Section 36 of the Federal Deposit Insurance Act (FDI Act) and the FDIC's implementing regulation Part 363—Annual Audit and Reporting Requirements, (part 363) sets forth requirements for all state member banks and other insured depository institutions with $500 million or more in total assets regarding annual audits and the filing of related reports with the appropriate federal banking agencies. As of June 23, 2009, the FDIC has amended part 363—to strategically incorporate sound audit and reporting practices from the Sarbanes-Oxley Act of 2002 and to address changes in the banking industry.1 Section 36 is generally intended to facilitate early recognition of problems in financial management at insured depository institutions; state member banks must file required reports with the FDIC and their District's Federal Reserve Bank. This article will cover some of the major amendments and detail the specific reporting requirements.
The final rule includes amendments to annual reporting requirements, clarifications to the independence standards applicable to accountants, amendments to filing and notice requirements, and additional audit committee duties. The following sections highlight key changes.
The amendments to part 363 require that management's stated conclusion regarding compliance be included with management's assessment of compliance with laws and regulations pertaining to insider loans and dividend restrictions. Any noncompliance with such laws and regulations should also be included in this conclusion. The disclosure of any noncompliance will not require those responsible to be identified personally; however, the disclosure must include accurate qualitative and quantitative information relevant to the noncompliance, dividends, and insider loans involved. Any corrective actions taken by management should be included as well.
Required audit and attestation services must be performed by an independent public accountant. To qualify as an independent public accountant, one must meet the independence standards that apply to audits of both nonpublic and public companies. The revisions to part 363 explain that independent public accountants should be in compliance with the independence standards of the SEC and the AICPA, as well as the PCAOB when auditing public companies that have been approved by the SEC. If there is a situation in which more than one standard is relevant, the most restrictive of applicable standards should be adhered to. If an accountant does not meet the required standards, the FDIC (or other appropriate federal banking agency) has the power to dismiss, suspend, or prohibit an accountant from performing the necessary audit and attestation services.
The amendment requires that the board of directors develop and uphold written criteria for establishing that a prospective or current audit committee member is an outside director and independent of management. The criteria include:
These criteria must be applied annually (at a minimum) and recorded in the board's minutes.
Previously, an insured depository institution that is a subsidiary of a bank holding company could use consolidated holding company financial statements to satisfy the auditied financial statements requirement of part 363 regardless of whether the assets of that insured depository institution subsidiary or subsidiaries of the holding company represented substantially all or only a minor portion of the holding company's consolidated total assets. The amendments now require that the insured depository institution assets comprise at least 75 percent of a holding company's total consolidated assets in order to file on a consolidated level.
In summary, the rationale for the change is that, in the past, when the assets of insured depository institution subsidiaries did not comprise a substantial portion of a holding company's consolidated total assets, the consolidated financial statements, including the accompanying notes to the financial statements, did not always provide sufficient information regarding the financial position and results of operations of these institutions. In addition, the extent of audit coverage provided to these institutions in the audit of the consolidated holding company was sometimes limited.
This specific revision will not be enforced until fiscal years ending on or after June 15, 2010, in order to give affected insured depository institutions time to comply.
The amendments to part 363 will be effective 30 days after being published in the Federal Register. For most institutions, this will be year-end 2009. The exceptions to this rule are as follows:
Reports to be Filed for Institutions with $500 Million or More but Less than $1 Billion in Total Assets:
In general, an institution that is required to file, or whose parent holding company is required to file, management's assessment of the effectiveness of internal control over financial reporting with the Securities and Exchange Commission (SEC) or the appropriate federal banking agency in accordance with Section 404 of the Sarbanes-Oxley Act of 2002 must submit a copy of such assessment with its part 363 annual report as additional information. However, this assessment will not be considered part of the institution's part 363 annual report.
Reports to be Filed for Institutions with $1 Billion or More in Total Assets: