[Federal Register Volume 74, Number 137 (Monday, July 20, 2009)]
[Rules and Regulations]
[Pages 35726-35761]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-17009]




-----------------------------------------------------------------------

Part III





Federal Deposit Insurance Corporation





-----------------------------------------------------------------------



12 CFR Parts 308 and 363



Annual Independent Audits and Reporting Requirements; Final Rule



-----------------------------------------------------------------------

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Parts 308 and 363

RIN 3064-AD21


Annual Independent Audits and Reporting Requirements

AGENCY: Federal Deposit Insurance Corporation (FDIC).

ACTION: Final rule; correction.

-----------------------------------------------------------------------

SUMMARY: The FDIC is amending part 363 of its regulations concerning 
annual independent audits and reporting requirements for certain 
insured depository institutions, which implements section 36 of the 
Federal Deposit Insurance Act (FDI Act), largely as proposed, but with 
certain modifications made in response to the comments received. The 
amendments are designed to further the objectives of section 36 by 
incorporating certain sound audit, reporting, and audit committee 
practices from the Sarbanes-Oxley Act of 2002 (SOX) into part 363 and 
they also reflect the FDIC's experience in administering part 363. The 
amendments will provide clearer and more complete guidance to 
institutions and independent public accountants concerning compliance 
with the requirements of section 36 and part 363. As required by 
section 36, the FDIC has consulted with the other Federal banking 
agencies. The FDIC is also making a technical amendment to its rules 
and procedures (part 308, subpart U) for the removal, suspension, or 
debarment of accountants and accounting firms.
    The FDIC previously published this final rule in the Federal 
Register on July 7, 2009; however, the document is being republished in 
its entirety in order to correct an error in the DATES section which 
caused the applicability date to be incorrect and to correct language 
relating to holding company depository institution subsidiaries.

DATES: Effective Dates: The final rule is effective August 6, 2009. 
Part 363 Annual Reports with a filing deadline on or after the 
effective date of these amendments should be prepared in accordance 
with the final rule.
    The compliance date for the provision of the final rule that 
directs covered institutions' boards of directors to develop and adopt 
an approved set of written criteria for determining whether a director 
who is to serve on the audit committee is an outside director and is 
independent of management (guideline 27) is delayed until December 31, 
2009. The provision of the final rule that requires the total assets of 
a holding company's insured depository institution subsidiaries to 
comprise 75 percent or more of the holding company's consolidated total 
assets in order for an institution to be eligible to comply with part 
363 at the holding company level (Sec.  363.1(b)(1)(ii)) is effective 
for fiscal years ending on or after June 15, 2010.

FOR FURTHER INFORMATION CONTACT: Harrison E. Greene, Jr., Senior Policy 
Analyst (Bank Accounting), Division of Supervision and Consumer 
Protection, at [email protected] or (202) 898-8905; or Michelle 
Borzillo, Senior Counsel, Corporate and Legal Operations Section, Legal 
Division, at [email protected] or (202) 898-7400.

SUPPLEMENTARY INFORMATION:

I. Executive Summary

    Section 36 of the Federal Deposit Insurance Act (FDI Act) and the 
FDIC's implementing regulations (part 363) are generally intended to 
facilitate early identification of problems in financial management at 
insured depository institutions with total assets above certain 
thresholds through annual independent audits, assessments of the 
effectiveness of internal control over financial reporting and 
compliance with laws and regulations pertaining to insider loans and 
dividend restrictions, the establishment of independent audit 
committees, and related reporting requirements. The asset-size 
threshold for an institution for internal control assessments is $1 
billion and the threshold for the other requirements generally is $500 
million. Given changes in the industry; certain sound audit, reporting, 
and audit committee practices incorporated in the Sarbanes-Oxley Act of 
2002 (SOX); and the FDIC's experience in administering part 363, the 
FDIC is amending part 363 of its regulations. These amendments are 
designed to further the objectives of section 36 by incorporating these 
sound practices into part 363 and to provide clearer and more complete 
guidance to institutions and independent public accountants concerning 
compliance with the requirements of section 36 and part 363.
    After making certain modifications to the proposed amendments to 
part 363 \1\ in response to the comments received, the most significant 
revisions to existing part 363 that are included in the final rule 
will: (1) Extend the time period for a non-public institution to file 
its Part 363 Annual Report by 30 days and replace the 30-day extension 
of the filing deadline that may be granted if an institution (public or 
non-public) is confronted with extraordinary circumstances beyond its 
reasonable control with a late filing notification requirement that 
would have general applicability; (2) provide relief from the annual 
reporting requirements for institutions that are merged out of 
existence before the filing deadline; (3) provide relief from reporting 
on internal control over financial reporting for businesses acquired 
during the fiscal year; (4) require management's assessment of 
compliance with the laws and regulations pertaining to insider loans 
and dividend restrictions to state management's conclusion regarding 
compliance and disclose any noncompliance with such laws and 
regulations; (5) require an institution's management and the 
independent public accountant to identify the internal control 
framework used to evaluate internal control over financial reporting 
and disclose all identified material weaknesses that have not been 
remediated prior to the institution's most recent fiscal year-end; (6) 
clarify the independence standards with which independent public 
accountants must comply and enhance the enforceability of compliance 
with these standards; (7) specify that the duties of the audit 
committee include the appointment, compensation, and oversight of the 
independent public accountant, including ensuring that audit engagement 
letters do not contain unsafe and unsound limitation of liability 
provisions; (8) require certain communications by independent public 
accountants to audit committees; (9) establish retention requirements 
for audit working papers; (10) require boards of directors to adopt 
written criteria for evaluating an audit committee member's 
independence and provide expanded guidance for boards of directors to 
use in determining independence; (11) provide that ownership of 10 
percent or more of any class of voting securities of an institution is 
not an automatic bar for considering an outside director to be 
independent of management; (12) require the total assets of a holding 
company's insured depository institution subsidiaries to comprise 75 
percent or more of the holding company's consolidated total assets in 
order for an institution to be eligible to comply with part 363 at the 
holding company level; and (13) provide illustrative management reports 
to assist institutions in complying with the annual reporting 
requirements.
---------------------------------------------------------------------------

    \1\ 72 FR 62310, November 2, 2007.
---------------------------------------------------------------------------

    The FDIC is also amending its rules and procedures (part 308, 
subpart U) for
the removal, suspension, or debarment of accountants and accounting 
firms from performing audit services required by section 36 of the FDI 
Act to specify where an accountant or accounting firm should file 
required notices of orders and actions with the FDIC.

II. Background

    Section 112 of the Federal Deposit Insurance Corporation 
Improvement Act of 1991 (FDICIA) added section 36, ``Early 
Identification of Needed Improvements in Financial Management,'' to the 
FDI Act (12 U.S.C. 1831m). Section 36 is generally intended to 
facilitate early identification of problems in financial management at 
insured depository institutions above a certain asset size threshold 
through annual independent audits, assessments of the effectiveness of 
internal control over financial reporting and compliance with 
designated laws and regulations, and related reporting requirements. 
Section 36 also includes requirements for audit committees at these 
insured depository institutions. Section 36 grants the FDIC discretion 
to set the asset size threshold for compliance with these statutory 
requirements, but it states that the threshold cannot be less than $150 
million. Sections 36(d) and (f) also obligate the FDIC to consult with 
the other Federal banking agencies in implementing these sections of 
the FDI Act, and the FDIC has performed the required consultation.
    Part 363 of the FDIC's regulations (12 CFR part 363), which 
implements section 36 of the FDI Act, was initially adopted by the 
FDIC's Board of Directors in 1993. At present, part 363 requires each 
insured depository institution with $500 million or more in total 
assets (covered institution) to submit to the FDIC and other 
appropriate Federal and State supervisory agencies an annual report 
(Part 363 Annual Report) comprised of audited financial statements, and 
a management report containing a statement of management's 
responsibilities and an assessment by management of compliance with 
laws and regulations pertaining to insider loans and dividend 
restrictions. The management report component of the annual report for 
an institution with $1 billion or more in total assets must also 
include an assessment by management of the effectiveness of internal 
control over financial reporting and an independent public accountant's 
attestation report on internal control over financial reporting. In 
addition, part 363 provides that each covered institution's board of 
directors must establish an independent audit committee comprised of 
outside directors. For an institution with between $500 million and $1 
billion in total assets, part 363 requires a majority of the members of 
the audit committee to be independent of management of the institution. 
For a larger institution, all of the members of the audit committee 
must be independent of management. Part 363 also includes Guidelines 
and Interpretations (Appendix A to part 363), which are intended to 
assist institutions and independent public accountants in understanding 
and complying with section 36 and part 363.

III. Discussion of Proposed Amendments and Comments Received

    On October 16, 2007, the FDIC's Board approved the publication of 
proposed amendments to part 363 and part 308, subpart U, of the FDIC's 
regulations, which were published in the Federal Register on November 
2, 2007, for a 90-day comment period (72 FR 62310). The comment period 
closed on January 31, 2008.
    Given the number and extent of changes to part 363 and its 
Guidelines and Interpretations and to enable readers to more easily 
understand the context of the changes, this notice includes the entire 
text of part 363 as amended, not just the amended text. Also, the 
following ``Table of Changes to Part 363 and Appendices'' is intended 
to assist readers in determining which sections of part 363 are 
affected by the final rule.

                                   Table of Changes to Part 363 and Appendices
----------------------------------------------------------------------------------------------------------------
                                                 Unchanged         Revised            New            Reserved
----------------------------------------------------------------------------------------------------------------
Part 363--Annual Independent Audits and
 Reporting Requirements:
    Table of Contents.......................  ...............               X   ...............  ...............
    OMB Control Number: Sec.   363.0........               X   ...............  ...............  ...............
    Scope and Definitions:
        Sec.   363.1(a).....................  ...............               X   ...............  ...............
        Sec.   363.1(b)(1)..................  ...............               X   ...............  ...............
        Sec.   363.1(b)(2)..................  ...............               X   ...............  ...............
        Sec.   363.1(b)(3)..................               X   ...............  ...............  ...............
        Sec.   363.1(c).....................  ...............  ...............               X   ...............
        Sec.   363.1(d).....................  ...............  ...............               X   ...............
    Annual Reporting Requirements:            ...............  ...............  ...............  ...............
        Sec.   363.2(a).....................  ...............               X   ...............  ...............
        Sec.   363.2(b).....................  ...............               X   ...............  ...............
        Sec.   363.2(b)(1)..................  ...............               X   ...............  ...............
        Sec.   363.2(b)(2)..................  ...............               X   ...............  ...............
        Sec.   363.2(b)(3)..................  ...............               X   ...............  ...............
        Sec.   363.2(c).....................  ...............  ...............               X   ...............
    Independent Public Accountant:
        Sec.   363.3(a).....................               X   ...............  ...............  ...............
        Sec.   363.3(b).....................  ...............               X   ...............  ...............
        Sec.   363.3(c).....................  ...............               X   ...............  ...............
        Sec.   363.3(d).....................  ...............  ...............               X   ...............
        Sec.   363.3(e).....................  ...............  ...............               X   ...............
        Sec.   363.3(f).....................  ...............  ...............               X   ...............
        Sec.   363.3(g).....................  ...............  ...............               X   ...............
    Filing and Notice Requirements:
        Sec.   363.4(a).....................  ...............               X   ...............  ...............
        Sec.   363.4(b).....................  ...............               X   ...............  ...............
        Sec.   363.4(c).....................  ...............               X   ...............  ...............
        Sec.   363.4(d).....................               X   ...............  ...............  ...............
        Sec.   363.4(e).....................  ...............  ...............               X   ...............
        Sec.   363.4(f).....................  ...............  ...............               X   ...............
    Audit Committees:
        Sec.   363.5(a).....................  ...............               X   ...............  ...............
        Sec.   363.5(b).....................  ...............               X   ...............  ...............
        Sec.   363.5(c).....................  ...............  ...............               X   ...............
Appendix A to Part 363--Guidelines and
 Interpretations:
    Table of Contents.......................  ...............               X   ...............  ...............
    Introduction............................               X   ...............  ...............  ...............
    Scope (Sec.   363.1):
        Guideline 1.........................               X   ...............  ...............  ...............
        Guideline 2.........................               X   ...............  ...............  ...............
        Guideline 3.........................  ...............               X   ...............  ...............
        Guideline 4.........................  ...............               X   ...............  ...............
        Guideline 4A........................  ...............  ...............               X   ...............
    Annual Reporting Requirements (Sec.
     363.2):
        Guideline 5.........................  ...............               X   ...............  ...............
        Guideline 5A........................  ...............  ...............               X   ...............
        Guideline 6.........................  ...............               X   ...............  ...............
        Guideline 7.........................  ...............               X   ...............  ...............
        Guideline 7A........................  ...............  ...............               X   ...............
        Guideline 8.........................  ...............               X   ...............  ...............
        Guideline 8A........................  ...............  ...............               X   ...............
        Guideline 8B........................  ...............  ...............               X   ...............
        Guideline 8C........................  ...............  ...............               X   ...............
        Guideline 9.........................  ...............               X   ...............  ...............
        Guideline 10........................  ...............               X   ...............  ...............
        Guideline 11........................  ...............               X   ...............  ...............
        Guideline 12........................  ...............  ...............  ...............               X
    Role of Independent Public Accountant
     (Sec.   363.3):
        Guideline 13........................  ...............               X   ...............  ...............
        Guideline 14........................  ...............  ...............  ...............               X
        Guideline 15........................  ...............               X   ...............  ...............
        Guideline 16........................  ...............  ...............  ...............               X
        Guideline 17........................               X   ...............  ...............  ...............
        Guideline 18........................  ...............               X   ...............  ...............
        Guideline 18A.......................  ...............  ...............               X   ...............
        Guideline 19........................               X   ...............  ...............  ...............
        Guideline 20........................  ...............               X   ...............  ...............
        Guideline 21........................               X   ...............  ...............  ...............
    Filing and Notice Requirements (Sec.
     363.4):
        Guideline 22........................  ...............  ...............  ...............               X
        Guideline 23........................  ...............               X   ...............  ...............
        Guideline 24........................               X   ...............  ...............  ...............
        Guideline 25........................  ...............  ...............  ...............               X
        Guideline 26........................  ...............               X   ...............  ...............
    Audit Committees (Sec.   363.5):
        Guideline 27........................  ...............               X   ...............  ...............
        Guideline 28........................  ...............               X   ...............  ...............
        Guideline 29........................  ...............  ...............  ...............               X
        Guideline 30........................  ...............               X   ...............  ...............
        Guideline 31........................  ...............               X   ...............  ...............
        Guideline 32........................  ...............               X   ...............  ...............
        Guideline 33........................               X   ...............  ...............  ...............
        Guideline 34........................               X   ...............  ...............  ...............
        Guideline 35........................  ...............               X   ...............  ...............
    Other: Guideline 36                       ...............               X   ...............  ...............
Table 1 to Appendix A--Designated Federal     ...............               X   ...............  ...............
 Laws and Regulations.......................
Appendix B--Illustrative Management Reports.  ...............  ...............               X   ...............
----------------------------------------------------------------------------------------------------------------

    In response to its request for comments, the FDIC received 23 
comment letters that addressed the proposed amendments to part 363. 
These commenters represented 12 financial institutions; 3 bankers' 
trade organizations; 4 accounting firms; 1 accountants' trade 
organization; 1 State regulatory organization; and 2 law firms.
    Regarding the technical amendment to part 308, Subpart U, the FDIC 
did not receive any comments on its proposal to specify the location 
where an accountant or accounting firm should file required notices of 
orders and actions regarding removal, suspension, or debarment.
    With respect to the comments received on the proposed amendments to 
part 363, eight commenters expressed general support for the proposal, 
seven commenters were generally not supportive, and eight commenters 
did not express an overall view on the proposal. While comments were 
received on almost every aspect of the proposed amendments, no 
commenter specifically commented on each aspect.
However, eleven commenters expressed concerns regarding the regulatory 
burden associated with various aspects of the proposal. In addition, 
commenters expressed concerns about the following aspects of the 
proposed amendments:
    - Disclosure of noncompliance with the designated laws and 
      regulations,
    - Insured depository institution 
      percentage-of-consolidated-total-assets threshold for eligibility 
      to comply with part 363 at a holding company level,
    - Management's report on internal control over financial 
      reporting,
    - Independent public accountant's report on internal control 
      over financial reporting,
    - Independent public accountant's communications with audit 
      committees,
    - Time period for the retention of the independent public 
      accountant's working papers,
    - Independence standards applicable to independent public 
      accountants,
    - Filing requirement for and public availability of AICPA 
      peer review reports and PCAOB inspection reports on independent 
      public accountants,
    - Filing requirement for and public availability of audit 
      engagement letters, and
    - Audit committee member independence.

The following sections discuss the proposed amendments and the comments 
and concerns raised by the commenters, including the responses received 
on two specific aspects of the proposed amendments for which the FDIC 
specifically requested comments: (1) Disclosure of noncompliance with 
the designated safety and soundness laws and regulations pertaining to 
insider loans and dividend restrictions, and (2) the 75 percent of 
total assets threshold for eligibility to comply with the requirements 
of part 363 at the holding company level.

A. Scope and Definitions (Sec.  363.1 and Guidelines 1-4A)

1. Applicability
    The FDIC proposed to amend Sec.  363.1(a) to more clearly state 
that part 363 applies to any insured depository institution that has 
consolidated total assets of $500 million or more at the beginning of 
its fiscal year.
    One commenter that represents over 30 community banks recommended 
that the FDIC raise the asset size threshold from $500 million to $1 
billion for requiring compliance with part 363. In November 2005, when 
the FDIC increased the asset size threshold for assessments of internal 
control over financial reporting from $500 million to $1 billion, it 
concluded that exempting all institutions below this higher size level 
from all of the requirements of part 363 would not be consistent with 
the objective of the underlying statute, i.e., early identification of 
needed improvements in financial management. The Federal banking 
agencies rely upon financial information to evaluate the condition of 
insured depository institutions and to determine the adequacy of 
regulatory capital. Accurate and reliable measurement of an 
institution's loans, other assets, and earnings has a direct bearing on 
the determination of regulatory capital. The agencies are able to place 
greater reliance on measurements contained in financial statements that 
have been subject to an independent audit. Independent audits help to 
identify weaknesses in internal control over financial reporting and 
risk management at institutions and reinforce corrective measures, thus 
complementing supervisory efforts in contributing to the safety and 
soundness of insured depository institutions. Therefore, after 
considering this comment, the FDIC has determined that, except where a 
$1 billion or higher asset threshold already applies, the $500 million 
asset size threshold continues to be the appropriate level for 
requiring compliance with part 363.
2. Compliance by Subsidiaries of Holding Companies
    At present, an insured depository institution that is a subsidiary 
of a holding company may use consolidated holding company financial 
statements to satisfy the audited financial statements requirement of 
part 363 regardless of whether the assets of the insured depository 
institution subsidiary or subsidiaries of the holding company represent 
substantially all or only a minor portion of the holding company's 
consolidated total assets. When the assets of insured depository 
institution subsidiaries do not comprise a substantial portion of a 
holding company's consolidated total assets, the FDIC staff has found 
that the holding company's consolidated financial statements, including 
the accompanying notes to the financial statements, do not tend to 
provide sufficient information that is indicative of the financial 
position and results of operations of these institutions. Also, when 
the insured depository institution subsidiaries do not contribute 
significantly to the holding company's financial position and results 
of operations, the extent of audit coverage given to these institutions 
in the audit of the consolidated holding company may be limited. Such 
limited audit coverage would not be consistent with the purpose and 
intent of section 36 of the FDI Act, which focuses on insured 
depository institutions rather than holding companies. In this 
situation, the assurance that would be provided by an independent audit 
performed substantially at the level of the insured depository 
institution subsidiaries is not otherwise available.
    Therefore, given the differing characteristics of the holding 
companies that own insured depository institutions as well as the 
relationship of an insured depository institution's total assets to the 
consolidated total assets of its parent holding company, and in keeping 
with the intent and purpose of section 36 of the FDI Act, the FDIC 
proposed to amend Sec. Sec.  363.1(b)(1) and (2) by revising the 
criteria for determining whether the audited financial statements 
requirement and the other requirements of part 363 may be satisfied at 
a holding company level. More specifically, in order for a covered 
institution to be eligible to comply with the requirements of part 363 
at the top-tier or any other mid-tier holding company level, the FDIC 
proposed that the consolidated total assets of the insured depository 
institution (or the consolidated total assets of all of the holding 
company's insured depository institution subsidiaries, regardless of 
size, if the top-tier or mid-tier holding company owns or controls more 
than one insured depository institution) must comprise 75 percent or 
more of the consolidated total assets of the top-tier or mid-tier 
holding company. The FDIC believes that this percentage-of-assets 
threshold should ensure that the extent of independent audit work 
performed at the insured depository institution level is sufficient to 
satisfy the intent of section 36 of the FDI Act, that is, the early 
identification of needed improvements in financial management at 
insured institutions. The FDIC also believes that this threshold will 
continue to provide flexibility to the vast majority of covered 
institutions that are part of a holding company structure with respect 
to the level at which they may comply with part 363.
    When determining an appropriate percentage-of-assets threshold for 
compliance with part 363 at a holding company level, the FDIC 
considered the range of percentage-of-assets ratios for covered 
institutions that are part of a holding company structure. The vast 
majority of insured institutions subject to part 363 that are in a 
holding company structure are subsidiaries of organizations where the 
assets of the insured depository institution
subsidiaries of the holding company comprise 90 percent or more of the 
holding company's consolidated total assets. Of the remaining 
institutions subject to part 363 that are in a holding company 
structure, most are subsidiaries of organizations where the assets of 
the insured institutions comprise either from 75 to 90 percent or less 
than 25 percent of the top-tier parent company's consolidated total 
assets. Smaller numbers of institutions are subsidiaries of 
organizations where the assets of the insured institutions comprise 
from 25 to 50 percent or from 50 to 75 percent of the top-tier parent 
company's consolidated total assets. However, in a number of cases 
where the insured institution subsidiaries comprise less than 75 
percent of the top-tier holding company's consolidated total assets, 
the insured institution subsidiaries that are subject to part 363 
currently comply with the regulation at a mid-tier holding company 
level where the assets of the insured institution subsidiaries comprise 
90 percent or more of the mid-tier holding company's consolidated total 
assets. Thus, these institutions would not need to change how they 
comply with part 363 in response to the establishment of the proposed 
75 percent threshold, provided they continue to comply at the same 
mid-tier holding company level and this holding company continues to meet 
the 75 percent threshold.
    To assist it in considering the costs and benefits of a threshold, 
the FDIC specifically requested comment as to whether 75 percent or 
more of consolidated total assets is an appropriate threshold. Six 
commenters expressed views that the 75 percent threshold is reasonable, 
is in the public's best interest, and provides ease of application 
while obtaining appropriate audit coverage of the insured depository 
institutions.
    Three commenters were opposed to the proposed 75 percent threshold. 
These commenters expressed the following concerns:
     The goal is reasonable but the proposed 75 percent 
threshold may not be appropriate. Instead, lower the threshold and 
require institutions that are below the threshold to consult with the 
FDIC prior to reporting at the holding company level.
     Compliance at the holding company level should not be 
dependent on the aggregate size of the subsidiary insured depository 
institutions relative to the holding company.
     Institutions should have until the end of their first full 
fiscal year after the FDIC promulgates the final rule to comply with 
the proposed change.
     The 75 percent threshold is arbitrary and may result in 
treating very similar institutions differently. An objectives-based 
approach should be used.

The FDIC continues to recognize that those institutions currently 
complying with part 363 at the holding company level that will not meet 
the proposed 75-percent-of-consolidated-total-assets threshold will 
incur additional costs from having to comply with the regulation at the 
institution level or at a suitable mid-tier holding company level. 
Requiring institutions that do meet the 75 percent threshold, or a 
lower percentage threshold, to consult with the FDIC prior to reporting 
at a holding company level would add a new element of regulatory burden 
and would neither provide certainty nor contribute to the ease of 
application of the 75 percent threshold. The FDIC has concluded that 
the 75-percent-of-assets threshold strikes an appropriate balance 
between insured institution financial data and audit coverage and the 
cost of compliance with part 363.
    The FDIC agrees with the comment that institutions that currently 
report at the holding company level, but do not meet the 75-percent-of-
consolidated-total-assets threshold, should be afforded sufficient time 
to comply with this new requirement. Accordingly, the FDIC has decided 
to delay the effective date for implementing this threshold until 
fiscal years ending on or after June 15, 2010. Thus, for fiscal years 
ending on or before June 14, 2010, all insured depository institutions 
may continue to satisfy the audited financial statements requirement of 
part 363 at a holding company level whether or not the institution's 
consolidated total assets (or the consolidated total assets of all of 
its parent holding company's insured institutions) comprise 75 percent 
or more of the holding company's consolidated total assets at the 
beginning of the fiscal year.
    Guideline 3 to part 363, Compliance by Holding Company 
Subsidiaries, states that when a holding company submits audited 
consolidated financial statements and other reports or notices required 
by part 363 on behalf of any subsidiary institution, an accompanying 
cover letter should identify all subsidiary institutions to which the 
statements, reports, or other notices pertain. Because many cover 
letters received by the FDIC have not sufficiently identified these 
subsidiary institutions, the FDIC proposed to amend guideline 3 to 
clarify what information should be included in the cover letter. No 
comments were received on this aspect of the proposal.
3. Financial Reporting
    The FDIC proposed to add a new Sec.  363.1(c) and a new guideline 
4A, Financial Reporting, to specify that ``financial reporting'' 
includes both financial statements prepared in accordance with 
generally accepted accounting principles and those prepared for 
regulatory reporting purposes. Also, as proposed, guideline 4A 
clarifies that financial statements prepared for regulatory reporting 
purposes consist of the schedules equivalent to the basic financial 
statements that are included in an institution's appropriate regulatory 
report and that financial statements prepared for regulatory reporting 
purposes do not include regulatory reports prepared by a non-bank 
subsidiary of a holding company or an institution.
    One commenter recommended that the FDIC further clarify the 
definition of financial reporting for purposes of part 363 to more 
clearly align it with current reporting practices. This commenter also 
stated that, when reporting at a holding company level, ``regulatory 
reporting'' would not extend to assertions about internal control over 
financial reporting at the subsidiary institution level. Another 
commenter, an accountants' trade organization, stated that the proposed 
amendment seems to imply that institutions' regulatory reports may not 
be prepared in conformity with generally accepted accounting principles 
(GAAP). This commenter recommended that the FDIC clarify the definition 
of financial reporting to state that both financial statements and the 
regulatory reports be prepared in accordance with GAAP to make it 
consistent with current practice.
    While the FDIC believes that the proposed amendments are consistent 
with explanatory guidance it issued on this subject in December 
1994,\2\ the FDIC has decided to modify the proposed definition of 
financial reporting set forth in Sec.  363.1(c) and guideline 4A, 
Financial Reporting, to state more clearly that, when reporting at a 
holding company level, it includes the financial statements and 
regulatory reports of an institution's holding company. The modified 
definition would also state that, for recognition and measurement 
purposes, regulatory reporting requirements shall conform to GAAP.
---------------------------------------------------------------------------

    \2\ See FDIC Financial Institution Letter (FIL) 86-94, dated 
December 23, 1994.

---------------------------------------------------------------------------

4. Definitions
    The FDIC proposed to add Sec.  363.1(d), Definitions, to define 
several common terms used in part 363 and the guidelines and received 
no comments on these definitions.

B. Annual Reporting Requirements (Sec.  363.2 and Guidelines 5-12)

1. Audited Financial Statements
    Consistent with sound management practices and the objective of 
internal control over financial reporting, the FDIC proposed to amend 
Sec.  363.2(a) to require that the annual financial statements reflect 
all material correcting adjustments identified by the independent 
public accountant. Financial statements issued by insured depository 
institutions that are public companies or by their parent holding 
companies that are public companies are already subject to such a 
requirement pursuant to section 401 of SOX. The FDIC believes this 
requirement should also apply to institutions subject to part 363 that 
are not public companies.
    In response to a commenter's recommendation, the FDIC revised this 
proposed requirement to provide additional context regarding the phrase 
``material correcting adjustments identified by the independent public 
accountant'' by explaining that these adjustments should be those that 
are necessary for the financial statements to conform with GAAP.
2. Part 363 Management Report Contents
    The FDIC has noted differences in the content of the management 
reports included in Part 363 Annual Reports and the adequacy of the 
information in these management reports regarding the results of 
management's assessments of the effectiveness of internal control over 
financial reporting and compliance with the laws and regulations 
pertaining to insider loans and dividend restrictions. Identified 
material weaknesses in internal control over financial reporting and 
instances of noncompliance with insider lending requirements and 
dividend restrictions have not always been disclosed.
    In addition, management's assessment of internal control over 
financial reporting has often failed to disclose the internal control 
framework used to perform the assessment of the effectiveness of these 
controls and to clearly state whether controls over the preparation of 
the regulatory financial statements have been included within the scope 
of management's assessment. The omission of this information from an 
institution's management report reduces the usefulness of the report as 
a means of identifying needed improvements in financial management, 
which is the objective of section 36 of the FDI Act. The regulations 
adopted by the Securities and Exchange Commission (SEC) in 2003 
implementing the requirement in section 404 of SOX for a management 
report on internal control over financial reporting require management 
to identify the internal control framework it used to evaluate the 
effectiveness of these controls and to disclose any identified material 
weakness.
    To provide clearer guidance on the information that should be 
included in the management report, the FDIC proposed to expand Sec.  
363.2(b) to require management's assessment of compliance with the laws 
and regulations pertaining to insider loans and dividend restrictions 
to include a clear statement as to management's conclusion regarding 
compliance and to disclose any noncompliance with such laws and 
regulations. In addition, the proposed amendment to Sec.  363.2(b) 
would require management's assessment of internal control over 
financial reporting to identify the internal control framework that 
management used to make its evaluation, include a statement that the 
evaluation included controls over the preparation of regulatory 
financial statements, include a clear statement as to management's 
conclusion regarding the effectiveness of internal control over 
financial reporting, disclose all material weaknesses identified by 
management, and preclude management from concluding that internal 
control over financial reporting is effective if there are any material 
weaknesses.
    The FDIC specifically requested comment as to whether the 
disclosure in the management report of instances of noncompliance with 
the laws and regulations pertaining to insider loans and dividend 
restrictions should be made available for public inspection or be 
designated as privileged and confidential and not be made available to 
the public by the FDIC. Three commenters supported public availability 
only for disclosures of ``material'' noncompliance and twelve 
commenters were not supportive of public availability of disclosures of 
noncompliance. These commenters were concerned that minor errors may be 
mistaken for a systemic compliance failure and stated that 
noncompliance should be addressed through the examination process.
    The FDIC has considered these comments and notes that all insured 
depository institutions, regardless of size, are required to comply 
with the designated safety and soundness laws and regulations that deal 
with insider loans and dividend restrictions. Moreover, these laws and 
regulations have not substantially changed since part 363 was first 
implemented in 1993. Thus, well before an insured depository 
institution reaches $500 million in total assets and becomes subject to 
part 363, it should already have appropriate policies, procedures, 
controls, and systems in place to monitor insider lending activities 
and assess its dividend-paying capacity and thereby ensure compliance 
with the safety and soundness laws and regulations in these two 
designated areas. Public availability of disclosures of instances of 
noncompliance with these designated laws and regulations should act as 
a further stimulus to management's efforts to ensure that its policies, 
procedures, controls, and systems are sound and operating effectively. 
Therefore, the FDIC has concluded that, to reinforce the importance of 
management's responsibility for complying with the laws and regulations 
pertaining to insider loans and dividend restrictions, instances of 
noncompliance with these laws and regulations should be disclosed in 
management's assessment (that is included in the management report) and 
made available to the public.
    Nevertheless, based on the comments it received on this issue, the 
FDIC believes it would be useful to provide further guidance regarding 
disclosure of noncompliance with the designated safety and soundness 
laws and regulations. Accordingly, the FDIC is adding guideline 8C, 
Management's Disclosure of Noncompliance with Designated Laws and 
Regulations, to Appendix A to part 363. This guideline states that 
management is not required to specifically identify the individual or 
individuals (e.g., officers or directors) who were responsible for or 
were the subject of any such noncompliance and provides general 
parameters for making the disclosure. For example, the disclosure 
should include appropriate qualitative and quantitative information to 
describe the nature, type, and severity of the noncompliance. Also, 
similar instances of noncompliance may be aggregated.
    While the majority of commenters did not comment on the proposed 
revisions applicable to management's report on internal control over 
financial reporting, four commenters expressed concerns or made 
recommendations as follows:
     The report is not necessary, its costs exceed the benefits 
derived, and it is difficult for small community banks to
recruit personnel with the level of training and experience necessary 
to implement the accounting and reporting rules.
     Consider a ``delayed phase-in'' of the requirements for 
assessing internal control over financial reporting similar to the 
phase-in utilized by the SEC in its rules implementing section 404 of 
SOX.
     Raise the asset size threshold for this requirement from 
$1 billion to $3 billion to ease regulatory burden.
     The requirement to disclose all identified material 
weaknesses in internal control over financial reporting in management's 
report should be clarified as to whether the disclosure covers all 
identified material weaknesses, regardless of their status as of the 
institution's fiscal year-end, or only those in existence as of the end 
of the fiscal year that have not been remediated prior to that date.
    Management has been required to assess and report on the 
effectiveness of an institution's internal control over financial 
reporting since part 363 was first implemented in 1993. In November 
2005, when the FDIC increased the asset size threshold for internal 
control assessments from $500 million to $1 billion, it concluded, and 
continues to believe, that the $1 billion asset size threshold is 
appropriate for requiring assessments and reports on internal control 
over financial reporting. Therefore, the FDIC has decided to retain the 
$1 billion asset size threshold for requiring assessments and reports 
on internal control over financial reporting. Also, for the reasons 
previously stated, the FDIC does not believe that a ``delayed phase-
in'' of the requirement for assessing and reporting on internal control 
over financial reporting is necessary or appropriate. Moreover, a 
phase-in of the requirement for management to assess and report on 
internal control over financial reporting in effect already exists 
because this requirement takes effect only when an institution's total 
assets exceed $1 billion, not when the institution first becomes 
subject to the other audit and reporting requirements of section 36 and 
part 363 when its assets reach $500 million.
    With respect to management's reporting on the material weaknesses 
it has identified in the management report component of its Part 363 
Annual Report, the FDIC notes that section 36 of the FDI Act requires 
management to perform an assessment of internal control over financial 
reporting as of year-end. Therefore, to clarify management's reporting 
responsibility, the FDIC has revised Sec.  363.2(b)(3)(iii) to explain 
that management must disclose all material weaknesses in internal 
control over financial reporting that it has identified and that have 
not been remediated prior to the end of the institution's fiscal year.
    Because part 363 and its guidelines provide only limited guidance 
concerning the contents of the management report and the related 
signature requirements for this report, institutions and auditors have 
expressed interest in examples of acceptable reports. Therefore, to 
assist managements of insured depository institutions in complying with 
the annual reporting requirements of Sec.  363.2, the FDIC proposed to 
add Appendix B to Part 363--Illustrative Management Reports. Appendix B 
provides guidance regarding reporting scenarios that satisfy the annual 
reporting requirements of part 363, illustrative management reports, 
and an illustrative cover letter for use when an institution complies 
with the annual reporting requirements at the holding company level. 
The FDIC also states in Appendix B that the use of the illustrative 
management reports and cover letter is not required. The FDIC 
encourages the managements of insured depository institutions to tailor 
the wording of their management reports to fit their particular 
circumstances, especially when reporting on material weaknesses in 
internal control over financial reporting or noncompliance with 
designated laws and regulations.
    Two commenters stated that the illustrative management reports are 
helpful and will mitigate regulatory burden. Another commenter 
suggested that the illustrative management reports would be better 
suited in an accounting and auditing guide that could be updated 
regularly to reflect changes in professional standards or other 
requirements that would affect these reports and that the accounting 
and auditing guide could illustrate the differences in reporting under 
AICPA and PCAOB standards. This commenter also stated that the 
illustrative management report on internal control over financial 
reporting at the holding company level is inconsistent with current 
practice and that it does not clearly and appropriately describe the 
scope of the internal control assessments by management or the 
independent public accountant. This commenter added that the language 
in the illustrative management report on internal control at the 
holding company level does not make it clear to a reader whether 
management has separately assessed the effectiveness of internal 
control over financial reporting at each subsidiary institution listed 
in the report.
    The FDIC has considered this commenter's suggestion that the 
illustrative management reports would be better suited in an accounting 
and auditing guide. In this regard, the FDIC notes that auditing and 
attestation standards require auditors to evaluate the elements that 
management is required to present in its report on its assessment of 
internal control over financial reporting, but these standards do not 
fully address the requirements of part 363 for management reports on 
internal control nor do they provide guidance to management regarding 
the preparation of management reports for part 363 purposes. Given the 
varying degrees of familiarity of institution management with 
professional auditing and attestation standards as well as the lack of 
availability of illustrative management reports that satisfy the 
requirements of part 363, the FDIC has determined that the illustrative 
management reports should be provided in Appendix B to part 363. 
However, in response to this commenter's statements concerning the 
illustrative management reports on internal control over financial 
reporting at the holding company level, the FDIC has revised the text 
of these illustrative management reports, which are presented in 
sections 5(c) and (d) and 6(b) of Appendix B. More specifically, the 
sample text in these illustrative reports that identifies the 
subsidiary institutions that are subject to part 363 has been revised 
by removing the language stating that these institutions are included 
in the scope of management's assessment of internal control over 
financial reporting. The FDIC believes that the revised illustrative 
management reports on internal control over financial reporting at the 
holding company level are consistent with current practices and 
professional auditing and attestation standards.
    Regarding management's responsibility for assessing compliance with 
the laws and regulations pertaining to insider loans and dividend 
restrictions, the FDIC proposed to revise and update Table 1 to 
Appendix A of part 363 to reflect changes in these laws and regulations 
that have occurred since this table was last revised in 1997. The FDIC 
received no comments on the revised and updated Table 1.
3. Management Report Signatures
    Section 36(b)(2) of the FDI Act requires an institution's 
management report to be signed by the chief executive officer and the 
chief accounting officer or chief financial
officer. In its reviews of management reports, the FDIC has noted that 
these reports are often not signed by the officers at the appropriate 
corporate level when the audited financial statements requirement is 
satisfied at the holding company level or when one or more of the 
components of the management report is satisfied at the holding company 
level and the remaining components of the management report are 
satisfied at the insured depository institution level. Therefore, the 
FDIC proposed to add Sec.  363.2(c) to specify which corporate officers 
must sign the management report and also the level of the corporate 
signers (i.e., insured depository institution level or the holding 
company level). No comments were received on this aspect of the 
proposal.
4. Institutions Merged Out of Existence
    To reduce regulatory burden and provide certainty for merging 
institutions, the FDIC proposed to add guideline 5A, Institutions 
Merged Out of Existence, to explicitly provide relief from filing a 
Part 363 Annual Report for an institution that is merged out of 
existence after the end of its fiscal year, but before the deadline for 
filing its Part 363 Annual Report. However, a covered institution that 
is acquired after the end of its fiscal year, but retains its separate 
corporate existence rather than being merged out of existence, would 
continue to be required to file a Part 363 Annual Report for that 
fiscal year. Three commenters commented in support of this aspect of 
the proposal, one of whom stated that the proposed amendment will 
reduce both regulatory burden and uncertainty.
5. Management's Assessment of the Effectiveness of Internal Control 
Over Financial Reporting
    The FDIC has publicly advised institutions with $1 billion or more 
in total assets that are public companies or subsidiaries of public 
companies that they have considerable flexibility in determining how 
best to satisfy the SEC's requirements for management's assessment of 
internal control over financial reporting, which implement section 404 
of SOX, and the FDIC's requirements in part 363.\3\ The reporting 
flexibility available to institutions subject to both the section 404 
and the part 363 requirements was initially described in the preamble 
to the SEC's section 404 final rule release (68 FR 36642, June 18, 
2003). This final rule release explained that the flexible reporting 
approach described in the preamble had been developed by the SEC staff 
in consultation with the staff of the Federal banking agencies. To 
codify this reporting flexibility in part 363, the FDIC proposed to add 
guideline 8A, Management's Assessment of the Effectiveness of Internal 
Control Over Financial Reporting. For an institution with $1 billion or 
more in total assets that is subject to both part 363 and the SEC's 
rules implementing section 404 of SOX (or whose parent holding company 
is subject to section 404 and the condition in Sec.  363.1(b)(2) is 
met), the proposed guideline describes two options for complying with 
the filing requirements regarding management's report on internal 
control over financial reporting. These options are to prepare (1) two 
separate reports, one to satisfy the FDIC's part 363 requirements and 
another to satisfy the SEC's section 404 requirements, or (2) a single 
report that satisfies all of the FDIC's part 363 requirements and all 
of the SEC's section 404 requirements. No comments were received on 
proposed new guideline 8A.
---------------------------------------------------------------------------

    \3\ 70 FR 71231, November 28, 2005; 70 FR 44295, August 2, 2005; 
FDIC Financial Institution Letter (FIL) 137-2004, December 21, 2004.
---------------------------------------------------------------------------

6. Internal Control Reports for Acquired Businesses
    Currently, under the reporting requirements of part 363, both 
management's and the independent public accountant's evaluation of an 
institution's internal control over financial reporting must include 
controls at an institution in its entirety, including all of its 
consolidated businesses, including businesses that were recently 
acquired. However, like the SEC staff, the FDIC recognizes that it may 
not always be possible for management to conduct an evaluation of the 
internal control over financial reporting of an acquired business in 
the period between the consummation date of the acquisition and the due 
date of management's internal control evaluation. The SEC staff has 
provided guidance to public companies stating that the staff would not 
object to the exclusion of the acquired business from management's 
evaluation of internal control over financial reporting, provided 
certain disclosures are made and other conditions are met.\4\ The FDIC 
has received and granted several written requests from institutions 
subject to the internal control reporting requirements of part 363 to 
exclude recently acquired businesses from the scope of management's 
internal control evaluation.
---------------------------------------------------------------------------

    \4\ See Question 3 in the SEC staff's Frequently Asked Questions 
on Management's Report on Internal Control Over Financial Reporting 
and Certification of Disclosure in Exchange Act Periodic Reports at 
http://www.sec.gov/info/accountants/controlfaq1004.htm.
---------------------------------------------------------------------------

    To reduce regulatory burden, including the burden of submitting 
written requests to the FDIC, and provide certainty to institutions, 
the FDIC proposed to add guideline 8B, Internal Control Reports for 
Acquired Businesses, to explicitly provide relief from the reporting 
requirements regarding internal control over financial reporting 
related to business acquisitions made by an institution during its 
fiscal year. As proposed and consistent with the SEC staff's guidance, 
guideline 8B would permit management's evaluation of internal control 
over financial reporting to exclude internal control over financial 
reporting for the acquired business, provided management's report 
identifies the acquired business, states that the acquired business is 
excluded from management's evaluation of internal control over 
financial reporting, and indicates the significance of the acquired 
business to the institution's consolidated financial statements. Also, 
proposed guideline 8B would clarify that if the acquired business is an 
insured depository institution that is subject to part 363 and it is 
not merged out of existence before the deadline for filing its Part 363 
Annual Report, the acquired business (institution) must continue to 
comply with all of the applicable requirements of part 363. One 
commenter commented on this aspect of the proposal and supported the 
amendment as proposed, stating that it will reduce both regulatory 
burden and uncertainty.
7. Standards for Internal Control
    At present, guideline 10, Standards for Internal Control, provides 
that each institution should determine its own standards for 
establishing, maintaining, and assessing the effectiveness of its 
internal control over financial reporting, but it does not describe the 
characteristics of a suitable internal control framework. The FDIC 
proposed to amend guideline 10 to provide guidance regarding the 
attributes of a suitable internal control framework. The proposed 
attributes are consistent with the attributes the SEC described in the 
preamble to the SEC's section 404 final rule release (68 FR 36648, June 
18, 2003). The FDIC believes that a framework with these attributes is 
appropriate for all institutions whether or not they are public 
companies. No comments were received on this aspect of the proposal.

C. Independent Public Accountant (Sec.  363.3 and Guidelines 13-21)

1. Internal Control Over Financial Reporting
    As with its experience in reviewing the portion of the management 
report in which management provides its assessment of the effectiveness 
of the institution's internal control over financial reporting, the 
FDIC has found some independent public accountants' internal control 
attestation reports to be less than sufficiently informative. Such 
attestation reports are, therefore, inconsistent with the objectives of 
section 36 of the FDI Act. As a consequence, the FDIC proposed to amend 
Sec.  363.3(b), which governs the independent public accountant's 
report on internal control over financial reporting, to specify that, 
consistent with generally accepted standards for attestation 
engagements, the Public Company Accounting Oversight Board's (PCAOB) 
auditing standards, and related PCAOB staff implementation guidance, 
the accountant's report must:
     Not be dated prior to the date of management's report on 
its assessment of the effectiveness of internal control over financial 
reporting;
     Identify the internal control framework that the 
accountant used to make the evaluation (which must be the same as the 
internal control framework used by management);
     Include a statement that the accountant's evaluation 
included controls over the preparation of regulatory financial 
statements;
     Include a clear statement as to the accountant's 
conclusion regarding the effectiveness of internal control over 
financial reporting;
     Disclose all material weaknesses identified by the 
accountant; and
     Conclude that internal control is ineffective if there are 
any material weaknesses.
    The FDIC also proposed to amend guideline 18, Attestation Report, 
to be consistent with Sec.  363.3(b)(2) by reiterating that the 
attestation report on internal control over financial reporting should 
include a statement as to regulatory reporting.
    The majority of commenters did not comment on the independent 
public accountant's report on internal control over financial 
reporting. However, four commenters expressed concerns or made 
recommendations as follows:
     Since the AICPA Auditing Standards Board's proposed 
revisions to the attestation standards for nonpublic companies will 
likely be similar to the requirements for public companies, and based 
upon the experiences of public companies complying with SOX 404, the 
requirement for the independent public accountant to examine, attest 
to, and report on management's assertion concerning internal control 
over financial reporting for both GAAP and regulatory reporting 
purposes will be too costly. Instead of having the accountant examine 
internal control, banking regulators should assess the adequacy of 
internal control over financial reporting as part of the examination 
process.
     The requirements that the independent public accountant's 
report on internal control over financial reporting identify the 
internal control framework used, state that the evaluation included 
controls over the preparation of regulatory financial statements, 
express the accountant's conclusion as to whether internal control is 
effective, and disclose all material weaknesses can be deleted because 
they are already addressed by the AICPA and PCAOB standards. The rule 
should instead refer to the professional auditing and attestation 
standards.
     The FDIC should consider a delayed phase-in of the 
requirement for the independent public accountant to assess internal 
control over financial reporting similar to the phase-in set forth in 
the SEC's rules implementing SOX 404.
     The requirement to disclose material weaknesses in 
internal control over financial reporting in the independent public 
accountant's report should be clarified as to whether the disclosure 
covers all identified material weaknesses, regardless of their status 
as of the institution's fiscal year-end, or only those in existence as 
of the end of the fiscal year that have not been remediated prior to 
that date, which is the disclosure requirement in the professional 
auditing and attestation standards.
    Independent public accountants have been required to examine, 
attest to, and report on management's assertion concerning the 
effectiveness of an institution's internal control over financial 
reporting since part 363 was first implemented in 1993. This 
requirement is also set forth in section 36 of the FDI Act. In November 
2005, the FDIC increased the asset size threshold for internal control 
assessments from $500 million to $1 billion for both management and the 
independent public accountant. At that time, the FDIC noted that recent 
and impending changes to the auditing and attestation standards 
governing internal control assessments that were making them more 
robust had and would continue to increase the cost and burden of the 
audit and reporting requirements of part 363. The FDIC concluded then 
that the increase to a $1 billion asset size threshold for requiring 
assessments and reports on internal control over financial reporting 
achieved an appropriate balance between burden reduction and 
maintaining safety and soundness for institutions subject to part 363. 
The FDIC continues to believe today that $1 billion remains a suitable 
size threshold for internal control assessments. Also, for the reasons 
previously stated in Section III.B.2, the FDIC does not believe that a 
``delayed phase-in'' of the requirement for the independent public 
accountant to report on management's assertion regarding internal 
control over financial reporting is necessary or appropriate. 
Additionally, the FDIC notes that under the SEC's most recent 
amendments, a non-accelerated filer need not file the auditor's 
attestation report on internal control over financial reporting until 
it files an annual report for a fiscal year ending on or after December 
15, 2009. Since part 363 has long required such internal control 
audits, the FDIC believes that it would be contrary to the objectives 
of section 36 of the FDI Act to allow institutions subject to part 363 
with $1 billion or more in total assets, that are not accelerated 
filers or subsidiaries of accelerated filers for Federal securities law 
purposes, to discontinue undergoing assessments of the effectiveness of 
their internal control over financial reporting by their external 
auditors until the SEC requires such audits for non-accelerated filers.
    In response to the comments regarding the disclosure of material 
weaknesses in internal control over financial reporting, the FDIC has 
revised Sec.  363.3(b)(3) to clarify that the independent auditor's 
internal control report must disclose all material weaknesses that the 
independent auditor has identified and that have not been remediated 
prior to the end of the institution's fiscal year.
    The FDIC has considered the suggestion that the rule be revised to 
refer to the existing standards of the auditing standard setters rather 
than including specific requirements in the rule. In this regard, both 
the current and proposed rule state that the independent public 
accountant's attestation and report on internal control over financial 
reporting shall be made in accordance with generally accepted standards 
for attestation engagements. However, as previously noted, the FDIC has 
found some independent public accountants' internal control attestation 
reports to be less than sufficiently informative, and
given the varying degrees of familiarity of institution management and 
audit committee members with professional auditing standards, the FDIC 
has decided to retain the specific requirements set forth in the 
proposed rule. The FDIC also believes that including these requirements 
in the proposed rule will assist audit committee members in the 
performance of their duties regarding the oversight of the external 
auditor. However, the FDIC has revised Sec.  363.3(b) to clarify that 
the auditor's report on internal control over financial reporting 
should satisfy the requirements set forth in both part 363 and 
applicable professional standards. In this regard, and consistent with 
guidance the FDIC issued in February 2008,\5\ the FDIC has also revised 
Sec.  363.3(b) and added guideline 18A to clarify that the attestation 
report on internal control over financial reporting may be made in 
accordance with the PCAOB's auditing standards even if the institution 
is a nonpublic company or a subsidiary of a nonpublic company.
---------------------------------------------------------------------------

    \5\ See FDIC Financial Institution Letter (FIL) 5-2008, dated 
February 1, 2008.
---------------------------------------------------------------------------

2. Communications With Audit Committee
    According to section 204 of SOX, an accountant who audits a public 
company's financial statements should report on a timely basis to the 
company's audit committee: (1) All critical accounting policies, (2) 
alternative accounting treatments discussed with management, and (3) 
written communications provided to management, such as a management 
letter or schedule of unadjusted differences. The FDIC has encouraged 
institutions, regardless of whether they are public companies, to 
arrange with their accountant to institute these reporting 
practices.\6\ Requirements that are similar, but not identical, to 
those set forth in section 204 apply to accountants who audit the 
financial statements of entities that are not public.\7\ Therefore, 
consistent with current best practices and standards for audits of both 
public and non-public entities, the FDIC proposed to amend part 363 by 
adding Sec.  363.3(d), Communications with audit committee, to set a 
uniform minimum requirement for such communication. As proposed, Sec.  
363.3(d) would require the independent public accountant to report the 
information identified in section 204 of SOX to the audit committee.
---------------------------------------------------------------------------

    \6\ See FDIC Financial Institution Letter (FIL) 17-2003, dated 
March 5, 2003.
    \7\ See Statement on Auditing Standards No. 114, The Auditor's 
Communication With Those Charged With Governance, December 2006.
---------------------------------------------------------------------------

    While the majority of commenters did not comment on the independent 
public accountant's communications with audit committees, three 
commenters expressed the following concerns:
     The communication requirements for auditors of nonpublic 
entities are included in the AICPA's standards and those for auditors 
of public companies are established by the PCAOB and the SEC. Rather 
than memorializing these communication requirements in the rule, refer 
to the existing standards of the AICPA, the PCAOB, and the SEC.
     The proposed amendments overlap the requirements of the 
AICPA standards and do not align with the communication required by SEC 
rules and regulations and may cause confusion as to the required 
communications. The requirements should either be removed in their 
entirety or clarified and aligned.
     SOX practices and principles regarding audit committee 
communications should be restricted to publicly held banks.
     Auditors should not be required to report critical 
accounting policies, alternative accounting treatments, and schedules 
of unadjusted differences to the audit committee. Management should 
have discretion as to whether these communications should be reported 
to the audit committee.
    The FDIC has considered the concerns raised by the commenters, 
including the suggestion that the rule be revised to refer to the 
existing standards of the auditing standard setters (AICPA, PCAOB, and 
SEC) rather than including specific requirements in the rule. Although 
the existing auditing standards for both public and nonpublic companies 
set forth the requirements for the independent public accountant's 
communications with audit committees, the FDIC believes that, given the 
varying degrees of familiarity of audit committee members with 
professional auditing standards, setting forth the requirements for the 
auditor's communications with audit committees in the proposed rule 
will assist audit committee members in the performance of their duties 
regarding the oversight of the external auditor. Therefore, the FDIC 
has decided to retain the requirements set forth in the proposed rule. 
However, the FDIC has revised Sec.  363.3(d) to clarify that the 
auditor should satisfy the audit committee communication requirements 
set forth in both part 363 and applicable professional standards. Also, 
based on its review of the professional standards regarding auditors' 
communications with audit committees, the FDIC believes that the 
revised requirements in the proposed rule are consistent with the 
existing professional standards.
3. Retention of Working Papers
    Section 36(g)(3)(A) of the FDI Act states that an independent 
public accountant who performs audit services required by section 36 
must agree to provide related working papers to the FDIC, any 
appropriate Federal banking agency, and any State bank supervisor. The 
SEC's rules and the auditing standards for public companies specify a 
7-year retention period for audit working papers while the auditing 
standards for nonpublic companies provide that the retention period for 
audit working papers should not be shorter than five years.\8\ The FDIC 
believes that a uniform retention period should apply to audits of all 
institutions subject to part 363. Accordingly, the FDIC proposed to 
amend part 363 by adding Sec.  363.3(e), Retention of working papers. 
As proposed, Sec.  363.3(e) would require the independent public 
accountant to retain the working papers related to its audit of the 
financial statements and, if applicable, its evaluation of internal 
control over financial reporting for seven years.
---------------------------------------------------------------------------

    \8\ See Rule 2-06 of the SEC's Regulation S-X, the PCAOB's 
Auditing Standard No. 3, Audit Documentation, June 2004, and the 
AICPA's Statement on Auditing Standards No. 103, Audit 
Documentation, December 2005.
---------------------------------------------------------------------------

    One commenter stated that the five-year retention period specified 
by the AICPA's auditing standards is appropriate for nonpublic 
companies. Another commenter was concerned that the proposed seven-year 
retention period may cause extra burden and expense for independent 
public accountants of nonpublic institutions.
    Under section 36 and part 363, the requirement for institutions to 
undergo audits of their financial statements and, if applicable, 
assessments of their internal control over financial reporting does not 
depend on whether they are public or nonpublic companies. Thus, the 
FDIC believes that the retention requirement for the working papers 
associated with auditors' performance of these services should also be 
independent of whether institutions are public or nonpublic companies. 
In this regard, the FDIC notes that the AICPA's auditing standards for 
nonpublic companies acknowledge that working paper retention periods 
may exceed five years. After considering the comments, the FDIC 
continues to believe that a uniform retention period for audit working 
papers should apply to all institutions subject to part 363. Therefore, 
the FDIC has decided to
retain the proposed seven-year retention period for working papers 
related to audits of financial statements and evaluations of internal 
control over financial reporting.
4. Independence
    Section 36 of the FDI Act states that an ``independent public 
accountant'' must perform the audit and attestation services required 
by section 36 but it does not define ``independent,'' leaving this to 
the FDIC's rulemaking authority. As adopted by the FDIC in 1993, part 
363 includes guideline 14, Independence, which identifies the 
independence standards applicable to accountants performing services 
under section 36 and part 363. This guideline specifies that the 
independent public accountant must comply with the independence 
standards applicable to audits of both nonpublic and public companies. 
In 2003, the agencies jointly issued rules of practice to implement the 
enforcement provisions of section 36(g)(4), which authorize the FDIC or 
an appropriate Federal banking agency to remove, suspend, or bar an 
accountant, for good cause, from performing audit and attestation 
services for institutions subject to section 36 and part 363.\9\ To 
enhance the enforceability of the independence standards with which an 
accountant must comply for purposes of part 363, the FDIC proposed to 
move the independence requirements for independent public accountants 
from guideline 14, Independence, to new Sec.  363.3(f), Independence. 
As proposed, Sec.  363.3(f) would retain the original independence 
concept of part 363, i.e., auditor compliance with the independence 
standards applicable to both nonpublic and public company audits, by 
clarifying that the independent public accountant must comply with the 
independence standards and interpretations of the PCAOB for audits of 
public companies that have been approved by the SEC in addition to the 
independence standards and interpretations of the AICPA and the SEC.
---------------------------------------------------------------------------

    \9\ 68 FR 48256, August 13, 2003.
---------------------------------------------------------------------------

    Two commenters stated that the proposed amendment with its explicit 
reference to compliance with the PCAOB's independence standards 
represents a best practice and that the coordination of the 
independence standards in part 363 with the independence standards of 
the AICPA, the SEC, and the PCAOB will reduce uncertainty. 
Nevertheless, one commenter recommended that the FDIC clarify whether 
an independent public accountant should (a) comply with the most 
restrictive independence requirement addressing a particular matter or 
(b) comply with the independence requirements that pertain only to 
public companies. In contrast, six commenters (which included the three 
bankers' trade organizations and two of the four accounting firms) were 
opposed to or expressed concerns about the proposed amendment. These 
commenters stated that:
     The FDIC should individually evaluate and clarify the 
applicability of each new SEC and PCAOB independence standard.
     The FDIC should revise part 363 to require the auditors of 
public institutions to meet the independence rules of the SEC and the 
PCAOB and the auditors of nonpublic institutions to meet only the 
AICPA's independence rules.
     Applying the independence standards of the SEC and the 
PCAOB equally to all independent public accountants may prohibit 
certain independent public accountants from performing engagements for 
nonpublic institutions subject to part 363.
     Adding the PCAOB's independence rules to the existing 
requirement for compliance with the independence rules of the SEC and 
the AICPA could be problematic for some community banks because: (1) 
Some banks may not have ready access to multiple accounting firms that 
satisfy the independence requirements of the PCAOB, the SEC, and the 
AICPA; and (2) it creates a third set of standards that the audit 
committee will need to review on a regular basis in order to fulfill 
its duties.
     Education efforts to explain the auditor independence 
requirements of part 363 will be needed because: (1) Many institutions 
subject to part 363 are nonpublic; and (2) many independent public 
accountants that provide services to nonpublic institutions are not 
registered with the PCAOB and may not be familiar with the independence 
standards of the SEC and the PCAOB.
    The foundation for auditor independence standards is the principle 
that auditors who provide audit services must be independent in fact 
and appearance with respect to their audit clients. The FDIC notes that 
the independence rules of the SEC and AICPA have been applicable to 
audits of both public and nonpublic institutions subject to part 363 
since the implementation of part 363 in 1993. More recently, SOX 
granted additional authority to set independence standards for 
accounting firms performing audits of public companies (issuers) to the 
PCAOB. In this regard, the PCAOB's independence standards do not become 
effective unless and until they are approved by the SEC, which means 
that they are tantamount to SEC independence standards.
    The FDIC acknowledges that both the AICPA's and the SEC's auditor 
independence standards, including those of the PCAOB, have evolved over 
time. The FDIC recognizes that the effect of periodic changes in these 
auditor independence standards carries over to accountants with insured 
depository institution audit clients subject to part 363 regardless of 
whether these clients are public or nonpublic institutions. Thus, as 
the AICPA, the SEC, and the PCAOB periodically revise their auditor 
independence standards, independent public accountants performing audit 
and attest services under part 363 must take appropriate steps to 
ensure that they continue to satisfy the qualifications for accountants 
with respect to independence that are set forth in part 363. While 
changes in independence standards can be burdensome to auditors and 
their clients, given the importance of the independence of the 
accountants who provide audit services to institutions subject to part 
363, which in number comprise the largest 17 percent of the insured 
depository institutions, the FDIC continues to believe that it is in 
the public interest for independence standards to apply uniformly to 
all accountants performing these services. To achieve this objective, 
auditors of institutions subject to part 363 should continue to comply 
with all of the independence standards applicable to both nonpublic and 
public institutions that are established by the AICPA, the SEC, and the 
PCAOB rather than to comply with these standards on a selective or 
exclusionary basis. Therefore, the FDIC has decided to proceed with the 
proposed amendment to the auditor independence provisions of part 363.
    However, as recommended by a commenter, the FDIC has revised the 
proposed rule to clarify that if a provision within one of the 
applicable independence standards is more restrictive than a provision 
addressing the same subject matter in one of the other independence 
standards, the independent public accountant must comply with the more 
restrictive independence requirement. For example, an external auditor 
is permitted to provide internal audit outsourcing services to an audit 
client under the AICPA's independence rules, but the independence rules 
of the SEC and the PCAOB generally prohibit an external auditor from 
providing such
services to an audit client. In this example, the external auditor 
would have to comply with the more restrictive independence 
requirements of the SEC and the PCAOB.
5. Peer Reviews
    Section 36(g)(3)(A)(ii) of the FDI Act requires an independent 
public accountant to have received a peer review or be enrolled in a 
peer review program that meets acceptable guidelines. At present, 
guideline 15 to part 363 provides that to be acceptable, a peer review 
should, among other things, be generally consistent with AICPA 
standards. Since part 363 was originally adopted, the PCAOB has been 
created and conducts inspections of registered public accounting firms, 
some of which audit insured depository institutions subject to part 363 
or their parent holding companies. These inspections serve a similar 
purpose as peer reviews. In addition, the PCAOB issues reports on its 
inspections of these accounting firms.
    In response to this development and in light of the agencies' 
issuance of rules of practice implementing the enforcement provisions 
of section 36, the FDIC proposed to add new Sec.  363.3(g) on peer 
reviews. The FDIC proposed to move the requirements for peer reviews, 
the filing of peer review reports, and the retention of peer review 
working papers from guideline 15, Peer Reviews, and guideline 16, 
Filing Peer Review Reports, to Sec.  363.3(g). As proposed, Sec.  
363.3(g) clarified that acceptable peer reviews include peer reviews 
performed in accordance with the AICPA's Peer Review Standards and 
inspections conducted by the PCAOB. It also provided that the FDIC 
would not make available for public inspection the portion of any peer 
review report and inspection report determined to be nonpublic by the 
AICPA and the PCAOB, respectively. Finally, the FDIC proposed to revise 
guideline 15 to explain that to be acceptable a peer review, other than 
a PCAOB inspection, should be generally consistent with AICPA Peer 
Review Standards.
    In their comments on the proposal, all four accounting firms and 
the accountants' trade organization did not object to filing the public 
portions of PCAOB inspection reports, but were opposed to filing the 
nonpublic portions of these reports. These commenters also expressed 
the following concerns:
     The proposed requirement is contrary to existing law (SOX) 
and the professional standards of the PCAOB. An accounting firm should 
be required to submit the nonpublic portion of a PCAOB inspection 
report to the FDIC only if it is made public by the PCAOB.
     Pursuant to Section 104(g)(2) of SOX, the PCAOB cannot 
disclose the nonpublic portion of an inspection report unless 
criticisms of the accounting firm's quality controls remain 
unremediated 12 months after the issuance of the report. There are only 
two exceptions to the statutory prohibition: (1) Disclosure to the SEC 
and State boards of public accountancy, and (2) to a ``Federal 
functional regulator'' when the PCAOB Board, in its discretion, 
determines that disclosure is necessary. The PCAOB has not made such a 
determination regarding any Federal banking agency.
     Since AICPA peer review reports and public portions of the 
PCAOB inspection reports are available to the FDIC on the AICPA and 
PCAOB Web sites, there should not be a requirement for auditors to 
submit reports directly to the FDIC.
    In response to the concerns raised by the commenters, the FDIC has 
revised the proposed amendment to require independent public 
accountants to file only the public portions of PCAOB inspection 
reports. The revised amendment also requires independent public 
accountants to file previously nonpublic portions of any PCAOB 
inspection report within 15 days of the PCAOB making such portions 
public. The FDIC has retained the existing requirement for independent 
public accountants to file peer review reports, accompanied by any 
letters of comments, response, and acceptance.
    Regarding AICPA peer review reports, the FDIC notes that these 
reports are publicly available on the AICPA Web site for some, but not 
all, independent public accountants and accounting firms. The AICPA's 
standards for performing and reporting on peer reviews do not require 
independent public accountants or accounting firms to post their peer 
review reports on the AICPA Web site. However, members of the AICPA's 
audit quality centers and the Private Companies Practice Section post 
their review reports on the AICPA Web site, certain firms voluntarily 
make their peer review reports public, and other firms make some 
aspects of their peer review reports available when required by a State 
board of public accountancy or the Government Accountability Office. 
Furthermore, since section 36 of the FDI Act requires peer review 
reports to be filed with the FDIC and made available for public 
inspection, the FDIC cannot override this statutory requirement despite 
the present availability of most of these reports on the PCAOB and 
AICPA Web sites. The FDIC has therefore retained the filing requirement 
for AICPA peer review reports and the public portions of PCAOB 
inspection reports.
6. Notice of Termination
    Guideline 26, Notices Concerning Accountants, permits an 
institution that is a public company or a subsidiary of a public 
company to satisfy the requirement for filing a notice of termination 
of its independent public accountant by using its current report (e.g., 
SEC Form 8-K) concerning a change in accountant to satisfy the similar 
notice requirements of part 363. To reduce regulatory burden and 
provide flexibility to the independent public accountant of such an 
institution, the FDIC proposed to amend guideline 20, Notice of 
Termination, to permit the independent public accountant to satisfy the 
requirement to file a notice of termination of its services in a 
similar manner. No comments were received on this aspect of the 
proposal.

D. Filing and Notice Requirements (Sec.  363.4 and Guidelines 22-26)

1. Annual Reporting
    At present, the annual reporting requirements of part 363 require 
each insured depository institution to file its Part 363 Annual Report 
within 90 days after the end of its fiscal year. Each institution is 
also required to file the independent public accountant's report on the 
audited financial statements and, if applicable, the accountant's 
attestation report on management's assessment of internal control over 
financial reporting, both of which are components of the Part 363 
Annual Report, within 15 days of receipt by the institution, which, at 
times, has presented a conflict with the annual report filing 
requirement. The FDIC has also noted that earlier filing deadlines 
established by the SEC for annual reports filed by certain public 
companies under the Federal securities laws (e.g., SEC Form 10-K) and 
more robust auditing standards related to internal control over 
financial reporting have had an impact on the management of 
institutions, on the resources of independent public accountants, and 
on auditing costs.
    To reduce cost and burden, the FDIC proposed to amend Sec.  
363.4(a) by extending the time period within which an insured 
depository institution that is not a public company or a subsidiary of 
a public company must file its Part 363 Annual Report from within 90 
days to within 120 days after the end of its fiscal year. As proposed, 
an insured depository institution that is a public
company, or that is a subsidiary of a public company that meets certain 
criteria, would continue to be required to file its Part 363 Annual 
Report within 90 days after the end of its fiscal year, which is 
consistent with the maximum time frame that public companies have for 
filing annual reports under the Federal securities laws. The proposed 
amendment would also eliminate the ambiguity in Sec.  363.4 concerning 
the filing deadline for the components of the Part 363 Annual Report 
that are prepared by the independent public accountant.
    An insured depository institution with consolidated total assets of 
less than $1 billion that is a public company or a subsidiary of a 
public company is required to file management's assessment of the 
effectiveness of internal control over financial reporting with the SEC 
or the appropriate Federal banking agency in accordance with the 
compliance dates of the SEC's rules implementing section 404 of SOX. 
Management's findings and conclusions with respect to internal control 
over financial reporting, as disclosed in the assessment that 
management files with the SEC or the appropriate Federal banking 
agency, provide information that would aid in meeting the objective of 
section 36 of the FDI Act. Therefore, the FDIC proposed to add a 
provision to Sec.  363.4(a) that would require an institution of this 
size to submit a copy of management's section 404 internal control 
assessment with its Part 363 Annual Report, but this assessment would 
not be considered part of the institution's Part 363 Annual Report.
    Five commenters expressed support for the proposed extension of the 
filing deadline for the Part 363 Annual Report for an institution that 
is not a public company or a subsidiary of a public company. These 
commenters stated that the additional 30 days will help to ensure that 
auditors are able to devote sufficient resources to the nonpublic 
engagements, provide nonpublic institutions with the additional time 
needed to comply with the filing requirements, and may help to reduce 
the cost of independent audits.
    At present, part 363 specifies that the Part 363 Annual Reports and 
reports on peer reviews shall be available for public inspection. 
Except for management letters, which are exempt from public disclosure 
pursuant to existing guideline 18, part 363 does not address the 
availability of other reports and notifications required to be filed 
under part 363. Consistent with the FDIC's longstanding practice, the 
FDIC has revised the proposed rule to clarify that, except for the 
annual reports, AICPA peer review reports, and PCAOB inspection 
reports, which shall be available for public inspection, all other 
reports and notifications required to be filed under part 363 are 
exempt from public disclosure by the FDIC.
2. Independent Public Accountant's Reports
    Section 36(h)(2)(A) of the FDI Act and Sec.  363.4(c) require an 
institution to file a copy of any management letter or other report 
issued by its independent public accountant that pertains to the 
financial statement audit and the attestation on internal control over 
financial reporting within 15 days after receipt by the institution. 
The FDIC's experience in administering part 363 indicates that 
institutions are often uncertain as to which types of reports they 
receive from their independent public accountant must be submitted to 
the FDIC, the appropriate Federal banking agency, and any appropriate 
State bank supervisor pursuant to this filing requirement. As stated 
above, this uncertainty extends to this 15-day filing requirement and 
its relationship to the filing deadline for the Part 363 Annual Report. 
To clarify the requirements for the filing of accountants' reports, the 
FDIC proposed to amend Sec.  363.4(c), Independent public accountant's 
letters and reports, by providing examples of the types of reports 
issued by an institution's independent public accountant, except for 
the accountant's reports that are required to be included in the 
institution's Part 363 Annual Report, that are to be filed within 15 
days after receipt. As proposed, Guideline 25, Independent Accountant's 
Reports, would be deleted because it would be redundant and no longer 
needed.
    In the Interagency Advisory on the Unsafe and Unsound Use of 
Limitation of Liability Provisions in External Audit Engagement 
Letters, the Federal banking agencies expressed their concerns about 
limitation of liability provisions included in external audit 
engagement letters and advised institutions against entering into 
engagement letters containing such provisions.\10\ To enable the FDIC 
to timely review institutions' engagement letters with their 
independent public accountants, the FDIC also proposed to amend Sec.  
363.4(c) to require institutions to file copies of audit engagement 
letters, including any related agreements and amendments, with the 
FDIC, the appropriate Federal banking agency, and any appropriate State 
bank supervisor within 15 days of acceptance by the institution.
---------------------------------------------------------------------------

    \10\ See 71 FR 6847, February 9, 2006, and FDIC Financial 
Institution Letter (FIL) 13-2006, issued on the same date.
---------------------------------------------------------------------------

    Eight commenters (which included two bank trade organizations, 
three accounting firms, and the accountants' trade organization) 
opposed requiring institutions to file audit engagement letters and 
were concerned about their public availability. These commenters stated 
that:
    - It is not essential, practical, or beneficial for an 
institution to file the audit engagement letter. The requirement for 
the audit committee to ensure that the letter does not contain any 
inappropriate limitation of liability provisions is sufficient and 
appropriate.
    - Instead of requiring institutions to file audit engagement 
letters, the FDIC could require management's report to include a 
statement that the audit engagement letter has been reviewed for unsafe 
and unsound limitation of liability provisions.
    - The final rule should specify that audit engagement 
letters filed with the FDIC are ``exempt from disclosure'' under FOIA.
    The FDIC notes that, since the publication of the proposed rule, 
the AICPA's Professional Ethics Executive Committee has adopted 
Interpretation No. 501-8, Failure to Follow Requirements of 
Governmental Bodies, Commissions, or Other Regulatory Agencies on 
Indemnification and Limitation of Liability Provisions in Connection 
With Audit and Other Attest Services, which became effective July 31, 
2008.\11\ This ethics interpretation states:
---------------------------------------------------------------------------

    \11\ The full text of the Interpretation can be found on the 
AICPA's Web site at the following link: http://www.aicpa.org/download/ethics/EDITED_Adopted_501_8_final.pdf.
---------------------------------------------------------------------------

    Certain governmental bodies, commissions, or other regulatory 
agencies (collectively, regulators) have established requirements 
through laws, regulations, or published interpretations that 
prohibit entities subject to their regulation (regulated entity) 
from including certain types of indemnification and limitation of 
liability provisions in agreements for the performance of audit or 
other attest services that are required by such regulators or that 
provide that the existence of such provisions causes a member to be 
disqualified from providing such services to these entities. For 
example, Federal banking regulators, State insurance commissions, 
and the Securities and Exchange Commission have established such 
requirements.
    If a member enters into, or directs or knowingly permits another 
individual to enter into, a contract for the performance of audit or 
other attest services that are subject to the requirements of these 
regulators, the member should not include, or knowingly permit or 
direct another individual to include, an indemnification or 
limitation of
liability provision that would cause the regulated entity or member 
to be disqualified from providing such services to the regulated 
entity. A member who enters into, or directs or knowingly permits 
another individual to enter into, such an agreement for the 
performance of audit or other attest services that would cause the 
regulated entity or a member to be in violation of such 
requirements, or that would cause a member to be disqualified from 
providing such services to the regulated entity, would be considered 
to have committed an act discreditable to the profession.

    In consideration of the comments received and the issuance of this 
ethics interpretation, the FDIC has reevaluated this aspect of the 
proposal and has decided to remove the proposed requirement to file 
audit engagement letters, which will eliminate the burden that would 
have been associated with this filing requirement. However, the FDIC 
cautions institutions and independent public accountants that including 
unsafe and unsound limitation of liability provisions in audit 
engagement letters could result in adverse consequences. For example, 
the FDIC could determine that an audit of an institution's financial 
statements and, if applicable, its internal control over financial 
reporting that has been performed pursuant to an engagement letter 
containing these unsafe and unsound provisions does not satisfy the 
requirements of part 363. The institution could then be directed to 
engage a different independent public accountant to perform another 
audit. The independent public accountant whose engagement letter 
contained the unsafe and unsound limitation of liability provisions 
could also be subject to supervisory action by the FDIC or the 
institution's primary Federal regulator as well as disciplinary action 
by the relevant State board of public accountancy and the AICPA for an 
act discreditable to the profession.
3. Notification of Late Filing
    Guideline 23, Relief from Filing Deadlines, currently provides that 
in the occasional event that an institution is confronted with 
extraordinary circumstances beyond its reasonable control that 
justify an extension of the deadline for filing its Part 363 Annual 
Report or another required report or notice, the institution may submit 
a written request for an extension of the filing deadline of not more 
than 30 days that explains the reasons for the request. Such a request 
may be granted for good cause. Over the last several years, the reasons 
set forth in the requests for extensions of time for filing Part 363 
Annual Reports that have been submitted to the FDIC generally did not 
represent extraordinary circumstances beyond the institution's 
reasonable control, the standard currently set forth in guideline 23. 
Also, several extension requests were repeats of requests from the same 
institutions from the previous year.
    Based upon this experience and given the proposed amendment to 
Sec.  363.4(a) to extend the filing deadline for Part 363 Annual 
Reports for non-public institutions from 90 to 120 days, the FDIC 
proposed to replace the extensions of time for filing reports that are 
available only in extraordinary circumstances under guideline 23 with a 
new Sec.  363.4(e), Notification of late filing. In place of filing 
extensions that have limited applicability, this new section would be 
applicable to all institutions and would require an institution that is 
unable to timely file all or any portion of its Part 363 Annual Report 
or any other report or notice required to be filed under part 363 to 
submit a written notice of late filing before the filing deadline for 
the report or notice. The late filing notice must disclose the 
institution's inability to timely file all or specified portions of its 
Part 363 Annual Report or other report or notice, the reasons therefor 
in reasonable detail, and the date by which the report or notice will 
be filed.
    The FDIC also proposed to amend guideline 23 by changing its focus 
from extension requests to late filing notices consistent with the 
approach taken in new Sec.  363.4(e). Amended guideline 23 explains 
that submitting a late filing notice will not cure the apparent 
violation of part 363 arising from an institution's failure to timely 
file a Part 363 Annual Report or any other required report or notice. 
The supervisory response to such an apparent violation would take into 
account the facts and circumstances surrounding an institution's delay 
in filing. As proposed, guideline 23 also provides that, if the late 
filing applies to only a portion of the Part 363 Annual Report or any 
other report or notice, the components of the report or notice that 
have been completed should be filed within the prescribed filing period 
accompanied by either a cover letter that indicates which components 
are omitted or a combined late filing notice and cover letter.
    One commenter suggested that the FDIC revise the proposed rule to 
provide for extensions of the filing due date for up to 60 days for 
institutions that are not public companies or subsidiaries of public 
companies instead of establishing a late filing notification 
requirement. In the FDIC's dealings with institutions unable to file 
their Part 363 Annual Reports by the filing deadline in the current 
rule, whether they are seeking extensions of the deadline or not, it is 
not uncommon for institutions to experience delays in their ability to 
file these reports that extend well in excess of 60 days after the 
filing deadline. Therefore, the FDIC believes that establishing a late 
filing notification requirement is a more practical approach for 
addressing the broad range of situations when institutions are unable 
to timely file reports required under part 363 than providing for 
longer extensions of the filing deadline in those cases where an 
institution meets an extraordinary circumstances standard. Accordingly, 
the FDIC has decided to adopt this aspect of the rule as proposed 
without revision.
4. Place for Filing
    Current guideline 22 identifies the office of the FDIC, the 
appropriate Federal banking agency, and the appropriate State bank 
supervisor to which reports and notices (other than peer review 
reports) required by part 363 are to be filed. Nevertheless, the FDIC 
has found that some institutions submit required reports and notices to 
incorrect locations. The FDIC staff also receives questions from 
institutions asking where reports and notices should be filed. To make 
the information as to where Part 363 Annual Reports, written notices of 
late filing, and other reports and notices (except peer review reports) 
are to be filed more prominent, the FDIC proposed to move this 
information from guideline 22, Place for Filing, to a new Sec.  
363.4(f), Place for filing. No comments were received on this aspect of 
the proposal.

E. Audit Committees (Sec.  363.5 and Guidelines 27-35)

1. Composition
    Section 36(g)(1) of the FDI Act and Sec.  363.5(a) require each 
insured depository institution subject to part 363 to have an 
independent audit committee comprised entirely of outside directors. As 
defined in Sec.  363.5(a)(3), in general, an outside director is a 
director who is not an officer or employee of the institution or any 
affiliate of the institution. In addition, the outside directors who 
serve on the audit committee must be ``independent of management,'' 
although a minority of the audit committee members of institutions with 
$500 million or more but less than $1 billion in total assets need not 
be ``independent of management.'' Guideline 27, Composition, requires 
each institution's
board of directors to determine at least annually whether existing and 
potential audit committee members satisfy the requirements governing 
audit committee composition.
    In order for a board of directors to perform its evaluation of 
audit committee members in a consistent, effective, and reviewable 
manner, the FDIC believes the board should be guided by an approved 
policy or set of criteria that identifies the factors to be taken into 
account by the board. Accordingly, the FDIC proposed to amend guideline 
27 to require each institution's board of directors to maintain an 
approved set of written criteria for determining whether a director who 
is to serve on the audit committee is an outside director and is 
independent of management and to apply these criteria, at least 
annually, to determine whether each existing or potential audit 
committee member meets the requirements of section 36 and part 363. The 
proposed amendment to guideline 27 also requires that the results of 
and basis for the board's determination with respect to each existing 
and potential audit committee member be recorded in the board's 
minutes.
    Two commenters expressed support for the proposed requirement in 
guideline 27 for each institution's board of directors to adopt written 
criteria for determining if audit committee members meet the 
requirements of section 36 and part 363 and view it as a best practice. 
One of these commenters also recommended that the FDIC revise or expand 
Sec.  363.5(b) or guideline 28 to clarify the extent to which audit 
committee members who meet the SEC's definition of ``audit committee 
financial expert'' will be deemed to have ``banking or related 
financial management expertise'' for part 363 purposes.
    However, three commenters, including one bankers' trade 
organization, were not supportive of the proposed amendments to 
guideline 27. These commenters objected to the documentation 
requirements for audit committee members' independence and the 
requirements for the board of directors' minutes to reflect the results 
of and basis for the board's determinations regarding audit committee 
members' independence. As an alternative, two of these commenters 
recommended that audit committees be permitted to survey existing and 
potential members and make the survey available to examiners but not 
reflect the survey results in the board of directors' minutes.
    In addition to being a best practice, the FDIC believes that the 
adoption and implementation by an institution's board of directors of 
an approved policy or set of criteria that identify the factors to be 
taken into account for evaluating audit committee member independence 
improves corporate governance. Documenting the results of and basis for 
determinations with respect to each existing and potential audit 
committee member in the board's minutes further supports good corporate 
governance and provides evidence that the board is properly discharging 
its responsibilities under part 363 in the process for selecting audit 
committee members. Applying an approved policy or set of criteria and 
documenting the results provide a more robust and consistent process 
than having audit committees themselves survey existing and potential 
committee members for review by examiners, but with no oversight by the 
entire board of directors. Nevertheless, an annual survey of existing 
and potential audit committee members by the board may be a useful 
mechanism for determining whether these individuals satisfy the board's 
policy or set of criteria. For these reasons, the FDIC has decided to 
adopt guideline 27 as proposed without any revision.
    As to the suggestion regarding clarification of the extent to which 
audit committee members who have the attributes of an ``audit committee 
financial expert'' under the SEC's rules will be deemed to have 
``banking or related financial management expertise,'' the FDIC has 
revised guideline 32, Banking or Related Financial Management 
Expertise, to clarify that such persons will satisfy the criteria set 
forth in the guideline.
    Guideline 30, Holding Company Audit Committees, provides guidance 
for complying with the audit committee requirements of part 363 at the 
holding company level. The FDIC proposed to amend guideline 30 for 
consistency with the proposed revisions to the holding company 
provisions of Sec.  363.1(b) and to reflect the difference in the audit 
committee composition requirements in Sec.  363.5(a) for institutions 
with more than and less than $1 billion in total assets. No comments 
were received on this aspect of the proposal.
2. ``Independent of Management'' Considerations
    Guideline 28, ``Independent of Management'' Considerations, 
identifies five factors for a board of directors to consider when 
determining the independence of an outside director. Guideline 29, Lack 
of Independence, states that a director who owns or controls 10 percent 
or more of any class of the institution's voting securities should not 
be considered ``independent of management.'' The FDIC has found that 
some of the factors in guideline 28 are so general that they fail to 
provide meaningful guidance to boards of directors. At the same time, 
many of the institutions subject to part 363 or their parent holding 
companies are public companies with securities listed on a national 
securities exchange. Under the SEC's Rule 10A-3 (17 CFR 240.10A-3), 
each audit committee member of a listed issuer must be a director of 
the issuer and must otherwise be independent. The listing standards of 
the national securities exchange must set forth the criteria for 
determining the independence of directors who are to serve on a listed 
issuer's audit committee.
    Based on its review, the FDIC stated in the proposal to amend part 
363 that it believed that the independence criteria for audit committee 
members included in the listing standards of the national securities 
exchanges, together with the FDIC's existing stock ownership criterion 
in guideline 29, represented an appropriate framework for determining 
whether an outside director is ``independent of management'' for 
purposes of part 363. Furthermore, for an institution whose audit 
committee members or whose parent holding company's audit committee 
members, if the holding company meets the holding company provisions of 
Sec.  363.1(b), are subject to the listing standards of a national 
securities exchange, the FDIC observed that allowing the institution to 
use these standards for part 363 purposes would reduce the 
institution's burden.
    Therefore, the FDIC proposed to combine guidelines 28 and 29 and 
provide expanded guidance for an institution's board of directors to 
use in its assessment of an outside director's relationship to the 
institution for the purposes of making ``independent of management'' 
determinations regarding audit committee members. For example, the 
proposed amendment to guideline 28 included a list of criteria that an 
institution's board of directors should consider when determining 
whether an outside director would be considered ``independent of 
management.'' In developing the proposed list of criteria, the FDIC 
considered, but did not entirely replicate, the portion of the listing 
standards of the national securities exchanges that apply to audit 
committees. An institution's board of directors may also conclude that 
it
should consider additional criteria that may be appropriate in its 
particular circumstances. As an alternative to these criteria, revised 
guideline 28 would permit an institution that is a public company or a 
subsidiary of a public company (when the holding company provisions of 
Sec.  363.1(b) are met) that is subject to the listing standards of a 
national securities exchange to apply the audit committee provisions of 
the listing standards for purposes of determining audit committee 
member independence. Similarly, all other institutions, including those 
that are not public companies, may elect, but would not be required, to 
adopt the audit committee provisions of the listing standards of a 
national securities exchange or association as their criteria for 
determining audit committee member independence.
    While two commenters supported the proposed amendments regarding 
audit committee independence, five commenters (which included two 
bankers' trade organizations and three financial institutions) 
expressed certain concerns or suggested changes to the proposal. These 
commenters suggested that:
    - Shareholders of closely-held companies should not be 
automatically prohibited from serving on the audit committee solely 
because they own 10 percent or more of the institution's voting stock.
    - The FDIC should raise the proposed compensation limitation 
threshold from $60,000 to $100,000.
    - The meaning of ``financial services'' as it relates to 
indirect compensation should be clarified. Furthermore, the need for 
``indirect compensation'' limits is questionable given all of the other 
independence requirements.
    - Proposed guideline 28(b)(7) should be revised by removing 
from the definition of ``payment'' loans and other services extended to 
directors in the ordinary course of an institution's business as well 
as payments arising solely from investments in the bank's securities 
and payments made under non-discretionary charitable contribution 
matching programs. The $200,000 or 5 percent of gross revenues test in 
this guideline should be measured against the revenues of the recipient 
of the payment, and not the outside employer.
    - Applying the director independence standards of the 
national securities exchanges to privately held banks will impose 
challenges for community banks located in areas where it is difficult 
to find competent directors to serve on the audit committee.
    - Existing guidelines 28 and 29 provide sufficient guidance 
for institutions to determine the independence of a director.
    - Audit committee independence criteria should consider an 
individual institution's complexity and risk profile. For community 
banks, audit committee member independence can be difficult to 
accomplish and maintain.

    In response to these comments and concerns, the FDIC has carefully 
reviewed the provisions of proposed revised guideline 28 on the 
``independent of management'' considerations that should be applied to 
audit committee members. First, the FDIC has reconsidered the existing 
10 percent stock ownership limit for audit committee members. In this 
regard, the SEC's and the national securities exchanges' rules do not 
impose such a limit on audit committee members. Therefore, consistent 
with these entities' rules, the FDIC is revising guideline 28 to 
provide that ownership of 10 percent or more of any class of voting 
securities of an institution would not be an automatic bar for 
considering an outside director to be independent of management. The 
revised guideline further provides that when an outside director's 
stock ownership equals or exceeds the 10 percent threshold, the 
institution's board of directors would be required to determine and 
document its determination as to whether such ownership would interfere 
with the outside director's exercise of independent judgment in 
carrying out the responsibilities of an audit committee member.
    Next, the FDIC has reconsidered the compensation limit applicable 
to audit committee members for direct and indirect compensation and, as 
suggested by commenters, has revised guideline 28 to increase the 
compensation threshold from $60,000 to $100,000. Additionally, the 
comments seeking greater clarity concerning the meaning of indirect 
compensation and the types of payments deemed to be compensation have 
merit. Therefore, the FDIC has revised the guideline to provide 
examples of indirect compensation and to specify that certain payments 
would not be included within the meaning of the terms direct and 
indirect compensation.
    In response to the suggestion to remove loans and other services 
extended to directors in the ordinary course of an institution's 
business as well as payments arising solely from investments in the 
bank's securities and payments made under non-discretionary charitable 
contribution matching programs from the definition of ``payment,'' the 
FDIC has revised and expanded guideline 28(b)(8) to specify what 
payments are not included within the meaning of the terms direct and 
indirect compensation and payments. As to the suggestion regarding the 
basis of the measurement for the $200,000 or 5 percent of gross revenue 
test, the FDIC has decided to retain this requirement as proposed so as 
to maintain consistency with the similar requirements set forth in the 
listing standards of the national securities exchanges and thereby 
minimize confusion in the application of this requirement.
    Based on questions it has received from covered institutions and 
its experience in administering the criteria set forth in the existing 
guidelines 28 and 29 regarding audit committee member independence, the 
FDIC concluded that these guidelines did not provide sufficient 
guidance for institutions to determine the independence of a director 
for the purposes of serving on an institution's audit committee. 
Therefore, the FDIC's experience contradicts the views of the commenter 
who asserted that the existing guidelines provide sufficient guidance.
    The FDIC acknowledges that some community banks may encounter 
challenges in accomplishing and maintaining audit committee member 
independence. In recognition of these challenges, the FDIC amended the 
audit committee provisions of part 363 in 2005 to allow a minority of 
the outside directors who serve on the audit committee of covered 
institutions with less than $1 billion in total assets not to be 
independent of management. After reviewing the criteria listed in 
proposed guideline 28 as they would be modified as discussed above, the 
FDIC believes that the nature and types of relationships included in 
the list represent a reasonable framework for evaluating whether 
outside directors who are candidates for the audit committees of 
covered institutions of all sizes, both public and nonpublic, are 
independent of management. Of particular note, the criteria include a 
$100,000 limit on certain forms of direct and indirect compensation to 
a director or immediate family members. In contrast, the SEC's and the 
national securities exchanges' rules currently limit the compensation 
of audit committee members to fees received as a director and audit 
committee member and prohibit all other compensation, direct and 
indirect. The FDIC chose not
to impose this prohibition, which applies to audit committee members of 
certain public companies, on all insured institutions subject to part 
363. The absence of this prohibition on compensation from the criteria 
in guideline 28 should benefit nonpublic community institutions subject 
to part 363. Similarly, the removal of the 10 percent stock ownership 
limit from the audit committee independence criteria should benefit 
community institutions. Therefore, the FDIC believes that the proposed 
amendments to guideline 28, as modified in response to comments, will 
provide institutions' boards of directors with appropriate guidance and 
sufficient flexibility for establishing their institutions' criteria 
for making ``independent of management'' determinations for audit 
committee members.
    In light of the revisions to guideline 28 regarding the criteria 
for determining an audit committee member's independence, boards of 
directors and audit committee members of covered institutions are 
reminded that under part 363 the selection of a director to serve as an 
audit committee member is basically a three-step process. The first 
step is to determine which of the composition requirements set forth in 
Sec.  363.5(a)(1) and (2) are applicable to the institution's audit 
committee. The second step is to determine if each director who is to 
serve on the audit committee is an ``outside director'' as defined in 
Sec.  363.5(a)(3). The third step is to determine if each ``outside 
director'' is independent of management in accordance with the 
provisions of guideline 28.
3. Audit Committee Duties
    According to section 36(g)(1)(B) of the FDI Act and Sec.  363.5(a), 
an audit committee's duties include reviewing the basis for the Part 
363 Annual Report with both management and the independent public 
accountant. Guideline 31 further provides that the audit committee's 
duties should be appropriate to the size of the institution and the 
complexity of its operations and it identifies additional duties that 
could be appropriate for the audit committee. These additional duties 
include discussing with management the selection and termination of the 
institution's independent public accountant. In addition, guideline 26 
provides that, before engaging an independent public accountant, an 
institution should review and satisfy itself that the accountant is in 
compliance with the required qualifications set forth in guidelines 13 
through 15, including the accountant's independence and receipt of a 
peer review.
    Under section 301 of SOX, the audit committee of each public 
company listed on a national securities exchange or association must be 
responsible for the appointment, compensation, and oversight of the 
accounting firm engaged to prepare or issue an audit report or perform 
related work. As the SEC noted when it adopted its final rule 
implementing section 301, ``the auditing process may be compromised 
when a company's outside auditors view their responsibility as serving 
the company's management rather than its full board of directors or 
audit committee. This may occur if the auditor views management as the 
employer with hiring, firing and compensating powers. Under these 
conditions, the auditor may not have the appropriate incentive to raise 
concerns and conduct an objective review. * * * One way to help promote 
auditor independence, then, is for the auditor to be hired, evaluated 
and, if necessary, terminated by the audit committee.'' Because the 
intent and purpose of section 36 of the FDI Act is the early 
identification of needed improvements in financial management, it is 
critical for the accountants that perform audit and attestation 
services for insured depository institutions subject to section 36 to 
have an appropriate incentive to raise concerns and conduct an 
objective review. In this regard, the FDIC believes it is a sound 
corporate governance practice for an institution's audit committee, 
rather than its management, to be responsible for the appointment, 
compensation, and oversight of the accountant, regardless of whether 
the institution is a public company.
    Therefore, the FDIC proposed to amend Sec.  363.5(a), Composition 
and duties, and guideline 31, Duties, to specify that, in addition to 
reviewing with management and the independent public accountant the 
basis for the reports issued under part 363, the duties of the audit 
committee include the appointment, compensation, and oversight of the 
independent public accountant who performs services required under part 
363. In order to discharge these duties with respect to the independent 
public accountant, the audit committee should also review and satisfy 
itself as to the independent public accountant's compliance with the 
independence, peer review, and other qualifications under part 363. 
Additionally, the audit committee should be familiar with and ensure 
management's compliance with the requirement to file notices concerning 
the engagement, resignation, or dismissal of an independent public 
accountant. The FDIC proposed to include these duties in guideline 31.
    Three commenters expressed support for the proposed amendments 
regarding the duties of the audit committee and stated that it 
represents a best practice regardless of an entity's asset size. 
However, one commenter, who was not supportive of the proposed 
amendments, recommended that the proposal be revised to remove the 
mandate for the audit committee to appoint and oversee the independent 
accountants in cases where the bank is privately-owned, more than 80 
percent of the voting shares are owned by a sole owner or the principal 
owner's immediate family, the shareholders authorize procedures to be 
followed with respect to the appointment and oversight of the 
independent accountants, and the bank has a Uniform Financial 
Institutions Rating of 1 or 2. This commenter also stated that while 
appointing the independent accountant is expected to be normal for an 
audit committee of a publicly-owned company, the value for a privately-
owned company is less clear. Additionally, this commenter stated that 
banks that are wholly owned by a single or a few shareholders, who are 
all immediate family members, do not need a separate board committee to 
do what they can do directly and that the mandate for a separate audit 
committee in these cases adds nothing to safety and soundness but adds 
additional bureaucracy and cost to the bank.
    Although the FDIC has considered these comments, this commenter's 
concerns, in essence, relate to the requirement for covered 
institutions, particularly for those that are privately-owned, to 
establish independent audit committees. In response, the FDIC notes 
that section 36(g) of the FDI Act requires each institution to which 
section 36 applies to have an independent audit committee made up of 
outside directors who are independent of management. Consequently, the 
FDIC lacks the rulemaking authority to permit a covered institution not 
to have an independent audit committee or to permit a covered 
institution's entire board of directors to act as an audit committee 
based on the nature of the institution's ownership. In this regard, in 
enacting section 36, Congress recognized the significant public 
interest in sound financial management and controls at covered 
institutions, including the important role of an independent audit 
committee, regardless of their ownership structure. Therefore, the FDIC 
has decided to adopt the proposed changes pertaining

[[Page 35743]]

to audit committee duties without revision.
4. Independent Public Accountant Engagement Letters
    In response to an observed increase in the types and frequency of 
provisions in financial institutions' external audit engagement letters 
that limit the auditors' liability, the Federal banking agencies issued 
an Interagency Advisory on the Unsafe and Unsound Use of Limitation of 
Liability Provisions in External Audit Engagement Letters (Interagency 
Advisory) in February 2006.\12\ When they issued the Interagency 
Advisory, the agencies stated their belief that when institutions agree 
to limit their external auditors' liability in provisions in engagement 
letters, such provisions may weaken the external auditors' objectivity, 
impartiality, and performance, which may reduce the reliability of 
audits and thereby raise safety and soundness concerns. The reliability 
of audits is central to achieving the intent and purpose of section 36 
of the FDI Act. Therefore, the FDIC proposed to add Sec.  363.5(c), 
Independent public accountant engagement letters, and amend guideline 
31, Duties, to incorporate the principal provisions of the Interagency 
Advisory.
---------------------------------------------------------------------------

    \12\ See 71 FR 6847, February 9, 2006, and FDIC Financial 
Institution Letter (FIL) 13-2006, issued on the same date.
---------------------------------------------------------------------------

    As proposed, Sec.  363.5(c) and guideline 31 would require the 
audit committee to ensure that audit engagement letters and any related 
agreements with the independent public accountant for services to be 
performed under part 363 do not contain any limitation of liability 
provisions that: (1) Indemnify the independent public accountant 
against claims made by third parties; (2) hold harmless or release the 
independent public accountant from liability for claims or potential 
claims that might be asserted by the client insured depository 
institution, other than claims for punitive damages; or (3) limit the 
remedies available to the client insured depository institution. 
Consistent with the Interagency Advisory, the proposed amendment would 
not preclude the use of alternative dispute resolution agreements and 
jury trial waivers. Four commenters expressed support for these 
proposed amendments to part 363. One of these commenters viewed this 
audit committee duty as a best practice. The FDIC is adopting these 
amendments as proposed.
5. Transition Period for Forming and Restructuring Audit Committees
    When an insured depository institution first exceeds the $500 
million total assets threshold and becomes subject to part 363, 
particularly an institution with few shareholders, the FDIC has 
observed that, in some cases, such an institution encounters difficulty 
in satisfying the requirements governing the composition of the 
independent audit committee. If the board of directors lacks a 
sufficient number of outside directors who are independent of 
management to serve on the audit committee, the board members must 
identify and attract qualified individuals in their community who would 
be willing to become directors and audit committee members and who 
would be ``independent of management.'' The lack of guidance in part 
363 on the amount of time in which an institution must bring its audit 
committee into compliance with the requirements governing its 
composition when an institution first becomes subject to part 363 
further complicates this process. This lack of guidance on the time 
frame for attaining compliance also affects the other two asset-size 
thresholds applicable to audit committee composition.
    To provide both clarity and regulatory relief, the FDIC proposed to 
replace outdated guideline 35, which dealt with compliance with the 
audit committee requirements of part 363 when the regulation took 
effect in 1993, with a revised guideline 35, Transition Period for 
Forming and Restructuring Audit Committees. As proposed, guideline 35 
would provide a one-year transition period for forming or restructuring 
the audit committee when an institution first becomes subject to part 
363, when an institution's assets first reach the $1 billion asset-size 
threshold, and when an institution's assets first reach the $3 billion 
asset-size threshold. The proposed revised guideline would state that, 
when an institution first crosses one of these three thresholds based 
on its total assets at the beginning of its fiscal year, no regulatory 
action would be taken if the institution forms or restructures its 
audit committee to comply with the applicable requirements governing 
the composition of the committee by the end of that fiscal year, 
provided the institution complied with any applicable audit committee 
requirements for its preceding fiscal year. The FDIC has also revised 
guideline 35 to clarify that, when an institution first becomes subject 
to part 363, this one-year transition period extends to the requirement 
for an institution's board of directors to develop a set of written 
criteria for determining whether a director who is to serve on the 
audit committee is an outside director and is independent of 
management. Two commenters expressed support for the proposed revisions 
to guideline 35, which the FDIC is adopting as proposed.

F. Other Changes to Part 363

    The FDIC also proposed to make other changes to part 363 to improve 
its clarity, readability, and consistency of language, and to correct 
or eliminate outdated terms, references, and provisions in the 
regulation and Appendix A. No comments on the proposal specifically 
addressed these other changes, which the FDIC is adopting as proposed.

G. Proposed Amendment to Part 308, Subpart U

    In August 2003, pursuant to section 36(g)(4) of the FDI Act, the 
FDIC and the other Federal banking agencies jointly issued final rules 
governing their authority to take disciplinary actions against 
independent public accountants and accounting firms that perform audit 
and attestation services required by section 36.\13\ Under the final 
rules, certain violations of law, negligent conduct, reckless violation 
of professional standards, or lack of qualifications to perform 
auditing services may be considered good cause to remove, suspend, or 
bar an accountant or firm from providing audit and attestation services 
for institutions subject to section 36. The rules also prohibit an 
accountant or accounting firm from performing these services if the 
accountant or firm has been removed, suspended, or debarred by one of 
the agencies, or if the SEC or PCAOB takes certain disciplinary actions 
against the accountant or firm. Additionally, the final rules require 
an accountant or an accounting firm to provide the agencies with 
written notification of the accountant's or firm's removal, suspension, 
or debarment. Part 308, subpart U, of the FDIC's regulations implements 
the requirements of section 36(g)(4) of the FDI Act for institutions 
that are supervised by the FDIC. The FDIC proposed to amend Sec.  
308.604(c) to identify the FDIC location where an accountant or 
accounting firm should file required notices of orders and actions 
regarding removal, suspension, or debarment. The FDIC received no 
comments on this proposed

[[Page 35744]]

amendment, which it is adopting as proposed.
---------------------------------------------------------------------------

    \13\ See 68 FR 48256, April 13, 2003, and the FDIC's Financial 
Institution Letter (FIL) FIL-66-2003, dated August 18, 2003.
---------------------------------------------------------------------------

IV. Final Rule

    The FDIC has considered the comments received on its proposed 
amendments to part 363 and is adopting the amendments with the 
modifications and revisions that are more fully discussed in section 
III of this notice. The following is a summary of the most significant 
changes made to the proposal and incorporated into the final rule in 
response to the comments received:
    - To reduce regulatory burden, the proposed requirement to 
file audit engagement letters within 15 days of acceptance by a covered 
institution was deleted.
    - Guidance was added to the proposed requirement to disclose 
noncompliance with the designated safety and soundness laws and 
regulations--insider loans and dividend restrictions--to explain the 
extent of the required disclosure and to clarify that the disclosure 
applies only to noncompliance with these two designated categories of 
laws and regulations and not every safety and soundness law and 
regulation.
    - To provide holding company subsidiary institutions that 
would not meet the proposed 75 percent of consolidated total assets 
threshold that permits, but does not require, compliance with part 363 
at the holding company level sufficient time to comply at the 
institution level, the effective date of this threshold was delayed 
until fiscal years ending on or after June 15, 2010. Until then, 
institutions may continue to choose to satisfy the requirements of part 
363 at a holding company level (to the extent currently permitted by 
part 363) whether or not the consolidated total assets of the insured 
depository institution subsidiaries of the holding company comprise 75 
percent or more of the holding company's consolidated total assets at 
the beginning of its fiscal year.
    - The proposed requirements regarding the disclosure of 
material weaknesses in internal control over financial reporting by 
management and the independent public accountant were clarified and 
revised for consistency with the applicable auditing standards. The 
final rule provides that management and the accountant must disclose 
those material weaknesses in internal control over financial reporting 
that each has identified that have not been corrected prior to the 
institution's fiscal year-end.
    - The proposed requirements regarding the auditor's 
communications with audit committees were clarified and revised to 
explain that auditors must satisfy the communication requirements set 
forth in the professional standards and those set forth in part 363.
    - The proposed requirement that auditors comply with the 
independence rules of the AICPA, the SEC, and the PCAOB was clarified 
to require compliance with the more restrictive requirement when a 
provision within one of the applicable independence standards differs 
from a provision addressing the same subject matter in one of the other 
independence standards.
    - The proposal was revised to require only the public 
portions of PCAOB inspection reports to be filed with the FDIC.
    - The provision of part 363 stating that an outside director 
who owns 10 percent or more of an institution's stock is not 
independent of management was revised to be consistent with the SEC's 
and the national securities exchanges' rules. Rather than being an 
automatic bar for considering an outside director to be independent of 
management, the rule was revised to require the institution's board of 
directors to document its determination as to whether an outside 
director's ownership of 10 percent or more of the institution's stock 
would interfere with the director's independent judgment in carrying 
out the responsibilities of an audit committee member.
    - The proposed maximum level of compensation, other than 
director and committee fees, that an audit committee member may receive 
and be considered independent of management was increased from $60,000 
to $100,000.
    - Except for the Part 363 Annual Report and the independent 
public accountants' peer review reports and inspection reports, which 
the FDI Act requires to be made publicly available, part 363 was 
revised to exempt all other reports and notifications filed under part 
363 from public disclosure by the FDIC.

V. Effective and Compliance Dates

    Except as noted below, the final rule is effective August 19, 2009. 
Part 363 Annual Reports with a filing deadline on or after the 
effective date of these amendments should be prepared in accordance 
with the final rule.
    To provide the boards of directors of institutions currently 
subject to part 363 sufficient time to comply with the new provision of 
guideline 27 regarding the development of an approved set of written 
criteria for determining whether a director who is to serve on the 
audit committee is an outside director and is independent of 
management, the FDIC has determined that it is appropriate to set a 
delayed compliance date of December 31, 2009, for developing and 
adopting these written criteria. However, this delayed compliance date 
does not apply to the other provisions of guideline 27 regarding the 
composition of the audit committee, which have not been substantively 
changed. More specifically, at least annually, the board of each 
institution should determine whether each existing or potential audit 
committee member is an outside director and, depending on an 
institution's size, whether the requisite number of existing and 
potential audit committee members are ``independent of management'' of 
the institution. Also, the minutes of the board of directors should 
contain the results of and the basis for its determinations with 
respect to each existing and potential audit committee member.
    Also, to provide institutions that currently comply with part 363 
at the holding level but would not meet the 75-percent-of-consolidated-
total-assets threshold for eligibility to comply at the holding company 
level set forth in the final rule (Sec.  363.1(b)(1)(ii)) sufficient 
time to comply with this new requirement, the FDIC has determined that 
it is appropriate for the effective date of this provision of the final 
rule to be delayed until fiscal years ending on or after June 15, 2010. 
In this regard, Sec.  363.1(b)(1) of the final rule not only 
specifically provides for this delayed effective date but it also 
states that, for fiscal years ending on or before June 14, 2010, a 
covered institution that is a subsidiary of a holding company may 
continue to satisfy the audited financial statements requirement of 
part 363 at a holding company level whether or not the covered 
institution's total assets (or the consolidated total assets of all of 
its parent holding company's insured depository institution 
subsidiaries) comprise 75 percent or more of the holding company's 
consolidated total assets at the beginning of the fiscal year.

Regulatory Flexibility Act Analysis

    The Regulatory Flexibility Act (RFA) requires an agency that is 
issuing a final rule to provide a final regulatory flexibility analysis 
or to certify that the rule will not have a significant economic impact 
on a substantial number of small entities. See 5 U.S.C. 603(a) and 5 
U.S.C. 603(b). Under regulations issued by the Small Business 
Administration (see 13 CFR 121.201), a small entity includes a bank 
holding company, commercial bank, or

[[Page 35745]]

savings association with assets of $175 million or less (collectively, 
small banking organizations). This final rule would modify the audit 
and reporting requirements applicable to insured depository 
institutions with total assets of $500 million or more. The FDIC 
believes that this final rule will not have a significant economic 
impact on a substantial number of small entities because the final rule 
expressly exempts insured depository institutions with total assets of 
less than $500 million. In addition, the FDIC did not receive any 
comments that the proposal would have a direct significant impact on 
small banking organizations. Accordingly, the FDIC certifies that this 
rule will not have a significant economic impact on a substantial 
number of small entities.

Paperwork Reduction Act

    This final rule contains modifications to a collection of 
information that has been reviewed and approved by the Office of 
Management and Budget (OMB) under control number 3064-0113, pursuant to 
the Paperwork Reduction Act (44 U.S.C. 3501 et seq.). The estimated 
annual burden for the revisions in this final rule is consistent with 
the burden estimate for those revisions in the proposed rule, taking 
into account a reduction in the number of respondents, and approved by 
OMB. The principal revisions that bear on the collection of information 
under part 363 are the extension of the filing deadline for the Part 
363 Annual Report from 90 to 120 days after the end of the fiscal year 
for an institution that is not a public company or a subsidiary of a 
public company, the replacement of 30-day extension requests (when an 
institution is confronted with extraordinary circumstances beyond its 
reasonable control) with late filing notices (regardless of the 
reason), the modification of the criteria governing the acceptability 
of reports at the holding company level rather than at the institution 
level, the expanded guidance on the content of the management report 
and the independent public accountant's internal control attestation 
report, the board of directors' use of an approved set of written 
criteria for determining whether an audit committee member is an 
outside director and is ``independent of management,'' and the new 
guidelines for institutions merged out of existence and for internal 
control reports for acquired businesses. It is anticipated that the 
overall effect of these changes will be a small burden increase for 
affected insured institutions.
    The estimated reporting burden for the collection of information 
under part 363 is 83,324 hours per year.
    Number of Respondents: 5,205.
    Total Time per Response: 5.16 hrs.
    Total Annual Responses: 16,163.
    Total Annual Burden Hours: 83,324.

Small Business Regulatory Enforcement Fairness Act

    The Small Business Regulatory Enforcement Fairness Act of 1996 
(SBREFA) (Title II, Pub. L. 104-121) provides generally for agencies 
to report rules to Congress and the General Accountability Office (GAO) 
for review. The reporting requirement is triggered when a Federal 
agency issues a final rule. The FDIC will file the appropriate reports 
with Congress and the GAO as required by SBREFA. The Office of 
Management and Budget has determined that the rule does not constitute 
a ``major rule'' as defined by SBREFA.

List of Subjects

12 CFR Part 308

    Administrative practice and procedure, Bank deposit insurance, 
Banks, Banking, Claims, Crime, Equal access to justice, Investigations, 
Lawyers, Penalties, State nonmember banks.

12 CFR Part 363

    Accounting, Administrative practice and procedure, Banks, Banking, 
Reporting and recordkeeping requirements.

For the reasons set forth in the preamble, the Board of Directors of 
the FDIC amends title 12, chapter III, of the Code of Federal 
Regulations as follows:

PART 308--RULES OF PRACTICE AND PROCEDURE

Subpart U--Removal, Suspension, and Debarment of Accountants From 
Performing Audit Services

1. The authority citation for part 308 continues to read as follows:

    Authority: 5 U.S.C. 504, 554-557; 12 U.S.C. 93(b), 164, 505, 
1815(e), 1817, 1818, 1820, 1828, 1829, 1829b, 1831i, 1831m(g)(4), 
1831o, 1831p-1, 1832(c), 1884(b), 1972, 3102, 3108(a), 3349, 3909, 
4717; 15 U.S.C. 78(h) and (i), 78o-4(c), 78o-5, 78q-1, 78s, 78u, 
78u-2, 78u-3 and 78w, 6801(b), 6805(b)(1); 28 U.S.C. 2461 note; 31 
U.S.C. 330, 5321; 42 U.S.C. 4012a; Sec. 3100(s), Pub. L. 104-134, 
110 Stat. 1321-358.


2. Revise Sec.  308.604(c) to read as follows:


Sec.  308.604  Notice of removal, suspension, or debarment.

* * * * *
    (c) Timing and place of notice. Written notice required by this 
paragraph shall be given no later than 15 calendar days following the 
effective date of an order or action, or 15 calendar days before an 
accountant or accounting firm accepts an engagement to provide audit 
services, whichever date is earlier. The written notice must be filed 
by the independent public accountant or accounting firm with the FDIC, 
Accounting and Securities Disclosure Section, 550 17th Street, NW., 
Washington, DC 20429.

3. Revise Part 363 to read as follows:

PART 363--ANNUAL INDEPENDENT AUDITS AND REPORTING REQUIREMENTS

Sec.
363.0 OMB control number.
363.1 Scope and definitions.
363.2 Annual reporting requirements.
363.3 Independent public accountant.
363.4 Filing and notice requirements.
363.5 Audit committees.
Appendix A to Part 363--Guidelines and Interpretations
Appendix B to Part 363--Illustrative Management Reports

    Authority: 12 U.S.C. 1831m.


Sec.  363.0  OMB control number.

    The information collection requirements in this part have been 
approved by the Office of Management and Budget under OMB control 
number 3064-0113.


Sec.  363.1  Scope and definitions.

    (a) Applicability. This part applies to any insured depository 
institution with respect to any fiscal year in which its consolidated 
total assets as of the beginning of such fiscal year are $500 million 
or more. The requirements specified in this part are in addition to any 
other statutory and regulatory requirements otherwise applicable to an 
insured depository institution.
    (b) Compliance by subsidiaries of holding companies. (1) For an 
insured depository institution that is a subsidiary of a holding 
company, the audited financial statements requirement of Sec.  363.2(a) 
may be satisfied:
    (i) For fiscal years ending on or before June 14, 2010, by audited 
consolidated financial statements of the top-tier or any mid-tier 
holding company.
    (ii) For fiscal years ending on or after June 15, 2010, by audited 
consolidated financial statements of the top-tier or any mid-tier 
holding company provided that the consolidated total assets of the 
insured depository institution (or the consolidated total assets of all 
of the holding company's insured depository

[[Page 35746]]

institution subsidiaries, regardless of size, if the holding company 
owns or controls more than one insured depository institution) comprise 
75 percent or more of the consolidated total assets of this top-tier or 
mid-tier holding company as of the beginning of its fiscal year.
    (2) The other requirements of this part for an insured depository 
institution that is a subsidiary of a holding company may be satisfied 
by the top-tier or any mid-tier holding company if the insured 
depository institution meets the criterion specified in Sec.  
363.1(b)(1) and if:
    (i) The services and functions comparable to those required of the 
insured depository institution by this part are provided at this top-
tier or mid-tier holding company level; and
    (ii) The insured depository institution has as of the beginning of 
its fiscal year:
    (A) Total assets of less than $5 billion; or
    (B) Total assets of $5 billion or more and a composite CAMELS 
rating of 1 or 2.
    (3) The appropriate Federal banking agency may revoke the exception 
in paragraph (b)(2) of this section for any institution with total 
assets in excess of $9 billion for any period of time during which the 
appropriate Federal banking agency determines that the institution's 
exemption would create a significant risk to the Deposit Insurance 
Fund.
    (c) Financial reporting. For purposes of the management report 
requirement of Sec.  363.2(b) and the internal control reporting 
requirement of Sec.  363.3(b), ``financial reporting,'' at a minimum, 
includes both financial statements prepared in accordance with 
generally accepted accounting principles for the insured depository 
institution or its holding company and financial statements prepared 
for regulatory reporting purposes. For recognition and measurement 
purposes, financial statements prepared for regulatory reporting 
purposes shall conform to generally accepted accounting principles and 
section 37 of the Federal Deposit Insurance Act.
    (d) Definitions. For purposes of this part, the following 
definitions apply:
    (1) AICPA means the American Institute of Certified Public 
Accountants.
    (2) GAAP means generally accepted accounting principles.
    (3) PCAOB means the Public Company Accounting Oversight Board.
    (4) Public company means an insured depository institution or other 
company that has a class of securities registered with the U.S. 
Securities and Exchange Commission or the appropriate Federal banking 
agency under Section 12 of the Securities Exchange Act of 1934 and 
nonpublic company means an insured depository institution or other 
company that does not meet the definition of a public company.
    (5) SEC means the U.S. Securities and Exchange Commission.
    (6) SOX means the Sarbanes-Oxley Act of 2002.


Sec.  363.2  Annual reporting requirements.

    (a) Audited financial statements. Each insured depository 
institution shall prepare annual financial statements in accordance 
with GAAP, which shall be audited by an independent public accountant. 
The annual financial statements must reflect all material correcting 
adjustments necessary to conform with GAAP that were identified by the 
independent public accountant.
    (b) Management report. Each insured depository institution annually 
shall prepare, as of the end of the institution's most recent fiscal 
year, a management report that must contain the following:
    (1) A statement of management's responsibilities for preparing the 
institution's annual financial statements, for establishing and 
maintaining an adequate internal control structure and procedures for 
financial reporting, and for complying with laws and regulations 
relating to safety and soundness that are designated by the FDIC and 
the appropriate Federal banking agency;
    (2) An assessment by management of the insured depository 
institution's compliance with such laws and regulations during such 
fiscal year. The assessment must state management's conclusion as to 
whether the insured depository institution has complied with the 
designated safety and soundness laws and regulations during the fiscal 
year and disclose any noncompliance with these laws and regulations; 
and
    (3) For an insured depository institution with consolidated total 
assets of $1 billion or more as of the beginning of such fiscal year, 
an assessment by management of the effectiveness of such internal 
control structure and procedures as of the end of such fiscal year that 
must include the following:
    (i) A statement identifying the internal control framework \14\ 
used by management to evaluate the effectiveness of the insured 
depository institution's internal control over financial reporting;
---------------------------------------------------------------------------

    \14\ For example, in the United States, the Committee of 
Sponsoring Organizations (COSO) of the Treadway Commission has 
published Internal Control--Integrated Framework, including an 
addendum on safeguarding assets. Known as the COSO report, this 
publication provides a suitable and available framework for purposes 
of management's assessment.
---------------------------------------------------------------------------

    (ii) A statement that the assessment included controls over the 
preparation of regulatory financial statements in accordance with 
regulatory reporting instructions including identification of such 
regulatory reporting instructions; and
    (iii) A statement expressing management's conclusion as to whether 
the insured depository institution's internal control over financial 
reporting is effective as of the end of its fiscal year. Management 
must disclose all material weaknesses in internal control over 
financial reporting, if any, that it has identified that have not been 
remediated prior to the insured depository institution's fiscal year-
end. Management is precluded from concluding that the institution's 
internal control over financial reporting is effective if there are one 
or more material weaknesses.
    (c) Management report signatures. Subject to the criteria specified 
in Sec.  363.1(b):
    (1) If the audited financial statements requirement specified in 
Sec.  363.2(a) is satisfied at the insured depository institution level 
and the management report requirement specified in Sec.  363.2(b) is 
satisfied in its entirety at the insured depository institution level, 
the management report must be signed by the chief executive officer and 
the chief accounting officer or chief financial officer of the insured 
depository institution;
    (2) If the audited financial statements requirement specified in 
Sec.  363.2(a) is satisfied at the holding company level and the 
management report requirement specified in Sec.  363.2(b) is satisfied 
in its entirety at the holding company level, the management report 
must be signed by the chief executive officer and the chief accounting 
officer or chief financial officer of the holding company; and
    (3) If the audited financial statements requirement specified in 
Sec.  363.2(a) is satisfied at the holding company level and (i) the 
management report requirement specified in Sec.  363.2(b) is satisfied 
in its entirety at the insured depository institution level or (ii) one 
or more of the components of the management report specified in Sec.  
363.2(b) is satisfied at the holding company level and the remaining 
components of the management report are satisfied at the insured 
depository institution level, the management report must be signed by 
the chief executive officers and the chief accounting officers

[[Page 35747]]

or chief financial officers of both the holding company and the insured 
depository institution and the management report must clearly indicate 
the level (institution or holding company) at which each of its 
components is being satisfied.


Sec.  363.3  Independent public accountant.

    (a) Annual audit of financial statements. Each insured depository 
institution shall engage an independent public accountant to audit and 
report on its annual financial statements in accordance with generally 
accepted auditing standards or the PCAOB's auditing standards, if 
applicable, and section 37 of the Federal Deposit Insurance Act (12 
U.S.C. 1831n). The scope of the audit engagement shall be sufficient to 
permit such accountant to determine and report whether the financial 
statements are presented fairly and in accordance with GAAP.
    (b) Internal control over financial reporting. For each insured 
depository institution with total assets of $1 billion or more at the 
beginning of the institution's fiscal year, the independent public 
accountant who audits the institution's financial statements shall 
examine, attest to, and report separately on the assertion of 
management concerning the effectiveness of the institution's internal 
control structure and procedures for financial reporting. The 
attestation and report shall be made in accordance with generally 
accepted standards for attestation engagements or the PCAOB's auditing 
standards, if applicable. The accountant's report must not be dated 
prior to the date of the management report and management's assessment 
of the effectiveness of internal control over financial reporting. 
Notwithstanding the requirements set forth in applicable professional 
standards, the accountant's report must include the following:
    (1) A statement identifying the internal control framework used by 
the independent public accountant, which must be the same as the 
internal control framework used by management, to evaluate the 
effectiveness of the insured depository institution's internal control 
over financial reporting;
    (2) A statement that the independent public accountant's evaluation 
included controls over the preparation of regulatory financial 
statements in accordance with regulatory reporting instructions 
including identification of such regulatory reporting instructions; and
    (3) A statement expressing the independent public accountant's 
conclusion as to whether the insured depository institution's internal 
control over financial reporting is effective as of the end of its 
fiscal year. The report must disclose all material weaknesses in 
internal control over financial reporting that the independent public 
accountant has identified that have not been remediated prior to the 
insured depository institution's fiscal year-end. The independent 
public accountant is precluded from concluding that the insured 
depository institution's internal control over financial reporting is 
effective if there are one or more material weaknesses.
    (c) Notice by accountant of termination of services. An independent 
public accountant performing an audit under this part who ceases to be 
the accountant for an insured depository institution shall notify the 
FDIC, the appropriate Federal banking agency, and any appropriate State 
bank supervisor in writing of such termination within 15 days after the 
occurrence of such event, and set forth in reasonable detail the 
reasons for such termination. The written notice shall be filed at the 
place identified in Sec.  363.4(f).
    (d) Communications with audit committee. In addition to the 
requirements for communications with audit committees set forth in 
applicable professional standards, the independent public accountant 
must report the following on a timely basis to the audit committee:
    (1) All critical accounting policies and practices to be used by 
the insured depository institution,
    (2) All alternative accounting treatments within GAAP for policies 
and practices related to material items that the independent public 
accountant has discussed with management, including the ramifications 
of the use of such alternative disclosures and treatments, and the 
treatment preferred by the independent public accountant, and
    (3) Other written communications the independent public accountant 
has provided to management, such as a management letter or schedule of 
unadjusted differences.
    (e) Retention of working papers. The independent public accountant 
must retain the working papers related to the audit of the insured 
depository institution's financial statements and, if applicable, the 
evaluation of the institution's internal control over financial 
reporting for seven years from the report release date, unless a longer 
period of time is required by law.
    (f) Independence. The independent public accountant must comply 
with the independence standards and interpretations of the AICPA, the 
SEC, and the PCAOB. To the extent that any of the rules within any one 
of these independence standards (AICPA, SEC, and PCAOB) is more or less 
restrictive than the corresponding rule in the other independence 
standards, the independent public accountant must comply with the more 
restrictive rule.
    (g) Peer reviews and inspection reports. (1) Prior to commencing 
any services for an insured depository institution under this part, the 
independent public accountant must have received a peer review, or be 
enrolled in a peer review program, that meets acceptable guidelines. 
Acceptable peer reviews include peer reviews performed in accordance 
with the AICPA's Peer Review Standards and inspections conducted by the 
PCAOB.
    (2) Within 15 days of receiving notification that a peer review has 
been accepted or a PCAOB inspection report has been issued, or before 
commencing any audit under this part, whichever is earlier, the 
independent public accountant must file two copies of the most recent 
peer review report and the public portion of the most recent PCAOB 
inspection report, if any, accompanied by any letters of comments, 
response, and acceptance, with the FDIC, Accounting and Securities 
Disclosure Section, 550 17th Street, NW., Washington, DC 20429, if the 
report has not already been filed. The peer review reports and the 
public portions of the PCAOB inspection reports will be made available 
for public inspection by the FDIC.
    (3) Within 15 days of the PCAOB making public a previously 
nonpublic portion of an inspection report, the independent public 
accountant must file two copies of the previously nonpublic portion of 
the inspection report with the FDIC, Accounting and Securities 
Disclosure Section, 550 17th Street, NW., Washington, DC 20429. Such 
previously nonpublic portion of the PCAOB inspection report will be 
made available for public inspection by the FDIC.


Sec.  363.4  Filing and notice requirements.

    (a) Part 363 Annual Report. (1) Each insured depository institution 
shall file with each of the FDIC, the appropriate Federal banking 
agency, and any appropriate State bank supervisor, two copies of its 
Part 363 Annual Report. A Part 363 Annual Report must contain audited 
comparative annual financial statements, the independent public 
accountant's report thereon, a management report, and, if applicable, 
the independent public accountant's attestation report on management's 
assessment concerning the institution's internal control structure and

[[Page 35748]]

procedures for financial reporting as required by Sec. Sec.  363.2(a), 
363.3(a), 363.2(b), and 363.3(b), respectively.
    (2) Subject to the criteria specified in Sec.  363.1(b), each 
insured depository institution with consolidated total assets of less 
than $1 billion as of the beginning of its fiscal year that is required 
to file, or whose parent holding company is required to file, 
management's assessment of the effectiveness of internal control over 
financial reporting with the SEC or the appropriate Federal banking 
agency in accordance with section 404 of SOX must submit a copy of such 
assessment to the FDIC, the appropriate Federal banking agency, and any 
appropriate State bank supervisor with its Part 363 Annual Report as 
additional information. This assessment will not be considered part of 
the institution's Part 363 Annual Report.
    (3)(i) Each insured depository institution that is neither a public 
company nor a subsidiary of a public company that meets the criterion 
specified in Sec.  363.1(b)(1) shall file its Part 363 Annual Report 
within 120 days after the end of its fiscal year.
    (ii) Each insured depository institution that is a public company or 
a subsidiary of a public company that meets the criterion specified in 
Sec.  363.1(b)(1) shall file its Part 363 Annual Report within 90 days 
after the end of its fiscal year.
    (b) Public availability. Except for the annual report in paragraph 
(a)(1) of this section and the peer reviews and inspection reports in 
Sec.  363.3(g), which shall be available for public inspection, the 
FDIC has determined that all other reports and notifications required 
by this part are exempt from public disclosure by the FDIC.
    (c) Independent public accountant's letters and reports. Except for 
the independent public accountant's reports that are included in its 
Part 363 Annual Report, each insured depository institution shall file 
with the FDIC, the appropriate Federal banking agency, and any 
appropriate State bank supervisor, a copy of any management letter or 
other report issued by its independent public accountant with respect 
to such institution and the services provided by such accountant 
pursuant to this part within 15 days after receipt. Such reports 
include, but are not limited to:
    (1) Any written communication regarding matters that are required 
to be communicated to the audit committee (for example, critical 
accounting policies, alternative accounting treatments discussed with 
management, and any schedule of unadjusted differences);
    (2) Any written communication of significant deficiencies and 
material weaknesses in internal control required by the AICPA's or the 
PCAOB's auditing standards;
    (3) For institutions with total assets of less than $1 billion as 
of the beginning of their fiscal year that are public companies or 
subsidiaries of public companies that meet the criterion specified in 
Sec.  363.1(b)(1), any independent public accountant's report on the 
audit of internal control over financial reporting required by section 
404 of SOX and the PCAOB's auditing standards; and
    (4) For all institutions that are public companies or subsidiaries 
of public companies that meet the criterion specified in Sec.  
363.1(b)(1), any independent public accountant's written communication 
of all deficiencies in internal control over financial reporting that 
are of a lesser magnitude than significant deficiencies required by the 
PCAOB's auditing standards.
    (d) Notice of engagement or change of accountants. Each insured 
depository institution shall provide, within 15 days after the 
occurrence of any such event, written notice to the FDIC, the 
appropriate Federal banking agency, and any appropriate State bank 
supervisor of the engagement of an independent public accountant, or 
the resignation or dismissal of the independent public accountant 
previously engaged. The notice shall include a statement of the reasons 
for any such resignation or dismissal in reasonable detail.
    (e) Notification of late filing. No extensions of time for filing 
reports required by Sec.  363.4 shall be granted. An insured depository 
institution that is unable to timely file all or any portion of its 
Part 363 Annual Report or any other report or notice required by Sec.  
363.4 shall submit a written notice of late filing to the FDIC, the 
appropriate Federal banking agency, and any appropriate State bank 
supervisor. The notice shall disclose the institution's inability to 
timely file all or specified portions of its Part 363 Annual Report or 
any other report or notice and the reasons therefor in reasonable 
detail. The late filing notice shall also state the date by which the 
report or notice will be filed. The written notice shall be filed on or 
before the deadline for filing the Part 363 Annual Report or any other 
report or notice, as appropriate.
    (f) Place for filing. The Part 363 Annual Report, any written 
notification of late filing, and any other report or notice required by 
Sec.  363.4 should be filed as follows:
    (1) FDIC: Appropriate FDIC Regional or Area Office (Division of 
Supervision and Consumer Protection), i.e., the FDIC regional or area 
office in the FDIC region or area that is responsible for monitoring 
the institution or, in the case of a subsidiary institution of a 
holding company, the consolidated company. A filing made on behalf of 
several covered institutions owned by the same parent holding company 
should be accompanied by a transmittal letter identifying all of the 
institutions covered.
    (2) Office of the Comptroller of the Currency (OCC): Appropriate 
OCC Supervisory Office.
    (3) Federal Reserve: Appropriate Federal Reserve Bank.
    (4) Office of Thrift Supervision (OTS): Appropriate OTS District 
Office.
    (5) State bank supervisor: The filing office of the appropriate 
State bank supervisor.


Sec.  363.5  Audit committees.

    (a) Composition and duties. Each insured depository institution 
shall establish an audit committee of its board of directors, the 
composition of which complies with paragraphs (a)(1), (2), and (3) of 
this section. The duties of the audit committee shall include the 
appointment, compensation, and oversight of the independent public 
accountant who performs services required under this part, and 
reviewing with management and the independent public accountant the 
basis for the reports issued under this part.
    (1) Each insured depository institution with total assets of $1 
billion or more as of the beginning of its fiscal year shall establish 
an independent audit committee of its board of directors, the members 
of which shall be outside directors who are independent of management 
of the institution.
    (2) Each insured depository institution with total assets of $500 
million or more but less than $1 billion as of the beginning of its 
fiscal year shall establish an audit committee of its board of 
directors, the members of which shall be outside directors, the 
majority of whom shall be independent of management of the institution. 
The appropriate Federal banking agency may, by order or regulation, 
permit the audit committee of such an insured depository institution to 
be made up of less than a majority of outside directors who are 
independent of management, if the agency determines that the 
institution has encountered hardships in retaining and recruiting a 
sufficient number of competent outside directors to serve on the audit 
committee of the institution.

[[Page 35749]]

    (3) An outside director is a director who is not, and within the 
preceding fiscal year has not been, an officer or employee of the 
institution or any affiliate of the institution.
    (b) Committees of large institutions. The audit committee of any 
insured depository institution with total assets of more than $3 
billion as of the beginning of its fiscal year shall include members 
with banking or related financial management expertise, have access to 
its own outside counsel, and not include any large customers of the 
institution. If a large institution is a subsidiary of a holding 
company and relies on the audit committee of the holding company to 
comply with this rule, the holding company's audit committee shall not 
include any members who are large customers of the subsidiary 
institution.
    (c) Independent public accountant engagement letters. (1) In 
performing its duties with respect to the appointment of the 
institution's independent public accountant, the audit committee shall 
ensure that engagement letters and any related agreements with the 
independent public accountant for services to be performed under this 
part do not contain any limitation of liability provisions that:
    (i) Indemnify the independent public accountant against claims made 
by third parties;
    (ii) Hold harmless or release the independent public accountant 
from liability for claims or potential claims that might be asserted by 
the client insured depository institution, other than claims for 
punitive damages; or
    (iii) Limit the remedies available to the client insured depository 
institution.
    (2) Alternative dispute resolution agreements and jury trial waiver 
provisions are not precluded from engagement letters provided that they 
do not incorporate any limitation of liability provisions set forth in 
paragraph (c)(1) of this section.

Appendix A to Part 363--Guidelines and Interpretations

Table of Contents

Introduction

Scope of Rule and Definitions (Sec.  363.1)
    1. Measuring Total Assets
    2. Insured Branches of Foreign Banks
    3. Compliance by Holding Company Subsidiaries
    4. Comparable Services and Functions
    4A. Financial Reporting
Annual Reporting Requirements (Sec.  363.2)
    5. Annual Financial Statements
    5A. Institutions Merged out of Existence
    6. Holding Company Statements
    7. Insured Branches of Foreign Banks
    7A. Compliance with Designated Laws and Regulations
    8. Management Report
    8A. Management's Reports on Internal Control over Financial 
Reporting under Part 363 and Section 404 of SOX
    8B. Internal Control Reports and Part 363 Annual Reports for 
Acquired Businesses
    8C. Management's Disclosure of Noncompliance with the Designated 
Laws and Regulations
    9. Safeguarding of Assets
    10. Standards for Internal Control
    11. Service Organizations
    12. Reserved
Role of Independent Public Accountant (Sec.  363.3)
    13. General Qualifications
    14. Reserved
    15. Peer Review Guidelines
    16. Reserved
    17. Information to be Provided to the Independent Public 
Accountant
    18. Attestation Report and Management Letters
    18A. Internal Control Attestation Standards for Independent 
Auditors
    19. Reviews with Audit Committee and Management
    20. Notice of Termination
    21. Reliance on Internal Auditors
Filing and Notice Requirements (Sec.  363.4)
    22. Reserved
    23. Notification of Late Filing
    24. Public Availability
    25. Reserved
    26. Notices Concerning Accountants
Audit Committees (Sec.  363.5)
    27. Composition
    28. ``Independent of Management'' Considerations
    29. Reserved
    30. Holding Company Audit Committees
    31. Duties
    32. Banking or Related Financial Management Expertise
    33. Large Customers
    34. Access to Counsel
    35. Transition Period for Forming and Restructuring Audit 
Committees
Other
    36. Modifications of Guidelines

Introduction

    Congress added section 36, ``Early Identification of Needed 
Improvements in Financial Management'' (section 36), to the Federal 
Deposit Insurance Act (FDI Act) in 1991.
    The FDIC Board of Directors adopted 12 CFR part 363 of its rules 
and regulations (the Rule) to implement those provisions of section 
36 that require rulemaking. The FDIC also approved these 
``Guidelines and Interpretations'' (the Guidelines) and directed 
that they be published with the Rule to facilitate a better 
understanding of, and full compliance with, the provisions of 
section 36.
    Although not contained in the Rule itself, some of the guidance 
offered restates or refers to statutory requirements of section 36 
and is therefore mandatory. If that is the case, the statutory 
provision is cited.
    Furthermore, upon adopting the Rule, the FDIC reiterated its 
belief that every insured depository institution, regardless of its 
size or charter, should have an annual audit of its financial 
statements performed by an independent public accountant, and should 
establish an audit committee comprised entirely of outside 
directors.
    The following Guidelines reflect the views of the FDIC 
concerning the interpretation of section 36. The Guidelines are 
intended to assist insured depository institutions (institutions), 
their boards of directors, and their advisors, including their 
independent public accountants and legal counsel, and to clarify 
section 36 and the Rule. It is recognized that reliance on the 
Guidelines may result in compliance with section 36 and the Rule 
which may vary from institution to institution. Terms which are not 
explained in the Guidelines have the meanings given them in the 
Rule, the FDI Act, or professional accounting and auditing 
literature.

Scope of Rule and Definitions (Sec.  363.1)

    1. Measuring Total Assets. To determine whether this part 
applies, an institution should use total assets as reported on its 
most recent Report of Condition (Call Report) or Thrift Financial 
Report (TFR), the date of which coincides with the end of its 
preceding fiscal year. If its fiscal year ends on a date other than 
the end of a calendar quarter, it should use its Call Report or TFR 
for the quarter end immediately preceding the end of its fiscal 
year.
    2. Insured Branches of Foreign Banks. Unlike other institutions, 
insured branches of foreign banks are not separately incorporated or 
capitalized. To determine whether this part applies, an insured 
branch should measure claims on non-related parties reported on its 
Report of Assets and Liabilities of U.S. Branches and Agencies of 
Foreign Banks (form FFIEC 002).
    3. Compliance by Holding Company Subsidiaries. Audited 
consolidated financial statements and other reports or notices 
required by this part that are submitted by a holding company for 
any subsidiary institution should be accompanied by a cover letter 
identifying all subsidiary institutions subject to part 363 that are 
included in the holding company's submission. When submitting a Part 
363 Annual Report, the cover letter should identify all subsidiary 
institutions subject to part 363 included in the consolidated 
financial statements and state whether the other annual report 
requirements (i.e., management's statement of responsibilities, 
management's assessment of compliance with designated safety and 
soundness laws and regulations, and, if applicable, management's 
assessment of the effectiveness of internal control over financial 
reporting and the independent public accountant's attestation report 
on management's internal control assessment) are being satisfied for 
these institutions at the holding company level or at the 
institution level. An institution filing holding company 
consolidated financial statements as permitted by Sec.  363.1(b)(1) 
also may report on changes in its independent public accountant on a 
holding company basis. An institution that does not meet the 
criteria in Sec.  363.1(b)(2) must satisfy the remaining provisions 
of this part on an individual institution basis and maintain its own 
audit committee. Subject to the criteria in Sec. Sec.  363.1(b)(1) 
and (2), a multi-

[[Page 35750]]

tiered holding company may satisfy all of the requirements of this 
part at the top-tier or any mid-tier holding company level.
    4. Comparable Services and Functions. Services and functions 
will be considered ``comparable'' to those required by this part if 
the holding company:
    (a) Prepares reports used by the subsidiary institution to meet 
the requirements of this part;
    (b) Has an audit committee that meets the requirements of this 
part appropriate to its largest subsidiary institution; and
    (c) Prepares and submits management's assessment of compliance 
with the Designated Laws and Regulations defined in guideline 7A 
and, if applicable, management's assessment of the effectiveness of 
internal control over financial reporting based on information 
concerning the relevant activities and operations of those 
subsidiary institutions within the scope of the Rule.
    4A. Financial Statements Prepared for Regulatory Reporting 
Purposes. (a) As set forth in Sec.  363.3(c) of this part, 
``financial reporting,'' at a minimum, includes both financial 
statements prepared in accordance with generally accepted accounting 
principles for the insured depository institution or its holding 
company and financial statements prepared for regulatory reporting 
purposes. More specifically, financial statements prepared for 
regulatory reporting purposes include the schedules equivalent to 
the basic financial statements that are included in an insured 
depository institution's or its holding company's appropriate 
regulatory report (for example, Schedules RC, RI, and RI-A in the 
Consolidated Reports of Condition and Income (Call Report) for an 
insured bank; and Schedules SC and SO, and the Summary of Changes in 
Equity Capital section in Schedule SI in the Thrift Financial Report 
(TFR) for an insured thrift institution). For recognition and 
measurement purposes, financial statements prepared for regulatory 
reporting purposes shall conform to generally accepted accounting 
principles and section 37 of the Federal Deposit Insurance Act.
    (b) Financial statements prepared for regulatory reporting 
purposes do not include regulatory reports prepared by a non-bank 
subsidiary of a holding company or an institution. For example, if a 
bank holding company or an insured depository institution owns an 
insurance subsidiary, financial statements prepared for regulatory 
reporting purposes would not include any regulatory reports that the 
insurance subsidiary is required to submit to its appropriate 
insurance regulatory agency.

Annual Reporting Requirements (Sec.  363.2)

    5. Annual Financial Statements. Each institution (other than an 
insured branch of a foreign bank) should prepare comparative annual 
consolidated financial statements (balance sheets and statements of 
income, changes in equity capital, and cash flows, with accompanying 
footnote disclosures) in accordance with GAAP for each of its two 
most recent fiscal years. Statements for the earlier year may be 
presented on an unaudited basis if the institution was not subject 
to this part for that year and audited statements were not prepared.
    5A. Institutions Merged Out of Existence. An institution that is 
merged out of existence after the end of its fiscal year, but before 
the deadline for filing its Part 363 Annual Report (120 days after 
the end of its fiscal year for an institution that is neither a 
public company nor a subsidiary of a public company that meets the 
criterion specified in Sec.  363.1(b)(1), and 90 days after the end 
of its fiscal year for an institution that is a public company or a 
subsidiary of a public company that meets the criterion specified in 
Sec.  363.1(b)(1)), is not required to file a Part 363 Annual Report 
for the last fiscal year of its existence.
    6. Holding Company Statements. Subject to the criterion 
specified in Sec.  363.1(b)(1), subsidiary institutions may file 
copies of their holding company's audited financial statements filed 
with the SEC or prepared for their FR Y-6 Annual Report under the 
Bank Holding Company Act of 1956 to satisfy the audited financial 
statements requirement of Sec.  363.2(a).
    7. Insured Branches of Foreign Banks. An insured branch of a 
foreign bank should satisfy the financial statements requirement by 
filing one of the following for each of its two most recent fiscal 
years:
    (a) Audited balance sheets, disclosing information about 
financial instruments with off-balance-sheet risk;
    (b) Schedules RAL and L of form FFIEC 002, prepared and audited 
on the basis of the instructions for its preparation; or
    (c) With written approval of the appropriate Federal banking 
agency, consolidated financial statements of the parent bank.
    7A. Compliance with Designated Laws and Regulations. The 
designated laws and regulations are the Federal laws and regulations 
concerning loans to insiders and the Federal and, if applicable, 
State laws and regulations concerning dividend restrictions (the 
Designated Laws and Regulations). Table 1 to this Appendix A lists 
the designated Federal laws and regulations pertaining to insider 
loans and dividend restrictions (but not the State laws and 
regulations pertaining to dividend restrictions) that are applicable 
to each type of institution.
    8. Management Report. Management should perform its own 
investigation and review of compliance with the Designated Laws and 
Regulations and, if required, the effectiveness of internal control 
over financial reporting. Management should maintain records of its 
determinations and assessments until the next Federal safety and 
soundness examination, or such later date as specified by the FDIC 
or the appropriate Federal banking agency. Management should provide 
in its assessment of the effectiveness of internal control over 
financial reporting, or supplementally, sufficient information to 
enable the accountant to report on its assertions. The management 
report of an insured branch of a foreign bank should be signed by 
the branch's managing official if the branch does not have a chief 
executive officer or a chief accounting or financial officer.
    8A. Management's Reports on Internal Control over Financial 
Reporting under Part 363 and Section 404 of SOX. An institution with 
$1 billion or more in total assets as of the beginning of its fiscal 
year that is subject to both part 363 and the SEC's rules 
implementing section 404 of SOX (as well as a public holding company 
permitted under the holding company exception in Sec.  363.1(b)(2) 
to file an internal control report on behalf of one or more 
subsidiary institutions with $1 billion or more in total assets) can 
choose either of the following two options for filing management's 
report on internal control over financial reporting.
    (i) Management can prepare two separate reports on the 
institution's or the holding company's internal control over 
financial reporting to satisfy the FDIC's part 363 requirements and 
the SEC's section 404 requirements; or
    (ii) Management can prepare a single report on internal control 
over financial reporting provided that it satisfies all of the 
FDIC's part 363 requirements and all of the SEC's section 404 
requirements.
    8B. Internal Control Reports and Part 363 Annual Reports for 
Acquired Businesses. Generally, the FDIC expects management's and 
the related independent public accountant's report on an 
institution's internal control over financial reporting to include 
controls at an institution in its entirety, including all of its 
consolidated entities. However, it may not always be possible for 
management to conduct an assessment of the internal control over 
financial reporting of an acquired business in the period between 
the consummation date of the acquisition and the due date of 
management's internal control assessment.
    (a) In such instances, the acquired business's internal control 
structure and procedures for financial reporting may be excluded 
from management's assessment report and the accountant's attestation 
report on internal control over financial reporting. However, the 
FDIC expects management's assessment report to identify the acquired 
business, state that the acquired business is excluded, and indicate 
the significance of this business to the institution's consolidated 
financial statements. Notwithstanding management's exclusion of the 
acquired business's internal control from its assessment, management 
should disclose any material change to the institution's internal 
control over financial reporting due to the acquisition of this 
business. Also, management may not omit the assessment of the 
acquired business's internal control from more than one annual part 
363 assessment report on internal control over financial reporting. 
When the acquired business's internal control over financial 
reporting is excluded from management's assessment, the independent 
public accountant may likewise exclude this acquired business's 
internal control over financial reporting from the accountant's 
evaluation of internal control over financial reporting.
    (b) If the acquired business is or has a consolidated subsidiary 
that is an insured depository institution subject to part 363 and 
the institution is not merged out of existence before the deadline 
for filing its Part 363 Annual Report (120 days after the end of its 
fiscal year for an institution that is neither a public company nor 
a subsidiary of a public

[[Page 35751]]

company that meets the criterion specified in Sec.  363.1(b)(1), and 
90 days after the end of its fiscal year for an institution that is 
a public company or a subsidiary of a public company that meets the 
criterion specified in Sec.  363.1(b)(1)), the acquired institution 
must continue to comply with all of the applicable requirements of 
part 363, including filing its Part 363 Annual Report.
    8C. Management's Disclosure of Noncompliance with the Designated 
Laws and Regulations. Management's disclosure of noncompliance, if 
any, with the Designated Laws and Regulations should separately 
indicate the number of instances or frequency of noncompliance with 
the Federal laws and regulations pertaining to insider loans and the 
Federal (and, if applicable, State) laws and regulations pertaining 
to dividend restrictions. The disclosure is not required to 
specifically identify by name the individuals (e.g., officers or 
directors) who were responsible for or were the subject of any such 
noncompliance. However, the disclosure should include appropriate 
qualitative and quantitative information to describe the nature, 
type, and severity of the noncompliance and the dollar amount of the 
insider loan(s) or dividend(s) involved. Similar instances of 
noncompliance may be aggregated as to number of instances and 
quantified as to the dollar amounts or the range of dollar amounts 
of insider loans and/or dividends for which noncompliance occurred. 
Management may also wish to describe any corrective actions taken in 
response to the instances of noncompliance as well as any controls or 
procedures that are being developed or that have been developed and 
implemented to prevent or detect and correct future instances of 
noncompliance on a timely basis.
    9. Safeguarding of Assets. ``Safeguarding of assets,'' as the 
term relates to internal control policies and procedures regarding 
financial reporting and which has precedent in accounting and 
auditing literature, should be encompassed in the management report 
and the independent public accountant's attestation discussed in 
guideline 18. Testing the existence of and compliance with internal 
controls on the management of assets, including loan underwriting 
and documentation, represents a reasonable implementation of section 
36. The FDIC expects such internal controls to be encompassed by the 
assertion in the management report, but the term ``safeguarding of 
assets'' need not be specifically stated. The FDIC does not require 
the accountant to attest to the adequacy of safeguards, but does 
require the accountant to determine whether safeguarding policies 
exist.\15\
---------------------------------------------------------------------------

    \15\ It is management's responsibility to establish policies 
concerning underwriting and asset management and to make credit 
decisions. The auditor's role is to test compliance with 
management's policies relating to financial reporting.
---------------------------------------------------------------------------

    10. Standards for Internal Control. The management of each 
insured depository institution with $1 billion or more in total 
assets as of the beginning of its fiscal year should base its 
assessment of the effectiveness of the institution's internal 
control over financial reporting on a suitable, recognized control 
framework established by a body of experts that followed due-process 
procedures, including the broad distribution of the framework for 
public comment. In addition to being available to users of 
management's reports, a framework is suitable only when it:
     Is free from bias;
     Permits reasonably consistent qualitative and 
quantitative measurements of an institution's internal control over 
financial reporting;
     Is sufficiently complete so that those relevant factors 
that would alter a conclusion about the effectiveness of an 
institution's internal control over financial reporting are not 
omitted; and
     Is relevant to an evaluation of internal control over 
financial reporting.
    In the United States, Internal Control--Integrated Framework, 
including its addendum on safeguarding assets, which was published 
by the Committee of Sponsoring Organizations of the Treadway 
Commission, and is known as the COSO report, provides a suitable and 
recognized framework for purposes of management's assessment. Other 
suitable frameworks have been published in other countries or may be 
developed in the future. Such other suitable frameworks may be used 
by management and the institution's independent public accountant in 
assessments, attestations, and audits of internal control over 
financial reporting.
    11. Service Organizations. Although service organizations should 
be considered in determining if internal control over financial 
reporting is effective, an institution's independent public 
accountant, its management, and its audit committee should exercise 
independent judgment concerning that determination. Onsite reviews 
of service organizations may not be necessary to prepare the report 
required by the Rule, and the FDIC does not intend that the Rule 
establish any such requirement.
    12. [Reserved.]

Role of Independent Public Accountant (Sec.  363.3)

    13. General Qualifications. To provide audit and attest services 
to insured depository institutions, an independent public accountant 
should be registered or licensed to practice as a public accountant, 
and be in good standing, under the laws of the State or other 
political subdivision of the United States in which the home office 
of the institution (or the insured branch of a foreign bank) is 
located. As required by section 36(g)(3)(A)(i), the accountant must 
agree to provide copies of any working papers, policies, and 
procedures relating to services performed under this part.
    14. [Reserved.]
    15. Peer Review Guidelines. The following peer review guidelines 
are acceptable:
    (a) The external peer review should be conducted by an 
organization independent of the accountant or firm being reviewed, 
as frequently as is consistent with professional accounting 
practices;
    (b) The peer review (other than a PCAOB inspection) should be 
generally consistent with AICPA Peer Review Standards; and
    (c) The review should include, if available, at least one audit 
on an insured depository institution or consolidated depository 
institution holding company.
    16. [Reserved.]
    17. Information to be Provided to the Independent Public 
Accountant. Attention is directed to section 36(h) which requires 
institutions to provide specified information to their accountants. 
An institution also should provide its accountant with copies of any 
notice that the institution's capital category is being changed or 
reclassified under section 38 of the FDI Act, and any correspondence 
from the appropriate Federal banking agency concerning compliance 
with this part.
    18. Attestation Report and Management Letters. The independent 
public accountant should provide the institution with any management 
letter and, if applicable, an internal control attestation report 
(as required by section 36(c)(1)) at the conclusion of the audit. 
The independent public accountant's attestation report on internal 
control over financial reporting must specifically include a 
statement as to regulatory reporting. If a holding company 
subsidiary relies on its holding company's management report to 
satisfy the Part 363 Annual Report requirements, the accountant may 
attest to and report on the management's assertions in one report, 
without reporting separately on each subsidiary covered by the Rule. 
The FDIC has determined that management letters are exempt from 
public disclosure.
    18A. Internal Control Attestation Standards for Independent 
Auditors. (a) Sec.  363.3(b) provides that the independent public 
accountant's attestation and report on management's assertion 
concerning the effectiveness of an institution's internal control 
structure and procedures for financial reporting shall be made in 
accordance with generally accepted standards for attestation 
engagements or the PCAOB's auditing standards, if applicable. The 
standards that should be followed by the institution's independent 
public accountant concerning internal control over financial 
reporting for institutions with $1 billion or more in total assets 
can be summarized as follows:
    (1) For an insured institution that is neither a public company 
nor a subsidiary of a public company, its independent public 
accountant need only follow the AICPA's attestation standards.
    (2) For an insured institution that is a public company that is 
required to comply with the auditor attestation requirement of 
section 404 of SOX, its independent public accountant should follow 
the PCAOB's auditing standards.
    (3) For an insured institution that is a public company but is 
not required to comply with the auditor attestation requirement of 
section 404 of SOX, its independent public accountant is not 
required to follow the PCAOB's auditing standards. In this case, the 
accountant need only follow the AICPA's attestation standards.
    (4) For an insured institution that is a subsidiary of a public 
company that is required to comply with the auditor attestation 
requirement of section 404 of

[[Page 35752]]

SOX, but is not itself a public company, the institution and its 
independent public accountant have flexibility in complying with the 
internal control requirements of part 363. If the conditions 
specified in Sec.  363.1(b)(2) are met, management and the 
independent public accountant may choose to report on internal 
control over financial reporting at the consolidated holding company 
level. In this situation, the independent public accountant's work 
would be performed for the public company in accordance with the 
PCAOB's auditing standards. Alternatively, the institution may 
choose to comply with the internal control reporting requirements of 
part 363 at the institution level and its independent public 
accountant could follow the AICPA's attestation standards.
    (b) If an independent public accountant need only follow the 
AICPA's attestation standards, the accountant and the insured 
institution may instead agree to have the internal control 
attestation performed under the PCAOB's auditing standards.
    19. Reviews with Audit Committee and Management. The independent 
public accountant should meet with the institution's audit committee 
to review the accountant's reports required by this part before they 
are filed. It also may be appropriate for the accountant to review 
its findings with the institution's board of directors and 
management.
    20. Notice of Termination. The notice of termination required by 
Sec.  363.3(c) should state whether the independent public 
accountant agrees with the assertions contained in any notice filed 
by the institution under Sec.  363.4(d), and whether the 
institution's notice discloses all relevant reasons for the 
accountant's termination. Subject to the criterion specified in 
Sec.  363.1(b)(1) regarding compliance with the audited financial 
statements requirement at the holding company level, the independent 
public accountant for an insured depository institution that is a 
public company and files reports with its appropriate Federal 
banking agency, or is a subsidiary of a public company that files 
reports with the SEC, may submit the letter it furnished to 
management to be filed with the institution's or the holding 
company's current report (e.g., SEC Form 8-K) concerning a change in 
accountant to satisfy the notice requirements of Sec.  363.3(c). 
Alternatively, if the independent public accountant confirms that 
management has filed a current report (e.g., SEC Form 8-K) 
concerning a change in accountant that satisfies the notice 
requirements of Sec.  363.4(d) and includes an independent public 
accountant's letter that satisfies the requirements of Sec.  
363.3(c), the independent public accountant may rely on the current 
report (e.g., SEC Form 8-K) filed with the FDIC by management 
concerning a change in accountant to satisfy the notice requirements 
of Sec.  363.3(c).
    21. Reliance on Internal Auditors. Nothing in this part or this 
Appendix is intended to preclude the ability of the independent 
public accountant to rely on the work of an institution's internal 
auditor.

Filing and Notice Requirements (Sec.  363.4)

    22. [Reserved.]
    23. Notification of Late Filing. (a) An institution's submission 
of a written notice of late filing does not cure the requirement to 
timely file the Part 363 Annual Report or other reports or notices 
required by Sec.  363.4. An institution's failure to timely file is 
considered an apparent violation of part 363.
    (b) If the late filing notice submitted pursuant to Sec.  
363.4(e) relates only to a portion of a Part 363 Annual Report or 
any other report or notice, the insured depository institution 
should file the other components of the report or notice within the 
prescribed filing period together with a cover letter that indicates 
which components of its Part 363 Annual Report or other report or 
notice are omitted. An institution may combine the written late 
filing notice and the cover letter into a single notice that is 
submitted together with the other components of the report or notice 
that are being timely filed.
    24. Public Availability. Each institution's Part 363 Annual 
Report should be available for public inspection at its main and 
branch offices no later than 15 days after it is filed with the 
FDIC. Alternatively, an institution may elect to mail one copy of 
its Part 363 Annual Report to any person who requests it. The Part 
363 Annual Report should remain available to the public until the 
Part 363 Annual Report for the next year is available. An 
institution may use its Part 363 Annual Report under this part to 
meet the annual disclosure statement required by 12 CFR 350.3, if 
the institution satisfies all other requirements of 12 CFR Part 350.
    25. [Reserved.]
    26. Notices Concerning Accountants. With respect to any 
selection, change, or termination of an independent public 
accountant, an institution's management and audit committee should 
be familiar with the notice requirements in Sec.  363.4(d) and 
guideline 20, and management should send a copy of any notice 
required under Sec.  363.4(d) to the independent public accountant 
when it is filed with the FDIC. An insured depository institution 
that is a public company and files reports required under the 
Federal securities laws with its appropriate Federal banking agency, 
or is a subsidiary of a public company that files such reports with 
the SEC, may use its current report (e.g., SEC Form 8-K) concerning 
a change in accountant to satisfy the notice requirements of Sec.  
363.4(d) subject to the criterion of Sec.  363.1(b)(1) regarding 
compliance with the audited financial statements requirement at the 
holding company level.

Audit Committees (Sec.  363.5)

    27. Composition. The board of directors of each institution 
should determine whether each existing or potential audit committee 
member meets the requirements of section 36 and this part. To do so, 
the board of directors should maintain an approved set of written 
criteria for determining whether a director who is to serve on the 
audit committee is an outside director (as defined in Sec.  
363.5(a)(3)) and is independent of management. At least annually, 
the board of each institution should determine whether each existing 
or potential audit committee member is an outside director. In 
addition, at least annually, the board of an institution with $1 
billion or more in total assets as of the beginning of its fiscal 
year should determine whether all existing and potential audit 
committee members are ``independent of management of the 
institution'' and the board of an institution with total assets of 
$500 million or more but less than $1 billion as of the beginning of 
its fiscal year should determine whether the majority of all 
existing and potential audit committee members are ``independent of 
management of the institution.'' The minutes of the board of 
directors should contain the results of and the basis for its 
determinations with respect to each existing and potential audit 
committee member. Because an insured branch of a foreign bank does 
not have a separate board of directors, the FDIC will not apply the 
audit committee requirements to such branch. However, any such 
branch is encouraged to make a reasonable good faith effort to see 
that similar duties are performed by persons whose experience is 
generally consistent with the Rule's requirements for an institution 
the size of the insured branch.
    28. ``Independent of Management'' Considerations. It is not 
possible to anticipate, or explicitly provide for, all circumstances 
that might signal potential conflicts of interest in, or that might 
bear on, an outside director's relationship to an insured depository 
institution and whether the outside director should be deemed 
``independent of management.'' When assessing an outside director's 
relationship with an institution, the board of directors should 
consider the issue not merely from the standpoint of the director 
himself or herself, but also from the standpoint of persons or 
organizations with which the director has an affiliation. These 
relationships can include, but are not limited to, commercial, 
banking, consulting, charitable, and family relationships. To assist 
boards of directors in fulfilling their responsibility to determine 
whether existing and potential members of the audit committee are 
``independent of management,'' paragraphs (a) through (d) of this 
guideline provide guidance for making this determination.
    (a) If an outside director, either directly or indirectly, owns 
or controls, or has owned or controlled within the preceding fiscal 
year, 10 percent or more of any outstanding class of voting 
securities of the institution, the institution's board of directors 
should determine, and document its basis and rationale for such 
determination, whether such ownership of voting securities would 
interfere with the outside director's exercise of independent 
judgment in carrying out the responsibilities of an audit committee 
member, including the ability to evaluate objectively the propriety 
of management's accounting, internal control, and reporting policies 
and practices. Notwithstanding the criteria set forth in paragraphs 
(b), (c), and (d) of this guideline, if the board of directors 
determines that such ownership of voting securities would interfere 
with the outside director's exercise of independent judgment, the 
outside director will not be considered ``independent of 
management.''
    (b) The following list sets forth additional criteria that, at a 
minimum, a board of

[[Page 35753]]

directors should consider when determining whether an outside 
director is ``independent of management.'' The board of directors 
may conclude that additional criteria are also relevant to this 
determination in light of the particular circumstances of its 
institution. Accordingly, an outside director will not be considered 
``independent of management'' if:
    (1) The director serves, or has served within the last three 
years, as a consultant, advisor, promoter, underwriter, legal 
counsel, or trustee of or to the institution or its affiliates.
    (2) The director has been, within the last three years, an 
employee of the institution or any of its affiliates or an immediate 
family member is, or has been within the last three years, an 
executive officer of the institution or any of its affiliates.
    (3) The director has participated in the preparation of the 
financial statements of the institution or any of its affiliates at 
any time during the last three years.
    (4) The director has received, or has an immediate family member 
who has received, during any twelve-month period within the last 
three years, more than $100,000 in direct and indirect compensation 
from the institution, its subsidiaries, and its affiliates for 
consulting, advisory, or other services other than director and 
committee fees and pension or other forms of deferred compensation 
for prior service (provided such compensation is not contingent in 
any way on continued service). Direct compensation also would not 
include compensation received by the director for former service as 
an interim chairman or interim chief executive officer.
    (5) The director or an immediate family member is a current 
partner of a firm that performs internal or external auditing 
services for the institution or any of its affiliates; the director 
is a current employee of such a firm; the director has an immediate 
family member who is a current employee of such a firm and who 
participates in the firm's audit, assurance, or tax compliance 
practice; or the director or an immediate family member was within 
the last three years (but no longer is) a partner or employee of 
such a firm and personally worked on the audit of the insured 
depository institution or any of its affiliates within that time.
    (6) The director or an immediate family member is, or has been 
within the last three years, employed as an executive officer of 
another entity where any of the present executive officers of the 
institution or any of its affiliates at the same time serves or 
served on that entity's compensation committee.
    (7) The director is a current employee, or an immediate family 
member is a current executive officer, of an entity that has made 
payments to, or received payments from, the institution or any of 
its affiliates for property or services in an amount which, in any 
of the last three fiscal years, exceeds the greater of $200 
thousand, or 5 percent of such entity's consolidated gross revenues. 
This would include payments made by the institution or any of its 
affiliates to not-for-profit entities where the director is an 
executive officer or where an immediate family member of the 
director is an executive officer.
    (8) For purposes of paragraph (b) of this guideline:
    (i) An ``immediate family member'' includes a person's spouse, 
parents, children, siblings, mothers- and fathers-in-law, sons- and 
daughters-in-law, brothers- and sisters-in-law, and anyone (other 
than domestic employees) who shares such person's home.
    (ii) The term affiliate of, or a person affiliated with, a 
specified person, means a person or entity that directly, or 
indirectly through one or more intermediaries, controls, or is 
controlled by, or is under common control with, the person 
specified.
    (iii) The term indirect compensation for consulting, advisory, 
or other services includes the acceptance of a fee for such services 
by a director's immediate family member or by an organization in 
which the director is a partner or principal that provides 
accounting, consulting, legal, investment banking, or financial 
advisory services to the institution, any of its subsidiaries, or 
any of its affiliates.
    (iv) The terms direct and indirect compensation and payments do 
not include payments such as dividends arising solely from 
investments in the institution's equity securities, provided the 
same per share amounts are paid to all shareholders of that class; 
interest income from investments in the institution's deposit 
accounts and debt securities; loans from the institution that 
conform to all regulatory requirements applicable to such loans 
except that interest payments or other fees paid in association with 
such loans would be considered payments; and payments under non-
discretionary charitable contribution matching programs.
    (c) An insured depository institution that is a public company 
and a listed issuer (as defined in Rule 10A-3 of the Securities 
Exchange Act of 1934 (Exchange Act)), or is a subsidiary of a public 
company that meets the criterion specified in Sec.  363.1(b)(1) and 
is a listed issuer, may choose to use the definition of audit 
committee member independence set forth in the listing standards 
applicable to the public institution or its public company parent 
for purposes of determining whether an outside director is 
``independent of management.''
    (d) All other insured depository institutions may choose to use 
the definition of audit committee member independence set forth in 
the listing standards of a national securities exchange that is 
registered with the SEC pursuant to section 6 of the Exchange Act or 
a national securities association that is registered with the SEC 
pursuant to section 15A(a) of the Exchange Act for purposes of 
determining whether an outside director is ``independent of 
management.''
    29. [Reserved.]
    30. Holding Company Audit Committees. (a) When an insured 
depository institution satisfies the requirements for the holding 
company exception specified in Sec. Sec.  363.1(b)(1) and (2), the 
audit committee requirement of this part may be satisfied by the 
audit committee of the top-tier or any mid-tier holding company. 
Members of the audit committee of the holding company should meet 
all the membership requirements applicable to the largest subsidiary 
depository institution subject to part 363 and should perform all 
the duties of the audit committee of a subsidiary institution 
subject to part 363, even if the holding company directors are not 
directors of the institution.
    (b) When an insured depository institution subsidiary with total 
assets of $1 billion or more as of the beginning of its fiscal year 
does not meet the requirements for the holding company exception 
specified in Sec. Sec.  363.1(b)(1) and (2) or maintains its own 
separate audit committee to satisfy the requirements of this part, 
the members of the audit committee of the top-tier or any mid-tier 
holding company may serve on the audit committee of the subsidiary 
institution if they are otherwise independent of management of the 
subsidiary institution, and, if applicable, meet any other 
requirements for a large subsidiary institution covered by this 
part.
    (c) When an insured depository institution with total assets of 
$500 million or more but less than $1 billion as of the beginning of 
its fiscal year does not meet the requirements for the holding 
company exception specified in Sec. Sec.  363.1(b)(1) and (2) or 
maintains its own separate audit committee to satisfy the 
requirements of this part, the members of the audit committee of the 
top-tier or any mid-tier holding company may serve on the audit 
committee of the subsidiary institution provided a majority of the 
institution's audit committee members are independent of management 
of the subsidiary institution.
    (d) Officers and employees of a top-tier or any mid-tier holding 
company may not serve on the audit committee of a subsidiary 
institution subject to part 363.
    31. Duties. The audit committee should perform all duties 
determined by the institution's board of directors and it should 
maintain minutes and other relevant records of its meetings and 
decisions. The duties of the audit committee should be appropriate 
to the size of the institution and the complexity of its operations, 
and, at a minimum, should include the appointment, compensation, and 
oversight of the independent public accountant; reviewing with 
management and the independent public accountant the basis for their 
respective reports issued under Sec. Sec.  363.2(a) and (b) and 
Sec. Sec.  363.3(a) and (b); reviewing and satisfying itself as to 
the independent public accountant's compliance with the required 
qualifications for independent public accountants set forth in 
Sec. Sec.  363.3(f) and (g) and guidelines 13 through 16; ensuring 
that audit engagement letters comply with the provisions of Sec.  
363.5(c) before engaging an independent public accountant; being 
familiar with the notice requirements in Sec.  363.4(d) and 
guideline 20 regarding the selection, change, or termination of an 
independent public accountant; and ensuring that management sends a 
copy of any notice required under Sec.  363.4(d) to the independent 
public accountant when it is filed with the FDIC. Appropriate 
additional duties could include:
    (a) Reviewing with management and the independent public 
accountant the scope of services required by the audit, significant 
accounting policies, and audit conclusions regarding significant 
accounting estimates;
    (b) Reviewing with management and the accountant their 
assessments of the

[[Page 35754]]

effectiveness of internal control over financial reporting, and the 
resolution of identified material weaknesses and significant 
deficiencies in internal control over financial reporting, including 
the prevention or detection of management override or compromise of 
the internal control system;
    (c) Reviewing with management the institution's compliance with 
the Designated Laws and Regulations identified in guideline 7A;
    (d) Discussing with management and the independent public 
accountant any significant disagreements between management and the 
independent public accountant; and
    (e) Overseeing the internal audit function.
    32. Banking or Related Financial Management Expertise. At least 
two members of the audit committee of a large institution shall have 
``banking or related financial management expertise'' as required by 
section 36(g)(1)(C)(i). This determination is to be made by the 
board of directors of the insured depository institution. A person 
will be considered to have such required expertise if the person has 
significant executive, professional, educational, or regulatory 
experience in financial, auditing, accounting, or banking matters as 
determined by the board of directors. Significant experience as an 
officer or member of the board of directors or audit committee of a 
financial services company would satisfy these criteria. A person 
who has the attributes of an ``audit committee financial expert'' as 
set forth in the SEC's rules would also satisfy these criteria.
    33. Large Customers. Any individual or entity (including a 
controlling person of any such entity) which, in the determination 
of the board of directors, has such significant direct or indirect 
credit or other relationships with the institution, the termination 
of which likely would materially and adversely affect the 
institution's financial condition or results of operations, should 
be considered a ``large customer'' for purposes of Sec.  363.5(b).
    34. Access to Counsel. The audit committee should be able to 
retain counsel at its discretion without prior permission of the 
institution's board of directors or its management. Section 36 does 
not preclude advice from the institution's internal counsel or 
regular outside counsel. It also does not require retaining or 
consulting counsel, but if the committee elects to do either, it 
also may elect to consider issues affecting the counsel's 
independence. Such issues would include whether to retain or consult 
only counsel not concurrently representing the institution or any 
affiliate, and whether to place limitations on any counsel 
representing the institution concerning matters in which such 
counsel previously participated personally and substantially as 
outside counsel to the committee.
    35. Transition Period for Forming and Restructuring Audit 
Committees.
    (a) When an insured depository institution's total assets as of 
the beginning of its fiscal year are $500 million or more for the 
first time and it thereby becomes subject to part 363, no regulatory 
action will be taken if the institution (1) develops and approves a 
set of written criteria for determining whether a director who is to 
serve on the audit committee is an outside director and is 
independent of management and (2) forms or restructures its audit 
committee to comply with Sec.  363.5(a)(2) by the end of that fiscal 
year.
    (b) When an insured depository institution's total assets as of 
the beginning of its fiscal year are $1 billion or more for the 
first time, no regulatory action will be taken if the institution 
forms or restructures its audit committee to comply with Sec.  
363.5(a)(1) by the end of that fiscal year, provided that the 
composition of its audit committee meets the requirements specified 
in Sec.  363.5(a)(2) at the beginning of that fiscal year, if such 
requirements were applicable.
    (c) When an insured depository institution's total assets as of 
the beginning of its fiscal year are $3 billion or more for the 
first time, no regulatory action will be taken if the institution 
forms or restructures its audit committee to comply with Sec.  
363.5(b) by the end of that fiscal year, provided that the 
composition of its audit committee meets the requirements specified 
in Sec.  363.5(a)(1) at the beginning of that fiscal year, if such 
requirements were applicable.

Other

    36. Modifications of Guidelines. The FDIC's Board of Directors 
has delegated to the Director of the FDIC's Division of Supervision 
and Consumer Protection authority to make and publish in the Federal 
Register minor technical amendments to the Guidelines in this 
Appendix and the guidance and illustrative reports in Appendix B, in 
consultation with the other appropriate Federal banking agencies, to 
reflect the practical experience gained from implementation of this 
part. It is not anticipated any such modification would be effective 
until affected institutions have been given reasonable advance 
notice of the modification. Any material modification or amendment 
will be subject to review and approval of the FDIC Board of 
Directors.

                                      Table 1 to Appendix A--Designated Federal Laws and Regulations Applicable to:
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                        State  member      State non-        Savings
                                                                                      National  banks       banks        member  banks     associations
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                       Insider Loans--Parts and/or Sections of Title 12 of the United States Code
--------------------------------------------------------------------------------------------------------------------------------------------------------
375a.........................................  Loans to Executive Officers of Banks.               √                √              (A)              (A)
375b.........................................  Extensions of Credit to Executive                   √                √              (A)              (A)
                                                Officers, Directors, and Principal
                                                Shareholders of Banks.
1468(b)......................................  Extensions of Credit to Executive      ...............  ...............  ...............               √
                                                Officers, Directors, and Principal
                                                Shareholders.
1828(j)(2)...................................  Extensions of Credit to Officers,      ...............  ...............               √   ...............
                                                Directors, and Principal
                                                Shareholders.
1828(j)(3)(B)................................  Extensions of Credit to Officers,                 (B)   ...............               (C) ...............
                                                Directors, and Principal
                                                Shareholders.
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                          Parts and/or Sections of Title 12 of the Code of Federal Regulations
--------------------------------------------------------------------------------------------------------------------------------------------------------
31...........................................  Extensions of Credit to Insiders.....               √   ...............  ...............  ...............
32...........................................  Lending Limits.......................               √   ...............  ...............  ...............
215..........................................  Loans to Executive Officers,                        √                √              (D)              (E)
                                                Directors, and Principal
                                                Shareholders of Member Banks.
337.3........................................  Limits on Extensions of Credit to      ...............  ...............               √   ...............
                                                Executive Officers, Directors, and
                                                Principal Shareholders of Insured
                                                Nonmember Banks.
563.43.......................................  Loans by Savings Associations to       ...............  ...............  ...............               √
                                                Their Executive Officers, Directors,
                                                and Principal Shareholders.
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                   Dividend Restrictions--Parts and/or Sections of Title 12 of the United States Code
--------------------------------------------------------------------------------------------------------------------------------------------------------
56...........................................  Prohibition on Withdrawal of Capital                √                √   ...............  ...............
                                                and Unearned Dividends.
60...........................................  Dividends and Surplus Fund...........               √                √   ...............  ...............
1467a(f).....................................  Declaration of Dividend..............  ...............  ...............  ...............               √
1831o(d)(1)..................................  Prompt Corrective Action--Capital                   √                √                √                √
                                                Distributions Restricted.
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                          Parts and/or Sections of Title 12 of the Code of Federal Regulations
--------------------------------------------------------------------------------------------------------------------------------------------------------
5 Subpart E..................................  Payment of Dividends.................               √   ...............  ...............  ...............
6.6..........................................  Prompt Corrective Action--                          √   ...............  ...............  ...............
                                                Restrictions on Undercapitalized
                                                Institutions.
208.5........................................  Dividends and Other Distributions....  ...............               √   ...............  ...............
208.45.......................................  Prompt Corrective Action--             ...............               √   ...............  ...............
                                                Restrictions on Undercapitalized
                                                Institutions.
325.105......................................  Prompt Corrective Action--             ...............  ...............               √   ...............
                                                Restrictions on Undercapitalized
                                                Institutions.
563 Subpart E................................  Capital Distributions................  ...............  ...............  ...............               √
565.6........................................  Prompt Corrective Action--             ...............  ...............  ...............               √
                                                Restrictions on Undercapitalized
                                                Institutions.
--------------------------------------------------------------------------------------------------------------------------------------------------------
A. Subsections (g) and (h) of section 22 of the Federal Reserve Act [12 U.S.C. 375a, 375b]
B. Applies only to insured Federal branches of foreign banks.
C. Applies only to insured State branches of foreign banks.
D. See 12 CFR 337.3.
E. See 12 CFR 563.43.

Appendix B to Part 363--Illustrative Management Reports

Table of Contents

1. General
2. Reporting Scenarios for Institutions that are Holding Company 
Subsidiaries
3. Illustrative Statements of Management's Responsibilities
4. Illustrative Reports on Management's Assessment of Compliance 
with Designated Laws and Regulations
5. Illustrative Reports on Management's Assessment of Internal 
Control Over Financial Reporting
6. Illustrative Management Report--Combined Statement of 
Management's Responsibilities, Report on Management's Assessment of 
Compliance With Designated Laws and Regulations, and Report on 
Management's Assessment of Internal Control Over Financial Reporting
7. Illustrative Cover Letter--Compliance by Holding Company 
Subsidiaries

    1. General. The reporting scenarios, illustrative management 
reports, and the cover letter (when complying at the holding company 
level) in Appendix B to part 363 are intended to assist managements 
of insured depository institutions in complying with the annual 
reporting requirements of Sec.  363.2 and guideline 3, Compliance by 
Holding Company Subsidiaries, of Appendix A to part 363. However, 
use of the illustrative management reports and cover letter is not 
required. The managements of insured depository institutions are 
encouraged to tailor the wording of their management reports and 
cover letters to fit their particular circumstances, especially when 
reporting on material weaknesses in internal control over financial 
reporting or noncompliance with designated laws and regulations. 
Terms that are not explained in Appendix B have the meanings given 
them in part 363, the FDI Act, or professional accounting and 
auditing literature. Instructions to the preparer of the management 
reports are shown in brackets within the illustrative reports.
    2. Reporting Scenarios for Institutions that are Holding Company 
Subsidiaries. (a) Subject to the criteria specified in Sec.  
363.1(b), an insured depository institution that is a subsidiary of 
a holding company has flexibility in satisfying the reporting 
requirements of part 363. When reporting at the holding company 
level, the management report, or the individual components thereof, 
should identify those subsidiary institutions that are subject to 
part 363 and the extent to which they are included in the scope of 
the management report or a component of the report. The following 
reporting scenarios reflect how an insured depository institution 
that meets the criteria set forth in Sec.  363.1(b) could satisfy 
the annual reporting requirements of Sec.  363.2. Other reporting 
scenarios are possible.
    (i) An institution that is a subsidiary of a holding company may 
satisfy the requirements for audited financial statements; 
management's statement of responsibilities; management's assessment 
of the institution's compliance with the Federal laws and 
regulations pertaining to insider loans and the Federal and, if 
applicable, State laws and regulations pertaining to dividend 
restrictions; management's assessment of the effectiveness of 
internal control over financial reporting, if applicable; and the 
independent public accountant's attestation on management's 
assertion as to the effectiveness of internal control over financial 
reporting, if applicable, at the insured depository institution 
level.
    (ii) An institution that is a subsidiary of a holding company 
may satisfy the requirements for audited financial statements; 
management's statement of responsibilities; management's assessment 
of the institution's compliance with the Federal laws and 
regulations pertaining to insider loans and the Federal and, if 
applicable, State laws and regulations pertaining to dividend 
restrictions; management's assessment of the effectiveness of 
internal control over financial reporting, if applicable; and the 
independent public accountant's attestation on management's 
assertion as to the effectiveness of internal control over financial 
reporting, if applicable, at the holding company level.
    (iii) An institution that is a subsidiary of a holding company 
may satisfy the requirement for audited financial statements at the 
holding company level and may satisfy the requirements for 
management's statement of responsibilities; management's assessment 
of the institution's compliance with the Federal laws and 
regulations pertaining to insider loans and the Federal and, if 
applicable, State laws and regulations pertaining to dividend 
restrictions; management's assessment of the effectiveness of 
internal control over financial reporting, if applicable; and the 
independent public accountant's attestation on management's 
assertion as to the effectiveness of internal control over financial 
reporting, if applicable, at the insured depository institution 
level.
    (iv) An institution that is a subsidiary of a holding company 
may satisfy the
requirements for audited financial statements; management's 
statement of responsibilities; and management's assessment of the 
institution's compliance with the Federal laws and regulations 
pertaining to insider loans and the Federal and, if applicable, 
State laws and regulations pertaining to dividend restrictions at 
the insured depository institution level and may satisfy the 
requirements for the assessment by management of the effectiveness 
of internal control over financial reporting, if applicable; and the 
independent public accountant's attestation on management's 
assertion as to the effectiveness of internal control over financial 
reporting, if applicable, at the holding company level.
    (b) For an institution with total assets of $1 billion or more 
as of the beginning of its fiscal year, the assessment by management 
of the effectiveness of internal control over financial reporting 
and the independent public accountant's attestation on management's 
assertion as to the effectiveness of internal control over financial 
reporting, if applicable, must both be performed at the same level, 
i.e., either at the insured depository institution level or at the 
holding company level.
    (c) Financial statements prepared for regulatory reporting 
purposes encompass the schedules equivalent to the basic financial 
statements in an institution's appropriate regulatory report, e.g., 
the bank Consolidated Reports of Condition and Income (Call Report) 
and the Thrift Financial Report (TFR). Guideline 4A in Appendix A to 
part 363 identifies the schedules equivalent to the basic financial 
statements in the Call Report and TFR. When internal control 
assessments and attestations are performed at the holding company 
level, the FDIC believes that holding companies have flexibility in 
interpreting ``financial reporting'' as it relates to ``regulatory 
reporting'' and has not objected to several reporting approaches 
employed by holding companies to cover ``regulatory reporting.'' 
Certain holding companies have had management's assessment and the 
accountant's attestation cover the schedules equivalent to the basic 
financial statements that are included in the appropriate regulatory 
report, e.g., Call Report and the TFR, of each subsidiary 
institution subject to part 363. Other holding companies have had 
management's assessment and the accountant's attestation cover the 
schedules equivalent to the basic financial statements that are 
included in the holding company's year-end regulatory report (FR 
Y-9C report) to the Federal Reserve Board.
    3. Illustrative Statements of Management's Responsibilities. The 
following illustrative statements of management's responsibilities 
satisfy the requirements of Sec.  363.2(b)(1).
    (a) Statement Made at Insured Depository Institution Level

Statement of Management's Responsibilities

    The management of ABC Depository Institution (the 
``Institution'') is responsible for preparing the Institution's 
annual financial statements in accordance with generally accepted 
accounting principles; for establishing and maintaining an adequate 
internal control structure and procedures for financial reporting, 
including controls over the preparation of regulatory financial 
statements in accordance with the instructions for the [specify the 
regulatory report]; and for complying with the Federal laws and 
regulations pertaining to insider loans and the Federal and, if 
applicable, State laws and regulations pertaining to dividend 
restrictions.

ABC Depository Institution

-----------------------------------------------------------------------
John Doe, Chief Executive Officer

Date:------------------------------------------------------------------

-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer

Date:------------------------------------------------------------------

(b) Statement Made at Holding Company Level

Statement of Management's Responsibilities

    The management of BCD Holding Company (the ``Company'') is 
responsible for preparing the Company's annual financial statements 
in accordance with generally accepted accounting principles; for 
establishing and maintaining an adequate internal control structure 
and procedures for financial reporting, including controls over the 
preparation of regulatory financial statements in accordance with 
the instructions for the [specify the regulatory report]; and for 
complying with the Federal laws and regulations pertaining to 
insider loans and the Federal and, if applicable, State laws and 
regulations pertaining to dividend restrictions. The following 
subsidiary institutions of the Company that are subject to Part 363 
are included in this statement of management's responsibilities: 
[Identify the subsidiary institutions.]

BCD Holding Company

-----------------------------------------------------------------------
John Doe, Chief Executive Officer

Date:------------------------------------------------------------------

-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer

Date:------------------------------------------------------------------

    4. Illustrative Reports on Management's Assessment of Compliance 
with Designated Laws and Regulations. The following illustrative 
reports on management's assessment of compliance with Designated 
Laws and Regulations satisfy the requirements of Sec.  363.2(b)(2).

(a) Statement Made at Insured Depository Institution Level--Compliance 
With Designated Laws and Regulations Pertaining to Insider Loans and 
Dividend Restrictions

Management's Assessment of Compliance With Designated Laws and 
Regulations

    The management of ABC Depository Institution (the 
``Institution'') has assessed the Institution's compliance with the 
Federal laws and regulations pertaining to insider loans and the 
Federal and, if applicable, State laws and regulations pertaining to 
dividend restrictions during the fiscal year that ended on December 
31, 20XX. Based upon its assessment, management has concluded that 
the Institution complied with the Federal laws and regulations 
pertaining to insider loans and the Federal and, if applicable, 
State laws and regulations pertaining to dividend restrictions 
during the fiscal year that ended on December 31, 20XX.

ABC Depository Institution

-----------------------------------------------------------------------
John Doe, Chief Executive Officer

Date:------------------------------------------------------------------

-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer

Date:------------------------------------------------------------------

(b) Statement Made at Insured Depository Institution Level--
Noncompliance With Designated Laws and Regulations Pertaining to Both 
Insider Loans and Dividend Restrictions

Management's Assessment of Compliance With Designated Laws and 
Regulations

    The management of ABC Depository Institution (the 
``Institution'') has assessed the Institution's compliance with the 
Federal laws and regulations pertaining to insider loans and the 
Federal and, if applicable, State laws and regulations pertaining to 
dividend restrictions during the fiscal year that ended on December 
31, 20XX. Based upon its assessment, management has determined that, 
because of the instance(s) of noncompliance noted below, the 
Institution did not comply with the Federal laws and regulations 
pertaining to insider loans and the Federal and, if applicable, 
State laws and regulations pertaining to dividend restrictions 
during the fiscal year that ended on December 31, 20XX.
    [Identify and describe the instance or instances of 
noncompliance with the Federal laws and regulations pertaining to 
insider loans and the Federal and, if applicable, State laws and 
regulations pertaining to dividend restrictions, including 
appropriate qualitative and quantitative information to describe the 
nature, type, and severity of the noncompliance and the dollar 
amounts of the insider loan(s) and dividend(s) involved.]

ABC Depository Institution

-----------------------------------------------------------------------
John Doe, Chief Executive Officer

Date:------------------------------------------------------------------

-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer

Date:------------------------------------------------------------------

(c) Statement Made at Insured Depository Institution Level--Compliance 
With Designated Laws and Regulations Pertaining to Insider Loans and 
Noncompliance With Designated Laws and Regulations Pertaining to 
Dividend Restrictions

Management's Assessment of Compliance With Designated Laws and 
Regulations

    The management of ABC Depository Institution (the 
``Institution'') has assessed the Institution's compliance with the 
Federal laws and regulations pertaining to insider loans and the 
Federal and, if applicable, State laws and regulations pertaining to 
dividend restrictions during the fiscal year that ended on December 
31, 20XX. Based upon its assessment, management has concluded that 
the Institution complied with the Federal laws and regulations 
pertaining to insider
loans during the fiscal year that ended on December 31, 20XX. Also, 
based upon its assessment, management has determined that, because 
of the instance(s) of noncompliance noted below, the Institution did 
not comply with the Federal and, if applicable, State laws and 
regulations pertaining to dividend restrictions during the fiscal 
year that ended on December 31, 20XX.
    [Identify and describe the instance or instances of 
noncompliance with the Federal and, if applicable, State laws and 
regulations pertaining to dividend restrictions, including 
appropriate qualitative and quantitative information to describe the 
nature, type, and severity of the noncompliance and the dollar 
amount(s) of the dividend(s) involved.]

ABC Depository Institution

-----------------------------------------------------------------------
John Doe, Chief Executive Officer

Date:------------------------------------------------------------------

-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer

Date:------------------------------------------------------------------

(d) Statement Made at Insured Depository Institution Level--
Noncompliance With Designated Laws and Regulations Pertaining to 
Insider Loans and Compliance With Designated Laws and Regulations 
Pertaining to Dividend Restrictions

Management's Assessment of Compliance With Designated Laws and 
Regulations

    The management of ABC Depository Institution (the 
``Institution'') has assessed the Institution's compliance with the 
Federal laws and regulations pertaining to insider loans and the 
Federal and, if applicable, State laws and regulations pertaining to 
dividend restrictions during the fiscal year that ended on December 
31, 20XX. Based upon its assessment, management has determined that, 
because of the instance(s) of noncompliance noted below, the 
Institution did not comply with the Federal laws and regulations 
pertaining to insider loans during the fiscal year that ended on 
December 31, 20XX. Also, based upon its assessment, management has 
concluded that the Institution complied with the Federal and, if 
applicable, State laws and regulations pertaining to dividend 
restrictions during the fiscal year that ended on December 31, 20XX.
    [Identify and describe the instance or instances of 
noncompliance with the Federal laws and regulations pertaining to 
insider loans, including appropriate qualitative and quantitative 
information to describe the nature, type, and severity of the 
noncompliance and the dollar amount(s) of the insider loan(s) 
involved.]

ABC Depository Institution

-----------------------------------------------------------------------
John Doe, Chief Executive Officer

Date:------------------------------------------------------------------

-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer

Date:------------------------------------------------------------------

(e) Statement Made at Holding Company Level--Compliance With Designated 
Laws and Regulations Pertaining to Insider Loans and Dividend 
Restrictions

Management's Assessment of Compliance With Designated Laws and 
Regulations

    The management of BCD Holding Company (the ``Company'') has 
assessed the Company's compliance with the Federal laws and 
regulations pertaining to insider loans and the Federal and, if 
applicable, State laws and regulations pertaining to dividend 
restrictions during the fiscal year that ended on December 31, 20XX. 
Based upon its assessment, management has concluded that the Company 
complied with the Federal laws and regulations pertaining to insider 
loans and the Federal and, if applicable, State laws and regulations 
pertaining to dividend restrictions during the fiscal year that 
ended on December 31, 20XX. The following subsidiary institutions of 
the Company that are subject to Part 363 are included in this 
assessment of compliance with these designated laws and regulations: 
[Identify the subsidiary institutions.]

BCD Holding Company

-----------------------------------------------------------------------
John Doe, Chief Executive Officer

Date:------------------------------------------------------------------

-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer

Date:------------------------------------------------------------------

(f) Statement Made at Holding Company Level--Noncompliance With 
Designated Laws and Regulations Pertaining to Both Insider Loans and 
Dividend Restrictions

Management's Assessment of Compliance With Designated Laws and 
Regulations

    The management of BCD Holding Company (the ``Company'') has 
assessed the Company's compliance with the Federal laws and 
regulations pertaining to insider loans and the Federal and, if 
applicable, State laws and regulations pertaining to dividend 
restrictions during the fiscal year that ended on December 31, 20XX. 
The following subsidiary institutions of the Company that are 
subject to Part 363 are included in this assessment of compliance 
with these designated laws and regulations: [Identify the subsidiary 
institutions.]
    Based upon its assessment, management has determined that, 
because of the instance(s) of noncompliance noted below, the Company 
did not comply with the Federal laws and regulations pertaining to 
insider loans and the Federal and, if applicable, State laws and 
regulations pertaining to dividend restrictions during the fiscal 
year that ended on December 31, 20XX.
    [Identify and describe the instance or instances of 
noncompliance with the Federal laws and regulations pertaining to 
insider loans and the Federal and, if applicable, State laws and 
regulations pertaining to dividend restrictions, including 
appropriate qualitative and quantitative information to identify the 
subsidiary institutions of the Company that are subject to Part 363 
that had instances of noncompliance and describe the nature, type, 
and severity of the noncompliance and the dollar amount(s) of the 
insider loan(s) and dividend(s) involved.]

BCD Holding Company

-----------------------------------------------------------------------
John Doe, Chief Executive Officer

Date:------------------------------------------------------------------

-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer

Date:------------------------------------------------------------------

(g) Statement Made at Holding Company Level--Compliance With Designated 
Laws and Regulations Pertaining to Insider Loans and Noncompliance With 
Designated Laws and Regulations Pertaining to Dividend Restrictions

Management's Assessment of Compliance With Designated Laws and 
Regulations

    The management of BCD Holding Company (the ``Company'') has 
assessed the Company's compliance with the Federal laws and 
regulations pertaining to insider loans and the Federal and, if 
applicable, State laws and regulations pertaining to dividend 
restrictions during the fiscal year that ended on December 31, 20XX. 
The following subsidiary institutions of the Company that are 
subject to Part 363 are included in this assessment of compliance 
with these designated laws and regulations: [Identify the subsidiary 
institutions.]
    Based upon its assessment, management has concluded that the 
Company complied with the Federal laws and regulations pertaining to 
insider loans during the fiscal year that ended on December 31, 
20XX. Also, based upon its assessment, management has determined 
that, because of the instance(s) of noncompliance noted below, the 
Company did not comply with the Federal and, if applicable, State 
laws and regulations pertaining to dividend restrictions during the 
fiscal year that ended on December 31, 20XX.
    [Identify and describe the instance or instances of 
noncompliance with the Federal and, if applicable, State laws and 
regulations pertaining to dividend restrictions, including 
appropriate qualitative and quantitative information to identify the 
subsidiary institutions of the Company that are subject to Part 363 
that had instances of noncompliance and describe the nature, type, 
and severity of the noncompliance and the dollar amount(s) of the 
dividend(s) involved.]

BCD Holding Company

-----------------------------------------------------------------------
John Doe, Chief Executive Officer

Date:------------------------------------------------------------------

-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer

Date:------------------------------------------------------------------

(h) Statement Made at Holding Company Level--Noncompliance With 
Designated Laws and Regulations Pertaining to Insider Loans and 
Compliance With Designated Laws and Regulations Pertaining to Dividend 
Restrictions

Management's Assessment of Compliance With Designated Laws and 
Regulations

    The management of BCD Holding Company (the ``Company'') has 
assessed the Company's compliance with the Federal laws
and regulations pertaining to insider loans and the Federal and, if 
applicable, State laws and regulations pertaining to dividend 
restrictions during the fiscal year that ended on December 31, 20XX. 
The following subsidiary institutions of the Company that are 
subject to Part 363 are included in this assessment of compliance 
with these designated laws and regulations: [Identify the subsidiary 
institutions.]
    Based upon its assessment, management has determined that, 
because of the instance(s) of noncompliance noted below, the Company 
did not comply with the Federal laws and regulations pertaining to 
insider loans during the fiscal year that ended on December 31, 
20XX. Also, based upon its assessment, management has concluded that 
the Company complied with the Federal and, if applicable, State laws 
and regulations pertaining to dividend restrictions during the 
fiscal year that ended on December 31, 20XX.
    [Identify and describe the instance or instances of 
noncompliance with the Federal laws and regulations pertaining to 
insider loans, including appropriate qualitative and quantitative 
information to identify the subsidiary institutions of the Company 
that are subject to Part 363 that had instances of noncompliance and 
describe the nature, type, and severity of the noncompliance and the 
dollar amount(s) of the insider loan(s) involved.]

BCD Holding Company

-----------------------------------------------------------------------
John Doe, Chief Executive Officer


Date:------------------------------------------------------------------

-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer


Date:------------------------------------------------------------------

    5. Illustrative Reports on Management's Assessment of Internal 
Control Over Financial Reporting. The following illustrative reports 
on management's assessment of internal control over financial 
reporting satisfy the requirements of Sec.  363.2(b)(3).

(a) Statement Made at Insured Depository Institution Level--No Material 
Weaknesses

Management's Assessment of Internal Control Over Financial Reporting

    ABC Depository Institution's (the ``Institution'') internal 
control over financial reporting is a process effected by those 
charged with governance, management, and other personnel, designed 
to provide reasonable assurance regarding the reliability of 
financial reporting and the preparation of reliable financial 
statements in accordance with accounting principles generally 
accepted in the United States of America and financial statements 
for regulatory reporting purposes, i.e., [specify the regulatory 
reports]. The Institution's internal control over financial 
reporting includes those policies and procedures that (1) pertain to 
the maintenance of records that, in reasonable detail, accurately 
and fairly reflect the transactions and dispositions of the assets 
of the Institution; (2) provide reasonable assurance that 
transactions are recorded as necessary to permit preparation of 
financial statements in accordance with accounting principles 
generally accepted in the United States of America and financial 
statements for regulatory reporting purposes, and that receipts and 
expenditures of the Institution are being made only in accordance 
with authorizations of management and directors of the Institution; 
and (3) provide reasonable assurance regarding prevention, or timely 
detection and correction of unauthorized acquisition, use, or 
disposition of the Institution's assets that could have a material 
effect on the financial statements.
    Because of its inherent limitations, internal control over 
financial reporting may not prevent, or detect and correct 
misstatements. Also, projections of any evaluation of effectiveness 
to future periods are subject to the risk that controls may become 
inadequate because of changes in conditions, or that the degree of 
compliance with the policies and procedures may deteriorate.
    Management is responsible for establishing and maintaining 
effective internal control over financial reporting including 
controls over the preparation of regulatory financial statements. 
Management assessed the effectiveness of the Institution's internal 
control over financial reporting, including controls over the 
preparation of regulatory financial statements in accordance with 
the instructions for the [specify the regulatory report], as of 
December 31, 20XX, based on the framework set forth by the Committee 
of Sponsoring Organizations of the Treadway Commission in Internal 
Control--Integrated Framework. Based upon its assessment, management 
has concluded that, as of December 31, 20XX, the Institution's 
internal control over financial reporting, including controls over 
the preparation of regulatory financial statements in accordance 
with the instructions for the [specify the regulatory report], is 
effective based on the criteria established in Internal Control--
Integrated Framework.
    Management's assessment of the effectiveness of internal control 
over financial reporting, including controls over the preparation of 
regulatory financial statements in accordance with the instructions 
for the [specify the regulatory report], as of December 31, 20XX, 
has been audited by [name of auditing firm], an independent public 
accounting firm, as stated in their report dated March XX, 20XY.

ABC Depository Institution

-----------------------------------------------------------------------
John Doe, Chief Executive Officer

Date:------------------------------------------------------------------

-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer

Date:------------------------------------------------------------------

(b) Statement Made at Insured Depository Institution Level--One or More 
Material Weaknesses

Management's Assessment of Internal Control Over Financial Reporting

    ABC Depository Institution's (the ``Institution'') internal 
control over financial reporting is a process effected by those 
charged with governance, management, and other personnel, designed 
to provide reasonable assurance regarding the reliability of 
financial reporting and the preparation of reliable financial 
statements in accordance with accounting principles generally 
accepted in the United States of America and financial statements 
for regulatory reporting purposes, i.e., [specify the regulatory 
reports]. The Institution's internal control over financial 
reporting includes those policies and procedures that (1) pertain to 
the maintenance of records that, in reasonable detail, accurately 
and fairly reflect the transactions and dispositions of the assets 
of the Institution; (2) provide reasonable assurance that 
transactions are recorded as necessary to permit preparation of 
financial statements in accordance with accounting principles 
generally accepted in the United States of America and financial 
statements for regulatory reporting purposes, and that receipts and 
expenditures of the Institution are being made only in accordance 
with authorizations of management and directors of the Institution; 
and (3) provide reasonable assurance regarding prevention, or timely 
detection and correction of unauthorized acquisition, use, or 
disposition of the Institution's assets that could have a material 
effect on the financial statements.
    Because of its inherent limitations, internal control over 
financial reporting may not prevent, or detect and correct 
misstatements. Also, projections of any evaluation of effectiveness 
to future periods are subject to the risk that controls may become 
inadequate because of changes in conditions, or that the degree of 
compliance with the policies and procedures may deteriorate.
    Management is responsible for establishing and maintaining 
effective internal control over financial reporting including 
controls over the preparation of regulatory financial statements. 
Management assessed the effectiveness of the Institution's internal 
control over financial reporting, including controls over the 
preparation of regulatory financial statements in accordance with 
the instructions for the [specify the regulatory report], as of 
December 31, 20XX, based on the framework set forth by the Committee 
of Sponsoring Organizations of the Treadway Commission in Internal 
Control--Integrated Framework. Because of the material weakness (or 
weaknesses) noted below, management determined that the 
Institution's internal control over financial reporting, including 
controls over the preparation of regulatory financial statements in 
accordance with the instructions for the [specify the regulatory 
report], was not effective as of December 31, 20XX.
    [Identify and describe the material weakness or weaknesses.]
    Management's assessment of the effectiveness of internal control 
over financial reporting, including controls over the preparation of 
regulatory financial statements in accordance with the instructions 
for the [specify the regulatory report], as of December 31, 20XX, 
has been audited by [name of auditing firm], an independent public 
accounting firm, as stated in their report dated March XX, 20XY.

ABC Depository Institution

-----------------------------------------------------------------------
John Doe, Chief Executive Officer

Date:------------------------------------------------------------------

-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer

Date:------------------------------------------------------------------

(c) Statement Made at Holding Company Level--No Material Weaknesses

Management's Assessment of Internal Control Over Financial Reporting

    BCD Holding Company's (the ``Company'') internal control over 
financial reporting is a process designed and effected by those 
charged with governance, management, and other personnel, to provide 
reasonable assurance regarding the reliability of financial 
reporting and the preparation of reliable financial statements in 
accordance with accounting principles generally accepted in the 
United States of America and financial statements for regulatory 
reporting purposes, i.e., [specify the regulatory reports]. The 
Company's internal control over financial reporting includes those 
policies and procedures that (1) pertain to the maintenance of 
records that, in reasonable detail, accurately and fairly reflect 
the transactions and dispositions of the assets of the Company; (2) 
provide reasonable assurance that transactions are recorded as 
necessary to permit preparation of financial statements in 
accordance with accounting principles generally accepted in the 
United States of America and financial statements for regulatory 
reporting purposes, and that receipts and expenditures of the 
Company are being made only in accordance with authorizations of 
management and directors of the Company; and (3) provide reasonable 
assurance regarding prevention, or timely detection and correction 
of unauthorized acquisition, use, or disposition of the Company's 
assets that could have a material effect on the financial 
statements.
    Because of its inherent limitations, internal control over 
financial reporting may not prevent, or detect and correct 
misstatements. Also, projections of any evaluation of effectiveness 
to future periods are subject to the risk that controls may become 
inadequate because of changes in conditions, or that the degree of 
compliance with the policies and procedures may deteriorate.
    Management is responsible for establishing and maintaining 
effective internal control over financial reporting including 
controls over the preparation of regulatory financial statements. 
Management assessed the effectiveness of the Company's internal 
control over financial reporting, including controls over the 
preparation of regulatory financial statements in accordance with 
the instructions for the [specify the regulatory report], as of 
December 31, 20XX, based on the framework set forth by the Committee 
of Sponsoring Organizations of the Treadway Commission in Internal 
Control--Integrated Framework. Based on that assessment, management 
concluded that, as of December 31, 20XX, the Company's internal 
control over financial reporting, including controls over the 
preparation of regulatory financial statements in accordance with 
the instructions for the [specify the regulatory report], is 
effective based on the criteria established in Internal Control--
Integrated Framework. The following subsidiary institutions of the 
Company that are subject to Part 363 are included in this assessment 
of the effectiveness of internal control over financial reporting: 
[Identify the subsidiary institutions.]
    Management's assessment of the effectiveness of internal control 
over financial reporting, including controls over the preparation of 
regulatory financial statements in accordance with the instructions 
for the [specify the regulatory report], as of December 31, 20XX, 
has been audited by [name of auditing firm], an independent public 
accounting firm, as stated in their report dated March XX, 20XY.

BCD Holding Company

-----------------------------------------------------------------------
John Doe, Chief Executive Officer

Date:------------------------------------------------------------------

-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer

Date:------------------------------------------------------------------

(d) Statement Made at Holding Company Level--One or More Material 
Weaknesses

Management's Assessment of Internal Control Over Financial Reporting

    BCD Holding Company's (the ``Company'') internal control over 
financial reporting is a process effected by those charged with 
governance, management, and other personnel, designed to provide 
reasonable assurance regarding the reliability of financial 
reporting and the preparation of reliable financial statements in 
accordance with accounting principles generally accepted in the 
United States of America and financial statements for regulatory 
reporting purposes, i.e., [specify the regulatory reports]. The 
Company's internal control over financial reporting includes those 
policies and procedures that (1) pertain to the maintenance of 
records that, in reasonable detail, accurately and fairly reflect 
the transactions and dispositions of the assets of the Company; (2) 
provide reasonable assurance that transactions are recorded as 
necessary to permit preparation of financial statements in 
accordance with accounting principles generally accepted in the 
United States of America and financial statements for regulatory 
reporting purposes, and that receipts and expenditures of the 
Company are being made only in accordance with authorizations of 
management and directors of the Company; and (3) provide reasonable 
assurance regarding prevention, or timely detection and correction 
of unauthorized acquisition, use, or disposition of the Company's 
assets that could have a material effect on the financial 
statements.
    Because of its inherent limitations, internal control over 
financial reporting may not prevent, or detect and correct 
misstatements. Also, projections of any evaluation of effectiveness 
to future periods are subject to the risk that controls may become 
inadequate because of changes in conditions, or that the degree of 
compliance with the policies and procedures may deteriorate.
    Management is responsible for establishing and maintaining 
effective internal control over financial reporting including 
controls over the preparation of regulatory financial statements. 
Management assessed the effectiveness of the Company's internal 
control over financial reporting, including controls over the 
preparation of regulatory financial statements in accordance with 
the instructions for the [specify the regulatory report], as of 
December 31, 20XX, based on the framework set forth by the Committee 
of Sponsoring Organizations of the Treadway Commission in Internal 
Control--Integrated Framework. Because of the material weakness (or 
weaknesses) noted below, management determined that the Company's 
internal control over financial reporting, including controls over 
the preparation of regulatory financial statements in accordance 
with the instructions for the [specify the regulatory report], was 
not effective as of December 31, 20XX. The following subsidiary 
institutions of the Company that are subject to Part 363 are 
included in this assessment of the effectiveness of internal control 
over financial reporting: [Identify the subsidiary institutions.]
    [Identify and describe the material weakness or weaknesses.]
    Management's assessment of the effectiveness of internal control 
over financial reporting, including controls over the preparation of 
regulatory financial statements in accordance with the instructions 
for the [specify the regulatory report], as of December 31, 20XX, 
has been audited by [name of auditing firm], an independent public 
accounting firm, as stated in their report dated March XX, 20XY.

BCD Holding Company

-----------------------------------------------------------------------
John Doe, Chief Executive Officer

Date:------------------------------------------------------------------

-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer

Date:------------------------------------------------------------------

    6. Illustrative Management Report--Combined Statement of 
Management's Responsibilities, Report on Management's Assessment of 
Compliance With Designated Laws and Regulations, and Report on 
Management's Assessment of Internal Control Over Financial 
Reporting, if applicable. The following illustrative management 
reports satisfy the requirements of Sec. Sec.  363.2(b)(1), (2), and 
(3).

(a) Management Report Made at Insured Depository Institution Level--
Compliance With Designated Laws and Regulations Pertaining to Insider 
Loans and Dividend Restrictions and No Material Weaknesses in Internal 
Control Over Financial Reporting

Management Report

Statement of Management's Responsibilities

    The management of ABC Depository Institution (the 
``Institution'') is responsible for preparing the Institution's 
annual financial statements in accordance with generally accepted 
accounting principles; for
establishing and maintaining an adequate internal control structure 
and procedures for financial reporting, including controls over the 
preparation of regulatory financial statements in accordance with 
the instructions for the [specify the regulatory report]; and for 
complying with the Federal laws and regulations pertaining to 
insider loans and the Federal and, if applicable, State laws and 
regulations pertaining to dividend restrictions.

Management's Assessment of Compliance With Designated Laws and 
Regulations

    The management of the Institution has assessed the Institution's 
compliance with the Federal laws and regulations pertaining to 
insider loans and the Federal and, if applicable, State laws and 
regulations pertaining to dividend restrictions during the fiscal 
year that ended on December 31, 20XX. Based upon its assessment, 
management has concluded that the Institution complied with the 
Federal laws and regulations pertaining to insider loans and the 
Federal and, if applicable, State laws and regulations pertaining to 
dividend restrictions during the fiscal year that ended on December 
31, 20XX.

Management's Assessment of Internal Control Over Financial 
Reporting

    The Institution's internal control over financial reporting is a 
process effected by those charged with governance, management, and 
other personnel, designed to provide reasonable assurance regarding 
the reliability of financial reporting and the preparation of 
reliable financial statements in accordance with accounting 
principles generally accepted in the United States of America and 
financial statements for regulatory reporting purposes, i.e., 
[specify the regulatory reports]. The Institution's internal control 
over financial reporting includes those policies and procedures that 
(1) pertain to the maintenance of records that, in reasonable 
detail, accurately and fairly reflect the transactions and 
dispositions of the assets of the Institution; (2) provide 
reasonable assurance that transactions are recorded as necessary to 
permit preparation of financial statements in accordance with 
accounting principles generally accepted in the United States of 
America and financial statements for regulatory reporting purposes, 
and that receipts and expenditures of the Institution are being made 
only in accordance with authorizations of management and directors 
of the Institution; and (3) provide reasonable assurance regarding 
prevention, or timely detection and correction of unauthorized 
acquisition, use, or disposition of the Institution's assets that 
could have a material effect on the financial statements.
    Because of its inherent limitations, internal control over 
financial reporting may not prevent, or detect and correct 
misstatements. Also, projections of any evaluation of effectiveness 
to future periods are subject to the risk that controls may become 
inadequate because of changes in conditions, or that the degree of 
compliance with the policies and procedures may deteriorate.
    Management assessed the effectiveness of the Institution's 
internal control over financial reporting, including controls over 
the preparation of regulatory financial statements in accordance 
with the instructions for the [specify the regulatory report], as of 
December 31, 20XX, based on the framework set forth by the Committee 
of Sponsoring Organizations of the Treadway Commission in Internal 
Control--Integrated Framework.
    Based upon its assessment, management has concluded that, as of 
December 31, 20XX, the Institution's internal control over financial 
reporting, including controls over the preparation of regulatory 
financial statements in accordance with the instructions for the 
[specify the regulatory report], is effective based on the criteria 
established in Internal Control--Integrated Framework.
    Management's assessment of the effectiveness of internal control 
over financial reporting, including controls over the preparation of 
regulatory financial statements in accordance with the instructions 
for the [specify the regulatory report], as of December 31, 20XX, 
has been audited by [name of auditing firm], an independent public 
accounting firm, as stated in their report dated March XX, 20XY.

ABC Depository Institution

-----------------------------------------------------------------------
John Doe, Chief Executive Officer

Date:------------------------------------------------------------------

-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer

Date:------------------------------------------------------------------

(b) Management Report Made at Holding Company Level--Compliance With 
Designated Laws and Regulations Pertaining to Insider Loans and 
Dividend Restrictions and No Material Weaknesses in Internal Control 
Over Financial Reporting

Management Report

    [Instruction--The following illustrative introductory paragraph 
for the management report is applicable only if the same group of 
subsidiary institutions of the holding company that are subject to 
Part 363 are included in all three components of the management 
report required by Part 363: the statement of management's 
responsibilities, the report on management's assessment of 
compliance with the Designated Laws and Regulations pertaining to 
insider loans and dividend restrictions, and the report on 
management's assessment of internal control over financial 
reporting.]
    In this management report, the following subsidiary institutions 
of the BCD Holding Company (the ``Company'') that are subject to 
Part 363 are included in the statement of management's 
responsibilities; the report on management's assessment of 
compliance with the Federal laws and regulations pertaining to 
insider loans and the Federal and, if applicable, State laws and 
regulations pertaining to dividend restrictions; and the report on 
management's assessment of internal control over financial 
reporting: [Identify the subsidiary institutions.]
    [Instruction--The following illustrative introductory paragraph 
for the management report is applicable if the same group of 
subsidiary institutions of the holding company that are subject to 
Part 363 are included in the statement of management's 
responsibilities and management's assessment of compliance with the 
Designated Laws and Regulations pertaining to insider loans and 
dividend restrictions, but only some of the subsidiary institutions 
in the group are included in management's assessment of internal 
control over financial reporting.]
    In this management report, the following subsidiary institutions 
of BCD Holding Company (the ``Company'') that are subject to Part 
363 are included in the statement of management's responsibilities 
and the report on management's assessment of compliance with the 
Federal laws and regulations pertaining to insider loans and the 
Federal and, if applicable, State laws and regulations pertaining to 
dividend restrictions: [Identify the subsidiary institutions.] In 
addition, the following subsidiary institutions of the Company that 
are subject to Part 363 are included in the report on management's 
assessment of internal control over financial reporting: [Identify 
the subsidiary institutions.]

Statement of Management's Responsibilities

    The management of the Company is responsible for preparing the 
Company's annual financial statements in accordance with generally 
accepted accounting principles; for establishing and maintaining an 
adequate internal control structure and procedures for financial 
reporting, including controls over the preparation of regulatory 
financial statements in accordance with the instructions for the 
[specify the regulatory report]; and for complying with the Federal 
laws and regulations pertaining to insider loans and the Federal 
and, if applicable, State laws and regulations pertaining to 
dividend restrictions.

Management's Assessment of Compliance With Designated Laws and 
Regulations

    The management of the Company has assessed the Company's 
compliance with the Federal laws and regulations pertaining to 
insider loans and the Federal and, if applicable, State laws and 
regulations pertaining to dividend restrictions during the fiscal 
year that ended on December 31, 20XX. Based upon its assessment, 
management has concluded that the Company complied with the Federal 
laws and regulations pertaining to insider loans and the Federal 
and, if applicable, State laws and regulations pertaining to 
dividend restrictions during the fiscal year that ended on December 
31, 20XX.

Management's Assessment of Internal Control Over Financial 
Reporting

    The Company's internal control over financial reporting is a 
process effected by those charged with governance, management, and 
other personnel, designed to provide reasonable assurance regarding 
the reliability of financial reporting and the preparation of 
reliable financial statements in accordance with accounting 
principles generally accepted in the United States of America and 
financial statements for regulatory reporting purposes, i.e., 
[specify the regulatory reports]. The Company's internal control 
over financial reporting includes those policies
and procedures that (1) pertain to the maintenance of records that, 
in reasonable detail, accurately and fairly reflect the transactions 
and dispositions of the assets of the Company; (2) provide 
reasonable assurance that transactions are recorded as necessary to 
permit preparation of financial statements in accordance with 
accounting principles generally accepted in the United States of 
America and financial statements for regulatory reporting purposes, 
and that receipts and expenditures of the Company are being made 
only in accordance with authorizations of management and directors 
of the Company; and (3) provide reasonable assurance regarding 
prevention, or timely detection and correction of unauthorized 
acquisition, use, or disposition of the Company's assets that could 
have a material effect on the financial statements.
    Because of its inherent limitations, internal control over 
financial reporting may not prevent, or detect and correct 
misstatements. Also, projections of any evaluation of effectiveness 
to future periods are subject to the risk that controls may become 
inadequate because of changes in conditions, or that the degree of 
compliance with the policies and procedures may deteriorate.
    Management assessed the effectiveness of the Company's internal 
control over financial reporting, including controls over the 
preparation of regulatory financial statements in accordance with 
the instructions for the [specify the regulatory report], as of 
December 31, 20XX, based on the framework set forth by the Committee 
of Sponsoring Organizations of the Treadway Commission in Internal 
Control--Integrated Framework. Based upon its assessment, management 
has concluded that, as of December 31, 20XX, the Company's internal 
control over financial reporting, including controls over the 
preparation of regulatory financial statements in accordance with 
the instructions for the [specify the regulatory report], is 
effective based on the criteria established in Internal Control--
Integrated Framework.
    Management's assessment of the effectiveness of internal control 
over financial reporting, including controls over the preparation of 
regulatory financial statements in accordance with the instructions 
for the [specify the regulatory report], as of December 31, 20XX, 
has been audited by [name of auditing firm], an independent public 
accounting firm, as stated in their report dated March XX, 20XY.

BCD Holding Company

-----------------------------------------------------------------------
John Doe, Chief Executive Officer

Date:------------------------------------------------------------------

-----------------------------------------------------------------------
Jane Doe, Chief Financial Officer

Date:------------------------------------------------------------------

    7. Illustrative Cover Letter--Compliance by Holding Company 
Subsidiaries. The following illustrative cover letter satisfies the 
requirements of guideline 3, Compliance by Holding Company 
Subsidiaries, of Appendix A to part 363.

To: (Appropriate FDIC Regional or Area Office) Division of 
Supervision and Consumer Protection, FDIC, and (Appropriate District 
or Regional Office of the Primary Federal Regulator(s), if not the 
FDIC), and
    (Appropriate State Bank Supervisor(s), if applicable)

Dear [Insert addressees]:

    BCD Holding Company (the ``Company'') is filing two copies of 
the Part 363 Annual Report for the fiscal year ended December 31, 
20XX, on behalf of its insured depository institution subsidiaries 
listed in the chart below that are subject to Part 363. The Part 363 
Annual Report contains audited comparative annual financial 
statements, the independent public accountant's report on the 
audited financial statements, management's statement of 
responsibilities, management's assessment of compliance with the 
Designated Laws and Regulations pertaining to insider loans and 
dividend restrictions, and [if applicable] management's assessment 
of and the independent public accountant's attestation report on 
internal control over financial reporting. The chart below also 
indicates the level (institution or holding company) at which the 
requirements of Part 363 are being satisfied for each listed insured 
depository institution subsidiary. [If applicable] The Company's 
other insured depository institution subsidiaries that are subject 
to Part 363, which comply with all of the Part 363 annual reporting 
requirements at the institution level, have filed [or will file] 
their Part 363 Annual Reports separately.

--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                          Management's
                                                                                         assessment of                             Independent auditor's
  Institutions subject to Part 363      Audited financial    Management's statement     compliance with     Management's internal     internal control
                                           statements          of responsibilities    designated laws and     control assessment     attestation report
                                                                                          regulations
--------------------------------------------------------------------------------------------------------------------------------------------------------
ABC Depository Institution.........  Holding Company Level.  Holding Company Level.  Holding Company Level  Holding Company Level  Holding Company
                                                                                                                                    Level.
DEF Depository Institution.........  Holding Company Level.  Institution Level.....  Institution Level....  Institution Level....  Institution Level.
--------------------------------------------------------------------------------------------------------------------------------------------------------

    If you have any questions regarding the annual report [or 
reports] of the Company's insured depository institution 
subsidiaries subject to Part 363 or if you need any further 
information, you may contact me at 987-654-3210.

BCD Holding Company

-----------------------------------------------------------------------

Date:------------------------------------------------------------------


[Insert officer's name and title.]


    Dated at Washington, DC, this 13th day of July 2009.

    By order of the Board of Directors.
Valerie J. Best,
Assistant Executive Secretary, Federal Deposit Insurance Corporation.
[FR Doc. E9-17009 Filed 7-17-09; 8:45 am]