and their advisors, including their 
independent public accountants and legal counsel, and to clarify 
section 36 and the Rule. It is recognized that reliance on the 
Guidelines may result in compliance with section 36 and the Rule 
which may vary from institution to institution. Terms which are not 
explained in the Guidelines have the meanings given them in the 
Rule, the FDI Act, or professional accounting and auditing 
literature.

Scope of Rule (Sec.  363.1)

    1. Measuring Total Assets. To determine whether this part 
applies, an institution should use total assets as reported on its 
most recent Report of Condition (Call Report) or Thrift Financial 
Report (TFR), the date of which coincides with the end of its 
preceding fiscal year. If its fiscal year ends on a date other than 
the end of a calendar quarter, it should use its Call Report or TFR 
for the quarter end immediately preceding the end of its fiscal 
year.
    2. Insured Branches of Foreign Banks. Unlike other institutions, 
insured branches of foreign banks are not separately incorporated or 
capitalized. To determine whether this part applies, an insured 
branch should measure claims on non-related parties reported on its 
Report of Assets and Liabilities of U.S. Branches and Agencies of 
Foreign Banks (form FFIEC 002).
    3. Compliance by Holding Company Subsidiaries. Audited 
consolidated financial statements and other reports or notices 
required by this part that are submitted by a holding company for 
any subsidiary institution should be accompanied by a cover letter 
identifying all subsidiary institutions subject to part 363 that are 
included in the holding company's submission. When submitting a Part 
363 Annual Report, the cover letter should identify all subsidiary 
institutions subject to part 363 included in the consolidated 
financial statements and state whether the other annual report 
requirements (i.e., management's statement of responsibilities, 
management's assessment of compliance with designated safety and 
soundness laws and regulations, and, if applicable, management's 
assessment of the effectiveness of internal control over financial 
reporting and the independent public accountant's attestation report 
on management's internal control assessment) are being satisfied for 
these institutions at the holding company level or at the 
institution level. An institution filing holding company 
consolidated financial statements as permitted by Sec.  363.1(b)(1) 
also may report on changes in its independent public accountant on a 
holding company basis. An institution that does not meet the 
criteria in Sec.  363.1(b)(2) must satisfy the remaining provisions 
of this part on an individual institution basis and maintain its own 
audit committee. Subject to the criteria in Sec. Sec.  363.1(b)(1) 
and (2), a multi-tiered holding company may satisfy all of the 
requirements of this part at the top-tier or any mid-tier holding 
company level.
    4. Comparable Services and Functions. Services and functions 
will be considered ``comparable'' to those required by this part if 
the holding company:
    (a) Prepares reports used by the subsidiary institution to meet 
the requirements of this part;
    (b) Has an audit committee that meets the requirements of this 
part appropriate to its largest subsidiary institution; and
    (c) Prepares and submits management's assessment of compliance 
with the Designated Laws defined in guideline 12 and, if applicable, 
management's assessment of the effectiveness of internal control 
over financial reporting based on information concerning the 
relevant activities and operations of those subsidiary institutions 
within the scope of the Rule.
    4A. Financial Reporting. (a) For purposes of this part, 
``financial reporting'' includes financial statements prepared under 
GAAP and those prepared for regulatory reporting purposes. Financial 
statements prepared for regulatory reporting purposes consist of the 
schedules equivalent to the basic financial statements that are 
included in an institution's appropriate regulatory report, e.g., 
the bank Consolidated Reports of Condition and Income (Call Report) 
and the Thrift Financial Report (TFR).
    (b) Financial statements prepared for regulatory reporting 
purposes do not include regulatory reports prepared by a non-bank 
subsidiary of a holding company or an institution. For example, if a 
bank holding company or an insured depository institution owns an 
insurance subsidiary, financial statements prepared for regulatory 
reporting purposes would not include any regulatory reports that the 
insurance subsidiary is required to submit to its appropriate 
insurance regulatory agency.

Annual Reporting Requirements (Sec.  363.2)

    5. Annual Financial Statements. Each institution should prepare 
comparative annual consolidated financial statements (balance sheets 
and statements of income, changes in equity capital, and cash flows, 
with accompanying footnote disclosures) in accordance with GAAP for 
each of its two most recent fiscal years. Statements for the earlier 
year may be presented on an unaudited basis if the institution was 
not subject to this part for that year and audited statements were 
not prepared.
    5A. Institutions Merged Out of Existence. An institution that is 
merged out of existence after the end of its fiscal year, but before 
the deadline for filing its Part 363 Annual Report (120 days after 
the end of its fiscal year for an institution that is neither a 
public company nor a subsidiary of a public company that meets the 
criterion specified in Sec.  363.1(b)(1), and 90 days after the end 
of its fiscal year for an institution that is a public company or a 
subsidiary of a public company that meets the criterion specified in 
Sec.  363.1(b)(1)), is not required to file a Part 363 Annual Report 
for the last fiscal year of its existence.
    6. Holding Company Statements. Subject to the criterion 
specified in Sec.  363.1(b)(1), subsidiary institutions may file 
copies of their holding company's audited financial statements filed 
with the SEC or prepared for their FR Y-6 Annual Report under the 
Bank Holding Company Act of 1956 to satisfy the audited financial 
statements requirement of Sec.  363.2(a).
    7. Insured Branches of Foreign Banks. An insured branch of a 
foreign bank should satisfy the financial statements requirement by 
filing one of the following for the two preceding fiscal years:
    (a) Audited balance sheets, disclosing information about 
financial instruments with off-balance-sheet risk;
    (b) Schedules RAL and L of form FFIEC 002, prepared and audited 
on the basis of the instructions for its preparation; or
    (c) With written approval of the appropriate federal banking 
agency, consolidated financial statements of the parent bank.
    8. Management Report. Management should perform its own 
investigation and review of the effectiveness of internal controls 
and compliance with the Designated Laws defined in guideline 12. 
Management also should maintain records of its determinations and 
assessments until the next federal safety and soundness examination, 
or such later date as specified by the FDIC or appropriate federal 
banking agency. Management should provide in its assessment of the 
effectiveness of internal controls, or supplementally, sufficient 
information to enable the accountant to report on its assertions. 
The management report of an insured branch of a foreign bank should 
be signed by the branch's managing official if the branch does not 
have a chief executive or financial officer.
    8A. Management's Assessment of the Effectiveness of Internal 
Control over Financial Reporting. An institution with $1 billion or 
more in total assets as of the beginning of its fiscal year that is 
subject to both part 363 and the SEC's rules implementing section 
404 of SOX (as well as a public holding company permitted under the 
holding company exception in Sec.  363.1(b)(2) to file an internal 
control report on behalf of a subsidiary institution or institutions 
with $1 billion or more in total assets) can choose either of the 
following two options for filing management's report on internal 
control over financial reporting.
    (i) Management can prepare two separate reports on the 
institution's or the holding company's internal control over 
financial reporting to satisfy the FDIC's part 363 requirements and 
the SEC's section 404 requirements; or
    (ii) Management can prepare a single report on internal control 
over financial reporting provided that it satisfies all of the 
FDIC's part 363 requirements and all of the SEC's section 404 
requirements.
    8B. Internal Control Reports for Acquired Businesses. Generally, 
the FDIC expects management's and the related independent public 
accountant's report on an institution's

[[Page 62327]]

internal control over financial reporting to include controls at an 
institution in its entirety, including all of its consolidated 
entities. However, it may not always be possible for management to 
conduct an assessment of the internal control over financial 
reporting of an acquired business in the period between the 
consummation date of the acquisition and the due date of 
management's internal control assessment.
    (a) In such instances, the acquired business's internal control 
structure and procedures for financial reporting may be excluded 
from management's assessment report and the accountant's attestation 
report on internal control over financial reporting. However, the 
FDIC expects management's assessment report to identify the acquired 
business, state that the acquired business is excluded, and indicate 
the significance of this business to the institution's consolidated 
financial statements. Notwithstanding management's exclusion of the 
acquired business's internal control from its assessment, management 
should disclose any material change to the institution's internal 
control over financial reporting due to the acquisition of this 
business. Also, management may not omit the assessment of the 
acquired business's internal control from more than one annual part 
363 assessment report on internal control over financial reporting. 
When the acquired business's internal control over financial 
reporting is excluded from management's assessment, the independent 
public accountant may likewise exclude this acquired business's 
internal control over financial reporting from the accountant's 
evaluation of internal control over financial reporting.
    (b) If the acquired business is or has a consolidated subsidiary 
that is an insured depository institution subject to part 363 and 
the institution is not merged out of existence before the deadline 
for filing its Part 363 Annual Report (120 days after the end of its 
fiscal year for an institution that is neither a public company nor 
a subsidiary of a public company that meets the criterion specified 
in Sec.  363.1(b)(1), and 90 days after the end of its fiscal year 
for an institution that is a public company or a subsidiary of a 
public company that meets the criterion specified in Sec.  
363.1(b)(1)), the acquired institution must continue to comply with 
all of the applicable requirements of part 363, including filing its 
Part 363 Annual Report.
    9. Safeguarding of Assets. ``Safeguarding of assets,'' as the 
term relates to internal control policies and procedures regarding 
financial reporting and which has precedent in accounting and 
auditing literature, should be encompassed in the management report 
and the independent public accountant's attestation discussed in 
guideline 18. Testing the existence of and compliance with internal 
controls on the management of assets, including loan underwriting 
and documentation, represents a reasonable implementation of section 
36. The FDIC expects such internal controls to be encompassed by the 
assertion in the management report, but the term ``safeguarding of 
assets'' need not be specifically stated. The FDIC does not require 
the accountant to attest to the adequacy of safeguards, but does 
require the accountant to determine whether safeguarding policies 
exist.\2\
---------------------------------------------------------------------------

    \2\ It is management's responsibility to establish policies 
concerning underwriting and asset management and to make credit 
decisions. The auditor's role is to test compliance with 
management's policies relating to financial report.
---------------------------------------------------------------------------

    10. Standards for Internal Control. The management of each 
insured depository institution with $1 billion or more in total 
assets as of the beginning of its fiscal year should base its 
assessment of the effectiveness of the institution's internal 
control over financial reporting on a suitable, recognized control 
framework established by a body of experts that followed due-process 
procedures, including the broad distribution of the framework for 
public comment. In addition to being available to users of 
management's reports, a framework is suitable only when it:
     Is free from bias;
     Permits reasonably consistent qualitative and 
quantitative measurements of an insured depository institution's 
internal control over financial reporting;
     Is sufficiently complete so that those relevant factors 
that would alter a conclusion about the effectiveness of an insured 
depository institution's internal control over financial reporting 
are not omitted; and
     Is relevant to an evaluation of internal control over 
financial reporting.
    In the United States, Internal Control--Integrated Framework, 
including its addendum on safeguarding assets, which was published 
by the Committee of Sponsoring Organizations of the Treadway 
Commission, and is known as the COSO report, provides a suitable and 
recognized framework for purposes of management's assessment. Other 
suitable frameworks have been published in other countries or may be 
developed in the future. Such other suitable frameworks may be used 
by management and the institution's independent public accountant in 
assessments, attestations, and audits of internal control over 
financial reporting.
    11. Service Organizations. Although service organizations should 
be considered in determining if internal controls are adequate, an 
institution's independent public accountant, its management, and its 
audit committee should exercise independent judgment concerning that 
determination. Onsite reviews of service organizations may not be 
necessary to prepare the report required by the Rule, and the FDIC 
does not intend that the Rule establish any such requirement.
    12. Compliance with Laws and Regulations. The designated laws 
and regulations are the federal laws and regulations concerning 
loans to insiders and the federal and state laws and regulations 
concerning dividend restrictions (the Designated Laws). Table 1 to 
this Appendix A lists the designated federal laws and regulations 
pertaining to insider loans and dividend restrictions that are 
applicable to each type of institution.

Role of Independent Public Accountant (Sec.  363.3)

    13. General Qualifications. To provide audit and attest services 
to insured depository institutions, an independent public accountant 
should be registered or licensed to practice as a public accountant, 
and be in good standing, under the laws of the state or other 
political subdivision of the United States in which the home office 
of the institution (or the insured branch of a foreign bank) is 
located. As required by section 36(g)(3)(A)(i), the accountant must 
agree to provide copies of any working papers, policies, and 
procedures relating to services performed under this part.
    14. [Reserved.]
    15. Peer Review Guidelines. The following peer review guidelines 
are acceptable:
    (a) The external peer review should be conducted by an 
organization independent of the accountant or firm being reviewed, 
as frequently as is consistent with professional accounting 
practices;
    (b) The peer review (other than a PCAOB inspection) should be 
generally consistent with AICPA Peer Review Standards; and
    (c) The review should include, if available, at least one audit 
on an insured depository institution or consolidated depository 
institution holding company.
    16. [Reserved.]
    17. Information to be Provided to the Independent Public 
Accountant. Attention is directed to section 36(h) which requires 
institutions to provide specified information to their accountants. 
An institution also should provide its accountant with copies of any 
notice that the institution's capital category is being changed or 
reclassified under section 38 of the FDI Act, and any correspondence 
from the appropriate federal banking agency concerning compliance 
with this part.
    18. Attestation Report and Management Report. The independent 
public accountant should provide the institution with any management 
letter and, if applicable, an internal control attestation report 
(as required by section 36(c)(1)) at the conclusion of the audit. 
The independent public accountant's attestation report on internal 
control over financial reporting must specifically include a 
statement as to regulatory reporting. If a holding company 
subsidiary relies on its holding company management report, the 
accountant may attest to and report on the management's assertions 
in one report, without reporting separately on each subsidiary 
covered by the Rule. The FDIC has determined that management letters 
are exempt from public disclosure.
    19. Reviews with Audit Committee and Management. The independent 
public accountant should meet with the institution's audit committee 
to review the accountant's reports required by this part before they 
are filed. It also may be appropriate for the accountant to review 
its findings with the institution's board of directors and 
management.
    20. Notice of Termination. The notice of termination required by 
Sec.  363.3(c) should state whether the independent public 
accountant agrees with the assertions contained in any notice filed 
by the

[[Page 62328]]

institution under Sec.  363.4(d), and whether the institution's 
notice discloses all relevant reasons for the accountant's 
termination. Subject to the criteria specified in Sec.  363.1(b)(1) 
regarding compliance with the audited financial statements 
requirement at the holding company level, the independent public 
accountant for an insured depository institution that is a public 
company and files reports with its appropriate federal banking 
agency, or is a subsidiary of a public company that files reports 
with the SEC, may submit the letter it furnished to management to be 
filed with the institution's or the holding company's current report 
(e.g., SEC Form 8-K) concerning a change in accountant to satisfy 
the notice requirements of Sec.  363.3(c). Alternatively, if the 
independent public accountant confirms that management has filed a 
current report (e.g., SEC Form 8-K) concerning a change in 
accountant that satisfies the notice requirements of Sec.  363.4(d) 
and includes an independent public accountant's letter that 
satisfies the requirements of Sec.  363.3(c), the independent public 
accountant may rely on the current report (e.g., SEC Form 8-K) filed 
with the FDIC by management concerning a change in accountant to 
satisfy the notice requirements of Sec.  363.3(c).
    21. Reliance on Internal Auditors. Nothing in this part or this 
appendix is intended to preclude the ability of the independent 
public accountant to rely on the work of an institution's internal 
auditor.

Filing and Notice Requirements (Sec.  363.4)

    22. [Reserved.]
    23. Notification of Late Filing. (a) An institution's submission 
of a written notice of late filing does not cure the requirement to 
timely file the Part 363 Annual Report or other reports or notices 
required by Sec.  363.4. An institution's failure to timely file is 
considered an apparent violation of part 363.
    (b) If the late filing notice submitted pursuant to Sec.  
363.4(e) relates only to a portion of a Part 363 Annual Report or 
any other report or notice, the insured depository institution 
should file the other components of the report or notice within the 
prescribed filing period together with a cover letter that indicates 
which components of its Part 363 Annual Report or other report or 
notice are omitted. An institution may combine the written late 
filing notice and the cover letter into a single notice that is 
submitted together with the other components of the report or notice 
that are being timely filed.
    24. Public Availability. Each institution's Part 363 Annual 
Report should be available for public inspection at its main and 
branch offices no later than 15 days after it is filed with the 
FDIC. Alternatively, an institution may elect to mail one copy of 
its Part 363 Annual Report to any person who requests it. The Part 
363 Annual Report should remain available to the public until the 
Part 363 Annual Report for the next year is available. An 
institution may use its Part 363 Annual Report under this part to 
meet the annual disclosure statement required by 12 CFR 350.3, if 
the institution satisfies all other requirements of 12 CFR part 350.
    25. [Reserved.]
    26. Notices Concerning Accountants. With respect to any 
selection, change, or termination of an independent public 
accountant, an institution's management and audit committee should 
be familiar with the notice requirements in Sec.  363.4(d) and 
guideline 20, and management should send a copy of any notice 
required under Sec.  363.4(d) to the independent public accountant 
when it is filed with the FDIC. An insured depository institution 
that is a public company and files reports required under the 
federal securities laws with its appropriate federal banking agency, 
or is a subsidiary of a public company that files such reports with 
the SEC, may use its current report (e.g., SEC Form 8-K) concerning 
a change in accountant to satisfy the notice requirements of Sec.  
363.4(d) subject to the criterion of Sec.  363.1(b)(1) regarding 
compliance with the audited financial statements requirement at the 
holding company level.

Audit Committees (Sec.  363.5)

    27. Composition. The board of directors of each institution 
should determine whether each existing or potential audit committee 
member meets the requirements of section 36 and this part. To do so, 
the board of directors should maintain an approved set of written 
criteria for determining whether a director who is to serve on the 
audit committee is an outside director (as defined in Sec.  
363.5(a)(3)) and is independent of management. At least annually, 
the board of each institution should apply these criteria and 
determine whether each existing or potential audit committee member 
is an outside director. In addition, at least annually, the board of 
an institution with $1 billion or more in total assets at the 
beginning of its fiscal year should determine whether all existing 
and potential audit committee members are ``independent of 
management of the institution'' and the board of an institution with 
total assets of $500 million or more but less than $1 billion as of 
the beginning of its fiscal year should determine whether the 
majority of all existing and potential audit committee members are 
``independent of management of the institution.'' The minutes of the 
board of directors should contain the results of and the basis for 
its determinations with respect to each existing and potential audit 
committee member. Because an insured branch of a foreign bank does 
not have a separate board of directors, the FDIC will not apply the 
audit committee requirements to such branch. However, any such 
branch is encouraged to make a reasonable good faith effort to see 
that similar duties are performed by persons whose experience is 
generally consistent with the Rule's requirements for an institution 
the size of the insured branch.
    28. ``Independent of Management'' Considerations. It is not 
possible to anticipate, or explicitly provide for, all circumstances 
that might signal potential conflicts of interest in, or that might 
bear on, an outside director's relationship to an insured depository 
institution and whether the outside director should be deemed 
``independent of management.'' When assessing an outside director's 
relationship with an institution, the board of directors should 
consider the issue not merely from the standpoint of the director 
himself or herself, but also from the standpoint of persons or 
organizations with which the director has an affiliation. These 
relationships can include, but are not limited to, commercial, 
banking, consulting, charitable, and family relationships. The board 
of directors should apply its approved set of written criteria for 
determining whether existing and potential members of the audit 
committee are outside directors and whether they are ``independent 
of management.'' To assist boards of directors in fulfilling this 
requirement, paragraphs (a) through (d) of this guideline provide 
guidance for determining whether audit committee members are 
``independent of management.'' (a) Notwithstanding the criteria set 
forth in paragraphs (b), (c), and (d) of this guideline, if an 
outside director, either directly or indirectly, owns or controls, 
or has owned or controlled within the preceding fiscal year, 10 
percent or more of any outstanding class of voting securities of the 
institution, the outside director will not be considered 
``independent of management.''
    (b) The following list sets forth additional criteria, that, at 
a minimum, a board of directors should consider when determining 
whether an outside director is ``independent of management.'' The 
board of directors may conclude that additional criteria are also 
relevant to this determination in light of the particular 
circumstances of its institution. Accordingly, an outside director 
will not be considered ``independent of management'' if:
    (1) The director serves, or has served within the last three 
years, as a consultant, advisor, promoter, underwriter, legal 
counsel, or trustee of or to the institution or its affiliates.
    (2) The director has been, within the last three years, an 
employee of the institution or any of its affiliates or an immediate 
family member is, or has been within the last three years, an 
executive officer of the institution or any of its affiliates.
    (3) The director has participated in the preparation of the 
financial statements of the institution or any of its affiliates at 
any time during the last three years.
    (4) The director has received, or has an immediate family member 
who has received, during any twelve-month period within the last 
three years, more than $60,000 in direct or indirect compensation 
from the institution or any of its affiliates other than director 
and committee fees and pension or other forms of deferred 
compensation for prior service (provided such compensation is not 
contingent in any way on continued service). Direct compensation 
also would not include compensation received by the director for 
former service as an interim chairman or interim chief executive 
officer. Indirect compensation includes payments to spouses and 
children as well as organizations that provide financial services to 
the institution or any of its affiliates in which the director is a 
partner or principal.
    (5) The director or an immediate family member is a current 
partner of a firm that performs internal or external auditing 
services for the institution or any of its affiliates; the director 
is a current employee of such a firm; the director has an immediate 
family member who is a current employee of

[[Page 62329]]

such a firm and who participates in the firm's audit, assurance, or 
tax compliance practice; or the director or an immediate family 
member was within the last three years (but no longer is) a partner 
or employee of such a firm and personally worked on the audit of the 
insured depository institution or any of its affiliates within that 
time.
    (6) The director or an immediate family member is, or has been 
within the last three years, employed as an executive officer of 
another entity where any of the present executive officers of the 
institution or any of its affiliates at the same time serves or 
served on that entity's compensation committee.
    (7) The director is a current employee, or an immediate family 
member is a current executive officer, of an entity that has made 
payments to, or received payments from, the institution or any of 
its affiliates for property or services in an amount which, in any 
of the last three fiscal years, exceeds the greater of $200 
thousand, or 5 percent of such entity's consolidated gross revenues. 
This would include payments made by the institution or any of its 
affiliates to not-for-profit entities where the director is an 
executive officer or where an immediate family member of the 
director is an executive officer.
    (8) For purposes of paragraph (b) of this guideline, the 
following definitions apply:
    (i) An ``immediate family member'' includes a person's spouse, 
parents, children, siblings, mothers and fathers-in-law, sons and 
daughters-in-law, brothers and sisters-in-law, and anyone (other 
than domestic employees) who shares such person's home.
    (ii) The term affiliate of, or a person affiliated with, a 
specified person, means a person or entity that directly, or 
indirectly through one or more intermediaries, controls, or is 
controlled by, or is under common control with, the person 
specified.
    (c) An insured depository institution that is a public company 
and a listed issuer (as defined in Rule 10A-3 of the Securities 
Exchange Act of 1934 (Exchange Act)), or is a subsidiary of a public 
company that meets the criterion specified in Sec.  363.1(b)(1) and 
is a listed issuer, may use the definition of audit committee member 
independence set forth in the listing standards applicable to the 
public institution or its public company parent.
    (d) All other insured depository institutions may use the 
definition of audit committee member independence set forth in the 
listing standards of a national securities exchange that is 
registered with the SEC pursuant to section 6 of the Exchange Act or 
a national securities association that is registered with the SEC 
pursuant to section 15A(a) of the Exchange Act.
    29. [Reserved.]
    30. Holding Company Audit Committees. (a) When an insured 
depository institution satisfies the requirements for the holding 
company exception specified in Sec. Sec.  363.1(b)(1) and (2), the 
audit committee requirement of this part may be satisfied by the 
audit committee of the top-tier or any mid-tier holding company. 
Members of the audit committee of the holding company should meet 
all the membership requirements applicable to the largest subsidiary 
depository institution subject to part 363 and should perform all 
the duties of the audit committee of a subsidiary institution 
subject to part 363, even if the holding company directors are not 
directors of the institution.
    (b) When an insured depository institution subsidiary with total 
assets of $1 billion or more as of the beginning of its fiscal year 
does not meet the requirements for the holding company exception 
specified in Sec. Sec.  363.1(b)(1) and (2) or maintains its own 
separate audit committee to satisfy the requirements of this part, 
the members of the audit committee of the top-tier or any mid-tier 
holding company may serve on the audit committee of the subsidiary 
institution if they are otherwise independent of management of the 
subsidiary institution, and, if applicable, meet any other 
requirements for a large subsidiary institution covered by this 
part.
    (c) When an insured depository institution with total assets of 
$500 million or more but less than $1 billion as of the beginning of 
its fiscal year does not meet the requirements for the holding 
company exception specified in Sec. Sec.  363.1(b)(1) and (2) or 
maintains its own separate audit committee to satisfy the 
requirements of this part, the members of the audit committee of the 
top-tier or any mid-tier holding company may serve on the audit 
committee of the subsidiary institution provided a majority of its 
audit committee members are independent of management of the 
subsidiary institution.
    (d) Officers and employees of a top-tier or any mid-tier holding 
company may not serve on the audit committee of its subsidiary 
institutions.
    31. Duties. The audit committee should perform all duties 
determined by the institution's board of directors, and it should 
maintain minutes and other relevant records of its meetings and 
decisions. The duties of the audit committee should be appropriate 
to the size of the institution and the complexity of its operations, 
and, at a minimum, should include the appointment, compensation, and 
oversight of the independent public accountant; reviewing with 
management and the independent public accountant the basis for their 
respective reports issued under Sec. Sec.  363.2(a) and (b) and 
Sec. Sec.  363.3(a) and (b); reviewing and satisfying itself as to 
the independent public accountant's compliance with the required 
qualifications for independent public accountants set forth in 
Sec. Sec.  363.3(f) and (g) and guidelines 13 through16; ensuring 
that audit engagement letters comply with the provisions of Sec.  
363.5(c) before engaging an independent public accountant; being 
familiar with the notice requirements in Sec.  363.4(d) and 
guideline 20 regarding the selection, change, or termination of an 
independent public accountant; and ensuring that management sends a 
copy of any notice required under Sec.  363.4(d) to the independent 
public accountant when it is filed with the FDIC. Appropriate 
additional duties could include:
    (a) Reviewing with management and the independent public 
accountant the scope of services required by the audit, significant 
accounting policies, and audit conclusions regarding significant 
accounting estimates;
    (b) Reviewing with management and the accountant their 
assessments of the effectiveness of internal control over financial 
reporting, and the resolution of identified material weaknesses and 
significant deficiencies in internal control over financial 
reporting, including the prevention or detection of management 
override or compromise of the internal control system;
    (c) Reviewing with management the institution's compliance with 
the designated laws and regulations identified in guideline 12;
    (d) Discussing with management and the independent public 
accountant any significant disagreements between management and the 
independent public accountant; and
    (e) Overseeing the internal audit function.
    32. Banking or Related Financial Management Expertise. At least 
two members of the audit committee of a large institution shall have 
``banking or related financial management expertise'' as required by 
section 36(g)(1)(C)(i). This determination is to be made by the 
board of directors of the insured depository institution. A person 
will be considered to have such required expertise if the person has 
significant executive, professional, educational, or regulatory 
experience in financial, auditing, accounting, or banking matters as 
determined by the board of directors. Significant experience as an 
officer or member of the board of directors or audit committee of a 
financial services company would satisfy these criteria.
    33. Large Customers. Any individual or entity (including a 
controlling person of any such entity) which, in the determination 
of the board of directors, has such significant direct or indirect 
credit or other relationships with the institution, the termination 
of which likely would materially and adversely affect the 
institution's financial condition or results of operations, should 
be considered a ``large customer'' for purposes of Sec.  363.5(b).
    34. Access to Counsel. The audit committee should be able to 
retain counsel at its discretion without prior permission of the 
institution's board of directors or its management. Section 36 does 
not preclude advice from the institution's internal counsel or 
regular outside counsel. It also does not require retaining or 
consulting counsel, but if the committee elects to do either, it 
also may elect to consider issues affecting the counsel's 
independence. Such issues would include whether to retain or consult 
only counsel not concurrently representing the institution or any 
affiliate, and whether to place limitations on any counsel 
representing the institution concerning matters in which such 
counsel previously participated personally and substantially as 
outside counsel to the committee.
    35. Transition Period for Forming and Restructuring Audit 
Committees.
    (a) When an insured depository institution's total assets at the 
beginning of its fiscal year are $500 million or more for the first 
time and it thereby becomes subject to part 363, no regulatory 
action will be taken if the institution forms or restructures its 
audit committee to comply with Sec.  363.5(a)(2) by the end of that 
fiscal year.
    (b) When an insured depository institution's total assets at the 
beginning of

[[Page 62330]]

its fiscal year are $1 billion or more for the first time, no 
regulatory action will be taken if the institution forms or 
restructures its audit committee to comply with Sec.  363.5(a)(1) by 
the end of that fiscal year, provided that the composition of its 
audit committee meets the requirements specified in Sec.  
363.5(a)(2) at the beginning of that fiscal year, if such 
requirements were applicable.
    (c) When an insured depository institution's total assets at the 
beginning of its fiscal year are $3 billion or more for the first 
time, no regulatory action will be taken if the institution forms or 
restructures its audit committee to comply with Sec.  363.5(b) by 
the end of that fiscal year, provided that the composition of its 
audit committee meets the requirements specified in Sec.  
363.5(a)(1) at the beginning of that fiscal year, if such 
requirements were applicable.

Other

    36. Modifications of Guidelines. The FDIC's Board of Directors 
has delegated to the Director of the FDIC's Division of Supervision 
and Consumer Protection authority to make and publish in the Federal 
Register minor technical amendments to the Guidelines in this 
appendix, in consultation with the other appropriate federal banking 
agencies, to reflect the practical experience gained from 
implementation of this part. It is not anticipated any such 
modification would be effective until affected institutions have 
been given reasonable advance notice of the modification. Any 
material modification or amendment will be subject to review and 
approval of the FDIC Board of Directors.

                                              Table 1 to Appendix A
                              Designated Federal Laws and Regulations Applicable to
----------------------------------------------------------------------------------------------------------------
                                                                            State
                                                            National       member      State  non-     Savings
                                                              banks         banks     member banks  associations
----------------------------------------------------------------------------------------------------------------
                   Insider Loans--Parts and/or Sections of Title 12 of the United States Code
----------------------------------------------------------------------------------------------------------------
375a..............................  Loans to Executive        [radic]       [radic]           (A)           (A)
                                     Officers of Banks.
375b..............................  Extensions of Credit      [radic]       [radic]           (A)           (A)
                                     to Executive
                                     Officers,
                                     Directors, and
                                     Principal
                                     Shareholders of
                                     Banks.
1468(b)...........................  Extensions of Credit  ............  ............  ............      [radic]
                                     to Executive
                                     Officers,
                                     Directors, and
                                     Principal
                                     Shareholders.
1828(j)(2)........................  Extensions of Credit  ............  ............      [radic]   ............
                                     to Officers,
                                     Directors, and
                                     Principal
                                     Shareholders.
1828(j)(3)(B).....................  Extensions of Credit          (B)   ............            (C) ............
                                     to Officers,
                                     Directors, and
                                     Principal
                                     Shareholders.
----------------------------------------------------------------------------------------------------------------
                      Parts and/or Sections of Title 12 of the Code of Federal Regulations
----------------------------------------------------------------------------------------------------------------
31................................  Extensions of Credit      [radic]   ............  ............  ............
                                     to Insiders.
32................................  Lending Limits......      [radic]
215...............................  Loans to Executive        [radic]       [radic]           (D)           (E)
                                     Officers,
                                     Directors, and
                                     Principal
                                     Shareholders of
                                     Member Banks.
337.3.............................  Limits on Extensions  ............  ............      [radic]   ............
                                     of Credit to
                                     Executive Officers,
                                     Directors, and
                                     Principal
                                     Shareholders of
                                     Insured Nonmember
                                     Banks.
563.43............................  Loans by Savings      ............  ............  ............      [radic]
                                     Associations to
                                     Their Executive
                                     Officers,
                                     Directors, and
                                     Principal
                                     Shareholders.
----------------------------------------------------------------------------------------------------------------
               Dividend Restrictions--Parts and/or Sections of Title 12 of the United States Code
----------------------------------------------------------------------------------------------------------------
56................................  Prohibition on            [radic]       [radic]   ............  ............
                                     Withdrawal of
                                     Capital and
                                     Unearned Dividends.
60................................  Dividends and             [radic]       [radic]   ............  ............
                                     Surplus Fund.
1467a(f)..........................  Declaration of        ............  ............  ............      [radic]
                                     Dividend.
1831o(d)(1).......................  Prompt Corrective         [radic]       [radic]       [radic]       [radic]
                                     Action--Capital
                                     Distributions
                                     Restricted.
----------------------------------------------------------------------------------------------------------------
                      Parts and/or Sections of Title 12 of the Code of Federal Regulations
----------------------------------------------------------------------------------------------------------------
5 Subpart E.......................  Payment of Dividends      [radic]   ............  ............  ............
6.6...............................  Prompt Corrective         [radic]   ............  ............  ............
                                     Action--Restriction
                                     s on
                                     Undercapitalized
                                     Institutions.
208.5.............................  Dividends and Other   ............      [radic]   ............  ............
                                     Distributions.
208.45............................  Prompt Corrective     ............      [radic]   ............  ............
                                     Action--Restriction
                                     s on
                                     Undercapitalized
                                     Institutions.
325.105...........................  Prompt Corrective     ............  ............      [radic]   ............
                                     Action--Restriction
                                     s on
                                     Undercapitalized
                                     Institutions.
563 Subpart E.....................  Capital               ............  ............  ............      [radic]
                                     Distributions.
565.6.............................  Prompt Corrective     ............  ............  ............     [radic]
                                     Action--Restriction
                                     s on
                                     Undercapitalized
                                     Institutions.
----------------------------------------------------------------------------------------------------------------
A. Subsections (g) and (h) of section 22 of the Federal Reserve Act [12 U.S.C. 375a, 375b].
B. Applies only to insured federal branches of foreign banks.
C. Applies only to insured state branches of foreign banks.
D. See 12 CFR 337.3.
E. See 12 CFR 563.43.


[[Page 62331]]

Appendix B to Part 363--Illustrative Management Reports

Table of Contents

1. General
2. Reporting Scenarios for Institutions that are Holding Company 
Subsidiaries
3. Illustrative Management Report--Statement of Management's 
Responsibilities
4. Illustrative Management Report--Management's Assessment of 
Compliance with Laws and Regulations
5. Illustrative Management Report--Management's Assessment of 
Internal Control Over Financial Reporting
6. Illustrative Management Report--Combined Statement of 
Management's Responsibilities, Management's Assessment of Compliance 
with Laws and Regulations, and Management's Assessment of the 
Effectiveness of Internal Control Over Financial Reporting
7. Illustrative Cover Letter--Compliance by Holding Company 
Subsidiaries
    1. General. The reporting scenarios, illustrative management 
reports, and the cover letter (when complying at the holding company 
level) in Appendix B to part 363 are intended to assist managements 
of insured depository institutions in complying with the annual 
reporting requirements of Sec.  363.2 and guideline 3, Compliance by 
Holding Company Subsidiaries, of Appendix A to part 363. However, 
use of the wording in the illustrative management reports and cover 
letter is not required. The managements of insured depository 
institutions are encouraged to tailor their management reports and 
cover letters to fit their particular circumstances and avoid the 
use of ``boilerplate'' language. Terms that are not explained in 
Appendix B have the meanings given them in part 363, the FDI Act, or 
professional accounting and auditing literature. Instructions to the 
preparer of the management reports are shown in brackets within the 
illustrative reports.
    2. Reporting Scenarios for Institutions that are Holding Company 
Subsidiaries. (a) Subject to the criteria specified in Sec.  
363.1(b), an insured depository institution that is a subsidiary of 
a holding company has flexibility in satisfying the reporting 
requirements of part 363. When reporting at the holding company 
level, the management report should identify those subsidiary 
institutions that are subject to part 363 and the extent to which 
they are included in the scope of the management report. The 
following reporting scenarios reflect how an insured depository 
institution that meets the criteria set forth in Sec.  363.1(b) 
could satisfy the annual reporting requirements of Sec.  363.2. 
Other reporting scenarios are possible.
    (i) An institution that is a subsidiary of a holding company may 
satisfy the requirements for audited financial statements, 
management's statement of responsibilities, management's assessment 
of the institution's compliance with laws and regulations, 
management's assessment of the effectiveness of internal control 
over financial reporting (if applicable), and the independent public 
accountant's attestation on management's assertion as to the 
effectiveness of internal control over financial reporting (if 
applicable) at the insured depository institution level.
    (ii) An institution that is a subsidiary of a holding company 
may satisfy the requirements for audited financial statements, 
management's statement of responsibilities, management's assessment 
of the institution's compliance with laws and regulations, 
management's assessment of the effectiveness of internal control 
over financial reporting (if applicable), and the independent public 
accountant's attestation on management's assertion as to the 
effectiveness of internal control over financial reporting (if 
applicable) at the holding company level.
    (iii) An institution that is a subsidiary of a holding company 
may satisfy the requirement for audited financial statements at the 
holding company level and may satisfy the requirements for 
management's statement of responsibilities, management's assessment 
of the institution's compliance with laws and regulations, 
management's assessment of the effectiveness of internal control 
over financial reporting (if applicable), and the independent public 
accountant's attestation on management's assertion as to the 
effectiveness of internal control over financial reporting (if 
applicable) at the insured depository institution level.
    (iv) An institution that is a subsidiary of a holding company 
may satisfy the requirements for audited financial statements, 
management's statement of responsibilities, and management's 
assessment of the institution's compliance with laws and regulations 
at the insured depository institution level and may satisfy the 
requirements for the assessment by management of the effectiveness 
of internal control over financial reporting (if applicable), and 
the independent public accountant's attestation on management's 
assertion as to the effectiveness of internal control over financial 
reporting (if applicable) at the holding company level.
    (b) For an institution with total assets of $1 billion or more 
as of the beginning of its fiscal year, the assessment by management 
of the effectiveness of internal control over financial reporting 
and the independent public accountant's attestation on management's 
assertion as to the effectiveness of internal control over financial 
reporting (if applicable) must both be performed at the same level, 
i.e., either at the insured depository institution level or at the 
holding company level.
    (c) Financial statements prepared for regulatory reporting 
purposes encompass the schedules equivalent to the basic financial 
statements in an institution's appropriate regulatory report, e.g., 
the bank Consolidated Reports of Condition and Income (Call Report) 
and the Thrift Financial Report (TFR). When internal control 
assessments and attestations are performed at the holding company 
level, the FDIC believes that holding companies have flexibility in 
interpreting ``financial reporting'' as it relates to ``regulatory 
reporting'' and has not objected to several reporting approaches 
employed by holding companies to cover ``regulatory reporting.'' 
Certain holding companies have had management's assessment and the 
accountant's attestation cover the schedules equivalent to the basic 
financial statements that are included in the appropriate regulatory 
report, e.g., Call Report and the TFR, of each subsidiary 
institution subject to part 363. Other holding companies have had 
management's assessment and the accountant's attestation cover the 
schedules equivalent to the basic financial statements that are 
included in the holding company's year-end regulatory report (FR Y-
9C report) to the Federal Reserve Board.
    3. Illustrative Management Report--Statement of Management's 
Responsibilities. The following illustrative statements of 
management's responsibilities satisfy the requirements of Sec.  
363.2(b)(1).
(a) Statement Made at Insured Depository Institution Level
To: The Board of Directors and Audit Committee, ABC Depository 
Institution
Re: Statement of Management's Responsibilities

    The management of ABC Depository Institution (the 
``Institution'') is responsible for preparing the Institution's 
annual financial statements in accordance with generally accepted 
accounting principles; for establishing and maintaining an adequate 
internal control structure and procedures for financial reporting, 
including controls over the preparation of regulatory financial 
statements in accordance with the instructions for regulatory 
reporting [specify the regulatory reporting instructions]; and for 
complying with laws and regulations relating to safety and soundness 
that are designated by the FDIC and the appropriate federal banking 
agency [specify the appropriate federal banking agency, if 
applicable].

ABC Depository Institution
-----------------------------------------------------------------------
John Doe, Chief Executive Officer
Date:------------------------------------------------------------------

-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer
Date:------------------------------------------------------------------

(b) Statement Made at Holding Company Level
To: The Board of Directors and Audit Committee BCD Holding Company
Re: Statement of Management's Responsibilities
    The management of BCD Holding Company (the ``Company'') is 
responsible for preparing the Company's annual financial statements 
in accordance with generally accepted accounting principles; for 
establishing and maintaining an adequate internal control structure 
and procedures for financial reporting, including controls over the 
preparation of regulatory financial statements in accordance with 
the instructions for regulatory reporting [specify the regulatory 
reporting instructions]; and for complying with laws and regulations 
relating to safety and soundness that are designated by the FDIC and 
the appropriate federal banking agency [specify the appropriate 
federal banking agency, if applicable]. The following subsidiary 
institutions of the Company that are subject to Part 363 are 
included in the scope of this management report: [Identify the 
subsidiary institutions.]

[[Page 62332]]

BCD Holding Company
-----------------------------------------------------------------------
John Doe, Chief Executive Officer
Date:------------------------------------------------------------------
-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer
Date:------------------------------------------------------------------

    4. Illustrative Management Report--Management's Assessment of 
Compliance with Laws and Regulations. The following illustrative 
reports of management's assessment of compliance with laws and 
regulations satisfy the requirements of Sec.  363.2(b)(2).

(a) Statement Made at Insured Depository Institution Level--
Compliance
To: The Board of Directors and Audit Committee, ABC Depository 
Institution
Re: Management's Assessment of Compliance with Laws and Regulations

    The management of ABC Depository Institution (the 
``Institution'') has assessed the Institution's compliance with the 
laws and regulations relating to safety and soundness that are 
designated by the FDIC and the appropriate federal banking agency 
[specify the appropriate federal banking agency, if applicable] 
during the fiscal year that ended on December 31, 20XX. Based upon 
its assessment, management has concluded that the Institution 
complied with the laws and regulations relating to safety and 
soundness that are designated by the FDIC and the appropriate 
federal banking agency [specify the appropriate federal banking 
agency, if applicable] during the fiscal year that ended on December 
31, 20XX.

ABC Depository Institution
-----------------------------------------------------------------------
John Doe, Chief Executive Officer
Date:------------------------------------------------------------------
-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer
Date:------------------------------------------------------------------

(b) Statement Made at Insured Depository Institution Level--
Noncompliance
To: The Board of Directors and Audit Committee, ABC Depository 
Institution
Re: Management's Assessment of Compliance with Laws and Regulations
    The management of ABC Depository Institution (the 
``Institution'') has assessed the Institution's compliance with the 
laws and regulations relating to safety and soundness that are 
designated by the FDIC and the appropriate federal banking agency 
[specify the appropriate federal banking agency, if applicable] 
during the fiscal year that ended on December 31, 20XX. Because of 
the noncompliance during the fiscal year that ended on December 31, 
20XX, with the laws and regulations relating to safety and soundness 
noted below, management has determined that the Institution did not 
comply with the laws and regulations relating to safety and 
soundness that are designated by the FDIC and the appropriate 
federal banking agency [specify the appropriate federal banking 
agency, if applicable] during the fiscal year that ended on December 
31, 20XX.
[Identify and describe the instance or instances of noncompliance 
with the laws and regulations relating to safety and soundness.]

ABC Depository Institution
-----------------------------------------------------------------------
John Doe, Chief Executive Officer
Date:------------------------------------------------------------------
-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer
Date:------------------------------------------------------------------

(c) Statement Made at Holding Company Level--Compliance
To: The Board of Directors and Audit Committee, BCD Holding Company
Re: Management's Assessment of Compliance with Laws and Regulations

    The management of BCD Holding Company (the ``Company'') has 
assessed the Company's compliance with the laws and regulations 
relating to safety and soundness that are designated by the FDIC and 
the appropriate federal banking agency [specify the appropriate 
federal banking agency, if applicable] during the fiscal year that 
ended on December 31, 20XX. Based upon its assessment, management 
has concluded that the Company complied with the laws and 
regulations relating to safety and soundness that are designated by 
the FDIC and the appropriate federal banking agency [specify 
appropriate federal banking agency, if applicable] during the fiscal 
year that ended on December 31, 20XX. The following subsidiary 
institutions of the Company that are subject to Part 363 are 
included in the scope of management's assessment of compliance with 
laws and regulations: [Identify the subsidiary institutions.]

BCD Holding Company
-----------------------------------------------------------------------
John Doe, Chief Executive Officer
Date:------------------------------------------------------------------
-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer
Date:------------------------------------------------------------------

(d) Statement Made at Holding Company Level--Noncompliance
To: The Board of Directors and Audit Committee, BCD Holding Company
Re: Management's Assessment of Compliance with Laws and Regulations

    The management of BCD Holding Company (the ``Company'') has 
assessed the Company's compliance with the laws and regulations 
relating to safety and soundness that are designated by the FDIC and 
the appropriate federal banking agency [specify the appropriate 
federal banking agency, if applicable] during the fiscal year that 
ended on December 31, 20XX. The following subsidiary institutions of 
the Company that are subject to Part 363 are included in the scope 
of management's assessment of compliance with laws and regulations: 
[Identify the subsidiary institutions.]
    Because of the noncompliance during the fiscal year that ended 
on December 31, 20XX, with the laws and regulations relating to 
safety and soundness noted below, management has determined that the 
Company did not comply with the laws and regulations relating to 
safety and soundness that are designated by the FDIC and the 
appropriate federal banking agency [specify the appropriate federal 
banking agency, if applicable] during the fiscal year that ended on 
December 31, 20XX.
    [Identify and describe the instance or instances of 
noncompliance with the laws and regulations relating to safety and 
soundness.]

BCD Holding Company
-----------------------------------------------------------------------
John Doe, Chief Executive Officer
Date:------------------------------------------------------------------
-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer
Date:------------------------------------------------------------------

    5. Illustrative Management Report--Management's Assessment of 
Internal Control Over Financial Reporting. The following 
illustrative reports of management's assessment of internal control 
over financial reporting satisfy the requirements of Sec.  
363.2(b)(3).
    (a) Statement Made at Insured Depository Institution Level--No 
Material Weaknesses

To: The Board of Directors and Audit Committee, ABC Depository 
Institution
Re: Management's Assessment of Internal Control Over Financial 
Reporting
    ABC Depository Institution's (the ``Institution'') internal 
control over financial reporting is a process designed to provide 
reasonable assurance regarding the reliability of financial 
reporting and the preparation of financial statements in accordance 
with accounting principles generally accepted in the United States 
of America, including those prepared for regulatory reporting 
purposes [specify the regulatory reports]. The Institution's 
internal control over financial reporting includes those policies 
and procedures that (1) pertain to the maintenance of records that, 
in reasonable detail, accurately and fairly reflect the transactions 
and dispositions of the assets of the Institution; (2) provide 
reasonable assurance that transactions are recorded as necessary to 
permit preparation of financial statements in accordance with 
accounting principles generally accepted in the United States of 
America, and that receipts and expenditures of the Institution are 
being made only in accordance with authorizations of management and 
directors of the Institution; and (3) provide reasonable assurance 
regarding prevention or timely detection of unauthorized 
acquisition, use, or disposition of the Institution's assets that 
could have a material effect on the financial statements.
    Because of its inherent limitations, internal control over 
financial reporting may not prevent or detect misstatements. Also, 
projections of any evaluation of effectiveness to future periods are 
subject to the risk that controls may become inadequate because of 
changes in conditions, or that the degree of compliance with the 
policies and procedures may deteriorate.
    Management assessed the effectiveness of the Institution's 
internal control over financial reporting, including controls over 
preparation of regulatory financial statements in accordance with 
the instructions for regulatory reporting [specify the regulatory 
reporting instructions], as of December 31, 20XX, based on the 
framework set forth by the Committee of Sponsoring Organizations of 
the Treadway Commission in Internal Control--Integrated Framework. 
Based on that assessment, management concluded that, as of December 
31, 20XX, the Institution's internal control over financial 
reporting,

[[Page 62333]]

including controls over preparation of regulatory financial 
statements in accordance with the instructions for regulatory 
reporting [specify the regulatory reporting instructions], is 
effective based on the criteria established in Internal Control--
Integrated Framework.
    Management's assessment of the effectiveness of internal control 
over financial reporting, including controls over the preparation of 
regulatory financial statements in accordance with the instructions 
for regulatory reporting [specify the regulatory reporting 
instructions], as of December 31, 20XX, has been audited by [name of 
auditing firm], an independent public accounting firm, as stated in 
their report dated March XX, 20XX.

ABC Depository Institution
-----------------------------------------------------------------------
John Doe, Chief Executive Officer
Date:------------------------------------------------------------------
-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer
Date:------------------------------------------------------------------

(b) Statement Made at Insured Depository Institution Level--One or 
More Material Weaknesses
To: The Board of Directors and Audit Committee, ABC Depository 
Institution
Re: Management's Assessment of Internal Control Over Financial 
Reporting

    ABC Depository Institution's (the ``Institution'') internal 
control over financial reporting is a process designed to provide 
reasonable assurance regarding the reliability of financial 
reporting and the preparation of financial statements in accordance 
with accounting principles generally accepted in the United States 
of America, including those prepared for regulatory reporting 
purposes [specify the regulatory reports]. The Institution's 
internal control over financial reporting includes those policies 
and procedures that (1) pertain to the maintenance of records that, 
in reasonable detail, accurately and fairly reflect the transactions 
and dispositions of the assets of the Institution; (2) provide 
reasonable assurance that transactions are recorded as necessary to 
permit preparation of financial statements in accordance with 
accounting principles generally accepted in the United States of 
America, and that receipts and expenditures of the Institution are 
being made only in accordance with authorizations of management and 
directors of the Institution; and (3) provide reasonable assurance 
regarding prevention or timely detection of unauthorized 
acquisition, use, or disposition of the Institution's assets that 
could have a material effect on the financial statements.
    Because of its inherent limitations, internal control over 
financial reporting may not prevent or detect misstatements. Also, 
projections of any evaluation of effectiveness to future periods are 
subject to the risk that controls may become inadequate because of 
changes in conditions, or that the degree of compliance with the 
policies and procedures may deteriorate.
    Management assessed the effectiveness of the Institution's 
internal control over financial reporting, including controls over 
the preparation of regulatory financial statements in accordance 
with the instructions for regulatory reporting [specify the 
regulatory reporting instructions], as of December 31, 20XX, based 
on the framework set forth by the Committee of Sponsoring 
Organizations of the Treadway Commission in Internal Control--
Integrated Framework. Because of the material weakness (or 
weaknesses) noted below, management determined that the 
Institution's internal control over financial reporting, including 
controls over the preparation of regulatory financial statements in 
accordance with the instructions for regulatory reporting [specify 
the regulatory reporting instructions], was not effective as of 
December 31, 20XX.
    [Identify and describe the material weakness or weaknesses.]
    Management's assessment of the effectiveness of internal control 
over financial reporting, including controls over the preparation of 
regulatory financial statements in accordance with the instructions 
for regulatory reporting [specify the regulatory reporting 
instructions], as of December 31, 20XX, has been audited by [name of 
auditing firm], an independent public accounting firm, as stated in 
their report dated March XX, 20XX.

ABC Depository Institution
-----------------------------------------------------------------------
John Doe, Chief Executive Officer
Date:------------------------------------------------------------------
-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer
Date:------------------------------------------------------------------

(c) Statement Made at Holding Company Level--No Material Weaknesses
To: The Board of Directors and Audit Committee, BCD Holding Company
Re: Management's Assessment of Internal Control Over Financial 
Reporting

    BCD Holding Company's (the ``Company'') internal control over 
financial reporting is a process designed to provide reasonable 
assurance regarding the reliability of financial reporting and the 
preparation of financial statements in accordance with accounting 
principles generally accepted in the United States of America, 
including those prepared for regulatory reporting purposes [specify 
the regulatory reports]. The Company's internal control over 
financial reporting includes those policies and procedures that (1) 
pertain to the maintenance of records that, in reasonable detail, 
accurately and fairly reflect the transactions and dispositions of 
the assets of the Company; (2) provide reasonable assurance that 
transactions are recorded as necessary to permit preparation of 
financial statements in accordance with accounting principles 
generally accepted in the United States of America, and that 
receipts and expenditures of the Company are being made only in 
accordance with authorizations of management and directors of the 
Company; and (3) provide reasonable assurance regarding prevention 
or timely detection of unauthorized acquisition, use, or disposition 
of the Company's assets that could have a material effect on the 
financial statements.
    Because of its inherent limitations, internal control over 
financial reporting may not prevent or detect misstatements. Also, 
projections of any evaluation of effectiveness to future periods are 
subject to the risk that controls may become inadequate because of 
changes in conditions, or that the degree of compliance with the 
policies and procedures may deteriorate.
    Management assessed the effectiveness of the Company's internal 
control over financial reporting, including controls over the 
preparation of regulatory financial statements in accordance with 
the instructions for regulatory reporting [specify the regulatory 
reporting instructions], as of December 31, 20XX, based on the 
framework set forth by the Committee of Sponsoring Organizations of 
the Treadway Commission in Internal Control--Integrated Framework. 
Based on that assessment, management concluded that, as of December 
31, 20XX, the Company's internal control over financial reporting, 
including controls over the preparation of regulatory financial 
statements in accordance with the instructions for regulatory 
reporting [specify the regulatory reporting instructions], is 
effective based on the criteria established in Internal Control--
Integrated Framework. The following subsidiary institutions of the 
Company that are subject to Part 363 are included in the scope of 
this assessment of internal control over financial reporting: 
[Identify the subsidiary institutions.]
    Management's assessment of the effectiveness of internal control 
over financial reporting, including controls over the preparation of 
regulatory financial statements in accordance with the instructions 
for regulatory reporting [specify the regulatory reporting 
instructions], as of December 31, 20XX, has been audited by [name of 
auditing firm], an independent public accounting firm, as stated in 
their report dated March XX, 20XX.

BCD Holding Company
-----------------------------------------------------------------------
John Doe, Chief Executive Officer
Date:------------------------------------------------------------------
-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer
Date:------------------------------------------------------------------

(d) Statement Made at Holding Company Level--One or More Material 
Weaknesses
To: The Board of Directors and Audit Committee, BCD Holding Company
Re: Management's Assessment of Internal Control Over Financial 
Reporting

    BCD Holding Company's (the ``Company'') internal control over 
financial reporting is a process designed to provide reasonable 
assurance regarding the reliability of financial reporting and the 
preparation of financial statements in accordance with accounting 
principles generally accepted in the United States of America, 
including those prepared for regulatory reporting purposes [specify 
the regulatory reports]. The Company's internal control over 
financial reporting includes those policies and procedures that (1) 
pertain to the maintenance of records that, in reasonable detail, 
accurately and fairly reflect the transactions and dispositions of 
the assets of the Company; (2) provide reasonable assurance that 
transactions are recorded as necessary to permit preparation of 
financial statements in accordance with accounting principles 
generally accepted in the United

[[Page 62334]]

States of America, and that receipts and expenditures of the Company 
are being made only in accordance with authorizations of management 
and directors of the Company; and (3) provide reasonable assurance 
regarding prevention or timely detection of unauthorized 
acquisition, use, or disposition of the Company's assets that could 
have a material effect on the financial statements.
    Because of its inherent limitations, internal control over 
financial reporting may not prevent or detect misstatements. Also, 
projections of any evaluation of effectiveness to future periods are 
subject to the risk that controls may become inadequate because of 
changes in conditions, or that the degree of compliance with the 
policies and procedures may deteriorate.
    Management assessed the effectiveness of the Company's internal 
control over financial reporting, including controls over the 
preparation of regulatory financial statements in accordance with 
the instructions for regulatory reporting [specify the regulatory 
reporting instructions], as of December 31, 20XX, based on the 
framework set forth by the Committee of Sponsoring Organizations of 
the Treadway Commission in Internal Control--Integrated Framework. 
Because of the material weakness (or weaknesses) noted below, 
management determined that the Company's internal control over 
financial reporting, including controls over the preparation of 
regulatory financial statements in accordance with the instructions 
for regulatory reporting [specify the regulatory reporting 
instructions], was not effective as of December 31, 20XX. The 
following subsidiary institutions of the Company that are subject to 
Part 363 are included in the scope of this assessment of internal 
control over financial reporting: [Identify the subsidiary 
institutions.]
    [Identify and describe the material weakness or weaknesses.]
    Management's assessment of the effectiveness of internal control 
over financial reporting, including controls over the preparation of 
regulatory financial statements in accordance with the instructions 
for regulatory reporting [specify the regulatory reporting 
instructions], as of December 31, 20XX, has been audited by [name of 
auditing firm], an independent public accounting firm, as stated in 
their report dated March XX, 20XX.

BCD Holding Company
-----------------------------------------------------------------------
John Doe, Chief Executive Officer
Date:------------------------------------------------------------------

-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer
Date:------------------------------------------------------------------

    6. Illustrative Management Report--Combined Statement of 
Management's Responsibilities, Management's Assessment of Compliance 
with Laws and Regulations, and Management's Assessment of the 
Effectiveness of Internal Control Over Financial Reporting, if 
applicable. The following illustrative management reports satisfy 
the requirements of Sec. Sec.  363.2(b)(1), (2), and (3).

    (a) Management Report Made at Insured Depository Institution 
Level--Compliance with Laws and Regulations and No Material 
Weaknesses in Internal Control Over Financial Reporting

To: The Board of Directors and Audit Committee, ABC Depository 
Institution
Re: Management Report

Statement of Management's Responsibilities

    The management of ABC Depository Institution (the 
``Institution'') is responsible for preparing the Institution's 
annual financial statements in accordance with generally accepted 
accounting principles; for establishing and maintaining an adequate 
internal control structure and procedures for financial reporting, 
including controls over the preparation of regulatory financial 
statements in accordance with the instructions for regulatory 
reporting [specify the regulatory reporting instructions]; and for 
complying with laws and regulations relating to safety and soundness 
that are designated by the FDIC and the appropriate federal banking 
agency [specify the appropriate federal banking agency, if 
applicable].

Management's Assessment of Compliance With Laws and Regulations

    Management of ABC Depository Institution (the ``Institution'') 
has assessed the Institution's compliance with the laws and 
regulations relating to safety and soundness that are designated by 
the FDIC and the appropriate federal banking agency [specify the 
appropriate federal banking agency, if applicable] during the fiscal 
year that ended on December 31, 20XX. Based upon its assessment, 
management has concluded that the Institution complied with the laws 
and regulations relating to safety and soundness that are designated 
by the FDIC and the appropriate federal banking agency (specify the 
appropriate federal banking agency, if applicable) during the fiscal 
year that ended on December 31, 20XX.

Management's Assessment of Internal Control Over Financial 
Reporting

    ABC Depository Institution's (the ``Institution'') internal 
control over financial reporting is a process designed to provide 
reasonable assurance regarding the reliability of financial 
reporting and the preparation of financial statements in accordance 
with accounting principles generally accepted in the United States 
of America, including those prepared for regulatory reporting 
purposes [specify the regulatory reports]. The Institution's 
internal control over financial reporting includes those policies 
and procedures that (1) pertain to the maintenance of records that, 
in reasonable detail, accurately and fairly reflect the transactions 
and dispositions of the assets of the Institution; (2) provide 
reasonable assurance that transactions are recorded as necessary to 
permit preparation of financial statements in accordance with 
accounting principles generally accepted in the United States of 
America, and that receipts and expenditures of the Institution are 
being made only in accordance with authorizations of management and 
directors of the Institution; and (3) provide reasonable assurance 
regarding prevention or timely detection of unauthorized 
acquisition, use, or disposition of the Institution's assets that 
could have a material effect on the financial statements.
    Because of its inherent limitations, internal control over 
financial reporting may not prevent or detect misstatements. Also, 
projections of any evaluation of effectiveness to future periods are 
subject to the risk that controls may become inadequate because of 
changes in conditions, or that the degree of compliance with the 
policies and procedures may deteriorate.
    Management assessed the effectiveness of the Institution's 
internal control over financial reporting, including controls over 
the preparation of regulatory financial statements in accordance 
with the instructions for regulatory reporting [specify the 
regulatory reporting instructions], as of December 31, 20XX, based 
on the framework set forth by the Committee of Sponsoring 
Organizations of the Treadway Commission in Internal Control--
Integrated Framework. Based on that assessment, management concluded 
that, as of December 31, 20XX, the Institution's internal control 
over financial reporting, including controls over the preparation of 
regulatory financial statements in accordance with the instructions 
for regulatory reporting [specify the regulatory reporting 
instructions], is effective based on the criteria established in 
Internal Control--Integrated Framework.
    Management's assessment of the effectiveness of internal control 
over financial reporting, including controls over the preparation of 
regulatory financial statements in accordance with the instructions 
for regulatory reporting [specify the regulatory reporting 
instructions], as of December 31, 20XX, has been audited by [name of 
auditing firm], an independent public accounting firm, as stated in 
their report dated March XX, 20XX.

ABC Depository Institution
-----------------------------------------------------------------------
John Doe, Chief Executive Officer
Date:------------------------------------------------------------------

-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer
Date:------------------------------------------------------------------

    (b) Management Report Made at Holding Company Level--Compliance 
with Laws and Regulations and No Material Weaknesses in Internal 
Control Over Financial Reporting
To: The Board of Directors and Audit Committee, BCD Holding Company
Re: Management Report

Statement of Management's Responsibilities

    The management of BCD Holding Company (the ``Company'') is 
responsible for preparing the Company's annual financial statements 
in accordance with generally accepted accounting principles; for 
establishing and maintaining an adequate internal control structure 
and procedures for financial reporting, including controls over the 
preparation of regulatory financial statements in accordance with 
the instructions for regulatory reporting [specify the regulatory 
reporting instructions]; and for complying with laws and regulations 
relating to safety and soundness that are designated by the FDIC and 
the appropriate federal banking agency [specify the appropriate

[[Page 62335]]

federal banking agency, if applicable]. The following subsidiary 
institutions of the Company that are subject to Part 363 are 
included in the scope of this management report, management's 
assessment of compliance with laws and regulations, and management's 
assessment of internal control over financial reporting: [Identify 
the subsidiary institutions.]

Management's Assessment of Compliance With Laws and Regulations

    Management of BCD Holding Company (the ``Company'') has assessed 
the Company's compliance with the laws and regulations relating to 
safety and soundness that are designated by the FDIC and the 
appropriate federal banking agency [specify the appropriate federal 
banking agency, if applicable] during the fiscal year that ended on 
December 31, 20XX. Based upon its assessment, management has 
concluded that the Company complied with the laws and regulations 
relating to safety and soundness that are designated by the FDIC and 
the appropriate federal banking agency [specify appropriate federal 
banking agency, if applicable] during the fiscal year that ended on 
December 31, 20XX.

Management's Assessment of Internal Control Over Financial 
Reporting

    BCD Holding Company's (the ``Company'') internal control over 
financial reporting is a process designed to provide reasonable 
assurance regarding the reliability of financial reporting and the 
preparation of financial statements in accordance with accounting 
principles generally accepted in the United States of America, 
including those prepared for regulatory reporting purposes [specify 
the regulatory reports]. The Company's internal control over 
financial reporting includes those policies and procedures that (1) 
pertain to the maintenance of records that, in reasonable detail, 
accurately and fairly reflect the transactions and dispositions of 
the assets of the Company; (2) provide reasonable assurance that 
transactions are recorded as necessary to permit preparation of 
financial statements in accordance with accounting principles 
generally accepted in the United States of America, and that 
receipts and expenditures of the Company are being made only in 
accordance with authorizations of management and directors of the 
Company; and (3) provide reasonable assurance regarding prevention 
or timely detection of unauthorized acquisition, use, or disposition 
of the Company's assets that could have a material effect on the 
financial statements.
    Because of its inherent limitations, internal control over 
financial reporting may not prevent or detect misstatements. Also, 
projections of any evaluation of effectiveness to future periods are 
subject to the risk that controls may become inadequate because of 
changes in conditions, or that the degree of compliance with the 
policies and procedures may deteriorate.
    Management assessed the effectiveness of the Company's internal 
control over financial reporting, including controls over the 
preparation of regulatory financial statements in accordance with 
the instructions for regulatory reporting [specify the regulatory 
reporting instructions], as of December 31, 20XX, based on the 
framework set forth by the Committee of Sponsoring Organizations of 
the Treadway Commission in Internal Control--Integrated Framework. 
Based on that assessment, management concluded that, as of December 
31, 20XX, the Company's internal control over financial reporting, 
including controls over the preparation of regulatory financial 
statements in accordance with the instructions for regulatory 
reporting [specify the regulatory reporting instructions], is 
effective based on the criteria established in Internal Control--
Integrated Framework.
    Management's assessment of the effectiveness of internal control 
over financial reporting, including controls over the preparation of 
regulatory financial statements in accordance with the instructions 
for regulatory reporting [specify the regulatory reporting 
instructions], as of December 31, 20XX, has been audited by [name of 
auditing firm], an independent public accounting firm, as stated in 
their report dated March XX, 20XX.

BCD Holding Company
-----------------------------------------------------------------------
John Doe, Chief Executive Officer
Date:------------------------------------------------------------------

-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer
Date:------------------------------------------------------------------

    7. Illustrative Cover Letter--Compliance by Holding Company 
Subsidiaries. The following illustrative cover letter satisfies the 
requirements of guideline 3, Compliance by Holding Company 
Subsidiaries, of Appendix A to part 363.

To: (Appropriate FDIC Regional or Area Office) Division of 
Supervision and Consumer Protection, FDIC, and (Appropriate District 
or Regional Office of the Primary Federal Regulator(s), if not the 
FDIC), and (Appropriate State Bank Supervisor(s), if applicable)
    Dear [Insert addressees]:
    BCD Holding Company (the ``Company'') is filing two copies of 
the Part 363 Annual Report for the fiscal year ended December 31, 
20XX, on behalf of its insured depository institution subsidiaries 
listed in the chart below that are subject to Part 363. The Part 363 
Annual Report contains audited comparative annual financial 
statements, the independent public accountant's report on the 
audited financial statements, management's statement of 
responsibilities, management's assessment of compliance with laws 
and regulations, and [if applicable] management's assessment of and 
the independent public accountant's attestation report on internal 
controls over financial reporting. The chart below also indicates 
the level (institution or holding company) at which the requirements 
of Part 363 are being satisfied. The Company's insured depository 
institution subsidiary that complies with all of the Part 363 annual 
reporting requirements at the institution level has filed [or will 
file] its Part 363 Annual Report separately.

--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                          Management's
                                        Audited financial         Management's           assessment of           Management's      Independent auditor's
  Institutions subject to part 363         statements             statement of        compliance with laws     internal control       internal control
                                                                responsibilities        and regulations           assessment         attestation report
--------------------------------------------------------------------------------------------------------------------------------------------------------
ABC Depository Institution.........  HC Level..............  HC Level..............  HC Level.............  HC Level.............  HC Level.
DEF Depository Institution.........  HC Level..............  Institution Level.....  Institution Level....  Institution Level....  Institution Level.
--------------------------------------------------------------------------------------------------------------------------------------------------------

    If you have any questions regarding the annual report [or 
reports] of the Company's insured depository institution 
subsidiaries subject to part 363 or if you need any further 
information, you may contact me at 987-654-3210.

BCD Holding Company

Date:------------------------------------------------------------------
[Insert officer's name and title.]

    By order of the Board of Directors.

    Dated at Washington, DC, this 16th day of October, 2007.
Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.

 [FR Doc. E7-21168 Filed 11-1-07; 8:45 am]
BILLING CODE 6714-01-P