[Federal Register: November 2, 2007 (Volume 72, Number 212)]
[Proposed Rules]
[Page 62309-62335]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr02no07-24]
-----------------------------------------------------------------------
Part II
Federal Deposit Insurance Corporation
-----------------------------------------------------------------------
12 CFR Parts 308 and 363
Annual Independent Audits and Reporting Requirements; Proposed Rule
-----------------------------------------------------------------------
FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Parts 308 and 363
RIN 3064-AD21
Annual Independent Audits and Reporting Requirements
AGENCY: Federal Deposit Insurance Corporation (FDIC).
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: Section 36 of the Federal Deposit Insurance Act (FDI Act) and
the FDIC's implementing regulations (part 363) set forth annual
independent audit and reporting requirements for insured depository
institutions with $500 million or more in total assets. Given changes
in the industry, certain sound audit, reporting, and audit committee
practices incorporated in the Sarbanes-Oxley Act of 2002 (SOX); and the
FDIC's experience in administering part 363, the FDIC is proposing to
amend part 363 of its regulations. These amendments are designed to
further the objectives of section 36 by incorporating these sound
practices into part 363 and to provide clearer and more complete
guidance to institutions and independent public accountants concerning
compliance with the requirements of section 36 and part 363. As
required by section 36, the FDIC has consulted with the other federal
banking agencies. The FDIC is also proposing a technical amendment to
its rules and procedures (part 308, subpart U) for the removal,
suspension, or debarment of accountants and accounting firms.
DATES: Comments must be received on or before January 31, 2008.
ADDRESSES: You may submit comments by any of the following methods:
Agency Web Site: http://www.fdic.gov/regulations/laws/federal.
Follow instructions for submitting comments on the Agency Web
Site.
E-mail: Comments@FDIC.gov. Include ``Part 363--Independent
Audits and Reporting Requirements'' in the subject line of the message.
Mail: Robert E. Feldman, Executive Secretary, Attention:
Comments, Federal Deposit Insurance Corporation, 550 17th Street, NW.,
Washington, DC 20429.
Hand Delivery/Courier: Guard station at the rear of the
550 17th Street Building (located on F Street) on business days between
7 a.m. and 5 p.m.
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
Public Inspection: All comments received will be posted without
change to http://www.fdic.gov/regulations/laws/federal including any
personal information provided. Comments may be inspected and
photocopied in the FDIC Public Information Center, 3501 North Fairfax
Drive, Room E-1002, Arlington, VA 22226, between 9 a.m. and 5 p.m. on
business days. Paper copies of public comments may be ordered from the
Public Information Center by telephone at (877) 275-3342 or
(703) 562-2200.
FOR FURTHER INFORMATION CONTACT: Harrison E. Greene, Jr., Senior Policy
Analyst (Bank Accounting), Division of Supervision and Consumer
Protection, at hgreene@fdic.gov or (202) 898-8905; or Michelle
Borzillo, Counsel, Supervision and Legislation Section, Legal Division,
at mborzillo@fdic.gov or (202) 898-7400.
SUPPLEMENTARY INFORMATION:
I. Executive Summary
Section 36 of the Federal Deposit Insurance Act (FDI Act) and the
FDIC's implementing regulations (part 363) are generally intended to
facilitate early identification of problems in financial management at
insured depository institutions with total assets above certain
thresholds through annual independent audits, assessments of the
effectiveness of internal control over financial reporting and
compliance with designated laws and regulations, the establishment of
independent audit committees, and related reporting requirements. The
asset-size threshold for internal control assessments is $1 billion and
the threshold for the other requirements is $500 million. Given changes
in the industry, certain sound audit, reporting, and audit committee
practices incorporated in the Sarbanes-Oxley Act of 2002 (SOX); and the
FDIC's experience in administering part 363, the FDIC is proposing to
amend part 363 of its regulations. These amendments are designed to
further the objectives of section 36 by incorporating these sound
practices into part 363 and to provide clearer and more complete
guidance to institutions and independent public accountants concerning
compliance with the requirements of section 36 and part 363.
The most significant revisions included in the proposed amendments
would: (1) Require management and the independent public accountant to
identify the internal control framework used to evaluate internal
control over financial reporting and disclose all identified material
weaknesses; (2) extend the time period for a non-public institution to
file its Part 363 Annual Report by 30 days and replace the 30-day
extensions of the filing deadline that may be granted if an institution
(public or non-public) is confronted with extraordinary circumstances
beyond its reasonable control with a late filing notification
requirement that would have general applicability; (3) provide relief
from the annual reporting requirements for institutions that are merged
out of existence before the filing deadline; (4) provide relief from
reporting on internal control over financial reporting for businesses
acquired during the fiscal year; (5) require management's assessment of
compliance with designated safety and soundness laws and regulations to
state management's conclusion regarding compliance and disclose any
noncompliance with such laws and regulations; (6) clarify the
independence standards with which independent public accountants must
comply and enhance the enforceability of compliance with these
standards; (7) specify that the duties of the audit committee include
the appointment, compensation, and oversight of the independent public
accountant; (8) require audit committees to ensure that audit
engagement letters do not contain unsafe and unsound limitation of
liability provisions and require institutions to file copies of these
letters; (9) require certain communications by independent public
accountants to audit committees and establish retention requirements
for audit working papers; (10) require boards of directors to adopt
written criteria for evaluating an audit committee member's
independence and provide expanded guidance for boards of directors to
use in determining independence; (11) require the total assets of a
holding company's insured depository institution subsidiaries to
comprise 75 percent or more of the holding company's consolidated total
assets in order for an institution to comply with part 363 at the
holding company level; and (12) provide illustrative management reports
to assist institutions in complying with the annual reporting
requirements.
The FDIC is also proposing to amend its rules and procedures (part
308, subpart U) for the removal, suspension, or debarment of
accountants and accounting firms from performing audit services
required by section 36 of the FDI Act by specifying where an accountant
or accounting firm should file required notices of orders and actions
with the FDIC.
II. Background
Section 112 of the Federal Deposit Insurance Corporation
Improvement Act of 1991 (FDICIA) added section 36, ``Early
Identification of Needed
Improvements in Financial Management,'' to the FDI Act (12 U.S.C.
1831m). Section 36 is generally intended to facilitate early
identification of problems in financial management at insured
depository institutions above a certain asset size threshold (covered
institutions) through annual independent audits, assessments of the
effectiveness of internal control over financial reporting and
compliance with designated laws and regulations, and related reporting
requirements. Section 36 also includes requirements for audit
committees at these insured depository institutions. Section 36 grants
the FDIC discretion to set the asset size threshold for compliance with
these statutory requirements, but it states that the threshold cannot
be less than $150 million. Sections 36(d) and (f) also obligate the
FDIC to consult with the other federal banking agencies in implementing
these sections of the FDI Act, and the FDIC has performed the required
consultation.
Part 363 of the FDIC's regulations (12 CFR part 363) implements
section 36 of the FDI Act. When it adopted part 363 in 1993, the FDIC
stated that it was setting the asset size threshold at $500 million
rather than the $150 million specified in section 36 to mitigate the
financial burden of compliance with section 36 consistent with safety
and soundness. In selecting $500 million in total assets as the size
threshold, the FDIC noted that approximately 1,000 of the then nearly
14,000 FDIC-insured institutions would be subject to part 363. These
covered institutions held approximately 75 percent of the assets of
insured institutions at that time. By imposing the audit, reporting,
and audit committee requirements of part 363 on institutions with this
percentage of the industry's assets, the FDIC intended to ensure that
the Congress's objectives for achieving sound financial management at
insured institutions when it enacted section 36 would be focused on
those institutions posing the greatest potential risk to the insurance
funds then administered by the FDIC. Today, due to consolidation in the
banking and thrift industry and the effects of inflation, approximately
1,300 of the more than 8,600 insured institutions have $500 million or
more in total assets and are therefore subject to part 363. These
covered institutions hold approximately 91 percent of the assets of
insured institutions.
Until its most recent amendments, part 363 required each covered
institution to submit to the FDIC and other appropriate federal and
state supervisory agencies an annual report comprised of audited
financial statements, a statement of management's responsibilities,
assessments by management of the effectiveness of internal control over
financial reporting and compliance with designated laws and
regulations, and an independent public accountant's attestation report
on internal control over financial reporting. In addition, part 363
provided that each covered institution must establish an independent
audit committee of its board of directors comprised of outside
directors who are independent of management of the institution. Part
363 also includes Guidelines and Interpretations (Appendix A to part
363), which are intended to assist institutions and independent public
accountants in understanding and complying with section 36 and part
363.
In November 2005, the FDIC amended its part 363 annual audit and
reporting requirements and audit committee requirements. The amendments
raised the asset-size threshold from $500 million to $1 billion for the
assessments of internal control over financial reporting by management
and the independent public accountant. All of the other audit and
reporting requirements of part 363 continued to apply to all
institutions with $500 million or more in total assets. Also, for
covered institutions with between $500 million and $1 billion in total
assets, the amendments required only a majority, rather than all, of
the members of the audit committee, who must be outside directors, to
be independent of management.
III. Discussion and Section-by-Section Analysis of Proposed Amendments
When it amended part 363 in November 2005, the FDIC noted that it
had identified other aspects of part 363 that may warrant revision in
light of changes in the industry and the passage of SOX.
Given the number of proposed changes to part 363 and its Guidelines
and Interpretations and to enable readers and commenters to more easily
understand the context of these proposed changes, this notice includes
the entire text of part 363 as it is proposed to be amended, not just
the text of proposed amendments. Also, the following ``Table of
Proposed Changes to Part 363 and Appendices'' is intended to assist
readers and commenters in determining which sections of part 363 would
be affected by this proposal.
Table of Proposed Changes to Part 363 and Appendices
-----------------------------------------------------------------------
Provision                                        Unchanged, Revised, New,
                                                 or Reserved
-----------------------------------------------------------------------
Part 363--Annual Independent Audits and Reporting Requirements
-----------------------------------------------------------------------
Table of Contents............................... Revised
-----------------------------------------------------------------------
OMB Control Number
-----------------------------------------------------------------------
Sec. 363.0...................................... Unchanged
-----------------------------------------------------------------------
Scope
-----------------------------------------------------------------------
Sec. 363.1(a)................................... Revised
Sec. 363.1(b)(1)................................ Revised
Sec. 363.1(b)(2)................................ Revised
Sec. 363.1(b)(3)................................ Unchanged
Sec. 363.1(c)................................... New
Sec. 363.1(d)................................... New
-----------------------------------------------------------------------
Annual Reporting Requirements
-----------------------------------------------------------------------
Sec. 363.2(a)................................... Revised
Sec. 363.2(b)................................... Revised
Sec. 363.2(b)(1)................................ Revised
Sec. 363.2(b)(2)................................ Revised
Sec. 363.2(b)(3)................................ Revised
Sec. 363.2(c)................................... New
-----------------------------------------------------------------------
Independent Public Accountant
-----------------------------------------------------------------------
Sec. 363.3(a)................................... Unchanged
Sec. 363.3(b)................................... Revised
Sec. 363.3(c)................................... Unchanged
Sec. 363.3(d)................................... New
Sec. 363.3(e)................................... New
Sec. 363.3(f)................................... New
Sec. 363.3(g)................................... New
-----------------------------------------------------------------------
Filing and Notice Requirements
-----------------------------------------------------------------------
Sec. 363.4(a)................................... Revised
Sec. 363.4(b)................................... Unchanged
Sec. 363.4(c)................................... Revised
Sec. 363.4(d)................................... Unchanged
Sec. 363.4(e)................................... New
Sec. 363.4(f)................................... New
-----------------------------------------------------------------------
Audit Committees
-----------------------------------------------------------------------
Sec. 363.5(a)................................... Revised
Sec. 363.5(b)................................... Unchanged
Sec. 363.5(c)................................... New
-----------------------------------------------------------------------
Appendix A to Part 363--Guidelines and Interpretations
-----------------------------------------------------------------------
Table of Contents............................... Revised
Introduction.................................... Unchanged
-----------------------------------------------------------------------
Scope (Sec. 363.1)
-----------------------------------------------------------------------
Guideline 1..................................... Unchanged
Guideline 2..................................... Unchanged
Guideline 3..................................... Revised
Guideline 4..................................... Revised
Guideline 4A.................................... New
-----------------------------------------------------------------------
Annual Reporting Requirements (Sec. 363.2)
-----------------------------------------------------------------------
Guideline 5..................................... Revised
Guideline 5A.................................... New
Guideline 6..................................... Revised
Guideline 7..................................... Unchanged
Guideline 8..................................... Unchanged
Guideline 8A.................................... New
Guideline 8B.................................... New
Guideline 9..................................... Revised
Guideline 10.................................... Revised
Guideline 11.................................... Unchanged
Guideline 12.................................... Unchanged
-----------------------------------------------------------------------
Role of Independent Public Accountant (Sec. 363.3)
-----------------------------------------------------------------------
Guideline 13.................................... Revised
Guideline 14.................................... Reserved
Guideline 15.................................... Revised
Guideline 16.................................... Reserved
Guideline 17.................................... Unchanged
Guideline 18.................................... Revised
Guideline 19.................................... Unchanged
Guideline 20.................................... Revised
Guideline 21.................................... Unchanged
-----------------------------------------------------------------------
Filing and Notice Requirements (Sec. 363.4)
-----------------------------------------------------------------------
Guideline 22.................................... Reserved
Guideline 23.................................... Revised
Guideline 24.................................... Unchanged
Guideline 25.................................... Reserved
Guideline 26.................................... Revised
-----------------------------------------------------------------------
Audit Committees (Sec. 363.5)
-----------------------------------------------------------------------
Guideline 27.................................... Revised
Guideline 28.................................... Revised
Guideline 29.................................... Reserved
Guideline 30.................................... Revised
Guideline 31.................................... Revised
Guideline 32.................................... Unchanged
Guideline 33.................................... Unchanged
Guideline 34.................................... Unchanged
Guideline 35.................................... Revised
-----------------------------------------------------------------------
Other
-----------------------------------------------------------------------
Guideline 36.................................... Unchanged
Table 1 to Appendix A--Designated Federal Laws
  and Regulations............................... Revised
Appendix B--Illustrative Management Reports..... New
-----------------------------------------------------------------------
A. Scope (Sec. 363.1 and Guidelines 1-4A)
1. Applicability
The FDIC is proposing to amend Sec. 363.1(a) to more clearly state
that part 363 applies to any insured depository institution that has
consolidated total assets of $500 million or more at the beginning of
its fiscal year. For example, if an institution has a December 31
fiscal year end and its consolidated total assets were $600 million as
of January 1, 2007, the institution would be subject to the annual
reporting requirements of part 363 and would have to file a Part 363
Annual Report for the fiscal year ending December 31, 2007. Also, the
institution would become subject to the other reporting requirements as
well as the audit committee requirements of part 363 on January 1,
2007.
2. Compliance by Subsidiaries of Holding Companies
At present, an insured depository institution that is a subsidiary
of a holding company may use consolidated holding company financial
statements to satisfy the audited financial statements requirement of
part 363 regardless of whether the assets of the insured depository
institution subsidiary or subsidiaries of the holding company represent
substantially all or only a minor portion of the holding company's
consolidated total assets. When the assets of insured depository
institution subsidiaries do not comprise a substantial portion of a
holding company's consolidated total assets, the FDIC staff has found
that the holding company's consolidated financial statements, including
the accompanying notes to the financial statements, do not tend to
provide sufficient information that is indicative of the financial
position and results of operations of these institutions. Also, when
the insured depository institution subsidiaries do not contribute
significantly to the holding company's financial position and results
of operations, the extent of audit coverage given to these institutions
in the audit of the consolidated holding company may be limited. Such
limited audit coverage would not be consistent with the purpose and
intent of section 36 of the FDI Act, which focuses on insured
depository institutions rather than holding companies. In this
situation, the assurance that would be provided by an independent audit
performed substantially at the level of the insured depository
institution subsidiaries is not otherwise available.
Therefore, given the differing characteristics of the holding
companies that own insured depository institutions as well as the
relationship of an insured depository institution's total assets to the
consolidated total assets of its parent holding company, and in keeping
with the intent and purpose of section 36 of the FDI Act, the FDIC is
proposing to amend Sec. Sec. 363.1(b)(1) and (2) by revising the
criteria for determining whether the audited financial statements
requirement and the other requirements of part 363 may be satisfied at
a holding company level. More specifically, to comply with the
requirements of part 363 at the top-tier or any other mid-tier holding
company level, the consolidated total assets of the insured depository
institution (or the consolidated total assets of all insured depository
institutions, regardless of size, if the top-tier or mid-tier holding
company owns or controls more than one insured depository institution)
would have to comprise 75 percent or more of the consolidated total
assets of the top-tier or mid-tier holding company. The FDIC believes
that this percentage-of-assets threshold should ensure that the extent
of independent audit work performed at the insured depository
institution level is sufficient to satisfy the intent of section 36 of
the FDI Act, that is, the early identification of needed improvements
in financial management at insured institutions. At the same time, this
threshold would continue to provide flexibility to the vast majority of
covered institutions that are part of a holding company structure with
respect to the level at which they may comply with part 363.
When determining an appropriate percentage-of-assets threshold for
compliance with part 363 at a holding company level, the FDIC
considered the range of percentage-of-assets ratios for insured
institutions that are part of a holding company structure. The vast
majority of insured institutions subject to part 363 that are in a
holding company structure are subsidiaries of organizations where the
assets of the insured depository institution subsidiaries of the
holding company comprise 90 percent or more of the holding company's
consolidated total assets. Of the remaining institutions subject to
part 363 that are in a holding company structure, most are subsidiaries
of organizations where the assets of the insured institutions comprise
either between 75 and 90 percent or less than 25 percent of the
top-tier parent company's consolidated total assets. Smaller numbers of
institutions are subsidiaries of organizations where the assets of the
insured institutions comprise from 25 to 50 percent or from 50 to 75
percent of the top-tier parent company's consolidated total assets.
However, in a number of cases where the insured institution
subsidiaries comprise less than 75 percent of the top-tier holding
company's consolidated total assets, the insured institution
subsidiaries that are subject to part 363 currently comply with the
regulation at a mid-tier holding company level where the assets of the
insured institution subsidiaries comprise 90 percent or more of the
mid-tier holding company's consolidated total assets. Thus, these
institutions would not need to change how they comply with part 363 in
response to the establishment of the proposed 75 percent threshold,
provided they continue to comply at the same mid-tier holding company
level and this holding company continues to meet the 75 percent
threshold.
The FDIC recognizes that those institutions currently complying
with part 363 at the holding company level that will not meet the
proposed 75 percent of consolidated total assets threshold will incur
additional costs from having to comply with the regulation at the
institution level or at a suitable mid-tier holding company level.
Nevertheless, the FDIC believes that the introduction of this
percentage-of-assets threshold strikes an appropriate balance between
insured institution financial data and audit coverage and the cost of
compliance with part 363.
As a related matter, guideline 3 to part 363, Compliance by Holding
Company Subsidiaries, states that when a holding company submits
audited consolidated financial statements and other reports or notices
required by part 363 on behalf of any subsidiary institution, an
accompanying cover letter should identify all subsidiary institutions
to which the statements, reports, or other notices pertain. Because
many cover letters received by the FDIC have not sufficiently
identified these subsidiary institutions, the FDIC is proposing to
amend guideline 3 to clarify what information should be included in the
cover letter. For example, for a Part 363 Annual Report, the cover
letter should identify the subsidiary institutions subject to part 363
included in the holding company's consolidated financial statements and
state whether the other annual report requirements are being satisfied
for these institutions at the holding company level or at the
institution level.
3. Financial Reporting
The FDIC is proposing to add a new Sec. 363.1(c) and a new
guideline 4A, Financial Reporting, to specify that ``financial
reporting'' includes both financial statements prepared in accordance
with generally accepted accounting principles and those prepared for
regulatory reporting purposes. Also, as proposed, guideline 4A would
clarify that financial statements prepared for regulatory reporting
purposes consist of the schedules equivalent to the basic financial
statements that are included in an institution's appropriate regulatory
report and that financial statements prepared for regulatory reporting
purposes do not include regulatory reports prepared by a non-bank
subsidiary of a holding company or an institution. For example, if a
bank holding company or an insured depository institution owns an
insurance subsidiary, financial statements prepared for regulatory
reporting purposes would not include any regulatory reports that the
insurance subsidiary is required to submit to its appropriate insurance
regulatory agency. These proposed amendments are consistent with
explanatory guidance issued by the FDIC on this subject in December
1994 after reviewing the Part 363 Annual Reports submitted earlier that
year, which was the first time these annual reports were required to be
filed with the FDIC.\1\
---------------------------------------------------------------------------
\1\ See FDIC Financial Institution Letter (FIL) 86-94, dated
December 23, 1994.
---------------------------------------------------------------------------
4. Definitions
The FDIC is proposing to add Sec. 363.1(d), Definitions, to define
several common terms used in part 363 and the guidelines.
B. Annual Reporting Requirements (Sec. 363.2 and Guidelines 5-12)
1. Audited Financial Statements
Consistent with sound management practices and the objective of
internal control over financial reporting, the FDIC is proposing to
amend Sec. 363.2(a) to require that the annual financial statements
reflect all material correcting adjustments identified by the
independent public accountant. Financial statements issued by insured
depository institutions that are public companies or by their parent
holding companies that are public companies are already subject to such
a requirement pursuant to section 401 of SOX. The FDIC believes this
requirement should also apply to institutions subject to part 363 that
are not public companies.
2. Management Report Contents
Based on its review of management reports filed pursuant to part
363, the FDIC has noted differences in the content of these reports and
insufficient information regarding the results of the assessments that
management must perform. When management has identified material
weaknesses in internal control over financial reporting or
noncompliance with designated safety and soundness laws and
regulations, these weaknesses and noncompliance have not always been
disclosed.
In addition, management's assessment of internal control over
financial reporting has often failed to disclose the internal control
framework used to perform the assessment of the effectiveness of these
controls. It is not always evident from management's report whether
controls over the preparation of the regulatory financial statements
have been included within the scope of management's assessment. The
omission of this information from an institution's management report
reduces the usefulness of the report as a means of identifying needed
improvements in financial management, which is the objective of section
36 of the FDI Act. The FDIC notes that the regulations adopted by the
Securities and Exchange Commission (SEC) in 2003 implementing the
requirement in section 404 of SOX for a management report on internal
control over financial reporting require the identification of the
internal control framework management used to evaluate the
effectiveness of these controls and the disclosure of any identified
material weakness.
Accordingly, to provide clearer guidance on what should be included
in the management report, the FDIC is proposing to expand Sec.
363.2(b). As proposed, Sec. 363.2(b) would require management's
assessment of compliance with the designated safety and soundness laws
and regulations to include a clear statement as to management's
conclusion regarding compliance and disclose any noncompliance with
such laws and regulations. In addition, amended Sec. 363.2(b) would
require management's assessment of internal control over financial
reporting to identify the internal control framework that management
used to make its evaluation, include a statement that the evaluation
included controls over the preparation of regulatory financial
statements, include a clear statement as
[[Page 62315]]
to management's conclusion regarding the effectiveness of internal
control over financial reporting, disclose all material weaknesses
identified by management, and preclude management from concluding that
internal control over financial reporting is effective if there are any
material weaknesses.
Because part 363 and its guidelines provide only limited guidance
concerning the contents of the management report and the related
signature requirements for this report, institutions and auditors have
expressed interest in examples of acceptable reports. Therefore, to
assist management of insured depository institutions in complying with
the annual reporting requirements of Sec. 363.2, the FDIC is proposing
to add ``Appendix B to Part 363--Illustrative Management Reports.''
Proposed Appendix B would provide guidance regarding reporting
scenarios that satisfy the annual reporting requirements of part 363,
illustrative management reports, and an illustrative cover letter for
use when an institution complies with the annual reporting requirements
at the holding company level. The use of the wording in the
illustrative management reports and cover letter would not be required.
Regarding management's responsibility for assessing compliance with
the designated safety and soundness laws and regulations, the FDIC is
proposing to revise and update Table 1 to Appendix A of part 363 to
reflect changes in these safety and soundness laws and regulations that
have occurred since this table was last revised in 1997.
3. Management Report Signatures
Section 36(b)(2) of the FDI Act requires an institution's
management report to be signed by the chief executive officer and the
chief accounting officer or chief financial officer. In its reviews of
management reports, the FDIC has encountered inconsistencies between
the level at which the management report components are being satisfied
(insured depository institution level versus holding company level) and
the corporate level of the officers who are signing the management
report. More specifically, management reports are often not signed by
the officers at the appropriate corporate level when the audited
financial statements requirement is satisfied at the holding company
level or when one or more of the components of the management report is
satisfied at the holding company level and the remaining components of
the management report are satisfied at the insured depository
institution level. As a result, the FDIC believes institutions would
benefit from clearer guidance regarding who must sign the management
report. Therefore, the FDIC is proposing to add Sec. 363.2(c) to
specify which corporate officers must sign the management report and
also the level of the corporate signers (i.e., insured depository
institution level or the holding company level).
4. Institutions Merged Out of Existence
Currently, part 363 does not exempt an institution that is merged
out of existence after the end of its fiscal year but before the
deadline for filing its Part 363 Annual Report from filing an annual
report. Such institutions typically submit a written request for relief
from the annual report filing requirement and the request is approved
by the FDIC. To reduce regulatory burden and provide certainty for
merging institutions, the FDIC is proposing to add guideline 5A,
Institutions Merged Out of Existence, to explicitly provide relief from
filing a Part 363 Annual Report to an institution that is merged out of
existence after the end of its fiscal year, but before the deadline for
filing its Part 363 Annual Report. However, a covered institution that
is acquired after the end of its fiscal year, but retains its separate
corporate existence rather than being merged out of existence, would
continue to be required to file a Part 363 Annual Report for that
fiscal year.
5. Management's Assessment of the Effectiveness of Internal Control
Over Financial Reporting
The FDIC has publicly advised institutions with $1 billion or more
in total assets that are public companies or subsidiaries of public
companies that they have considerable flexibility in determining how
best to satisfy the SEC's requirements for management's assessment of
internal control over financial reporting which implement section 404
of SOX, and the FDIC's requirements in part 363.\2\ The reporting
flexibility available to institutions subject to both the section 404
and the part 363 requirements was initially described in the preamble
to the SEC's section 404 final rule release (68 FR 36642, June 18,
2003). This final rule release explained that the flexible reporting
approach described in the preamble had been developed by the SEC staff
in consultation with the staff of the federal banking agencies. To
codify this reporting flexibility in part 363, the FDIC is proposing to
add guideline 8A, Management's Assessment of the Effectiveness of
Internal Control Over Financial Reporting. For an institution with $1
billion or more in total assets that is subject to both part 363 and
the SEC's rules implementing section 404 of SOX (or whose parent
holding company is subject to section 404 provided the condition in
Sec. 363.1(b)(2) is met), the proposed guideline describes two options
for complying with the filing requirements regarding management's
report on internal control over financial reporting. These options are
to prepare (1) a separate report to satisfy the FDIC's part 363
requirements and prepare a separate report to satisfy the SEC's section
404 requirements, or (2) a single report that satisfies all of the
FDIC's part 363 requirements and all of the SEC's section 404
requirements.
---------------------------------------------------------------------------
\2\ 70 FR 71231, November 28, 2005; 70 FR 44295, August 2, 2005;
FDIC Financial Institution Letter (FIL) 137-2004, December 21, 2004.
---------------------------------------------------------------------------
6. Internal Control Reports for Acquired Businesses
Currently, under the reporting requirements of part 363, both
management's and the related independent public accountant's evaluation
of an institution's internal control over financial reporting must
include controls at an institution in its entirety, including all of
its consolidated businesses, including businesses that were recently
acquired. However, the FDIC recognizes that it may not always be
possible for management to conduct an evaluation of the internal
control over financial reporting of an acquired business in the period
between the consummation date of the acquisition and the due date of
management's internal control evaluation. For public companies subject
to the internal control reporting requirements of section 404 of SOX,
the SEC staff has also acknowledged that conducting an internal control
evaluation of such an acquired business may not always be possible.
This led the SEC staff to provide guidance to public companies stating
that the staff would not object to the exclusion of the acquired
business from management's evaluation of internal control over
financial reporting, provided certain disclosures are made and other
conditions are met.\3\ The FDIC has received several written requests
from institutions subject to the internal control reporting
requirements of part 363 concerning their ability to exclude
[[Page 62316]]
recently acquired businesses from the scope of management's internal
control evaluation as of the end of the year of the acquisition. The
FDIC staff has granted such requests for relief subject to the same
disclosure parameters and other conditions that are laid out in the SEC
staff's guidance on this matter.
---------------------------------------------------------------------------
\3\ See Question 3 in the SEC staff's Frequently Asked Questions
on Management's Report on Internal Control Over Financial Reporting
and Certification of Disclosure in Exchange Act Periodic Reports at
http://www.sec.gov/info/accountants/controlfaq1004.htm.
---------------------------------------------------------------------------
To reduce regulatory burden, including the burden of submitting
written requests to the FDIC, and provide certainty to institutions,
the FDIC is proposing to add guideline 8B, Internal Control Reports for
Acquired Businesses, to explicitly provide relief from the reporting
requirements regarding internal control over financial reporting
related to business acquisitions made by an institution during its
fiscal year. As proposed and consistent with the SEC staff's guidance,
guideline 8B would permit management's evaluation of internal control
over financial reporting to exclude internal control over financial
reporting for the acquired business, provided management's report
identifies the acquired business, states that the acquired business is
excluded from management's evaluation of internal control over
financial reporting, and indicates the significance of the acquired
business to the institution's consolidated financial statements. Also,
proposed guideline 8B would clarify that if the acquired business is an
insured depository institution that is subject to part 363 and it is
not merged out of existence before the deadline for filing its Part 363
Annual Report, the acquired business (institution) must continue to
comply with all of the applicable requirements of part 363.
7. Standards for Internal Control
At present, guideline 10, Standards for Internal Control, provides
that each institution should determine its own standards for
establishing, maintaining, and assessing the effectiveness of its
internal control over financial reporting. However, the guideline does
not describe the characteristics of a suitable internal control
framework. Accordingly, the FDIC is proposing to amend guideline 10 to
provide guidance regarding the attributes of a suitable internal
control framework to be used by management in its evaluation of an
institution's internal control over financial reporting. Recognizing
that a significant percentage of institutions subject to part 363 or
their parent holding companies are also subject to the internal control
reporting requirements of section 404 of SOX, the attributes described
in amended guideline 10 are consistent with the attributes the SEC
described in the preamble to the SEC's section 404 final rule release
(68 FR 36648, June 18, 2003). The FDIC believes that a framework with
these attributes is appropriate for all institutions whether or not
they are public companies.
C. Independent Public Accountant (Sec. 363.3 and Guidelines 13-21)
1. Internal Control Over Financial Reporting
As with its experience in reviewing the portion of the management
report in which management provides its assessment of the effectiveness
of the institution's internal control over financial reporting, the
FDIC has found some independent public accountants' internal control
attestation reports to be less than sufficiently informative. Such
attestation reports are, therefore, inconsistent with the objectives of
section 36 of the FDI Act. As a consequence, the FDIC is proposing to
amend Sec. 363.3(b), which governs the independent public accountant's
report on internal control over financial reporting, to specify that,
consistent with generally accepted standards for attestation
engagements, the Public Company Accounting Oversight Board's (PCAOB)
auditing standards, and related PCAOB staff implementation guidance,
the accountant's report must:
- Not be dated prior to the date of management's report on
  its assessment of the effectiveness of internal control over financial
  reporting;
- Identify the internal control framework that the
  accountant used to make the evaluation (which must be the same as the
  internal control framework used by management);
- Include a statement that the accountant's evaluation
  included controls over the preparation of regulatory financial
  statements;
- Include a clear statement as to the accountant's
  conclusion regarding the effectiveness of internal control over
  financial reporting;
- Disclose all material weaknesses identified by the
  accountant; and
- Conclude that internal control is ineffective if there are
  any material weaknesses.
The FDIC is also proposing to amend guideline 18, Attestation
Report, to be consistent with Sec. 363.3(b)(2) by reiterating that the
attestation report on internal control over financial reporting should
include a statement as to regulatory reporting.
2. Communications With Audit Committee
According to section 204 of SOX, an accountant who audits a public
company's financial statements should report on a timely basis to the
company's audit committee: (1) All critical accounting policies, (2)
alternative accounting treatments discussed with management, and (3)
written communications provided to management, such as a management
letter or schedule of unadjusted differences. These reporting
requirements are intended to strengthen the relationship between the
audit committee and the accountant. The FDIC has previously stated that
effective communication between the accountant who audits the
institution's financial statements and the institution's audit
committee assists the audit committee in carrying out its
responsibilities. For this reason, the FDIC encouraged institutions,
regardless of whether they are public companies or not, to arrange with
their accountant to institute these reporting practices.\4\
Requirements that are similar, but not identical, to those set forth in
section 204 apply to accountants who audit the financial statements of
entities that are not public.\5\ Therefore, consistent with current
best practices and standards for audits of both public and non-public
entities, the FDIC is proposing to amend part 363 by adding Sec.
363.3(d), Communications with audit committee, to set a uniform minimum
requirement for such communication. As proposed, Sec. 363.3(d) would
require the independent public accountant to report the information
identified in section 204 of SOX to the audit committee.
---------------------------------------------------------------------------
\4\ See FDIC Financial Institution Letter (FIL) 17-2003, dated
March 5, 2003.
\5\ See Statement on Auditing Standards No. 114, The Auditor's
Communication With Those Charged With Governance, December 2006.
---------------------------------------------------------------------------
3. Retention of Working Papers
Section 36(g)(3)(A) of the FDI Act states that an independent
public accountant who performs audit services required by section 36
must agree to provide related working papers to the FDIC, any
appropriate federal banking agency, and any state bank supervisor.
However, when seeking to review audit working papers, the FDIC has
previously encountered situations where the working papers had been
retained for only a limited number of years. The SEC's rules and the
PCAOB's auditing standards implementing sections 802 and 103 of SOX,
respectively, now specify a 7-year retention period for audit working
papers. The American Institute of Certified Public Accountants' (AICPA)
auditing standards provide that the retention period for audit working
[[Page 62317]]
papers should not be shorter than five years.\6\ Since the retention
period applicable to audits of public companies is seven years, the
FDIC believes that a uniform retention period should apply to audits of
all institutions subject to part 363. Accordingly, consistent with the
current practices and professional standards for audits of both public
and non-public entities, the FDIC is proposing to amend part 363 by
adding Sec. 363.3(e), Retention of working papers. As proposed, Sec.
363.3(e) would require the independent public accountant to retain the
working papers related to its audit of the financial statements and, if
applicable, its evaluation of internal control over financial reporting
for seven years.
---------------------------------------------------------------------------
\6\ See Statement on Auditing Standards No. 103, Audit
Documentation, December 2006.
---------------------------------------------------------------------------
4. Independence
Section 36 of the FDI Act states that an ``independent public
accountant'' must perform the audit and attestation services required
by section 36 but it does not define ``independent,'' leaving this to
the FDIC's rulemaking authority. As adopted by the FDIC in 1993, part
363 includes guideline 14, Independence, which identifies the
independence standards applicable to accountants performing services
under section 36 and part 363. In 2003, the agencies jointly issued
rules of practice to implement the enforcement provisions of section
36(g)(4), which authorize the FDIC or an appropriate federal banking
agency to remove, suspend, or bar an accountant, for good cause, from
performing audit and attestation services for institutions subject to
section 36 and part 363.\7\ To enhance the enforceability of the
independence standards with which an accountant must comply for
purposes of part 363, the FDIC is proposing to move the independence
requirements for independent public accountants from guideline 14,
Independence, to new Sec. 363.3(f), Independence. As proposed, Sec.
363.3(f) would also clarify that the independent public accountant must
comply with the independence standards and interpretations of the PCAOB
that have been approved by the SEC in addition to the independence
standards and interpretations of the AICPA and the SEC.
---------------------------------------------------------------------------
\7\ 68 FR 48256, August 13, 2003.
---------------------------------------------------------------------------
5. Peer Reviews
Section 36(g)(3)(A)(ii) of the FDI Act requires an independent
public accountant to have received a peer review or be enrolled in a
peer review program that meets acceptable guidelines. At present,
guideline 15 to part 363 provides that to be acceptable, a peer review
should, among other things, be generally consistent with AICPA
standards. Since part 363 was originally adopted, the PCAOB has been
created and conducts inspections of registered public accounting firms,
some of which audit insured depository institutions subject to part 363
or their parent holding companies. These inspections serve a purpose
similar to that of peer reviews. In addition, the PCAOB issues reports on its
inspections of these accounting firms.
In response to this development and in light of the agencies'
issuance of rules of practice implementing the enforcement provisions
of section 36, as mentioned above, the FDIC is proposing to add new
Sec. 363.3(g) on peer reviews. The FDIC would move the requirements
for peer reviews and retention of the peer review working papers from
guideline 15, Peer Reviews, to Sec. 363.3(g). In addition, the
requirements for filing peer review reports would be moved to new Sec.
363.3(g) from guideline 16, Filing Peer Review Reports. As proposed,
Sec. 363.3(g) would also clarify that acceptable peer reviews include
peer reviews performed in accordance with the AICPA's Peer Review
Standards and inspections conducted by the PCAOB. It would also provide
that the FDIC would not make available for public inspection the
portion of any peer review report and inspection report determined to
be nonpublic by the AICPA and the PCAOB, respectively. Finally, the
FDIC is proposing to revise guideline 15 to explain that a peer review,
other than a PCAOB inspection, should be generally consistent with
AICPA Peer Review Standards.
6. Notice of Termination
Guideline 26, Notices Concerning Accountants, permits an
institution that is a public company or a subsidiary of a public
company to satisfy the requirement for filing a notice of termination
of its independent public accountant by using its current report (e.g.,
SEC Form 8-K) concerning a change in accountant to satisfy the similar
notice requirements of part 363. To reduce regulatory burden and
provide flexibility to the independent public accountant of such an
institution, the FDIC is proposing to amend guideline 20, Notice of
Termination, to permit the independent public accountant to satisfy the
requirement to file a notice of termination of its services in a
similar manner. As proposed, the independent public accountant
generally could satisfy the part 363 notice requirement by (1)
submitting the letter it provided to management to be filed with the
institution's or the holding company's current report filed with the
SEC or the appropriate federal banking agency or (2) relying on the
institution's or the holding company's current report filed by
management with the FDIC that includes the independent public
accountant's notice of termination of its services, provided the
independent public accountant confirms that management has filed a
current report that includes the accountant's letter to satisfy the
requirements of Sec. 363.3(c).
D. Filing and Notice Requirements (Sec. 363.4 and Guidelines 22-26)
1. Annual Reporting
Currently, the annual reporting requirements of part 363 require
each insured depository institution to file its Part 363 Annual Report
within 90 days after the end of its fiscal year. Part 363 also requires
each institution to file the independent public accountant's report on
the audited financial statements and, if applicable, the accountant's
attestation report on management's assessment of internal control over
financial reporting, both of which are components of the Part 363
Annual Report, within 15 days of receipt by the institution, which can
present a conflict with the annual report filing requirement. The FDIC
is also aware of the impact that earlier filing deadlines established
by the SEC for annual reports filed by certain public companies under
the federal securities laws (e.g., SEC Form 10-K) and more robust
auditing standards related to internal control over financial reporting
have had on the management of institutions, on the resources of
independent public accountants, and on auditing costs. To reduce cost
and burden, the FDIC is proposing to amend Sec. 363.4(a) by extending
the time period within which an insured depository institution that is
not a public company or a subsidiary of a public company must file its
Part 363 Annual Report from within 90 days to within 120 days after the
end of its fiscal year. An insured depository institution that is a
public company, or that is a subsidiary of a public company that meets
certain criteria, would continue to be required to file its Part 363
Annual Report within 90 days after the end of its fiscal year, which is
consistent with the maximum time frame that public companies have for
filing annual reports under the federal securities laws. The FDIC would
also eliminate the ambiguity in Sec. 363.4 concerning the filing
deadline for the components of the Part 363 Annual
[[Page 62318]]
Report that are prepared by the independent public accountant.
An insured depository institution with consolidated total assets of
less than $1 billion that is a public company or a subsidiary of a
public company is required to file management's assessment of the
effectiveness of internal control over financial reporting with the SEC
or the appropriate federal banking agency in accordance with the
compliance dates of the SEC's rules implementing section 404 of SOX.
Management's findings and conclusions with respect to internal control
over financial reporting, as disclosed in the assessment that
management files with the SEC or the appropriate federal banking
agency, provide information that would aid in meeting the objective of
section 36 of the FDI Act.
Therefore, the FDIC is proposing to add a provision to Sec.
363.4(a) that would require an institution of this size to submit a
copy of management's section 404 internal control assessment with its
Part 363 Annual Report, but this assessment will not be considered part
of the institution's Part 363 Annual Report.
2. Independent Public Accountant's Reports
Section 36(h)(2)(A) of the FDI Act and Sec. 363.4(c) require an
institution to file a copy of any management letter or other report
issued by its independent public accountant that pertains to the
financial statement audit and the attestation on internal control over
financial reporting within 15 days after receipt by the institution.
The FDIC's experience in administering part 363 indicates that
institutions are often uncertain as to which types of reports they
receive from their independent public accountant must be submitted to
the FDIC, the appropriate federal banking agency, and any appropriate
state bank supervisor pursuant to this filing requirement. As stated
above, this uncertainty extends to this 15-day filing requirement and
its relationship to the filing deadline for the Part 363 Annual Report.
To clarify the requirements for the filing of accountants' reports, the
FDIC is proposing to amend Sec. 363.4(c), Independent public
accountant's letters and reports, by providing examples of the types of
reports issued by an institution's independent public accountant,
except for the accountant's reports that are required to be included in
the institution's Part 363 Annual Report, that are to be filed within
15 days after receipt. Guideline 25, Independent Accountant's Reports,
would be deleted because it would be redundant and no longer needed.
In the Interagency Advisory on the Unsafe and Unsound Use of
Limitation of Liability Provisions in External Audit Engagement
Letters, the federal banking agencies expressed their concerns about
limitation of liability provisions included in external audit
engagement letters and advised institutions against entering into
engagement letters containing such provisions.\8\ To enable the FDIC to
timely review institutions' engagement letters with their independent
public accountants, the FDIC is also proposing to amend Sec. 363.4(c)
to require institutions to file copies of audit engagement letters,
including any related agreements and amendments, with the FDIC, the
appropriate federal banking agency, and any appropriate state bank
supervisor within 15 days of acceptance by the institution.
---------------------------------------------------------------------------
\8\ 71 FR 6847, February 9, 2006.
---------------------------------------------------------------------------
3. Notification of Late Filing
Guideline 23, Relief from Filing Deadlines, currently provides that
in the occasional event that an institution is confronted with
extraordinary circumstances beyond its reasonable control that
justify an extension of the deadline for filing its Part 363 Annual
Report or another required report or notice, the institution may submit
a written request for an extension of the filing deadline of not more
than 30 days that explains the reasons for the request. Such a request
may be granted for good cause. Over the last several years, the reasons
set forth in the requests for extensions of time for filing Part 363
Annual Reports that have been submitted to the FDIC generally did not
represent extraordinary circumstances beyond the institution's
reasonable control, the standard currently set forth in guideline 23.
Also, several extension requests were repeats of requests from the same
institutions from the previous year.
Based upon this experience and given the proposed amendment to
Sec. 363.4(a) to extend the filing deadline for Part 363 Annual
Reports for non-public institutions from 90 to 120 days, the FDIC is
proposing to replace the extensions of time for filing reports that are
available only in extraordinary circumstances under guideline 23 with a
new Sec. 363.4(e), Notification of late filing. In place of filing
extensions that
have limited applicability, this new section would be applicable to all
institutions and would require an institution that is unable to timely
file all or any portion of its Part 363 Annual Report or any other
report or notice to submit a written notice of late filing before the
filing deadline for the report or notice. The late filing notice shall
disclose the institution's inability to timely file all or specified
portions of its Part 363 Annual Report or other report or notice, the
reasons therefor in reasonable detail, and the date when the report or
notice will be filed.
The FDIC is also proposing to amend guideline 23 by changing its
focus from extension requests to late filing notices consistent with
the approach taken in new Sec. 363.4(e). Amended guideline 23 would
explain that submitting a late filing notice would not cure the
apparent violation of part 363 arising from an institution's failure to
timely file a Part 363 Annual Report or any other required report or
notice. The supervisory response to such an apparent violation would
take into account the facts and circumstances surrounding an
institution's delay in filing. As proposed, guideline 23 would also
provide that, if the late filing applies to only a portion of the Part
363 Annual Report or any other report or notice, the components of the
report or notice that have been completed should be filed within the
prescribed filing period accompanied by either a cover letter that
indicates which components are omitted or a combined late filing notice
and cover letter.
4. Place for Filing
Current guideline 22 identifies the office of the FDIC, the
appropriate federal banking agency, and the appropriate state bank
supervisor to which reports and notices (other than peer review
reports) required by part 363 are to be filed. Nevertheless, the FDIC
has found that some institutions submit required reports and notices to
incorrect locations. The FDIC staff also receives questions from
institutions asking where reports and notices should be filed. To make
the information as to where Part 363 Annual Reports, written notices of
late filing, and other reports and notices (except peer review reports)
are to be filed more prominent, the FDIC is proposing to move this
information from guideline 22, Place for Filing, to a new Sec.
363.4(f), Place for filing.
E. Audit Committees (Sec. 363.5 and Guidelines 27-35)
1. Composition
Section 36(g)(1) of the FDI Act and Sec. 363.5(a) require each
insured depository institution subject to part 363 to have an
independent audit committee comprised entirely of outside directors. As
defined in Sec. 363.5(a)(3), in general, an outside director is a
director
[[Page 62319]]
who is not an officer or employee of the institution or any affiliate
of the institution. In addition, the outside directors who serve on the
audit committee must be ``independent of management,'' although a
minority of the audit committee members of institutions with $500
million or more but less than $1 billion in total assets need not be
``independent of management.'' According to guideline 27, Composition,
each institution's board of directors is responsible for determining at
least annually whether existing and potential audit committee members
satisfy the requirements governing audit committee composition.
Guidelines 28 and 29 set forth certain factors for boards of directors
to consider in determining whether an outside director is ``independent
of management.''
In order for a board of directors to perform its evaluation of
audit committee members in a consistent, effective, and reviewable
manner, the FDIC believes the board should be guided by an approved
policy or set of criteria that identifies the factors to be taken into
account by the board. Accordingly, the FDIC is proposing to amend
guideline 27 to state that an institution's board of directors should
maintain and use an approved set of written criteria for evaluating
audit committee member independence and that the results of and basis
for the board's determination with respect to each existing and
potential audit committee member should be recorded in the board's
minutes.
Guideline 30, Holding Company Audit Committees, provides guidance
for complying with the audit committee requirements of part 363 at the
holding company level. The FDIC is proposing to amend guideline 30 for
consistency with the proposed revisions to the holding company
provisions of Sec. 363.1(b) and to reflect the difference in the audit
committee composition requirements in Sec. 363.5(a) for institutions
with more than and less than $1 billion in total assets.
2. ``Independent of Management'' Considerations
Guideline 28, ``Independent of Management'' Considerations,
identifies five factors for a board of directors to consider when
determining the independence of an outside director. Guideline 29, Lack
of Independence, states that a director who owns or controls 10 percent
or more of any class of the institution's voting securities should not
be considered ``independent of management.'' The FDIC has found that
some of the factors in guideline 28 are so general that they fail to
provide meaningful guidance to boards of directors. At the same time,
many of the institutions subject to part 363 or their parent holding
companies are public companies with securities listed on a national
securities exchange. Under the SEC's Rule 10A-3 (17 CFR Sec.
240.10A-3), each audit committee member of a listed issuer must be a director
of the issuer and must otherwise be independent. The listing standards
of the national securities exchange must set forth the criteria for
determining the independence of directors who are to serve on a listed
issuer's audit committee.
Based on its review, the FDIC believes that the independence
criteria for audit committee members included in the listing standards
of the national securities exchanges, together with the FDIC's existing
stock ownership criterion in guideline 29, represent an appropriate
framework for determining whether an outside director is ``independent
of management'' for purposes of part 363. Furthermore, for an
institution whose audit committee members or whose parent holding
company's audit committee members, if the holding company meets the
holding company provisions of Sec. 363.1(b), are subject to the
listing standards of a national securities exchange, allowing the
institution to use these standards for part 363 purposes will reduce
the institution's burden.
Therefore, the FDIC is proposing to combine guidelines 28 and 29
and provide expanded guidance for an institution's board of directors
to use in its assessment of an outside director's relationship to the
institution for the purposes of making ``independent of management''
determinations regarding audit committee members. For example, the
proposed amendment to guideline 28 includes a list of criteria that an
institution's board of directors should consider when determining
whether an outside director would be considered ``independent of
management.'' In developing the proposed list of criteria, the FDIC
considered the portion of the listing standards of the national
securities exchanges that apply to audit committees. An institution's
board of directors may also conclude that it should consider additional
criteria that may be appropriate in its particular circumstances. As an
alternative to the listed criteria, proposed guideline 28 would permit
an institution that is a public company or that is a subsidiary of a
public company, when the holding company provisions of Sec. 363.1(b)
are met, to apply the audit committee provisions of the listing
standards of the national securities exchange on which the public
institution or its public parent company is listed for purposes of
determining audit committee member independence. Similarly, all other
institutions, including those that are not public companies, may elect
to use the audit committee provisions of the listing standards of a
national securities exchange or association for determining audit
committee member independence.
3. Duties
According to section 36(g)(1)(B) of the FDI Act and Sec. 363.5(a),
an audit committee's duties include reviewing the basis for the Part
363 Annual Report with both management and the independent public
accountant. Guideline 31 further provides that the audit committee's
duties should be appropriate to the size of the institution and the
complexity of its operations and it identifies additional duties that
could be appropriate for the audit committee. These additional duties
include discussing with management the selection and termination of the
institution's independent public accountant. In addition, guideline 26
provides that, before engaging an independent public accountant, an
institution should review and satisfy itself that the accountant is in
compliance with the required qualifications set forth in guidelines 13
through 15, including the accountant's independence and receipt of a
peer review.
Under section 301 of SOX, the audit committee of each public
company listed on a national securities exchange or association must be
responsible for the appointment, compensation, and oversight of the
accounting firm engaged to prepare or issue an audit report or perform
related work. As the SEC noted when it adopted its final rule
implementing section 301, ``the auditing process may be compromised
when a company's outside auditors view their responsibility as serving
the company's management rather than its full board of directors or
audit committee. This may occur if the auditor views management as the
employer with hiring, firing and compensating powers. Under these
conditions, the auditor may not have the appropriate incentive to raise
concerns and conduct an objective review. * * * One way to help promote
auditor independence, then, is for the auditor to be hired, evaluated
and, if necessary, terminated by the audit committee.'' Because the
intent and purpose of section 36 of the FDI Act is the early
identification of needed improvements in financial management, it is
critical for the accountants that perform audit
[[Page 62320]]
and attestation services for insured depository institutions subject to
section 36 to have an appropriate incentive to raise concerns and
conduct an objective review. In this regard, the FDIC believes it is a
sound corporate governance practice for an institution's audit
committee, rather than its management, to be responsible for the
appointment, compensation, and oversight of the accountant, regardless
of whether the institution is a public company.
Therefore, the FDIC is proposing to amend Sec. 363.5(a),
Composition and duties, and guideline 31, Duties, to specify that, in
addition to reviewing with management and the independent public
accountant the basis for the reports issued under part 363, the duties
of the audit committee include the appointment, compensation, and
oversight of the independent public accountant who performs services
required under part 363. In order to discharge these duties with
respect to the independent public accountant, the audit committee
should also review and satisfy itself as to the independent public
accountant's compliance with the independence, peer review, and other
qualifications under part 363. Additionally, the audit committee should
be familiar with and ensure management's compliance with the
requirement to file notices concerning the engagement, resignation, or
dismissal of an independent public accountant. The FDIC is proposing to
include these duties in guideline 31.
4. Independent Public Accountant Engagement Letters
In response to an observed increase in the types and frequency of
provisions in financial institutions' external audit engagement letters
that limit the auditors' liability, the federal banking agencies issued
an Interagency Advisory on the Unsafe and Unsound Use of Limitation of
Liability Provisions in External Audit Engagement Letters (Interagency
Advisory) in February 2006.\9\ When they issued the Interagency
Advisory, the agencies stated their belief that when institutions agree
to limit their external auditors' liability in provisions in engagement
letters, such provisions may weaken the external auditors' objectivity,
impartiality, and performance, which may reduce the reliability of
audits and thereby raise safety and soundness concerns. The reliability
of audits is central to achieving the intent and purpose of section 36
of the FDI Act. Therefore, the FDIC is proposing to add Sec. 363.5(c),
Independent public accountant engagement letters, and amend guideline
31, Duties, to incorporate the principal provisions of the Interagency
Advisory.
---------------------------------------------------------------------------
\9\ See 71 FR 6847, February 9, 2006, and FDIC Financial
Institution Letter (FIL) 13-2006, issued on the same date. The
Federal Financial Institutions Examination Council on behalf of the
agencies issued the Interagency Advisory in proposed form for public
comment on May 10, 2005 (70 FR 24576).
---------------------------------------------------------------------------
As proposed, Sec. 363.5(c) and guideline 31 would require the
audit committee to ensure that audit engagement letters and any related
agreements with the independent public accountant for services to be
performed under part 363 do not contain any limitation of liability
provisions that: (1) Indemnify the independent public accountant
against claims made by third parties; (2) hold harmless or release the
independent public accountant from liability for claims or potential
claims that might be asserted by the client insured depository
institution, other than claims for punitive damages; or (3) limit the
remedies available to the client insured depository institution.
Consistent with the Interagency Advisory, the proposed amendment would
not preclude the use of alternative dispute resolution agreements and
jury trial waivers.
5. Transition Period for Forming and Restructuring Audit Committees
When an insured depository institution first exceeds the $500
million total assets threshold and becomes subject to part 363,
particularly an institution with few shareholders, the FDIC has
observed that, in some cases, such an institution encounters difficulty
in satisfying the requirements governing the composition of the
independent audit committee. If the board of directors lacks a
sufficient number of outside directors who are independent of
management to serve on the audit committee, the board members must
identify and attract qualified individuals in their community who would
be willing to become directors and audit committee members and who
would be ``independent of management.'' The lack of guidance in part
363 on the amount of time in which an institution must bring its audit
committee into compliance with the requirements governing its
composition when an institution first becomes subject to part 363
further complicates this process. This lack of guidance on the time
frame for attaining compliance also affects the other two asset-size
thresholds applicable to audit committee composition.
To provide both clarity and regulatory relief, the FDIC is
proposing to replace outdated guideline 35, which dealt with compliance
with the audit committee requirements of part 363 when the regulation
took effect in 1993, with a revised guideline 35, ``Transition Period
for Forming and Restructuring Audit Committees.'' As proposed,
guideline 35 would provide a one-year transition period for forming or
restructuring the audit committee when an institution first becomes
subject to part 363, when an institution's assets first reach the $1
billion asset-size threshold, and when an institution's assets first
reach the $3 billion asset-size threshold. The proposed revised
guideline would state that, when an institution first crosses one of
these three thresholds based on its total assets at the beginning of
its fiscal year, no regulatory action would be taken if the institution
forms or restructures its audit committee to comply with the applicable
requirements governing the composition of the committee by the end of
that fiscal year, provided the institution complied with any applicable
audit committee requirements for its preceding fiscal year.
F. Other Changes to Part 363
The FDIC also proposes to make other changes to part 363 to improve
its clarity, readability, and consistency of language, and to correct
or eliminate outdated terms, references, and provisions in the
regulation and appendix A.
G. Proposed Amendment to Part 308, Subpart U
In August 2003, pursuant to section 36(g)(4) of the FDI Act, the
FDIC and the other federal banking agencies jointly issued final rules
governing their authority to take disciplinary actions against
independent public accountants and accounting firms that perform audit
and attestation services required by section 36.\10\ Under the final
rules, certain violations of law, negligent conduct, reckless violation
of professional standards, or lack of qualifications to perform
auditing services may be considered good cause to remove, suspend, or
bar an accountant or firm from providing audit and attestation services
for institutions subject to section 36. The rules also prohibit an
accountant or accounting firm from performing these services if the
accountant or firm has been removed, suspended, or debarred by one of
the agencies, or if the SEC or PCAOB takes certain disciplinary actions
against the accountant or firm. Additionally, the final rules require
an accountant or an accounting firm to provide the agencies
[[Page 62321]]
with written notification of the accountant's or firm's removal,
suspension, or debarment. Part 308, subpart U, of the FDIC's rules and
regulations implements the requirements of section 36(g)(4) of the FDI
Act for institutions that are supervised by the FDIC. The FDIC is
proposing to amend Sec. 308.604(c) to identify the FDIC location where
an accountant or accounting firm should file required notices of orders
and actions regarding removal, suspension, or debarment.
---------------------------------------------------------------------------
\10\ See 68 FR 48256, April 13, 2003, and the FDIC's Financial
Institution Letter (FIL) FIL-66-2006, dated August 18, 2003.
---------------------------------------------------------------------------
IV. Request for Comments
The FDIC welcomes comments on all aspects of this proposal. In
particular, the FDIC invites comments on the following:
1. As proposed, the rule would require management's assessment of
compliance with designated safety and soundness laws and regulations to
include a clear statement as to management's conclusion regarding
compliance and disclose any noncompliance with such laws and
regulations. The designated safety and soundness laws and regulations
relate to loans to insiders and dividend restrictions. Management's
assessment of compliance is included in the management report within
the Part 363 Annual Report, which is available for public inspection.
Should the disclosure of instances of noncompliance with these
designated laws and regulations be made available for public inspection
or should the FDIC designate such disclosure as privileged and
confidential and not available to the public?
2. As proposed, the rule would require the total assets of a
holding company's insured depository institution subsidiaries to
comprise 75 percent or more of the holding company's consolidated total
assets as of the beginning of its fiscal year in order for an
institution to comply with part 363 at the holding company level. The
holding company could be the institution's top-tier or any mid-tier
holding company that meets the 75 percent threshold. Considering the
costs and benefits of a threshold, is 75 percent or more of
consolidated total assets an appropriate threshold? If not, what would
be an appropriate threshold to use for compliance with part 363 at a
holding company level?
V. Solicitation of Comments on Use of Plain Language
Section 722 of the Gramm-Leach-Bliley Act, Pub. L. 106-102, sec.
722, 113 Stat. 1338, 1471 (Nov. 12, 1999), requires the federal banking
agencies to use plain language in all proposed and final rules
published after January 1, 2000. We invite your comments on how to make
this proposal easier to understand. For example:
Have we organized the material to suit your needs? If not,
how could this material be better organized?
Are the requirements in the proposed regulation clearly
stated? If not, how could the regulation be more clearly stated?
Does the proposed regulation contain language or jargon
that is not clear? If so, which language requires clarification?
Would a different format (grouping and order of sections,
use of headings, paragraphing) make the regulation easier to
understand? If so, what changes to the format would make the regulation
easier to understand?
What else could we do to make the regulation easier to
understand?
VI. Solicitation of Comments on Impact on Community Banks
The FDIC seeks comments on the impact of this proposal on community
banks. The FDIC recognizes that community banks operate with more
limited resources than larger institutions and may present a different
risk profile. Thus, the FDIC specifically requests comments on the
impact of the proposal on community banks' current resources, including
personnel, and whether the goals of the proposed rule could be
achieved, for community banks, through an alternative approach.
VII. Regulatory Flexibility Act Analysis
The Regulatory Flexibility Act (RFA) requires that each federal
agency either certify that a proposed rule would not, if adopted in
final form, have a significant economic impact on a substantial number
of small entities or prepare an initial regulatory flexibility analysis
(IRFA) of the proposal and publish the analysis for comment. See 5
U.S.C. 603, 605. The Small Business Administration (SBA) defines small
banks as those with less than $165 million in assets. Because this rule
expressly exempts insured depository institutions having assets of less
than $500 million, it is inapplicable to small entities as defined by
the SBA. Therefore, it is certified that this proposed rule would not
have a significant economic impact on a substantial number of small
entities.
VIII. Paperwork Reduction Act
This proposed rule would revise a collection of information that
has been reviewed and approved by the Office of Management and Budget
(OMB) under control number 3064-0113, pursuant to the Paperwork
Reduction Act (44 U.S.C. 3501 et seq.). The principal revisions that
bear on the collection of information under part 363 are the extension
of the filing deadline for the Part 363 Annual Report from 90 to 120
days after the end of the fiscal year for an institution that is not a
public company or a subsidiary of a public company, the replacement of
30-day extension requests (when an institution is confronted with
extraordinary circumstances beyond its reasonable control) with late
filing notices (regardless of the reason), the modification of the
criteria governing the acceptability of reports at the holding company
level rather than at the institution level, the expanded guidance on
the content of the management report and the independent public
accountant's internal control attestation report, the board of
directors' use of an approved set of written criteria for determining
whether an audit committee member is an outside director and is
``independent of management,'' and the new guidelines for institutions
merged out of existence and for internal control reports for acquired
businesses. It is anticipated that the overall effect of these changes
will be a small burden increase for affected insured institutions.
Comments are invited on: (a) Whether this collection of information is
necessary for the proper performance of the FDIC's functions, including
whether the information has practical utility; (b) the accuracy of the
estimates of the burden of the information collection; (c) ways to
enhance the quality, utility, and clarity of the information to be
collected; and (d) ways to minimize the burden of the information
collection on respondents, including through the use of automated
collection techniques or other forms of information technology.
Comments should be addressed to Steven F. Hanft, Paperwork
Clearance Officer, Room F-1062, Federal Deposit Insurance Corporation,
550 17th Street, NW., Washington, DC 20429, with copies to the OMB desk
officer for the FDIC by mail to the Office of Information and
Regulatory Affairs, U.S. Office of Management and Budget, New Executive
Office Building, Room 10235, 725 17th Street, NW., Washington, DC 20503
or by fax to (202) 395-6974.
The paperwork burden associated with this rule was last reviewed in
2005. At that time, the FDIC estimated the burden of this information
collection to be 65,612 hours for FDIC-supervised institutions. Before
giving effect to the proposed amendments, the estimated
[[Page 62322]]
burden would be 79,721 hours, an adjustment of 14,109 hours
attributable to an increase in the number of FDIC-supervised
institutions subject to part 363. If the revisions in this proposed
rule are implemented, the resulting estimated reporting burden for the
collection of information would be 83,599 hours, a program increase of
3,878 hours over the adjusted burden of 79,721 hours. The most
significant component of the increase is attributable to the proposed
revised requirements related to audit committee composition.
Number of Respondents: 5,230.
Total Annual Responses: 16,231.
Total Annual Burden Hours: 83,599.
List of Subjects
12 CFR Part 308
Administrative practice and procedure, Bank deposit insurance,
Banks, banking, Claims, Crime, Equal access to justice, Investigations,
Lawyers, Penalties, State nonmember banks.
12 CFR Part 363
Accounting, Administrative practice and procedure, Banks, banking,
Reporting and recordkeeping requirements.
For the reasons set forth in the preamble, the Board of Directors
of the FDIC proposes to amend title 12, chapter III, of the Code of
Federal Regulations as follows:
PART 308--RULES OF PRACTICE AND PROCEDURE
1. The authority citation for part 308 continues to read as
follows:
Authority: 5 U.S.C. 504, 554-557; 12 U.S.C. 93(b), 164, 505,
1815(e), 1817, 1818, 1820, 1828, 1829, 1829b, 1831i, 1831m(g)(4),
1831o, 1831p-1, 1832(c), 1884(b), 1972, 3102, 3108(a), 3349, 3909,
4717; 15 U.S.C. 78(h) and (i), 78o-4(c), 78o-5, 78q-1, 78s, 78u,
78u-2, 78u-3 and 78w, 6801(b), 6805(b)(1); 28 U.S.C. 2461 note; 31
U.S.C. 330, 5321; 42 U.S.C. 4012a; Sec. 3100(s), Pub. L. 104-134,
110 Stat. 1321-358.
Subpart U--Removal, Suspension, and Debarment of Accountants From
Performing Audit Services
2. Revise Sec. 308.604(c) to read as follows:
Sec. 308.604 Notice of removal, suspension, or debarment.
* * * * *
(c) Timing and place of notice. Written notice required by this
paragraph shall be given no later than 15 calendar days following the
effective date of an order or action, or 15 calendar days before an
accountant or accounting firm accepts an engagement to provide audit
services, whichever date is earlier. The written notice must be filed
by the independent public accountant or accounting firm with the FDIC,
Accounting and Securities Disclosure Section, 550 17th Street, NW.,
Washington, DC 20429.
3. Revise part 363 to read as follows:
PART 363--ANNUAL INDEPENDENT AUDITS AND REPORTING REQUIREMENTS
Sec.
363.0 OMB control number.
363.1 Scope and definitions.
363.2 Annual reporting requirements.
363.3 Independent public accountant.
363.4 Filing and notice requirements.
363.5 Audit committees.
Appendix A to Part 363--Guidelines and Interpretations
Appendix B to Part 363--Illustrative Management Reports
Authority: 12 U.S.C. 1831m.
Sec. 363.0 OMB control number.
The information collection requirements in this part have been
approved by the Office of Management and Budget under OMB control
number 3064-0113.
Sec. 363.1 Scope and definitions.
(a) Applicability. This part applies to any insured depository
institution with respect to any fiscal year in which its consolidated
total assets at the beginning of such fiscal year are $500 million or
more. The requirements specified in this part are in addition to any
other statutory and regulatory requirements otherwise applicable to an
insured depository institution.
(b) Compliance by subsidiaries of holding companies. (1) The
audited financial statements requirement of Sec. 363.2(a) for any
fiscal year may be satisfied for an insured depository institution that
is a subsidiary of a holding company by audited consolidated financial
statements of the top-tier or any mid-tier holding company provided
that the consolidated total assets of the insured depository
institution (or the consolidated total assets of all insured depository
institutions, regardless of size, if the holding company owns or
controls more than one insured depository institution) comprise 75
percent or more of the consolidated total assets of the holding company
at the beginning of its fiscal year.
(2) The other requirements of this part for an insured depository
institution that is a subsidiary of a holding company may be satisfied
by the top-tier or any mid-tier holding company if the insured
depository institution meets the criterion specified in Sec.
363.1(b)(1) and if:
(i) The services and functions comparable to those required of the
insured depository institution by this part are provided at the holding
company level; and
(ii) The insured depository institution has as of the beginning of
its fiscal year:
(A) Total assets of less than $5 billion; or
(B) Total assets of $5 billion or more and a composite CAMELS
rating of 1 or 2.
(3) The appropriate federal banking agency may revoke the exception
in paragraph (b)(2) of this section for any institution with total
assets in excess of $9 billion for any period of time during which the
appropriate federal banking agency determines that the institution's
exemption would create a significant risk to the Deposit Insurance
Fund.
(c) Financial reporting. For purposes of the management report
requirement of Sec. 363.2(b) and the internal control reporting
requirement of Sec. 363.3(b), ``financial reporting'' includes both
financial statements prepared in accordance with generally accepted
accounting principles and those prepared for regulatory reporting
purposes.
(d) Definitions. For purposes of this part, the following
definitions apply:
(1) AICPA means the American Institute of Certified Public
Accountants.
(2) GAAP means generally accepted accounting principles.
(3) PCAOB means the Public Company Accounting Oversight Board.
(4) Public company means an insured depository institution or other
company that has a class of securities registered with the U.S.
Securities and Exchange Commission or the appropriate federal banking
agency under Section 12 of the Securities Exchange Act of 1934.
(5) SEC means the U.S. Securities and Exchange Commission.
(6) SOX means the Sarbanes-Oxley Act of 2002.
Sec. 363.2 Annual reporting requirements.
(a) Audited financial statements. Each insured depository
institution shall prepare annual financial statements in accordance
with GAAP, which shall be audited by an independent public accountant.
The annual financial statements must reflect all material correcting
adjustments identified by the independent public accountant.
(b) Management report. Each insured depository institution annually
shall prepare, as of the end of the institution's
[[Page 62323]]
most recent fiscal year, a management report that must contain the
following:
(1) A statement of management's responsibilities for preparing the
institution's annual financial statements, for establishing and
maintaining an adequate internal control structure and procedures for
financial reporting, and for complying with laws and regulations
relating to safety and soundness that are designated by the FDIC and
the appropriate federal banking agency;
(2) An assessment by management of the insured depository
institution's compliance with such laws and regulations during such
fiscal year. The assessment must state management's conclusion as to
whether the insured depository institution has complied with the
designated safety and soundness laws and regulations during the fiscal
year and disclose any noncompliance with these laws and regulations;
and
(3) For an insured depository institution with consolidated total
assets of $1 billion or more at the beginning of such fiscal year, an
assessment by management of the effectiveness of such internal control
structure and procedures as of the end of such fiscal year that must
include the following:
(i) A statement identifying the internal control framework \1\ used
by management to evaluate the effectiveness of the insured depository
institution's internal control over financial reporting;
---------------------------------------------------------------------------
\1\ In the United States, the Committee of Sponsoring
Organizations (COSO) of the Treadway Commission has published
Internal Control--Integrated Framework, including an addendum on
safeguarding assets. Known as the COSO report, this publication
provides a suitable and available framework for purposes of
management's assessment.
---------------------------------------------------------------------------
(ii) A statement that the assessment included controls over the
preparation of regulatory financial statements in accordance with
regulatory reporting instructions including identification of such
regulatory reporting instructions; and
(iii) A statement expressing management's conclusion as to whether
the insured depository institution's internal control over financial
reporting is effective. Management must disclose all material
weaknesses in internal control over financial reporting, if any, that
it has identified. Management is precluded from concluding that the
insured depository institution's internal control over financial
reporting is effective if there are one or more material weaknesses.
(c) Management report signatures. Subject to the criteria specified
in Sec. 363.1(b):
(1) If the audited financial statements requirement specified in
Sec. 363.2(a) is satisfied at the insured depository institution level
and the management report requirement specified in Sec. 363.2(b) is
satisfied in its entirety at the insured depository institution level,
the management report must be signed by the chief executive officer and
the chief accounting officer or chief financial officer of the insured
depository institution;
(2) If the audited financial statements requirement specified in
Sec. 363.2(a) is satisfied at the holding company level and the
management report requirement specified in Sec. 363.2(b) is satisfied
in its entirety at the holding company level, the management report
must be signed by the chief executive officer and the chief accounting
officer or chief financial officer of the holding company; and
(3) If the audited financial statements requirement specified in
Sec. 363.2(a) is satisfied at the holding company level and:
(i) The management report requirement specified in Sec. 363.2(b)
is satisfied in its entirety at the insured depository institution
level; or
(ii) One or more of the components of the management report
specified in Sec. 363.2(b) is satisfied at the holding company level
and the remaining components of the management report are satisfied at
the insured depository institution level, the management report must be
signed by the chief executive officers and the chief accounting
officers or chief financial officers of both the holding company and
the insured depository institution and the management report must
clearly indicate the level (institution or holding company) at which
each of its components is being satisfied.
Sec. 363.3 Independent public accountant.
(a) Annual audit of financial statements. Each insured depository
institution shall engage an independent public accountant to audit and
report on its annual financial statements in accordance with GAAP and
section 37 of the Federal Deposit Insurance Act (12 U.S.C. 1831n). The
scope of the audit engagement shall be sufficient to permit such
accountant to determine and report whether the financial statements are
presented fairly and in accordance with GAAP.
(b) Internal control over financial reporting. For each insured
depository institution with total assets of $1 billion or more at the
beginning of the institution's fiscal year, the independent public
accountant who audits the institution's financial statements shall
examine, attest to, and report separately on, the assertion of
management concerning the effectiveness of the institution's internal
control structure and procedures for financial reporting. The
attestation and report shall be made in accordance with generally
accepted standards for attestation engagements or the PCAOB's auditing
standards, if applicable. The accountant's report must not be dated
prior to the date of the management report and management's assessment
of the effectiveness of internal control over financial reporting. The
accountant's report must include the following:
(1) A statement identifying the internal control framework used by
the independent public accountant, which must be the same as the
internal control framework used by management, to evaluate the
effectiveness of the insured depository institution's internal control
over financial reporting;
(2) A statement that the independent public accountant's evaluation
included controls over the preparation of regulatory financial
statements in accordance with regulatory reporting instructions
including identification of such regulatory reporting instructions; and
(3) A statement expressing the independent public accountant's
conclusion as to whether the insured depository institution's internal
control over financial reporting is effective. The report must disclose
all material weaknesses in internal control over financial reporting
that the independent public accountant has identified. The independent
public accountant is precluded from concluding that the insured
depository institution's internal control over financial reporting is
effective if there are one or more material weaknesses.
(c) Notice by accountant of termination of services. An independent
public accountant performing an audit under this part who ceases to be
the accountant for an insured depository institution shall notify the
FDIC and the appropriate federal banking agency in writing of such
termination within 15 days after the occurrence of such event, and set
forth in reasonable detail the reasons for such termination. The
written notice shall be filed at the place identified in Sec.
363.4(f).
(d) Communications with audit committee. The independent public
accountant must report the following on a timely basis to the audit
committee:
[[Page 62324]]
(1) All critical accounting policies used by the insured depository
institution,
(2) Alternative accounting treatments the independent public
accountant has discussed with management, and
(3) Other written communications the independent public accountant
has provided to management, such as a management letter or schedule of
unadjusted differences.
(e) Retention of working papers. The independent public accountant
must retain the working papers related to the audit of the insured
depository institution's financial statements and, if applicable, the
evaluation of the institution's internal control over financial
reporting for seven years, unless a longer period of time is required
by law.
(f) Independence. The independent public accountant must comply
with the independence standards and interpretations of the AICPA, the
SEC, and the PCAOB.
(g) Peer reviews. (1) Prior to commencing any services for an
insured depository institution under this part, the independent public
accountant must have received a peer review, or be enrolled in a peer
review program, that meets acceptable guidelines. Acceptable peer
reviews include peer reviews performed in accordance with the AICPA's
Peer Review Standards and inspections conducted by the PCAOB.
(2) Within 15 days of receiving notification that a peer review has
been accepted or a PCAOB inspection report has been issued, or before
commencing any audit under this part, whichever is earlier, the
independent public accountant must file two copies of the most recent
peer review report and the most recent PCAOB inspection report, if any,
accompanied by any letters of comments, response, and acceptance, with
the FDIC, Accounting and Securities Disclosure Section, 550 17th Street
NW., Washington, DC 20429, if the report has not already been filed.
Except for the portions of any peer review report and inspection report
determined to be nonpublic by the AICPA and the PCAOB, respectively,
the report will be made available for public inspection by the FDIC.
Sec. 363.4 Filing and notice requirements.
(a) Part 363 Annual Report. (1) Each insured depository institution
shall file with each of the FDIC, the appropriate federal banking
agency, and any appropriate state bank supervisor, two copies of its
Part 363 Annual Report. A Part 363 Annual Report must contain audited
comparative annual financial statements, the independent public
accountant's report thereon, a management report, and, if applicable,
the independent public accountant's attestation report on management's
assessment concerning the institution's internal control structure and
procedures for financial reporting as required by Sec. Sec. 363.2(a),
363.3(a), 363.2(b), and 363.3(b), respectively.
(2) Subject to the criteria specified in Sec. 363.1(b), each
insured depository institution with consolidated total assets of less
than $1 billion as of the beginning of its fiscal year that is required
to file, or whose parent holding company is required to file,
management's assessment of the effectiveness of internal control over
financial reporting with the SEC or the appropriate federal banking
agency in accordance with section 404 of SOX must submit a copy of such
assessment to the FDIC, the appropriate federal banking agency, and any
appropriate state bank supervisor with its Part 363 Annual Report as
additional information. This assessment will not be considered part of
the institution's Part 363 Annual Report.
(3) (i) Each insured depository institution that is neither a
public company nor a subsidiary of a public company that meets the
criterion specified in Sec. 363.1(b)(1) shall file its Part 363 Annual
Report within 120 days after the end of its fiscal year.
(ii) Each insured depository institution that is a public company
or a subsidiary of a public company that meets the criterion specified in
Sec. 363.1(b)(1) shall file its Part 363 Annual Report within 90 days
after the end of its fiscal year.
(b) Public availability. The annual report in paragraph (a)(1) of
this section shall be available for public inspection.
(c) Independent public accountant's letters and reports. (1) Except
for the independent public accountant's reports that are included in
its Part 363 Annual Report, each insured depository institution shall
file with the FDIC, the appropriate federal banking agency, and any
appropriate state bank supervisor, a copy of any management letter or
other report issued by its independent public accountant with respect
to such institution and the services provided by such accountant
pursuant to this part within 15 days after receipt. Such reports
include, but are not limited to:
(i) Any written communication regarding matters that are required
to be communicated to the audit committee (for example, critical
accounting policies, alternative accounting treatments discussed with
management, and any schedule of unadjusted differences),
(ii) Any written communication of significant deficiencies and
material weaknesses in internal control required by the AICPA's or the
PCAOB's auditing standards;
(iii) For institutions with total assets of less than $1 billion as
of the beginning of their fiscal year that are public companies or
subsidiaries of public companies that meet the criterion specified in
Sec. 363.1(b)(1), any independent public accountant's report on the
audit of internal control over financial reporting required by section
404 of SOX and the PCAOB's auditing standards; and
(iv) For all institutions that are public companies or subsidiaries
of public companies that meet the criterion specified in Sec.
363.1(b)(1), any independent public accountant's written communication
of all deficiencies in internal control over financial reporting that
are of a lesser magnitude than significant deficiencies required by the
PCAOB's auditing standards.
(2) Each insured depository institution shall file with the FDIC,
the appropriate federal banking agency, and any appropriate state bank
supervisor, a copy of any audit engagement letter, including any
related agreements and amendments, within 15 days of acceptance by the
institution.
(d) Notice of engagement or change of accountants. Each insured
depository institution shall provide, within 15 days after the
occurrence of any such event, written notice to the FDIC, the
appropriate federal banking agency, and any appropriate state bank
supervisor of the engagement of an independent public accountant, or
the resignation or dismissal of the independent public accountant
previously engaged. The notice shall include a statement of the reasons
for any such resignation or dismissal in reasonable detail.
(e) Notification of late filing. No extensions of time for filing
reports required by Sec. 363.4 shall be granted. An insured depository
institution that is unable to timely file all or any portion of its
Part 363 Annual Report or any other report or notice required by Sec.
363.4 shall submit a written notice of late filing to the FDIC, the
appropriate federal banking agency, and any appropriate state bank
supervisor. The notice shall disclose the institution's inability to
timely file all or specified portions of its Part 363 Annual Report or
any other report or notice and the reasons therefor in reasonable
detail. The late filing notice shall also state the date when the
report or notice will be filed. The written notice shall be filed on or
before the deadline for filing the
[[Page 62325]]
Part 363 Annual Report or any other report or notice, as appropriate.
(f) Place for filing. The Part 363 Annual Report, any written
notification of late filing, and any other report or notice required by
Sec. 363.4 should be filed as follows:
(1) FDIC: Appropriate FDIC Regional or Area Office (Division of
Supervision and Consumer Protection), i.e., the FDIC regional or area
office in the FDIC region or area that is responsible for monitoring
the institution or, in the case of a subsidiary institution of a
holding company, the consolidated company. A filing made on behalf of
several covered institutions owned by the same parent holding company
should be accompanied by a transmittal letter identifying all of the
institutions covered.
(2) Office of the Comptroller of the Currency (OCC): Appropriate
OCC Supervisory Office.
(3) Federal Reserve: Appropriate Federal Reserve Bank.
(4) Office of Thrift Supervision (OTS): Appropriate OTS District
Office.
(5) State bank supervisor: The filing office of the appropriate
state bank supervisor.
Sec. 363.5 Audit committees.
(a) Composition and duties. Each insured depository institution
shall establish an audit committee of its board of directors, the
composition of which complies with paragraphs (a)(1), (2), and (3) of
this section. The duties of the audit committee shall include the
appointment, compensation, and oversight of the independent public
accountant who performs services required under this part, and
reviewing with management and the independent public accountant the
basis for the reports issued under this part.
(1) Each insured depository institution with total assets of $1
billion or more as of the beginning of its fiscal year shall establish
an independent audit committee of its board of directors, the members
of which shall be outside directors who are independent of management
of the institution.
(2) Each insured depository institution with total assets of $500
million or more but less than $1 billion as of the beginning of its
fiscal year shall establish an audit committee of its board of
directors, the members of which shall be outside directors, the
majority of whom shall be independent of management of the institution.
The appropriate Federal banking agency may, by order or regulation,
permit the audit committee of such an insured depository institution to
be made up of less than a majority of outside directors who are
independent of management, if the agency determines that the
institution has encountered hardships in retaining and recruiting a
sufficient number of competent outside directors to serve on the audit
committee of the institution.
(3) An outside director is a director who is not, and within the
preceding fiscal year has not been, an officer or employee of the
institution or any affiliate of the institution.
(b) Committees of large institutions. The audit committee of any
insured depository institution that has total assets of more than $3
billion, measured as of the beginning of each fiscal year, shall
include members with banking or related financial management expertise,
have access to its own outside counsel, and not include any large
customers of the institution. If a large institution is a subsidiary of
a holding company and relies on the audit committee of the holding
company to comply with this rule, the holding company's audit committee
shall not include any members who are large customers of the subsidiary
institution.
(c) Independent public accountant engagement letters. (1) In
performing its duties with respect to the appointment of the
institution's independent public accountant, the audit committee shall
ensure that engagement letters and any related agreements with the
independent public accountant for services to be performed under this
part do not contain any limitation of liability provisions that:
(i) Indemnify the independent public accountant against claims made
by third parties;
(ii) Hold harmless or release the independent public accountant
from liability for claims or potential claims that might be asserted by
the client insured depository institution, other than claims for
punitive damages; or
(iii) Limit the remedies available to the client insured depository
institution.
(2) Alternative dispute resolution agreements and jury trial waiver
provisions are not precluded provided that they do not incorporate any
limitation of liability provisions set forth in paragraph (c)(1) of
this section.
Appendix A to Part 363--Guidelines and Interpretations
Table of Contents
Introduction
Scope of Rule (Sec. 363.1)
1. Measuring Total Assets
2. Insured Branches of Foreign Banks
3. Compliance by Holding Company Subsidiaries
4. Comparable Services and Functions
4A. Financial Reporting
Annual Reporting Requirements (Sec. 363.2)
5. Annual Financial Statements
5A. Institutions Merged out of Existence
6. Holding Company Statements
7. Insured Branches of Foreign Banks
8. Management Report
8A. Management's Assessment of the Effectiveness of Internal Control
over Financial Reporting
8B. Internal Control Reports for Acquired Businesses
9. Safeguarding of Assets
10. Standards for Internal Control
11. Service Organizations
12. Compliance with Laws and Regulations
Role of Independent Public Accountant (Sec. 363.3)
13. General Qualifications
14. Reserved
15. Peer Review Guidelines
16. Reserved
17. Information to be Provided to the Independent Public Accountant
18. Attestation Report and Management Letter
19. Reviews with Audit Committee and Management
20. Notice of Termination
21. Reliance on Internal Auditors
Filing and Notice Requirements (Sec. 363.4)
22. Reserved
23. Notification of Late Filing
24. Public Availability
25. Reserved
26. Notices Concerning Accountants
Audit Committees (Sec. 363.5)
27. Composition
28. ``Independent of Management'' Considerations
29. Reserved
30. Holding Company Audit Committees
31. Duties
32. Banking or Related Financial Management Expertise
33. Large Customers
34. Access to Counsel
35. Transition Period for Forming and Restructuring Audit Committees
Other
36. Modifications of Guidelines
Introduction
Congress added section 36, ``Early Identification of Needed
Improvements in Financial Management'' (section 36), to the Federal
Deposit Insurance Act (FDI Act) in 1991.
The FDIC Board of Directors adopted 12 CFR part 363 of its rules
and regulations (the Rule) to implement those provisions of section
36 that require rulemaking. The FDIC also approved these
``Guidelines and Interpretations'' (the Guidelines) and directed
that they be published with the Rule to facilitate a better
understanding of, and full compliance with, the provisions of
section 36.
Although not contained in the Rule itself, some of the guidance
offered restates or refers to statutory requirements of section 36
and is therefore mandatory. If that is the case, the statutory
provision is cited.
[[Page 62326]]
Furthermore, upon adopting the Rule, the FDIC reiterated its
belief that every insured depository institution, regardless of its
size or charter, should have an annual audit of its financial
statements performed by an independent public accountant, and should
establish an audit committee comprised entirely of outside
directors.
The following Guidelines reflect the views of the FDIC
concerning the interpretation of section 36. The Guidelines are
intended to assist insured depository institutions (institutions),
their boards of directors, and their advisors, including their
independent public accountants and legal counsel, and to clarify
section 36 and the Rule. It is recognized that reliance on the
Guidelines may result in compliance with section 36 and the Rule
which may vary from institution to institution. Terms which are not
explained in the Guidelines have the meanings given them in the
Rule, the FDI Act, or professional accounting and auditing
literature.
Scope of Rule (Sec. 363.1)
1. Measuring Total Assets. To determine whether this part
applies, an institution should use total assets as reported on its
most recent Report of Condition (Call Report) or Thrift Financial
Report (TFR), the date of which coincides with the end of its
preceding fiscal year. If its fiscal year ends on a date other than
the end of a calendar quarter, it should use its Call Report or TFR
for the quarter end immediately preceding the end of its fiscal
year.
2. Insured Branches of Foreign Banks. Unlike other institutions,
insured branches of foreign banks are not separately incorporated or
capitalized. To determine whether this part applies, an insured
branch should measure claims on non-related parties reported on its
Report of Assets and Liabilities of U.S. Branches and Agencies of
Foreign Banks (form FFIEC 002).
3. Compliance by Holding Company Subsidiaries. Audited
consolidated financial statements and other reports or notices
required by this part that are submitted by a holding company for
any subsidiary institution should be accompanied by a cover letter
identifying all subsidiary institutions subject to part 363 that are
included in the holding company's submission. When submitting a Part
363 Annual Report, the cover letter should identify all subsidiary
institutions subject to part 363 included in the consolidated
financial statements and state whether the other annual report
requirements (i.e., management's statement of responsibilities,
management's assessment of compliance with designated safety and
soundness laws and regulations, and, if applicable, management's
assessment of the effectiveness of internal control over financial
reporting and the independent public accountant's attestation report
on management's internal control assessment) are being satisfied for
these institutions at the holding company level or at the
institution level. An institution filing holding company
consolidated financial statements as permitted by Sec. 363.1(b)(1)
also may report on changes in its independent public accountant on a
holding company basis. An institution that does not meet the
criteria in Sec. 363.1(b)(2) must satisfy the remaining provisions
of this part on an individual institution basis and maintain its own
audit committee. Subject to the criteria in Sec. Sec. 363.1(b)(1)
and (2), a multi-tiered holding company may satisfy all of the
requirements of this part at the top-tier or any mid-tier holding
company level.
4. Comparable Services and Functions. Services and functions
will be considered ``comparable'' to those required by this part if
the holding company:
(a) Prepares reports used by the subsidiary institution to meet
the requirements of this part;
(b) Has an audit committee that meets the requirements of this
part appropriate to its largest subsidiary institution; and
(c) Prepares and submits management's assessment of compliance
with the Designated Laws defined in guideline 12 and, if applicable,
management's assessment of the effectiveness of internal control
over financial reporting based on information concerning the
relevant activities and operations of those subsidiary institutions
within the scope of the Rule.
4A. Financial Reporting. (a) For purposes of this part,
``financial reporting'' includes financial statements prepared under
GAAP and those prepared for regulatory reporting purposes. Financial
statements prepared for regulatory reporting purposes consist of the
schedules equivalent to the basic financial statements that are
included in an institution's appropriate regulatory report, e.g.,
the bank Consolidated Reports of Condition and Income (Call Report)
and the Thrift Financial Report (TFR).
(b) Financial statements prepared for regulatory reporting
purposes do not include regulatory reports prepared by a non-bank
subsidiary of a holding company or an institution. For example, if a
bank holding company or an insured depository institution owns an
insurance subsidiary, financial statements prepared for regulatory
reporting purposes would not include any regulatory reports that the
insurance subsidiary is required to submit to its appropriate
insurance regulatory agency.
Annual Reporting Requirements (Sec. 363.2)
5. Annual Financial Statements. Each institution should prepare
comparative annual consolidated financial statements (balance sheets
and statements of income, changes in equity capital, and cash flows,
with accompanying footnote disclosures) in accordance with GAAP for
each of its two most recent fiscal years. Statements for the earlier
year may be presented on an unaudited basis if the institution was
not subject to this part for that year and audited statements were
not prepared.
5A. Institutions Merged Out of Existence. An institution that is
merged out of existence after the end of its fiscal year, but before
the deadline for filing its Part 363 Annual Report (120 days after
the end of its fiscal year for an institution that is neither a
public company nor a subsidiary of a public company that meets the
criterion specified in Sec. 363.1(b)(1), and 90 days after the end
of its fiscal year for an i