Independent Audits and Reporting Requirements, 71226-71233 [05-23310]
Federal Register / Vol. 70, No. 227 / Monday, November 28, 2005 / Rules and Regulations
2. The transfer and presentment warranties
for remotely created checks supplement the
Federal Trade Commission’s Telemarketing
Sales Rule, which requires telemarketers that
submit checks for payment to obtain the
customer’s ‘‘express verifiable authorization’’
(the authorization may be either in writing or
tape recorded and must be made available
upon request to the customer’s bank). 16 CFR
310.3(a)(3). The transfer and presentment
warranties shift liability to the depositary
bank only when the remotely created check
is unauthorized, and would not apply when
the customer initially authorizes a check but
then experiences ‘‘buyer’s remorse’’ and
subsequently tries to revoke the authorization
by asserting a claim against the paying bank
under U.C.C. 4–401. If the depositary bank
suspects ‘‘buyer’s remorse,’’ it may obtain
from its customer the express verifiable
authorization of the check by the paying
bank’s customer, required under the Federal
Trade Commission’s Telemarketing Sales
Rule, and use that authorization as a defense
to the warranty claim.
3. The scope of the transfer and
presentment warranties for remotely created
checks differs from that of the corresponding
U.C.C. warranty provisions in two respects.
The U.C.C. warranties differ from the
§ 229.34(d) warranties in that they are given
by any person, including a nonbank
depositor, that transfers a remotely created
check and not just to a bank, as is the case
under § 229.34(d). In addition, the U.C.C.
warranties state that the person on whose
account the item is drawn authorized the
issuance of the item in the amount for which
the item is drawn. The § 229.34(d) warranties
specifically cover the amount as well as the
payee stated on the check. Neither the U.C.C.
warranties, nor the § 229.34(d) warranties
apply to the date stated on the remotely
created check.
4. A bank making the § 229.34(d)
warranties may defend a claim asserting
violation of the warranties by proving that
the customer of the paying bank is precluded
by U.C.C. 4–406 from making a claim against
the paying bank. This may be the case, for
example, if the customer failed to discover
the unauthorized remotely created check in
a timely manner.
5. The transfer and presentment warranties
for a remotely created check apply to a
remotely created check that has been
reconverted to a substitute check.
* * * * *
By order of the Board of Governors of the
Federal Reserve System, November 21, 2005.
Jennifer J. Johnson,
Secretary of the Board.
[FR Doc. 05–23331 Filed 11–25–05; 8:45 am]
BILLING CODE 6210–01–P
FEDERAL DEPOSIT INSURANCE
CORPORATION
12 CFR Part 363
RIN 3064–AC91
Independent Audits and Reporting
Requirements
AGENCY: Federal Deposit Insurance
Corporation (FDIC).
ACTION: Final rule.
SUMMARY: The FDIC is amending part
363 of its regulations concerning annual
independent audits and reporting
requirements, which implement section
36 of the Federal Deposit Insurance Act
(FDI Act), as proposed, but with
modifications to the composition of the
audit committee and the effective date.
The FDIC’s amendments raise the asset-size
threshold from $500 million to $1
billion for internal control assessments
by management and external auditors.
For institutions between $500 million
and $1 billion in assets, the
amendments require the majority, rather
than all, of the members of the audit
committee, who must be outside
directors, to be independent of
management and create a hardship
exemption. The amendments also make
certain technical changes to part 363 to
correct outdated titles, terms, and
references in the regulation and its
appendix. As required by section 36, the
FDIC has consulted with the other
federal banking agencies.
EFFECTIVE DATE: The final rule is
effective December 28, 2005 and applies
to part 363 annual reports with a filing
deadline (90 days after the end of an
institution’s fiscal year) on or after the
effective date of these amendments.
FOR FURTHER INFORMATION CONTACT:
Harrison E. Greene, Jr., Senior Policy
Analyst (Bank Accounting), Division of
Supervision and Consumer Protection,
at hgreene@fdic.gov or (202) 898–8905;
or Michelle Borzillo, Counsel,
Supervision and Legislation Section,
Legal Division, at mborzillo@fdic.gov or
(202) 898–7400.
SUPPLEMENTARY INFORMATION:
I. Background
Section 112 of the Federal Deposit
Insurance Corporation Improvement Act
of 1991 (FDICIA) added section 36,
‘‘Early Identification of Needed
Improvements in Financial
Management,’’ to the FDI Act (12 U.S.C.
1831m). Section 36 is generally
intended to facilitate early identification
of problems in financial management at
insured depository institutions above a
certain asset size threshold (covered
institutions) through annual
independent audits, assessments of the
effectiveness of internal control over
financial reporting and compliance with
designated laws and regulations, and
related requirements. Section 36 also
includes requirements for audit
committees at these insured depository
institutions. Section 36 grants the FDIC
discretion to set the asset size threshold
for compliance with these statutory
requirements, but it states that the
threshold cannot be less than $150
million. Sections 36(d) and (f) also
obligate the FDIC to consult with the
other Federal banking agencies in
implementing these sections of the FDI
Act, and the FDIC has performed that
consultation requirement.
Part 363 of the FDIC’s regulations (12
CFR part 363), which implements
section 36 of the FDI Act, requires each
covered institution to submit to the
FDIC and other appropriate Federal and
state supervisory agencies an annual
report that includes audited financial
statements, a statement of management’s
responsibilities, assessments by
management of the effectiveness of
internal control over financial reporting
and compliance with designated laws
and regulations, and an auditor’s
attestation report on internal control
over financial reporting. In addition,
part 363 provides that each covered
institution must establish an
independent audit committee of its
board of directors comprised of outside
directors who are independent of
management of the institution. Part 363
also includes Guidelines and
Interpretations (Appendix A to part
363), which are intended to assist
institutions and independent public
accountants in understanding and
complying with section 36 and part 363.
When it adopted part 363 in 1993, the
FDIC stated that it was setting the asset
size threshold at $500 million rather
than the $150 million specified in
section 36 to mitigate the financial
burden of compliance with section 36
consistent with safety and soundness. In
selecting $500 million in total assets as
the size threshold, the FDIC noted that
approximately 1,000 of the then nearly
14,000 FDIC-insured institutions would
be subject to part 363. These covered
institutions held approximately 75
percent of the assets of insured
institutions at that time. By imposing
the audit, reporting, and audit
committee requirements of part 363 on
institutions with this percentage of the
industry’s assets, the FDIC intended to
ensure that the Congress’s objectives for
achieving sound financial management
at insured institutions when it enacted
section 36 would be focused on those
institutions posing the greatest potential
risk to the insurance funds administered
by the FDIC. Today, due to
consolidation in the banking and thrift
industry and the effects of inflation,
more than 1,150 of the 8,900 insured
institutions have $500 million or more
in total assets and are therefore subject
to part 363. These covered institutions
hold approximately 90 percent of the
assets of insured institutions.
II. Discussion of Proposed Amendments
On July 19, 2005, the FDIC’s Board
approved the publication of proposed
amendments to part 363 of the FDIC’s
regulations, which were published in
the Federal Register on August 2, 2005,
for a 45-day comment period (70 FR
44293). The comment period closed on
September 16, 2005. As more fully
discussed below, the FDIC proposed to
raise the asset-size threshold in part 363
from $500 million to $1 billion for
internal control assessments by
management and external auditors and
for the members of the audit committee,
who must be outside directors, to be
independent of management. The FDIC
also proposed to make certain technical
changes to part 363 to correct outdated
titles, terms, and references in the
regulation and its appendix. As
proposed, the effective date of these
amendments was to be December 31,
2005.
In its proposal, the FDIC also noted
that it had identified other aspects of
part 363 that may warrant revision in
light of changes in the industry and the
passage of the Sarbanes-Oxley Act of
2002. However, the FDIC stated that it
had decided to proceed first with the
proposed amendments to the asset-size
threshold in part 363 in order to reduce
compliance burdens and expenses for
affected institutions in 2005. These
further revisions to part 363 are
expected to be proposed as soon as
practicable.
A. Increasing the Asset Size Threshold
for Internal Control Assessments
An effective internal control structure
is critical to the safety and soundness of
each insured institution. Given its
importance, internal control is
evaluated as part of the supervision of
individual institutions and its adequacy
is a factor in the management rating
assigned to an institution. Furthermore,
in the audit of an institution’s financial
statements, the external auditor must
obtain an understanding of internal
control, including assessing control risk,
and must report certain matters
regarding internal control to the
institution’s audit committee.
An institution subject to part 363 has
the added requirement that its
management perform an assessment of
the internal control structure and
procedures for financial reporting and
that its external auditor examine, attest
to, and report on management’s
assertion concerning the institution’s
internal control over financial reporting.
For purposes of these internal control
provisions of part 363, the FDIC has
advised covered institutions that the
term ‘‘financial reporting’’ includes both
financial statements prepared in
accordance with generally accepted
accounting principles and those
prepared for regulatory reporting
purposes.1 Until year-end 2004, external
auditors performed their internal
control assessments in accordance with
an attestation standard issued by the
American Institute of Certified Public
Accountants (AICPA) known as ‘‘AT
501.’’
The Sarbanes-Oxley Act was enacted
into law on July 30, 2002. Section 404
of this Act imposes a requirement for
internal control assessments by the
management and external auditors of all
public companies that is similar to the
FDICIA requirement. The Securities and
Exchange Commission’s (SEC) rules
implementing these requirements took
effect at year-end 2004 for ‘‘accelerated
filers,’’ i.e., generally, public companies
whose common equity has an aggregate
market value of at least $75 million, but
they will not take effect until 2007 for
‘‘non-accelerated filers.’’ For the section
404 auditor attestations, the Public
Company Accounting Oversight Board’s
(PCAOB) Auditing Standard No. 2 (AS
2) applies. AS 2 replaces the AICPA’s
AT 501 internal control attestation
standard for public companies, but AS
2 does not apply to nonpublic
companies. The SEC’s section 404 rules
for management and the provisions of
AS 2 for section 404 audits of internal
control establish more robust
documentation and testing requirements
than those that have been applied by
covered institutions and their auditors
to satisfy the internal control reporting
requirements in part 363.
For internal control attestations of
nonpublic companies, the AICPA is
currently developing proposed revisions
to AT 501 that are expected to bring it
closer into line with the provisions of
AS 2. The revisions also are likely to
have the effect of requiring greater
documentation and testing of internal
control over financial reporting by an
institution’s management in order for
the auditor to perform his or her
attestation work.
1 See FDIC Financial Institution Letter (FIL) 86–94,
dated December 23, 1994. FIL–86–94 indicates
that financial statements prepared for regulatory
reporting purposes encompass the schedules
equivalent to the basic financial statements in an
institution’s appropriate regulatory report, e.g., the
bank Reports of Condition and Income and the
Thrift Financial Report.
As the environment has changed and
continues to change since the enactment
of the Sarbanes-Oxley Act, the FDIC has
observed that compliance with the audit
and reporting requirements of part 363
has and will continue to become more
burdensome and costly, particularly for
smaller nonpublic covered institutions.
Thus, the FDIC reviewed the current
asset size threshold for compliance with
part 363 in light of the discretion
granted by section 36 that permits the
FDIC to determine the appropriate size
threshold (at or above $150 million) at
which insured institutions should be
subject to the various provisions of
section 36. Based on this review, the
FDIC proposed to amend part 363 to
increase the asset size threshold for
internal control assessments by
management and external auditors from
$500 million to $1 billion. Raising the
threshold to $1 billion would achieve
meaningful burden reduction without
sacrificing safety and soundness.
In reaching this decision, the FDIC
concluded that raising the $500 million
asset size threshold to $1 billion and
exempting all institutions below this
higher size level from all of the
reporting requirements of part 363
would not be consistent with the
objective of the underlying statute, i.e.,
early identification of needed
improvements in financial management.
In contrast, the FDIC believes that
relieving smaller covered institutions
from the burden of internal control
assessments, while retaining the
financial statement audit and other
reporting requirements for all
institutions with $500 million or more
in total assets, strikes an appropriate
balance in accomplishing this objective.
By raising the size threshold for internal
control assessments to $1 billion, about
600 of the largest insured institutions
with approximately 86 percent of
industry assets would continue to be
covered by the internal control reporting
requirements of part 363. At the same
time, the managements of all covered
institutions would remain responsible
for establishing and maintaining an
adequate internal control structure and
procedures for financial reporting, and
all institutions with $500 million or
more in total assets would continue to
include a statement to that effect in their
part 363 annual report.
B. Composition of the Audit Committee
Currently, part 363 requires each
covered institution to establish an
independent audit committee of its
board of directors, comprised of outside
directors who are independent of
management of the institution. The
duties of the audit committee include
reviewing with management and the
institutions’ independent public
accountant the basis for the reports
included in the part 363 annual report
submitted to the FDIC and other
appropriate Federal and state
supervisory agencies. The FDIC’s
Guidelines to part 363 provide that, at
least annually, the board of directors of
a covered institution should determine
whether all existing and potential audit
committee members are ‘‘independent
of management of the institution.’’ The
guidelines also describe factors to
consider in making this determination.2
Section 36 provides that an
appropriate federal banking agency may
grant a hardship exemption to a covered
institution that would permit its
independent audit committee to be
made up of less than all, but no fewer
than a majority of, outside directors who
are independent of management. To
grant the exemption, the agency must
find that the institution has encountered
hardships in retaining and recruiting a
sufficient number of competent outside
directors.
Notwithstanding this exemption
provision of section 36, the FDIC has
observed that a number of smaller
covered institutions, particularly those
with few shareholders that have
recently exceeded $500 million in total
assets and become subject to part 363,
have encountered difficulty in satisfying
the independent audit committee
requirement. To comply with this
requirement, these institutions must
identify and attract qualified
individuals in their communities who
would be willing to become a director
and audit committee member and who
would be independent of management.
To relieve this burden, but also
recognizing that the FDIC has long held
that individuals who serve as directors
of any insured depository institution
should be persons of independent
judgment, the FDIC proposed to amend
part 363 to increase from $500 million
to $1 billion the asset size threshold for
requiring audit committee members to
be independent of management.
Conforming changes were also proposed
to be made to Guidelines 27–29 of
Appendix A to part 363. Each insured
depository institution with total assets
of $500 million or more but less than $1
billion would continue to be required to
have an audit committee comprised of
outside directors. Consistent with
Guideline 29 of Appendix A to part 363,
an outside director would be defined as
an individual who is not, and within the
preceding year has not been, an officer
or employee of the institution or any
affiliate of the institution.
2 See Guidelines 27 through 29 of Appendix A to
part 363.
The proposed amendment to the audit
committee requirements for institutions
with between $500 million and $1
billion in total assets would allow an
outside director who is, for example, a
consultant or legal counsel to the
institution, a relative of an officer or
employee of the institution or its
affiliates, or the owner of 10 percent or
more of the stock of the institution to
serve as an audit committee member.
Nevertheless, the FDIC indicated in the
proposal that it would encourage each
institution with between $500 million
and $1 billion in assets to make a
reasonable good faith effort to establish
an audit committee of outside directors
who are independent of management.
III. Comments Received on Proposed
Amendments
In response to its August 2, 2005,
request for comment on the proposed
amendments to part 363, the FDIC
received comment letters from 28
different respondents 3: 15 banking and
thrift organizations, 7 bankers’
associations, 3 accountants and
accounting firms, the Conference of
State Bank Supervisors (CSBS), the
FDIC’s Office of Inspector General
(FDIC–OIG), and one other party.
Generally, the comment letters
expressed support for the proposed
amendments. All but one of the
respondents favored the proposal to
increase the asset-size threshold for
internal control assessments by
management and external auditors to $1
billion. As for the proposed increase to
$1 billion in the asset-size threshold for
the members of the audit committee,
who must be outside directors, to be
independent of management, 24 of the
28 respondents supported this aspect of
the proposal, two respondents opposed
it, and two respondents did not directly
comment on it. Respondents also raised
a number of other issues.
The CSBS commented on the
proposed change in the audit committee
provisions of part 363 for institutions
with $500 million to $1 billion in assets.
The CSBS, on behalf of state banking
departments, stated that there is value
in maintaining a significant level of
independence when fulfilling the
important role of an audit committee
member. Although it saw benefit in
alleviating some of the burden of a fully
independent audit committee, for safety
and soundness considerations, the CSBS
recommended that the chairman and a
majority of the audit committee
members at institutions in the $500
million to $1 billion asset size range be
required to be independent of
management rather than allowing all of
the outside directors on the audit
committee not to be independent of
management.
3 The FDIC received 58 comment letters, which
included 20 identical letters from individuals at one
institution and 12 identical letters from individuals
at another institution.
Five other commenters concurred
with the FDIC’s observation that some
smaller covered institutions have
encountered difficulty in establishing an
audit committee, all of whose members
are independent of management. In this
regard, the CSBS’s comment letter also
acknowledged the difficulties in
attaining and keeping a fully
independent audit committee,
especially in smaller rural communities.
Individuals who serve as directors of
insured institutions, whether or not they
serve on the audit committee, are
expected to be persons of independent
judgment. In this regard, under the
Uniform Financial Institutions Rating
System (62 FR 752, January 6, 1997), a
factor that the federal banking agencies’
examiners assess when they evaluate
the capability and performance of an
institution’s management and board of
directors for purposes of assigning an
appropriate Management component
rating is the extent to which the
management and board members are
affected by, or susceptible to, dominant
influence or concentration of authority.
Hence, the agencies’ examination staffs
are cognizant of the heightened level of
risk presented by the existence of a
dominant officer, whether or not outside
directors, including those on the audit
committee, are independent of
management.
After carefully considering the CSBS’s
recommendation, the FDIC has decided
to amend the proposal to require that a
majority of the audit committee
members of institutions with $500
million to $1 billion in assets, all of
whom must be outside directors, be
independent of management. In
addition, in recognition of the
difficulties that some individual
institutions in this size range may have
in attaining such an audit committee,
the final rule will provide an exemption
under which an appropriate Federal
banking agency may, by order or
regulation, permit the audit committee
of such an institution to be made up of
less than a majority of outside directors
who are independent of management, if
the agency determines that the
institution has encountered hardships
in retaining and recruiting a sufficient
number of competent outside directors
to serve on the audit committee of the
institution. The FDIC believes that this
change to its proposal strikes an
appropriate balance of reducing
regulatory burden without jeopardizing
safety and soundness.
Another commenter who addressed
the audit committee portion of the
proposal suggested that the FDIC’s
recommendation that institutions make
a ‘‘reasonable good faith effort’’ to
establish an audit committee of outside
directors who are independent of
management was vague and should be
deleted from the proposal. This
commenter added that, if the
recommendation were not deleted, the
FDIC should include a definition of, or
list of criteria that would constitute, a
‘‘reasonable good faith effort’’ and
provide guidance on how an institution
should document that it has undertaken
such an effort. While the FDIC
encourages each institution with
between $500 million and $1 billion in
assets to make a reasonable good faith
effort to establish an audit committee
comprised entirely of outside directors
who are independent of management,
each institution faces a unique set of
circumstances when it seeks to attract
competent individuals to be outside
directors who would be willing to serve
on its audit committee. Because a list of
criteria that would constitute evidence
of a ‘‘reasonable good faith effort’’ could
not consider all of the situations in
which institutions engaging in such a
search might find themselves, the FDIC
has chosen not to restrict institutions
and itself to a specific list.
In its comment letter on the proposal,
the FDIC–OIG recommended that
insured institutions with total assets of
$500 million or more, but less than $1
billion, that have or receive either a
composite rating or Management
component rating of 3, 4, or 5, i.e., 3 or
lower, under the Uniform Financial
Institutions Rating System (also known
as the CAMELS rating system) be
required to comply with all of the
requirements of Part 363 rather than
being provided the proposed relief for
institutions in this size range. The
FDIC–OIG indicated that, as of
September 12, 2005, 16 insured
institutions with $500 million to $1
billion in assets had less than a
satisfactory composite CAMELS rating.
Specifically, 11 institutions had a
composite rating of 3 and 5 institutions
had a 4 rating. The FDIC–OIG also noted
that, over the last several months, 15
other insured institutions in this size
range with a composite rating of 2 had
a Management component rating of 3.
The FDIC–OIG indicated that, in
reviewing past failures of insured
institutions, it had observed that weak
corporate governance, including
financial reporting problems and the
lack of independence of the board of
directors from institution management,
was often a factor in the failure of these
institutions and contributed to material
losses ($25 million or more) to the
deposit insurance funds administered
by the FDIC. The FDIC–OIG also stated
that maintaining the full requirements
of part 363 for less than satisfactory
institutions would help to address
potential concerns about deficiencies by
the board of directors and in internal
control, internal audit, and external
audit and thereby mitigate the
possibility of institution failure.
As defined in the Uniform Financial
Institutions Rating System, institutions
with a composite rating of 2 are
fundamentally sound. There are no
material supervisory concerns and, as a
result, the supervisory response is
informal and limited. Institutions with a
composite rating of 3 exhibit some
degree of supervisory concern in one or
more of the six component areas
(Capital Adequacy, Asset Quality,
Management, Earnings, Liquidity, and
Sensitivity to Market Risk). These
financial institutions require more than
normal supervision, which may include
formal or informal enforcement actions.
Failure appears unlikely, however,
given the overall strength and financial
capacity of these institutions.
Institutions with a composite rating of 4
generally exhibit unsafe and unsound
practices or conditions. There are
serious financial or managerial
deficiencies that result in unsatisfactory
performance. Failure is a distinct
possibility if the problems and
weaknesses are not satisfactorily
addressed and resolved. Institutions
with a composite rating of 5 exhibit
extremely unsafe and unsound practices
or conditions and a critically deficient
performance. They are of the greatest
supervisory concern and ongoing
supervisory attention is necessary.
These institutions pose a significant risk
to the deposit insurance funds and
failure is highly probable.
A Management component rating of 3
indicates management and board
performance that need improvement or
risk management practices that are less
than satisfactory given the nature of the
institution’s activities. The capabilities
of management or the board of directors
may be insufficient for the type, size, or
condition of the institution. Problems
and significant risks may be
inadequately identified, measured,
monitored, or controlled by
management. Because management’s
ability to respond to changing
circumstances and address risks is an
important factor in evaluating an
institution’s overall risk profile and the
level of supervisory attention that
should be devoted to an institution, the
Management component is given special
consideration when assigning the
institution’s composite rating.
Institutions that have a composite
rating of 3 or lower are already subject
to increased supervisory scrutiny and
are normally subject to formal or
informal supervisory actions (e.g.,
Memorandum of Understanding or
Cease and Desist Order) to address the
need for corrective actions for
weaknesses and deficiencies cited in
reports of examination or otherwise
identified through supervisory
oversight. In reviewing the institutions
cited in the FDIC–OIG’s comment letter,
the FDIC notes that all of the
institutions with a composite rating of 3
or lower are subject to formal and/or
informal supervisory actions and all of
the institutions with a composite rating
of 2 and a Management component
rating of 3 or lower are subject to
supervisory actions. The FDIC further
notes that approximately half of these
institutions are public companies or
subsidiaries of public companies that
are subject to the filing and reporting
requirements of the Federal securities
laws as implemented by the SEC.
The examination staffs of the FDIC
and the other Federal banking agencies
look to the assessments by management
of internal control over financial
reporting and the independent auditors’
attestation reports on those assessments
as one source of information on the
existence of any significant deficiencies
and material weaknesses in this internal
control structure. Nevertheless, the
agencies’ examiners are expected to
perform their own evaluation of an
institution’s internal control
environment and audit programs when
determining the condition of the
institution and the need for and degree
of any supervisory action. Moreover, the
examiners’ assessment of the internal
control environment encompasses not
only internal control over financial
reporting, but also internal control as it
relates to the effectiveness and
efficiency of the institution’s operations
and to its compliance with laws and
regulations.
The agencies’ examination staffs
consider many factors in determining an
institution’s composite rating and
individual component ratings, including
the Management component. While
these factors include the capability and
performance of management and the
board of directors (including the board’s
committees such as the audit
committee), they also include the
adequacy of, and conformance with,
appropriate internal policies and
controls addressing the operations and
risks of significant activities; the
accuracy, timeliness, and effectiveness
of management information and risk
monitoring systems; the adequacy of
audits and internal control, including
internal control over financial reporting;
compliance with laws and regulations;
and the overall performance of the
institution and its risk profile.
As a consequence, when an
institution is assigned a composite
rating or a Management component
rating of 3 or lower, its Federal banking
agency’s supervisory response, which
may include formal or informal
enforcement actions, is tailored to the
specific weaknesses, deficiencies, and
problems identified by the examination
staff and seeks appropriate and timely
corrective action by management and
the board of directors. The factors
contributing to such a less than
satisfactory rating may or may not have
included ineffective internal control
over financial reporting and/or
unacceptable audit committee oversight
and performance. In this regard,
although the FDIC–OIG reported in its
comment letter that 15 institutions with
$500 million to $1 billion in assets had
recently been assigned a composite
rating of 2 and a Management
component rating of 3, the majority of
these institutions received this
Management rating for reasons
unrelated to deficiencies in internal
control over financial reporting (e.g., the
reasons were related to compliance with
the Bank Secrecy Act). Nevertheless, in
those cases where examiners detect
such internal control deficiencies at an
institution with $500 million to $1
billion in assets, if it is deemed
necessary and appropriate for
addressing these deficiencies, the
supervisory response by the institution’s
Federal banking agency could include a
requirement for management to perform
an assessment of internal control over
financial reporting and for the external
auditor to attest to management’s
assertion or for the external auditor to
report directly on internal control over
financial reporting.
Given that each institution with $500
million to $1 billion in assets with a
composite rating or Management
component rating of 3 or lower is
receiving closer than normal
supervisory attention focused on
identified problem areas, imposing
additional requirements for internal
control assessments by management and
the external auditor and for the
replacement of all audit committee
members who are not independent of
management would levy burdens on all
such institutions, regardless of whether
this burden would address weaknesses
identified in a given institution.
However, as previously noted, the FDIC
believes that, in response to comments
from the CSBS, amending the proposal
to require a majority of the audit
committee members to be independent
of management strikes an appropriate
balance between reducing regulatory
burden and maintaining safety and
soundness.
Additionally, as a practical matter,
CAMELS ratings often change during
the year as a result of examination
findings or other supervisory oversight.
The FDIC–OIG’s recommendation
would subject institutions to
uncertainty if the subject provisions of
part 363 would apply immediately
during any given year in which an
institution’s composite or Management
component rating fell to 3 or lower. If
applied in the year following receipt of
the 3 or lower rating, the
recommendation would often result in
requiring compliance with the subject
provisions of part 363 after the
institution had corrected its problems
and obtained a higher composite or
Management rating. The first of these
approaches would be difficult, at best,
to plan for and implement on a timely
basis, while the alternative (lagging)
approach would often impose burden
after (the often unrelated) problems had
been addressed.
Furthermore, under the proposed
amendments to part 363, each
institution with $500 million to $1
billion in assets must continue to
undergo an annual audit of its financial
statements. In a financial statement
audit, the external auditor must obtain
an understanding of internal control and
must report certain matters regarding
internal control to the institution’s audit
committee. In this regard, on September
1, 2005, the AICPA Auditing Standards
Board issued a proposed Statement on
Auditing Standards (SAS) on the
‘‘Communication of Internal Control
Related Matters Noted in an Audit’’ that
will supersede its current SAS on this
topic, which is known as ‘‘SAS 60.’’ The
comment period for this auditing
proposal ended on October 31, 2005,
with the final standard expected in the
first quarter of 2006. Among other
things, the proposed SAS requires the
auditor to communicate, in writing, to
management and those charged with
governance (the board of directors and/
or the audit committee) significant
deficiencies and material weaknesses in
internal control of which the auditor
becomes aware. Under current SAS 60,
the auditor should report such
deficiencies and weaknesses to the audit
committee, preferably in writing, but
oral communication of this information
is also permitted. As proposed, the
improved communication provisions in
the SAS would be effective for audits of
financial statements for periods ending
on or after December 15, 2006. Part 363
requires covered institutions, regardless
of size, to submit copies of reports
related to their audits that are issued by
their external auditors, including these
written reports on significant
weaknesses and material weaknesses, to
the FDIC and other appropriate Federal
and state supervisory agencies.
After fully considering the FDIC–
OIG’s comment and the agencies’
supervisory tools and processes for
evaluating the soundness of institutions,
identifying institutions exhibiting
financial and operational weaknesses or
adverse trends, and focusing
appropriate supervisory attention on
such institutions, the FDIC has decided
not to revise its proposed increase in the
asset-size threshold in the manner
proposed by the FDIC–OIG and accord
a different treatment to institutions with
$500 million to $1 billion in assets that
have a composite rating or Management
component rating of 3 or lower.
However, the FDIC believes that the
change to the composition of the audit
committee that it is making in response
to the comments from the CSBS, which
will require a majority of the members
of the audit committee, who must be
outside directors, to be independent of
management, will help to address the
FDIC-OIG’s concerns about deficiencies
in the performance of the board and
audit committee of institutions with less
than satisfactory ratings.
Six commenters urged the FDIC to
approve the proposed amendments to
part 363 as soon as feasible because
many procedures related to the
assessment of internal control over
financial reporting are addressed prior
to an institution’s fiscal year-end,
particularly in the fourth fiscal quarter.
These commenters further
recommended that the FDIC either
change the effective date of the
amendments from December 31, 2005,
as proposed, to September 30, 2005, or
grant an institution’s primary Federal
regulator the authority to waive the
2005 internal control assessment
requirements for institutions with total
assets of $500 million or more but less
than $1 billion that have fiscal year-ends other than December 31. The FDIC
concurs with these commenters’
suggestion concerning the effective date
and, in response, is changing the
effective date of the amendments to part
363 from December 31, 2005, to
December 28, 2005. The final rule will
apply to part 363 annual reports with a
filing deadline (90 days after the end of
an institution’s fiscal year) on or after
the effective date of these amendments.
Four commenters recommended that
the $1 billion asset-size threshold be
tied to an index that would
automatically increase the threshold
annually. For reasons of practicality and
to provide certainty to institutions
concerning the size at which full
compliance with part 363 is required,
the FDIC has decided not to adopt this
indexing recommendation.
The FDIC also received several
recommendations from commenters that
are outside the scope of the proposed
amendments to part 363 and,
accordingly, the FDIC has decided not
to implement these recommendations as
part of the final rule. These comments
included the following: (1) Increase the
asset size threshold for applying the
SEC independence rules to external
auditors, (2) have the FDIC adopt its
own independence rules for external
auditors, (3) enhance the FDIC’s review
of external audit reports, (4) make the
standards for performing audits of
internal control over financial reporting
the same for both public and non-public
companies, and (5) establish a fraud
hotline for both examiners and bank
employees.
IV. Final Rule
The FDIC has considered the
comments received on its proposed
amendments to part 363 and is adopting
the amendments as proposed, but with
modifications to the composition of the
audit committee and the effective date.
This final rule raises the asset-size
threshold from $500 million to $1
billion for internal control assessments
by management and external auditors.
For institutions between $500 million
and $1 billion in assets, it also requires
the majority, rather than all, of the
members of the audit committee, who
must be outside directors, to be
independent of management and creates
a hardship exemption. In addition, the
final rule makes certain technical
changes to part 363 to correct outdated
titles, terms, and references in the
regulation and its appendix.
This final rule takes effect December
28, 2005, not on December 31, 2005, as
proposed, and it applies to part 363
annual reports with a filing deadline 4
on or after the rule’s effective date. For
example, for insured institutions (both
public and non-public) with fiscal years
that ended on September 30, 2005, or
that will end on December 31, 2005, that
had $500 million or more in total assets,
but less than $1 billion in total assets,
at the beginning of the fiscal year, the
final rule means that the part 363
annual report that these institutions
must submit to the FDIC and other
appropriate Federal and state
supervisory agencies within 90 days
after the end of the fiscal year needs to
include only audited financial
statements, statements of management’s
responsibilities, management’s
assessment of the institution’s
compliance with designated laws and
regulations, and an auditor’s report on
the financial statements.
For insured depository institutions
that are public companies or
subsidiaries of public companies,
regardless of size, the FDIC’s
amendments to part 363 do not relieve
public companies of their obligation to
comply with the internal control
assessment requirements imposed by
section 404 of the Sarbanes-Oxley Act in
accordance with the effective dates for
compliance set forth in the SEC’s
implementing rules.
Nevertheless, the FDIC reminds
insured institutions with $1 billion or
more in total assets that are public
companies or subsidiaries of public
companies that they have considerable
flexibility in determining how best to
satisfy the internal control assessment
requirements in the SEC’s section 404
rules and the FDIC’s part 363. As
indicated in the preamble to the SEC’s
section 404 final rule release, the FDIC
(and the other Federal banking agencies)
agreed with the SEC that insured
depository institutions that are subject
to both part 363 (as well as holding
companies permitted under the holding
company exception in part 363 to file an
internal control report on behalf of their
insured depository institution
subsidiaries) and the SEC’s rules
implementing section 404 can choose
either of the following two options:
• They can prepare two separate
reports of management on the
institution’s or the holding company’s
internal control over financial reporting
to satisfy the FDIC’s part 363
requirements and the SEC’s section 404
requirements; or
• They can prepare a single report of
management on internal control over
financial reporting that satisfies both the
FDIC’s requirements and the SEC’s
requirements.5
4 Under section 363.4(a), an institution’s filing
deadline is 90 days after the end of the institution’s
fiscal year.
For more complete information on
these two options, institutions (and
holding companies) should refer to
section II.H.4. of the preamble to the
SEC’s section 404 final rule release (68
FR 36648, June 18, 2003).
Paperwork Reduction Act
This regulation contains
modifications to a collection of
information that have been reviewed
and approved by the Office of
Management and Budget under control
number 3064–0113, pursuant to the
Paperwork Reduction Act (44 U.S.C.
3501 et seq.). The primary modification
increases the asset size threshold for
compliance with certain reporting
requirements in part 363.
The estimated reporting burden for
the collection of information under part
363 is 65,612 hours per year.
Number of Respondents: 5,243.
Total Annual Responses: 15,684.
Total Annual Burden Hours: 65,612.
Regulatory Flexibility Act
The Regulatory Flexibility Act
requires that each Federal agency either
certify that a proposed rule would not,
if adopted in final form, have a
significant economic impact on a
substantial number of small entities or
prepare an initial regulatory flexibility
analysis of the proposal and publish the
analysis for comment. See 5 U.S.C. 603,
605. The Small Business Administration
(SBA) defines small banks as those with
less than $150 million in assets. Because
this rule expressly exempts insured
depository institutions having assets of
less than $500 million, it is inapplicable
to small entities as defined by the SBA.
Therefore, it is certified that this
proposed rule would not have a
significant economic impact on a
substantial number of small entities.
5 Footnote 117 in the preamble to the SEC’s
section 404 final rule releases states that ‘‘[a]n
insured depository institution subject to both the
FDIC’s [internal control assessment] requirements
and our new requirements [i.e., a public depository
institution] choosing to file a single report to satisfy
both sets of requirements will file the report with
its primary Federal regulator under the Exchange
Act and the FDIC, its primary Federal regulator (if
other than the FDIC), and any appropriate state
depository institution supervisor under part 363 of
the FDIC’s regulations. A [public] holding company
choosing to prepare a single report to satisfy both
sets of requirements will file the report with the
[Securities and Exchange] Commission under the
Exchange Act and the FDIC, the primary Federal
regulator of the insured depository institution
subsidiary subject to the FDIC’s requirements, and
any appropriate state depository institution
supervisor under part 363.’’
Small Business Regulatory Enforcement
Fairness Act
The Small Business Regulatory
Enforcement Fairness Act of 1996
(SBREFA) (Title II, Pub. L. 104–121)
provides generally for agencies to report
rules to Congress and the General
Accounting Office (GAO) for review.
The reporting requirement is triggered
when a Federal agency issues a final
rule. The FDIC will file the appropriate
reports with Congress and the GAO as
required by SBREFA. The Office of
Management and Budget has
determined that the rule does not
constitute a ‘‘major rule’’ as defined by
SBREFA.
List of Subjects in 12 CFR Part 363
Accounting, Administrative practice
and procedure, Banks, Banking,
Reporting and recordkeeping
requirements.
For the reasons set forth in the
preamble, the Board of Directors of the
FDIC hereby amends part 363 of title 12,
chapter III, of the Code of Federal
Regulations as follows:
PART 363—ANNUAL INDEPENDENT
AUDITS AND REPORTING
REQUIREMENTS
1. The authority citation for part 363
continues to be read as follows:
Authority: 12 U.S.C. 1831m.
2. Section 363.1 is amended by
revising paragraph (b)(2)(ii)(B) to read as
follows:
§ 363.1 Scope.
* * * * *
(b) * * *
(2) * * *
(ii) * * *
(B) Total assets of $5 billion or more
and a composite CAMELS rating of 1 or
2.
* * * * *
3. Section 363.2(b) is amended by
revising paragraph (b)(2) and adding
paragraph (b)(3) to read as follows:
§ 363.2 Annual reporting requirements.
* * * * *
(b) * * *
(2) An assessment by management of
the institution’s compliance with such
laws and regulations during such fiscal
year; and
(3) For an institution with total assets
of $1 billion or more at the beginning of
such fiscal year, an assessment by
management of the effectiveness of such
internal control structure and
procedures as of the end of such fiscal
year.
4. Section 363.3 is amended by
revising paragraph (b) to read as follows:
§ 363.3 Independent public accountant.
* * * * *
(b) Additional reports. For each
insured depository institution with total
assets of $1 billion or more at the
beginning of the institution’s fiscal year,
such independent public accountant
shall examine, attest to, and report
separately on, the assertion of
management concerning the
institution’s internal control structure
and procedures for financial reporting.
The attestation shall be made in
accordance with generally accepted
standards for attestation engagements.
* * * * *
5. Section 363.5 is amended by
revising paragraph (a) to read as follows:
§ 363.5 Audit committees.
(a) Composition and duties. Each
insured depository institution shall
establish an audit committee of its board
of directors, the composition of which
complies with paragraphs (a)(1), (2), and
(3) of this section, and the duties of
which shall include reviewing with
management and the independent
public accountant the basis for the
reports issued under this part.
(1) Each insured depository
institution with total assets of $1 billion
or more as of the beginning of its fiscal
year shall establish an independent
audit committee of its board of
directors, the members of which shall be
outside directors who are independent
of management of the institution.
(2) Each insured depository
institution with total assets of $500
million or more but less than $1 billion
as of the beginning of its fiscal year shall
establish an audit committee of its board
of directors, the members of which shall
be outside directors, the majority of
whom shall be independent of
management of the institution. The
appropriate Federal banking agency
may, by order or regulation, permit the
audit committee of such an insured
depository institution to be made up of
less than a majority of outside directors
who are independent of management, if
the agency determines that the
institution has encountered hardships
in retaining and recruiting a sufficient
number of competent outside directors
to serve on the audit committee of the
institution.
(3) An outside director is a director
who is not, and within the preceding
fiscal year has not been, an officer or
employee of the institution or any
affiliate of the institution.
* * * * *
6. Appendix A to part 363 is amended
as follows:
a. Footnote 2, Guideline 10, is
amended by adding ‘‘Risk Management’’
after ‘‘FDIC’s Division of Supervision
and Consumer Protection (DSC)’’;
b. Guideline 16 is amended by
removing ‘‘Registration and Disclosure
Section’’ and adding in its place
‘‘Accounting and Securities Disclosure
Section’’;
c. Guideline 22 is amended by
revising the first sentence of paragraph
(a) to read as set forth below;
d. Guideline 27 is amended by
revising the second sentence to read as
set forth below;
e. Guideline 28 is amended by
revising paragraph (a) to read as set
forth below;
f. Guideline 29 is revised to read as set
forth below; and
g. The first sentence of Guideline 36
is revised to read as set forth below.
The revisions read as follows:
Appendix A to Part 363—Guidelines
and Interpretations
* * * * *
Filing and Notice Requirements (§ 363.4)
22. * * *
(a) FDIC: Appropriate FDIC Regional or
Area Office (Supervision and Consumer
Protection), i.e., the FDIC regional or area
office in the FDIC region or area that is
responsible for monitoring the institution or,
in the case of a subsidiary institution of a
holding company, the consolidated company.
* * *
* * * * *
Audit Committees (§ 363.5)
27. * * * At least annually, the board of
an institution with $1 billion or more in total
assets at the beginning of its fiscal year
should determine whether all existing and
potential audit committee members are
‘‘independent of management of the
institution’’ and the board of an institution
with total assets of $500 million or more but
less than $1 billion as of the beginning of its
fiscal year should determine whether the
majority of all existing and potential audit
committee members are ‘‘independent of
management of the institution.’’ * * *
28. * * *
(a) Has previously been an officer of the
institution or any affiliate of the institution;
* * * * *
29. Lack of independence. An outside
director should not be considered
independent of management if such director
owns or controls, or has owned or controlled
within the preceding fiscal year, assets
representing 10 percent or more of any
outstanding class of voting securities of the
institution.
* * * * *
Other
36. Modifications of guidelines. The FDIC’s
Board of Directors has delegated to the
Director of the FDIC’s Division of
Supervision and Consumer Protection (DSC)
authority to make and publish in the Federal
Register minor technical amendments to the
Guidelines in this appendix, in consultation
with the other appropriate federal banking
agencies, to reflect the practical experience
gained from implementation of this
part. * * *
* * * * *
By order of the Board of Directors.
Dated at Washington, DC, this 8th day of
November, 2005.
Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.
[FR Doc. 05–23310 Filed 11–25–05; 8:45 am]
BILLING CODE 6714–01–P
DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
14 CFR Part 71
[Docket No. FAA–2003–15471; Airspace
Docket No. 03–AWA–6]
RIN 2120–AA66
Modification of the Minneapolis Class
B Airspace Area; MN
AGENCY: Federal Aviation
Administration (FAA), DOT.
ACTION: Final rule.
SUMMARY: This action modifies the
current Minneapolis, MN, Class B
airspace area to contain large turbine-powered aircraft during operations to
the new Runway 17/35 and to address
an increase in aircraft operations to and
from the Minneapolis-St. Paul
International (Wold-Chamberlain)
Airport (MSP). The FAA is taking this
action to enhance safety and improve
the management of aircraft operations in
the Minneapolis terminal area. Further,
this action supports the FAA’s national
airspace redesign goal of optimizing
terminal and en route airspace areas to
reduce aircraft delays and improve
system capacity.
DATES: Effective Date: 0901 UTC,
February 16, 2006.
FOR FURTHER INFORMATION CONTACT:
Steve Rohring, Airspace and Rules,
Office of System Operations Airspace
and AIM, Federal Aviation
Administration, 800 Independence
Avenue, SW., Washington, DC 20591;
telephone: (202) 267–8783.
SUPPLEMENTARY INFORMATION:
Background
On November 24, 2003, the FAA
published in the Federal Register a
notice of proposed rulemaking (NPRM)
to modify the Minneapolis Class B
airspace area (68 FR 65859). The FAA
proposed the action due to a significant
growth in aircraft operations and the
construction of a new runway (Runway
17/35) to accommodate the growth. The
proposed modifications were designed
to contain large turbine-powered aircraft
within the MSP Class B airspace area
and included expanding the lateral
dimensions of the existing MSP Class B
airspace area as well as increasing the
vertical limits from 8,000 feet above
mean sea level (MSL) to 10,000 feet
MSL.
Subsequent to the issuance of the
NPRM, the FAA’s further analysis of
airspace requirements revealed that
additional airspace (beyond and below
that airspace proposed in the NPRM)
will be needed to contain large
turbine-powered aircraft conducting
approaches to the new Runway 35
within the MSP Class B airspace area.
To provide the public an opportunity to
comment on the additional required
airspace, the FAA issued a
supplemental notice of proposed
rulemaking (SNPRM) that included a
new area F (70 FR 43803). Area F
reflects the additional airspace that the
FAA determined will be needed, as well
as changes suggested by the Air Line
Pilots Association, International (ALPA)
and the National Business Aviation
Association, Inc. (NBAA) in response to
the NPRM (see ‘‘Discussion of
Comment’’ below).
Discussion of Comments
In response to the NPRM, the FAA
received three comments.
The Aircraft Owners and Pilots
Association (AOPA) expressed a
concern that the dimensions of the MSP
Class B airspace area should conform to
the unique needs of users rather than
conform to a national standard. They
also expressed a concern that raising the
vertical limits from 8,000 feet MSL to
10,000 feet MSL would ‘‘pose a serious
operational limitation to pilots wishing
to over fly’’ the MSP Class B airspace
area. AOPA also expressed a desire for
charted visual flight rules (VFR) flyways
in the MSP terminal area.
The FAA has determined that some
aircraft may have to fly farther or at
lower or higher altitudes to remain clear
of the modified MSP Class B airspace
area; however, this is necessary to
separate them from large turbine-powered aircraft arriving and departing
MSP. The management of aircraft
operations to the new runway will
require several new arrival vector areas
between the altitudes of 7,000 feet and
10,000 feet MSL over the MSP terminal
area. Specifically, aircraft that currently
proceed directly to MSP and then enter
an east/west downwind pattern will be
vectored to a downwind pattern via
northbound and southbound paths
located to the east and west of MSP.
This change in traffic flow is needed to
accommodate three arrival streams
rather than the current practice of using
two arrival streams. As a result of these
new procedures, approximately 900
high-performance aircraft will be
vectored to join arrival streams as far as
30 nautical miles (NM) from MSP
between the altitudes of 7,000 and
10,000 feet MSL on a daily basis.
In response to AOPA’s comment
pertaining to VFR flyways, the FAA
agrees that charted VFR flyways could
minimize the impact on aircraft that
choose to circumnavigate the MSP Class
B airspace area. However, because VFR
flyways are not addressed in a Class B
rulemaking action, the FAA plans to
develop and institute VFR flyways for
the MSP terminal area through a
separate, non-rulemaking process.
ALPA and the NBAA expressed
concern that the ‘‘southeast cut-out’’ of
the proposed Area E would result in
aircraft not being contained in Class B
airspace when operating on the
extended final approach course to the
new Runway 35. They suggest reducing
the size of the cut-out by changing the
western boundary of the proposed cut-out from the Gopher 170 radial to the
Gopher 160 radial. The FAA agrees with
this comment and has adopted the
suggested modification.
The FAA received the following
comments in response to the SNPRM:
AOPA again expressed a concern that
raising the vertical limits of the MSP
Class B airspace area from 8,000 feet
MSL to 10,000 feet MSL would ‘‘pose a
serious operational limitation to those
pilots wishing to over fly’’ the MSP
Class B airspace area and reiterated their
desire for charted VFR flyways. They
also mentioned that the ad hoc
committee recommendations did not
fully address their concerns. The FAA’s
response to AOPA’s comments remains
as stated previously in this document.
The FAA also received comments
from two pilots in response to the
SNPRM. They commented that they
practice aerobatic maneuvers at and
below 8,000 feet MSL approximately 15
NM west of the Flying Cloud Airport
(between the cities of Belle Plaine and
Cologne). They request that the FAA
exclude the area that they practice in
from the MSP Class B airspace area.
While the FAA acknowledges that
aerobatic operations in the area may be
impacted, the FAA is not able to
accommodate this request because the
area between Belle Plaine and Cologne
[Federal Register Volume 70, Number 227 (Monday, November 28, 2005)]
[Rules and Regulations]
[Pages 71226-71233]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 05-23310]
-----------------------------------------------------------------------
FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Part 363
RIN 3064-AC91
Independent Audits and Reporting Requirements
AGENCY: Federal Deposit Insurance Corporation (FDIC).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The FDIC is amending part 363 of its regulations concerning
annual independent audits and reporting requirements, which implement
section 36 of the Federal Deposit Insurance Act (FDI Act), as proposed,
but with modifications to the composition of the audit committee and
the effective date. The FDIC's amendments raise the asset-size
threshold from $500 million to $1 billion for internal control
assessments by management and external auditors. For institutions
between $500 million and $1 billion in assets, the amendments require
the majority, rather than all, of the members of the audit committee,
who must be outside directors, to be independent of management and
create a hardship exemption. The amendments also make certain technical
changes to part 363 to correct outdated titles, terms, and references
in the regulation and its appendix. As required by section 36, the FDIC
has consulted with the other federal banking agencies.
Effective Date: The final rule is effective December 28, 2005 and
applies to part 363 annual reports with a filing deadline (90 days
after the end of an institution's fiscal year) on or after the
effective date of these amendments.
FOR FURTHER INFORMATION CONTACT: Harrison E. Greene, Jr., Senior Policy
Analyst (Bank Accounting), Division of Supervision and Consumer
Protection, at hgreene@fdic.gov or (202) 898-8905; or Michelle
Borzillo, Counsel, Supervision and Legislation Section, Legal Division,
at mborzillo@fdic.gov or (202) 898-7400.
SUPPLEMENTARY INFORMATION:
I. Background
Section 112 of the Federal Deposit Insurance Corporation
Improvement Act of 1991 (FDICIA) added section 36, ``Early
Identification of Needed Improvements in Financial Management,'' to the
FDI Act (12 U.S.C. 1831m). Section 36 is generally intended to
facilitate early identification of problems in financial management at
insured depository institutions above a certain asset size threshold
(covered institutions) through annual independent audits, assessments
of the effectiveness of internal control over financial reporting and
compliance with designated laws and regulations, and related
requirements. Section 36 also includes requirements for audit
committees at these insured depository institutions. Section 36 grants
the FDIC discretion to set the asset size threshold for compliance with
these statutory requirements, but it states that the threshold cannot
be less than $150 million. Sections 36(d) and (f) also obligate the
FDIC to consult with the other Federal banking agencies in implementing
these sections of the FDI Act, and the FDIC has performed that
consultation requirement.
Part 363 of the FDIC's regulations (12 CFR part 363), which
implements section 36 of the FDI Act, requires each covered institution
to submit to the FDIC and other appropriate Federal and state
supervisory agencies an annual report that includes audited financial
statements, a statement of management's responsibilities, assessments
by management of the effectiveness of internal control over financial
reporting and compliance with designated laws and regulations, and an
auditor's attestation report on internal control over financial
reporting. In addition, part 363 provides that each covered institution
must establish an independent audit committee of its board of directors
comprised of outside directors who are independent of management of the
institution. Part 363 also includes Guidelines and Interpretations
(Appendix A to part 363), which are intended to assist institutions and
independent public accountants in understanding and complying with
section 36 and part 363.
When it adopted part 363 in 1993, the FDIC stated that it was
setting the asset size threshold at $500 million rather than the $150
million specified in section 36 to mitigate the financial burden of
compliance with section 36 consistent with safety and soundness. In
selecting $500 million in total assets as the size threshold, the FDIC
noted that approximately 1,000 of the then nearly 14,000 FDIC-insured
institutions would be subject to part 363. These covered institutions
held approximately 75 percent of the assets of insured institutions at
that time. By imposing the audit, reporting, and audit committee
requirements of part 363 on institutions with this percentage of the
industry's assets, the FDIC intended to ensure that the Congress's
objectives for achieving sound financial management at insured
institutions when it enacted section 36 would be focused on those
institutions posing the greatest potential risk to the insurance funds
administered by the FDIC. Today, due to consolidation in the banking
and thrift industry and the effects of inflation, more than 1,150 of
the 8,900 insured institutions have $500 million or more in total
assets and are therefore subject to part 363. These covered
institutions hold approximately 90 percent of the assets of insured
institutions.
II. Discussion of Proposed Amendments
On July 19, 2005, the FDIC's Board approved the publication of
proposed amendments to part 363 of the FDIC's regulations, which were
published in the Federal Register on August 2, 2005, for a 45-day
comment period (70 FR 44293). The comment period closed on September
16, 2005. As more fully discussed below, the FDIC proposed to raise the
asset-size threshold in part 363 from $500 million to $1 billion for
internal control assessments by management and external auditors and
for the members of the audit committee, who must be outside directors,
to be independent of management. The FDIC also proposed to make certain
technical changes to part 363 to correct outdated titles, terms, and
references in the regulation and its appendix. As proposed, the
effective date of these amendments was to be December 31, 2005.
In its proposal, the FDIC also noted that it had identified other
aspects of part 363 that may warrant revision in light of changes in
the industry and the passage of the Sarbanes-Oxley Act of 2002.
However, the FDIC stated that it had decided to proceed first with the
proposed amendments to the asset-size threshold in part 363 in order to
reduce compliance burdens and expenses for affected institutions in
2005. These further revisions to part 363 are expected to be proposed
as soon as practicable.
A. Increasing the Asset Size Threshold for Internal Control Assessments
An effective internal control structure is critical to the safety
and soundness of each insured institution. Given its importance,
internal control is evaluated as part of the supervision of individual
institutions and its adequacy is a factor in the management rating
assigned to an institution. Furthermore, in the audit of an
institution's financial statements, the external auditor must obtain an
understanding of internal control, including assessing control risk,
and must report certain matters regarding internal control to the
institution's audit committee.
An institution subject to part 363 has the added requirement that
its management perform an assessment of the internal control structure
and procedures for financial reporting and that its external auditor
examine, attest to, and report on management's assertion concerning the
institution's internal control over financial reporting. For purposes
of these internal control provisions of part 363, the FDIC has advised
covered institutions that the term ``financial reporting'' includes
both financial statements prepared in accordance with generally
accepted accounting principles and those prepared for regulatory
reporting purposes.\1\ Until year-end 2004, external auditors performed
their internal control assessments in accordance with an attestation
standard issued by the American Institute of Certified Public
Accountants (AICPA) known as ``AT 501.''
---------------------------------------------------------------------------
\1\ See FDIC Financial Institution Letter (FIL) 86-94, dated
December 23, 1994. FIL-86-94 indicates that financial statements
prepared for regulatory reporting purposes encompass the schedules
equivalent to the basic financial statements in an institution's
appropriate regulatory report, e.g., the bank Reports of Condition
and Income and the Thrift Financial Report.
---------------------------------------------------------------------------
The Sarbanes-Oxley Act was enacted into law on July 30, 2002.
Section 404 of this Act imposes a requirement for internal control
assessments by the management and external auditors of all public
companies that is similar to the FDICIA requirement. The Securities and
Exchange Commission's (SEC) rules implementing these requirements took
effect at year-end 2004 for ``accelerated filers,'' i.e., generally,
public companies whose common equity has an aggregate market value of
at least $75 million, but they will not take effect until 2007 for
``non-accelerated filers.'' For the section 404 auditor attestations,
the Public Company Accounting Oversight Board's (PCAOB) Auditing
Standard No. 2 (AS 2) applies. AS 2 replaces the AICPA's AT 501
internal control attestation standard for public companies, but AS 2
does not apply to nonpublic companies. The SEC's section 404 rules for
management and the provisions of AS 2 for section 404 audits of
internal control establish more robust documentation and testing
requirements than those that have been applied by covered institutions
and their auditors to satisfy the internal control reporting
requirements in part 363.
For internal control attestations of nonpublic companies, the AICPA
is currently developing proposed revisions to AT 501 that are expected
to bring it closer into line with the provisions of AS 2. The revisions
also are likely to have the effect of requiring greater documentation
and testing of internal control over financial reporting by an
institution's management in order for the auditor to perform his or her
attestation work.
As the environment has changed and continues to change since the
enactment of the Sarbanes-Oxley Act, the FDIC has observed that
compliance with the audit and reporting requirements of part 363 has
and will continue to become more burdensome and costly, particularly
for smaller nonpublic covered institutions. Thus, the FDIC reviewed the
current asset size threshold for compliance with part 363 in light of
the discretion granted by section 36 that permits the FDIC to determine
the appropriate size threshold (at or above $150 million) at which
insured institutions should be subject to the various provisions of
section 36. Based on this review, the FDIC proposed to amend part 363
to increase the asset size threshold for internal control assessments
by management and external auditors from $500 million to $1 billion.
Raising the threshold to $1 billion would achieve meaningful burden
reduction without sacrificing safety and soundness.
In reaching this decision, the FDIC concluded that raising the $500
million asset size threshold to $1 billion and exempting all
institutions below this higher size level from all of the reporting
requirements of part 363 would not be consistent with the objective of
the underlying statute, i.e., early identification of needed
improvements in financial management. In contrast, the FDIC believes
that relieving smaller covered institutions from the burden of internal
control assessments, while retaining the financial statement audit and
other reporting requirements for all institutions with $500 million or
more in total assets, strikes an appropriate balance in accomplishing
this objective. By raising the size threshold for internal control
assessments to $1 billion, about 600 of the largest insured
institutions with approximately 86 percent of industry assets would
continue to be covered by the internal control reporting requirements
of part 363. At the same time, the managements of all covered
institutions would remain responsible for establishing and maintaining
an adequate internal control structure and procedures for financial
reporting, and all institutions with $500 million or more in total
assets would continue to include a statement to that effect in their
part 363 annual report.
B. Composition of the Audit Committee
Currently, part 363 requires each covered institution to establish
an independent audit committee of its board of directors, comprised of
outside directors who are independent of management of the institution.
The duties of the audit committee include reviewing with management and
the institution's independent public accountant the basis for the
reports included in the part 363 annual report submitted to the FDIC
and other appropriate Federal and state supervisory agencies. The
FDIC's Guidelines to part 363 provide that, at least annually, the
board of directors of a covered institution should determine whether
all existing and potential audit committee members are ``independent of
management of the institution.'' The guidelines also describe factors
to consider in making this determination.\2\
---------------------------------------------------------------------------
\2\ See Guidelines 27 through 29 of Appendix A to part 363.
---------------------------------------------------------------------------
Section 36 provides that an appropriate federal banking agency may
grant a hardship exemption to a covered institution that would permit
its independent audit committee to be made up of less than all, but no
fewer than a majority of, outside directors who are independent of
management. To grant the exemption, the agency must find that the
institution has encountered hardships in retaining and recruiting a
sufficient number of competent outside directors.
Notwithstanding this exemption provision of section 36, the FDIC
has observed that a number of smaller covered institutions,
particularly those with few shareholders that have recently exceeded
$500 million in total assets and become subject to part 363, have
encountered difficulty in satisfying the independent audit committee
requirement. To comply with this requirement, these institutions must
identify and attract qualified individuals in their communities who
would be willing to become a director and audit committee member and
who would be independent of management.
To relieve this burden, but also recognizing that the FDIC has long
held that individuals who serve as directors of any insured depository
institution should be persons of independent judgment, the FDIC
proposed to amend part 363 to increase from $500 million to $1 billion
the asset size threshold for requiring audit committee members to be
independent of management. Conforming changes were also proposed to be
made to Guidelines 27-29 of Appendix A to part 363. Each insured
depository institution with total assets of $500 million or more but
less than $1 billion would continue to be required to have an audit
committee comprised of outside directors. Consistent with Guideline 29
of Appendix A to part 363, an outside director would be defined as an
individual who is not, and within the preceding year has not been, an
officer or employee of the institution or any affiliate of the
institution.
The proposed amendment to the audit committee requirements for
institutions with between $500 million and $1 billion in total assets
would allow an outside director who is, for example, a consultant or
legal counsel to the institution, a relative of an officer or employee
of the institution or its affiliates, or the owner of 10 percent or
more of the stock of the institution to serve as an audit committee
member. Nevertheless, the FDIC indicated in the proposal that it would
encourage each institution with between $500 million and $1 billion in
assets to make a reasonable good faith effort to establish an audit
committee of outside directors who are independent of management.
III. Comments Received on Proposed Amendments
In response to its August 2, 2005, request for comment on the
proposed amendments to part 363, the FDIC received comment letters from
28 different respondents \3\: 15 banking and thrift organizations, 7
bankers' associations, 3 accountants and accounting firms, the
Conference of State Bank Supervisors (CSBS), the FDIC's Office of
Inspector General (FDIC-OIG), and one other party. Generally, the
comment letters expressed support for the proposed amendments. All but
one of the respondents favored the proposal to increase the asset-size
threshold for internal control assessments by management and external
auditors to $1 billion. As for the proposed increase to $1 billion in
the asset-size threshold for the members of the audit committee, who
must be outside directors, to be independent of management, 24 of the
28 respondents supported this aspect of the proposal, two respondents
opposed it, and two respondents did not directly comment on it.
Respondents also raised a number of other issues.
---------------------------------------------------------------------------
\3\ The FDIC received 58 comment letters, which included 20
identical letters from individuals at one institution and 12
identical letters from individuals at another institution.
---------------------------------------------------------------------------
The CSBS commented on the proposed change in the audit committee
provisions of part 363 for institutions with $500 million to $1 billion
in assets. The CSBS, on behalf of state banking departments, stated
that there is value in maintaining a significant level of independence
when fulfilling the important role of an audit committee member.
Although it saw benefit in alleviating some of the burden of a fully
independent audit committee, for safety and soundness considerations,
the CSBS recommended that the chairman and a majority of the audit
committee members at institutions in the $500 million to $1 billion
asset size range be required to be independent of management rather
than allowing all of the outside directors on the audit committee not
to be independent of management.
Five other commenters concurred with the FDIC's observation that
some smaller covered institutions have encountered difficulty in
establishing an audit committee, all of whose members are independent
of management. In this regard, the CSBS's comment letter also
acknowledged the difficulties in attaining and keeping a fully
independent audit committee, especially in smaller rural communities.
Individuals who serve as directors of insured institutions, whether
or not they serve on the audit committee, are expected to be persons of
independent judgment. In this regard, under the Uniform Financial
Institutions Rating System (62 FR 752, January 6, 1997), a factor that
the federal banking agencies' examiners assess when they evaluate the
capability and performance of an institution's management and board of
directors for purposes of assigning an appropriate Management component
rating is the extent to which the management and board members are
affected by, or susceptible to, dominant influence or concentration of
authority. Hence, the agencies' examination staffs are cognizant of the
heightened level of risk presented by the existence of a dominant
officer, whether or not outside directors, including those on the audit
committee, are independent of management.
After carefully considering the CSBS's recommendation, the FDIC has
decided to amend the proposal to require that a majority of the audit
committee members of institutions with $500 million to $1 billion in
assets, all of whom must be outside directors, be independent of
management. In addition, in recognition of the difficulties that some
individual institutions in this size range may have in attaining such
an audit committee, the final rule will provide an exemption under
which an appropriate Federal banking agency may, by order or
regulation, permit the audit committee of such an institution to be
made up of
less than a majority of outside directors who are independent of
management, if the agency determines that the institution has
encountered hardships in retaining and recruiting a sufficient number
of competent outside directors to serve on the audit committee of the
institution. The FDIC believes that this change to its proposal strikes
an appropriate balance of reducing regulatory burden without
jeopardizing safety and soundness.
Another commenter who addressed the audit committee portion of the
proposal suggested that the FDIC's recommendation that institutions
make a ``reasonable good faith effort'' to establish an audit committee
of outside directors who are independent of management was vague and
should be deleted from the proposal. This commenter added that, if the
recommendation were not deleted, the FDIC should include a definition
of, or list of criteria that would constitute, a ``reasonable good
faith effort'' and provide guidance on how an institution should
document that it has undertaken such an effort. While the FDIC
encourages each institution with between $500 million and $1 billion in
assets to make a reasonable good faith effort to establish an audit
committee comprised entirely of outside directors who are independent
of management, each institution faces a unique set of circumstances
when it seeks to attract competent individuals to be outside directors
who would be willing to serve on its audit committee. Because a list of
criteria that would constitute evidence of a ``reasonable good faith
effort'' could not consider all of the situations in which institutions
engaging in such a search might find themselves, the FDIC has chosen
not to restrict institutions and itself to a specific list.
In its comment letter on the proposal, the FDIC-OIG recommended
that insured institutions with total assets of $500 million or more,
but less than $1 billion, that have or receive either a composite
rating or Management component rating of 3, 4, or 5, i.e., 3 or lower,
under the Uniform Financial Institutions Rating System (also known as
the CAMELS rating system) be required to comply with all of the
requirements of Part 363 rather than being provided the proposed relief
for institutions in this size range. The FDIC-OIG indicated that, as of
September 12, 2005, 16 insured institutions with $500 million to $1
billion in assets had less than a satisfactory composite CAMELS rating.
Specifically, 11 institutions had a composite rating of 3 and 5
institutions had a 4 rating. The FDIC-OIG also noted that, over the
last several months, 15 other insured institutions in this size range
with a composite rating of 2 had a Management component rating of 3.
The FDIC-OIG indicated that, in reviewing past failures of insured
institutions, it had observed that weak corporate governance, including
financial reporting problems and the lack of independence of the board
of directors from institution management, was often a factor in the
failure of these institutions and contributed to material losses ($25
million or more) to the deposit insurance funds administered by the
FDIC. The FDIC-OIG also stated that maintaining the full requirements
of part 363 for less than satisfactory institutions would help to
address potential concerns about deficiencies by the board of directors
and in internal control, internal audit, and external audit and thereby
mitigate the possibility of institution failure.
As defined in the Uniform Financial Institutions Rating System,
institutions with a composite rating of 2 are fundamentally sound.
There are no material supervisory concerns and, as a result, the
supervisory response is informal and limited. Institutions with a
composite rating of 3 exhibit some degree of supervisory concern in one
or more of the six component areas (Capital Adequacy, Asset Quality,
Management, Earnings, Liquidity, and Sensitivity to Market Risk). These
financial institutions require more than normal supervision, which may
include formal or informal enforcement actions. Failure appears
unlikely, however, given the overall strength and financial capacity of
these institutions. Institutions with a composite rating of 4 generally
exhibit unsafe and unsound practices or conditions. There are serious
financial or managerial deficiencies that result in unsatisfactory
performance. Failure is a distinct possibility if the problems and
weaknesses are not satisfactorily addressed and resolved. Institutions
with a composite rating of 5 exhibit extremely unsafe and unsound
practices or conditions and a critically deficient performance. They
are of the greatest supervisory concern and ongoing supervisory
attention is necessary. These institutions pose a significant risk to
the deposit insurance funds and failure is highly probable.
A Management component rating of 3 indicates management and board
performance that need improvement or risk management practices that are
less than satisfactory given the nature of the institution's
activities. The capabilities of management or the board of directors
may be insufficient for the type, size, or condition of the
institution. Problems and significant risks may be inadequately
identified, measured, monitored, or controlled by management. Because
management's ability to respond to changing circumstances and address
risks is an important factor in evaluating an institution's overall
risk profile and the level of supervisory attention that should be
devoted to an institution, the Management component is given special
consideration when assigning the institution's composite rating.
Institutions that have a composite rating of 3 or lower are already
subject to increased supervisory scrutiny and are normally subject to
formal or informal supervisory actions (e.g., Memorandum of
Understanding or Cease and Desist Order) to address the need for
corrective actions for weaknesses and deficiencies cited in reports of
examination or otherwise identified through supervisory oversight. In
reviewing the institutions cited in the FDIC-OIG's comment letter, the
FDIC notes that all of the institutions with a composite rating of 3 or
lower are subject to formal and/or informal supervisory actions and all
of the institutions with a composite rating of 2 and a Management
component rating of 3 or lower are subject to supervisory actions. The
FDIC further notes that approximately half of these institutions are
public companies or subsidiaries of public companies that are subject
to the filing and reporting requirements of the Federal securities laws
as implemented by the SEC.
The examination staffs of the FDIC and the other Federal banking
agencies look to the assessments by management of internal control over
financial reporting and the independent auditors' attestation reports
on those assessments as one source of information on the existence of
any significant deficiencies and material weaknesses in this internal
control structure. Nevertheless, the agencies' examiners are expected
to perform their own evaluation of an institution's internal control
environment and audit programs when determining the condition of the
institution and the need for and degree of any supervisory action.
Moreover, the examiners' assessment of the internal control environment
encompasses not only internal control over financial reporting, but
also internal control as it relates to the effectiveness and efficiency
of the institution's operations and to its compliance with laws and
regulations.
The agencies' examination staffs consider many factors in
determining an institution's composite rating and
individual component ratings, including the Management component. While
these factors include the capability and performance of management and
the board of directors (including the board's committees such as the
audit committee), they also include the adequacy of, and conformance
with, appropriate internal policies and controls addressing the
operations and risks of significant activities; the accuracy,
timeliness, and effectiveness of management information and risk
monitoring systems; the adequacy of audits and internal control,
including internal control over financial reporting; compliance with
laws and regulations; and the overall performance of the institution
and its risk profile.
As a consequence, when an institution is assigned a composite
rating or a Management component rating of 3 or lower, its Federal
banking agency's supervisory response, which may include formal or
informal enforcement actions, is tailored to the specific weaknesses,
deficiencies, and problems identified by the examination staff and
seeks appropriate and timely corrective action by management and the
board of directors. The factors contributing to such a less than
satisfactory rating may or may not have included ineffective internal
control over financial reporting and/or unacceptable audit committee
oversight and performance. In this regard, although the FDIC-OIG
reported in its comment letter that 15 institutions with $500 million
to $1 billion in assets had recently been assigned a composite rating
of 2 and a Management component rating of 3, the majority of these
institutions received this Management rating for reasons unrelated to
deficiencies in internal control over financial reporting (e.g., the
reasons were related to compliance with the Bank Secrecy Act).
Nevertheless, in those cases where examiners detect such internal
control deficiencies at an institution with $500 million to $1 billion
in assets, if it is deemed necessary and appropriate for addressing
these deficiencies, the supervisory response by the institution's
Federal banking agency could include a requirement for management to
perform an assessment of internal control over financial reporting and
for the external auditor to attest to management's assertion or for the
external auditor to report directly on internal control over financial
reporting.
Given that each institution with $500 million to $1 billion in
assets with a composite rating or Management component rating of 3 or
lower is receiving closer than normal supervisory attention focused on
identified problem areas, imposing additional requirements for internal
control assessments by management and the external auditor and for the
replacement of all audit committee members who are not independent of
management would levy burdens on all such institutions, regardless of
whether this burden would address weaknesses identified in a given
institution. However, as previously noted, the FDIC believes that, in
response to comments from the CSBS, amending the proposal to require a
majority of the audit committee members to be independent of management
strikes an appropriate balance between reducing regulatory burden and
maintaining safety and soundness.
Additionally, as a practical matter, CAMELS ratings often change
during the year as a result of examination findings or other
supervisory oversight. The FDIC-OIG's recommendation would subject
institutions to uncertainty if the subject provisions of part 363 would
apply immediately during any given year in which an institution's
composite or Management component rating fell to 3 or lower. If applied
in the year following receipt of the 3 or lower rating, the
recommendation would often result in requiring compliance with the
subject provisions of part 363 after the institution had corrected its
problems and obtained a higher composite or Management rating. The
first of these approaches would be difficult, at best, to plan for and
implement on a timely basis, while the alternative (lagging) approach
would often impose burden after (the often unrelated) problems had been
addressed.
Furthermore, under the proposed amendments to part 363, each
institution with $500 million to $1 billion in assets must continue to
undergo an annual audit of its financial statements. In a financial
statement audit, the external auditor must obtain an understanding of
internal control and must report certain matters regarding internal
control to the institution's audit committee. In this regard, on
September 1, 2005, the AICPA Auditing Standards Board issued a proposed
Statement on Auditing Standards (SAS) on the ``Communication of
Internal Control Related Matters Noted in an Audit'' that will
supersede its current SAS on this topic, which is known as ``SAS 60.''
The comment period for this auditing proposal ended on October 31,
2005, with the final standard expected in the first quarter of 2006.
Among other things, the proposed SAS requires the auditor to
communicate, in writing, to management and those charged with
governance (the board of directors and/or the audit committee)
significant deficiencies and material weaknesses in internal control of
which the auditor becomes aware. Under current SAS 60, the auditor
should report such deficiencies and weaknesses to the audit committee,
preferably in writing, but oral communication of this information is
also permitted. As proposed, the improved communication provisions in
the SAS would be effective for audits of financial statements for
periods ending on or after December 15, 2006. Part 363 requires covered
institutions, regardless of size, to submit copies of reports related
to their audits that are issued by their external auditors, including
these written reports on significant weaknesses and material
weaknesses, to the FDIC and other appropriate Federal and state
supervisory agencies.
After fully considering the FDIC-OIG's comment and the agencies'
supervisory tools and processes for evaluating the soundness of
institutions, identifying institutions exhibiting financial and
operational weaknesses or adverse trends, and focusing appropriate
supervisory attention on such institutions, the FDIC has decided not to
revise its proposed increase in the asset-size threshold in the manner
proposed by the FDIC-OIG and accord a different treatment to
institutions with $500 million to $1 billion in assets that have a
composite rating or Management component rating of 3 or lower. However,
the FDIC believes that the change to the composition of the audit
committee that it is making in response to the comments from the CSBS,
which will require a majority of the members of the audit committee,
who must be outside directors, to be independent of management, will
help to address the FDIC-OIG's concerns about deficiencies in the
performance of the board and audit committee of institutions with less
than satisfactory ratings.
Six commenters urged the FDIC to approve the proposed amendments to
part 363 as soon as feasible because many procedures related to the
assessment of internal control over financial reporting are addressed
prior to an institution's fiscal year-end, particularly in the fourth
fiscal quarter. These commenters further recommended that the FDIC
either change the effective date of the amendments from December 31,
2005, as proposed, to September 30, 2005, or grant an institution's
primary Federal regulator the authority to waive the 2005 internal
control assessment requirements for institutions with total assets of
$500 million or more but less
than $1 billion that have fiscal year-ends other than December 31. The
FDIC concurs with these commenters' suggestion concerning the effective
date and, in response, is changing the effective date of the amendments
to part 363 from December 31, 2005, to December 28, 2005. The final
rule will apply to part 363 annual reports with a filing deadline (90
days after the end of an institution's fiscal year) on or after the
effective date of these amendments.
Four commenters recommended that the $1 billion asset-size
threshold be tied to an index that would automatically increase the
threshold annually. For reasons of practicality and to provide
certainty to institutions concerning the size at which full compliance
with part 363 is required, the FDIC has decided not to adopt this
indexing recommendation.
The FDIC also received several recommendations from commenters that
are outside the scope of the proposed amendments to part 363 and,
accordingly, the FDIC has decided not to implement these
recommendations as part of the final rule. These comments included the
following: (1) Increase the asset size threshold for applying the SEC
independence rules to external auditors, (2) have the FDIC adopt its
own independence rules for external auditors, (3) enhance the FDIC's
review of external audit reports, (4) make the standards for performing
audits of internal control over financial reporting the same for both
public and non-public companies, and (5) establish a fraud hotline for
both examiners and bank employees.
IV. Final Rule
The FDIC has considered the comments received on its proposed
amendments to part 363 and is adopting the amendments as proposed, but
with modifications to the composition of the audit committee and the
effective date. This final rule raises the asset-size threshold from
$500 million to $1 billion for internal control assessments by
management and external auditors. For institutions between $500 million
and $1 billion in assets, it also requires the majority, rather than
all, of the members of the audit committee, who must be outside
directors, to be independent of management and creates a hardship
exemption. In addition, the final rule makes certain technical changes
to part 363 to correct outdated titles, terms, and references in the
regulation and its appendix.
This final rule takes effect December 28, 2005, not on December 31,
2005, as proposed, and it applies to part 363 annual reports with a
filing deadline \4\ on or after the rule's effective date. For example,
for insured institutions (both public and non-public) with fiscal years
that ended on September 30, 2005, or that will end on December 31,
2005, that had $500 million or more in total assets, but less than $1
billion in total assets, at the beginning of the fiscal year, the final
rule means that the part 363 annual report that these institutions must
submit to the FDIC and other appropriate Federal and state supervisory
agencies within 90 days after the end of the fiscal year needs to
include only audited financial statements, statements of management's
responsibilities, management's assessment of the institution's
compliance with designated laws and regulations, and an auditor's
report on the financial statements.
---------------------------------------------------------------------------
\4\ Under section 363.4(a), an institution's filing deadline is
90 days after the end of the institution's fiscal year.
---------------------------------------------------------------------------
For insured depository institutions that are public companies or
subsidiaries of public companies, regardless of size, the FDIC's
amendments to part 363 do not relieve public companies of their
obligation to comply with the internal control assessment requirements
imposed by section 404 of the Sarbanes-Oxley Act in accordance with the
effective dates for compliance set forth in the SEC's implementing
rules.
Nevertheless, the FDIC reminds insured institutions with $1 billion
or more in total assets that are public companies or subsidiaries of
public companies that they have considerable flexibility in determining
how best to satisfy the internal control assessment requirements in the
SEC's section 404 rules and the FDIC's part 363. As indicated in the
preamble to the SEC's section 404 final rule release, the FDIC (and the
other Federal banking agencies) agreed with the SEC that insured
depository institutions that are subject to both part 363 (as well as
holding companies permitted under the holding company exception in part
363 to file an internal control report on behalf of their insured
depository institution subsidiaries) and the SEC's rules implementing
section 404 can choose either of the following two options:
They can prepare two separate reports of management on the
institution's or the holding company's internal control over financial
reporting to satisfy the FDIC's part 363 requirements and the SEC's
section 404 requirements; or
They can prepare a single report of management on internal
control over financial reporting that satisfies both the FDIC's
requirements and the SEC's requirements.\5\
---------------------------------------------------------------------------
\5\ Footnote 117 in the preamble to the SEC's section 404 final
rule release states that ``[a]n insured depository institution
subject to both the FDIC's [internal control assessment]
requirements and our new requirements [i.e., a public depository
institution] choosing to file a single report to satisfy both sets
of requirements will file the report with its primary Federal
regulator under the Exchange Act and the FDIC, its primary Federal
regulator (if other than the FDIC), and any appropriate state
depository institution supervisor under part 363 of the FDIC's
regulations. A [public] holding company choosing to prepare a single
report to satisfy both sets of requirements will file the report
with the [Securities and Exchange] Commission under the Exchange Act
and the FDIC, the primary Federal regulator of the insured
depository institution subsidiary subject to the FDIC's
requirements, and any appropriate state depository institution
supervisor under part 363.''
---------------------------------------------------------------------------
For more complete information on these two options, institutions
(and holding companies) should refer to section II.H.4. of the preamble
to the SEC's section 404 final rule release (68 FR 36648, June 18,
2003).
Paperwork Reduction Act
This regulation contains modifications to a collection of
information that have been reviewed and approved by the Office of
Management and Budget under control number 3064-0113, pursuant to the
Paperwork Reduction Act (44 U.S.C. 3501 et seq.). The primary
modification increases the asset size threshold for compliance with
certain reporting requirements in part 363.
The estimated reporting burden for the collection of information
under part 363 is 65,612 hours per year.
Number of Respondents: 5,243.
Total Annual Responses: 15,684.
Total Annual Burden Hours: 65,612.
Regulatory Flexibility Act
The Regulatory Flexibility Act requires that each Federal agency
either certify that a proposed rule would not, if adopted in final
form, have a significant economic impact on a substantial number of
small entities or prepare an initial regulatory flexibility analysis of
the proposal and publish the analysis for comment. See 5 U.S.C. 603,
605. The Small Business Administration (SBA) defines small banks as
those with less than $150 million in assets. Because this rule
expressly exempts insured depository institutions having assets of less
than $500 million, it is inapplicable to small entities as defined by
the SBA. Therefore, it is certified that this proposed rule would not
have a significant economic impact on a substantial number of small
entities.
Small Business Regulatory Enforcement Fairness Act
The Small Business Regulatory Enforcement Fairness Act of 1996
(SBREFA) (Title II, Pub. L. 104-121) provides generally for agencies to
report rules to Congress and the General Accounting Office (GAO) for
review. The reporting requirement is triggered when a Federal agency
issues a final rule. The FDIC will file the appropriate reports with
Congress and the GAO as required by SBREFA. The Office of Management
and Budget has determined that the rule does not constitute a ``major
rule'' as defined by SBREFA.
List of Subjects in 12 CFR Part 363
Accounting, Administrative practice and procedure, Banks, Banking,
Reporting and recordkeeping requirements.
For the reasons set forth in the preamble, the Board of Directors of
the FDIC hereby amends part 363 of title 12, chapter III, of the Code
of Federal Regulations as follows:
PART 363--ANNUAL INDEPENDENT AUDITS AND REPORTING REQUIREMENTS
1. The authority citation for part 363 continues to be read as follows:
Authority: 12 U.S.C. 1831m.
2. Section 363.1 is amended by revising paragraph (b)(2)(ii)(B) to read
as follows:
Sec. 363.1 Scope.
* * * * *
(b) * * *
(2) * * *
(ii) * * *
(B) Total assets of $5 billion or more and a composite CAMELS
rating of 1 or 2.
* * * * *
3. Section 363.2(b) is amended by revising paragraph (b)(2) and adding
paragraph (b)(3) to read as follows:
Sec. 363.2 Annual reporting requirements.
* * * * *
(b) * * *
(2) An assessment by management of the institution's compliance
with such laws and regulations during such fiscal year; and
(3) For an institution with total assets of $1 billion or more at
the beginning of such fiscal year, an assessment by management of the
effectiveness of such internal control structure and procedures as of
the end of such fiscal year.
4. Section 363.3 is amended by revising paragraph (b) to read as
follows:
Sec. 363.3 Independent public accountant.
* * * * *
(b) Additional reports. For each insured depository institution
with total assets of $1 billion or more at the beginning of the
institution's fiscal year, such independent public accountant shall
examine, attest to, and report separately on, the assertion of
management concerning the institution's internal control structure and
procedures for financial reporting. The attestation shall be made in
accordance with generally accepted standards for attestation
engagements.
* * * * *
5. Section 363.5 is amended by revising paragraph (a) to read as
follows:
Sec. 363.5 Audit committees.
(a) Composition and duties. Each insured depository institution
shall establish an audit committee of its board of directors, the
composition of which complies with paragraphs (a)(1), (2), and (3) of
this section, and the duties of which shall include reviewing with
management and the independent public accountant the basis for the
reports issued under this part.
(1) Each insured depository institution with total assets of $1
billion or more as of the beginning of its fiscal year shall establish
an independent audit committee of its board of directors, the members
of which shall be outside directors who are independent of management
of the institution.
(2) Each insured depository institution with total assets of $500
million or more but less than $1 billion as of the beginning of its
fiscal year shall establish an audit committee of its board of
directors, the members of which shall be outside directors, the
majority of whom shall be independent of management of the institution.
The appropriate Federal banking agency may, by order or regulation,
permit the audit committee of such an insured depository institution to
be made up of less than a majority of outside directors who are
independent of management, if the agency determines that the
institution has encountered hardships in retaining and recruiting a
sufficient number of competent outside directors to serve on the audit
committee of the institution.
(3) An outside director is a director who is not, and within the
preceding fiscal year has not been, an officer or employee of the
institution or any affiliate of the institution.
* * * * *
6. Appendix A to part 363 is amended as follows:
a. Footnote 2, Guideline 10, is amended by adding ``Risk Management''
after ``FDIC's Division of Supervision and Consumer Protection (DSC)'';
b. Guideline 16 is amended by removing ``Registration and Disclosure
Section'' and adding in its place ``Accounting and Securities
Disclosure Section'';
c. Guideline 22 is amended by revising the first sentence of paragraph
(a) to read as set forth below;
d. Guideline 27 is amended by revising the second sentence to read as
set forth below;
e. Guideline 28 is amended by revising paragraph (a) to read as set
forth below;
f. Guideline 29 is revised to read as set forth below; and
g. The first sentence of Guideline 36 is revised to read as set forth
below.
The revisions read as follows:
Appendix A to Part 363--Guidelines and Interpretations
* * * * *
Filing and Notice Requirements (Sec. 363.4)
22. * * *
(a) FDIC: Appropriate FDIC Regional or Area Office (Supervision
and Consumer Protection), i.e., the FDIC regional or area office in
the FDIC region or area that is responsible for monitoring the
institution or, in the case of a subsidiary institution of a holding
company, the consolidated company. * * *
* * * * *
Audit Committees (Sec. 363.5)
27. * * * At least annually, the board of an institution with $1
billion or more in total assets at the beginning of its fiscal year
should determine whether all existing and potential audit committee
members are ``independent of management of the institution'' and the
board of an institution with total assets of $500 million or more
but less than $1 billion as of the beginning of its fiscal year
should determine whether the majority of all existing and potential
audit committee members are ``independent of management of the
institution.'' * * *
28. * * *
(a) Has previously been an officer of the institution or any
affiliate of the institution;
* * * * *
29. Lack of independence. An outside director should not be
considered independent of management if such director owns or
controls, or has owned or controlled within the preceding fiscal
year, assets representing 10 percent or more of any outstanding
class of voting securities of the institution.
* * * * *
Other
36. Modifications of guidelines. The FDIC's Board of Directors
has delegated to the
Director of the FDIC's Division of Supervision and Consumer
Protection (DSC) authority to make and publish in the Federal
Register minor technical amendments to the Guidelines in this
appendix, in consultation with the other appropriate federal banking
agencies, to reflect the practical experience gained from
implementation of this part. * * *
* * * * *
By order of the Board of Directors.
Dated at Washington, DC, this 8th day of November, 2005.
Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.
[FR Doc. 05-23310 Filed 11-25-05; 8:45 am]