Annual Independent Audits and Reporting Requirements, 32226-32261 [E9-15378]
Federal Register / Vol. 74, No. 128 / Tuesday, July 7, 2009 / Rules and Regulations
FEDERAL DEPOSIT INSURANCE
CORPORATION
12 CFR Parts 308 and 363
RIN 3064–AD21
Annual Independent Audits and
Reporting Requirements
AGENCY: Federal Deposit Insurance
Corporation (FDIC).
ACTION: Final rule.
SUMMARY: The FDIC is amending part
363 of its regulations concerning annual
independent audits and reporting
requirements for certain insured
depository institutions, which
implements section 36 of the Federal
Deposit Insurance Act (FDI Act), largely
as proposed, but with certain
modifications made in response to the
comments received. The amendments
are designed to further the objectives of
section 36 by incorporating certain
sound audit, reporting, and audit
committee practices from the Sarbanes-Oxley Act of 2002 (SOX) into part 363
and they also reflect the FDIC’s
experience in administering part 363.
The amendments will provide clearer
and more complete guidance to
institutions and independent public
accountants concerning compliance
with the requirements of section 36 and
part 363. As required by section 36, the
FDIC has consulted with the other
Federal banking agencies. The FDIC is
also making a technical amendment to
its rules and procedures (part 308,
subpart U) for the removal, suspension,
or debarment of accountants and
accounting firms.
DATES: This final rule is effective August
6, 2009.
Applicability date: The final rule
applies to part 363 Annual Reports with
a filing deadline on or after the effective
date of these amendments. Under the
final rule, the filing deadline for Part
363 Annual Reports is 120 days after the
end of its fiscal year for an institution
that is neither a public company nor a
subsidiary of a public company and 90
days after the end of its fiscal year for
an institution that is a public company
or a subsidiary of a public company.
Compliance date: The compliance
date for the provision of the final rule
that directs covered institutions’ boards
of directors to develop and adopt an
approved set of written criteria for
determining whether a director who is
to serve on the audit committee is an
outside director and is independent of
management (guideline 27) is delayed
until December 31, 2009. The provision
of the final rule that requires the total
assets of a holding company’s insured
depository institution subsidiaries to
comprise 75 percent or more of the
holding company’s consolidated total
assets in order for an institution to be
eligible to comply with part 363 at the
holding company level (§ 363.1(b)(1)(ii))
is effective for fiscal years ending on or
after June 15, 2010.
FOR FURTHER INFORMATION CONTACT:
Harrison E. Greene, Jr., Senior Policy
Analyst (Bank Accounting), Division of
Supervision and Consumer Protection,
at hgreene@fdic.gov or (202) 898–8905;
or Michelle Borzillo, Senior Counsel,
Supervision and Legislation Section,
Legal Division, at mborzillo@fdic.gov or
(202) 898–7400.
SUPPLEMENTARY INFORMATION:
I. Executive Summary
Section 36 of the Federal Deposit
Insurance Act (FDI Act) and the FDIC’s
implementing regulations (part 363) are
generally intended to facilitate early
identification of problems in financial
management at insured depository
institutions with total assets above
certain thresholds through annual
independent audits, assessments of the
effectiveness of internal control over
financial reporting and compliance with
laws and regulations pertaining to
insider loans and dividend restrictions,
the establishment of independent audit
committees, and related reporting
requirements. The asset-size threshold
for an institution for internal control
assessments is $1 billion and the
threshold for the other requirements
generally is $500 million. Given changes
in the industry; certain sound audit,
reporting, and audit committee practices
incorporated in the Sarbanes-Oxley Act
of 2002 (SOX); and the FDIC’s
experience in administering part 363,
the FDIC is amending part 363 of its
regulations. These amendments are
designed to further the objectives of
section 36 by incorporating these sound
practices into part 363 and to provide
clearer and more complete guidance to
institutions and independent public
accountants concerning compliance
with the requirements of section 36 and
part 363.
After making certain modifications to
the proposed amendments to part 363 in
response to the comments received, the
most significant revisions included in
the final rule will: (1) Extend the time
period for a non-public institution to
file its part 363 Annual Report by 30
days and replace the 30-day extension
of the filing deadline that may be
granted if an institution (public or non-public) is confronted with extraordinary
circumstances beyond its reasonable
control with a late filing notification
requirement that would have general
applicability; (2) provide relief from the
annual reporting requirements for
institutions that are merged out of
existence before the filing deadline; (3)
provide relief from reporting on internal
control over financial reporting for
businesses acquired during the fiscal
year; (4) require management’s
assessment of compliance with the laws
and regulations pertaining to insider
loans and dividend restrictions to state
management’s conclusion regarding
compliance and disclose any
noncompliance with such laws and
regulations; (5) require an institution’s
management and the independent
public accountant to identify the
internal control framework used to
evaluate internal control over financial
reporting and disclose all identified
material weaknesses that have not been
remediated prior to the institution’s
most recent fiscal year-end; (6) clarify
the independence standards with which
independent public accountants must
comply and enhance the enforceability
of compliance with these standards; (7)
specify that the duties of the audit
committee include the appointment,
compensation, and oversight of the
independent public accountant,
including ensuring that audit
engagement letters do not contain
unsafe and unsound limitation of
liability provisions; (8) require certain
communications by independent public
accountants to audit committees; (9)
establish retention requirements for
audit working papers; (10) require
boards of directors to adopt written
criteria for evaluating an audit
committee member’s independence and
provide expanded guidance for boards
of directors to use in determining
independence; (11) provide that
ownership of 10 percent or more of any
class of voting securities of an
institution is not an automatic bar for
considering an outside director to be
independent of management; (12)
require the total assets of a holding
company’s insured depository
institution subsidiaries to comprise 75
percent or more of the holding
company’s consolidated total assets in
order for an institution to be eligible to
comply with part 363 at the holding
company level; and (13) provide
illustrative management reports to assist
institutions in complying with the
annual reporting requirements.
The FDIC is also amending its rules
and procedures (part 308, subpart U) for
the removal, suspension, or debarment
of accountants and accounting firms
from performing audit services required
by section 36 of the FDI Act to specify
where an accountant or accounting firm
should file required notices of orders
and actions with the FDIC.
II. Background
Section 112 of the Federal Deposit
Insurance Corporation Improvement Act
of 1991 (FDICIA) added section 36,
“Early Identification of Needed
Improvements in Financial
Management,” to the FDI Act (12 U.S.C.
1831m). Section 36 is generally
intended to facilitate early identification
of problems in financial management at
insured depository institutions above a
certain asset size threshold through
annual independent audits, assessments
of the effectiveness of internal control
over financial reporting and compliance
with designated laws and regulations,
and related reporting requirements.
Section 36 also includes requirements
for audit committees at these insured
depository institutions. Section 36
grants the FDIC discretion to set the
asset size threshold for compliance with
these statutory requirements, but it
states that the threshold cannot be less
than $150 million. Sections 36(d) and (f)
also obligate the FDIC to consult with
the other Federal banking agencies in
implementing these sections of the FDI
Act, and the FDIC has performed the
required consultation.
Part 363 of the FDIC’s regulations (12
CFR part 363), which implements
section 36 of the FDI Act, was initially
adopted by the FDIC’s Board of
Directors in 1993. At present, part 363
requires each insured depository
institution with $500 million or more in
total assets (covered institution) to
submit to the FDIC and other
appropriate Federal and State
supervisory agencies an annual report
(Part 363 Annual Report) comprised of
audited financial statements, and a
management report containing a
statement of management’s
responsibilities and an assessment by
management of compliance with laws
and regulations pertaining to insider
loans and dividend restrictions. The
management report component of the
annual report for an institution with $1
billion or more in total assets must also
include an assessment by management
of the effectiveness of internal control
over financial reporting and an
independent public accountant’s
attestation report on internal control
over financial reporting. In addition,
part 363 provides that each covered
institution’s board of directors must
establish an independent audit
committee comprised of outside
directors. For an institution with
between $500 million and $1 billion in
total assets, part 363 requires a majority
of the members of the audit committee
to be independent of management of the
institution. For a larger institution, all of
the members of the audit committee
must be independent of management.
Part 363 also includes Guidelines and
Interpretations (Appendix A to part
363), which are intended to assist
institutions and independent public
accountants in understanding and
complying with section 36 and part 363.
III. Discussion of Proposed
Amendments and Comments Received
On October 16, 2007, the FDIC’s
Board approved the publication of
proposed amendments to part 363 and
part 308, subpart U, of the FDIC’s
regulations, which were published in
the Federal Register on November 2,
2007, for a 90-day comment period (72
FR 62310). The comment period closed
on January 31, 2008.
Given the number and extent of
changes to part 363 and its Guidelines
and Interpretations and to enable
readers to more easily understand the
context of the changes, this notice
includes the entire text of part 363 as
amended, not just the amended text.
Also, the following “Table of Changes to
Part 363 and Appendices” is intended
to assist readers in determining which
sections of part 363 are affected by the
final rule.
TABLE OF CHANGES TO PART 363 AND APPENDICES

| | Unchanged | Revised | New | Reserved |
|---|---|---|---|---|
| Part 363—Annual Independent Audits and Reporting Requirements | | | | |
| Table of Contents | | X | | |
| OMB Control Number § 363.0 | X | | | |
| Scope and Definitions: | | | | |
| § 363.1(a) | | X | | |
| § 363.1(b)(1) | | X | | |
| § 363.1(b)(2) | | X | | |
| § 363.1(b)(3) | X | | | |
| § 363.1(c) | | | X | |
| § 363.1(d) | | | X | |
| Annual Reporting Requirements: | | | | |
| § 363.2(a) | | X | | |
| § 363.2(b) | | X | | |
| § 363.2(b)(1) | | X | | |
| § 363.2(b)(2) | | X | | |
| § 363.2(b)(3) | | X | | |
| § 363.2(c) | | | X | |
| Independent Public Accountant: | | | | |
| § 363.3(a) | X | | | |
| § 363.3(b) | | X | | |
| § 363.3(c) | | X | | |
| § 363.3(d) | | | X | |
| § 363.3(e) | | | X | |
| § 363.3(f) | | | X | |
| § 363.3(g) | | | X | |
| Filing and Notice Requirements: | | | | |
| § 363.4(a) | | X | | |
| § 363.4(b) | | X | | |
| § 363.4(c) | | X | | |
| § 363.4(d) | X | | | |
| § 363.4(e) | | | X | |
| § 363.4(f) | | | X | |
| Audit Committees: | | | | |
| § 363.5(a) | | X | | |
| § 363.5(b) | | X | | |
| § 363.5(c) | | | X | |
| Appendix A to Part 363—Guidelines and Interpretations | | | | |
| Table of Contents | | X | | |
| Introduction | X | | | |
| Scope (§ 363.1): | | | | |
| Guideline 1 | X | | | |
| Guideline 2 | X | | | |
| Guideline 3 | | X | | |
| Guideline 4 | | X | | |
| Guideline 4A | | | X | |
| Annual Reporting Requirements (§ 363.2): | | | | |
| Guideline 5 | | X | | |
| Guideline 5A | | | X | |
| Guideline 6 | | X | | |
| Guideline 7 | | X | | |
| Guideline 7A | | | X | |
| Guideline 8 | | X | | |
| Guideline 8A | | | X | |
| Guideline 8B | | | X | |
| Guideline 8C | | | X | |
| Guideline 9 | | X | | |
| Guideline 10 | | X | | |
| Guideline 11 | | X | | |
| Guideline 12 | | | | X |
| Role of Independent Public Accountant (§ 363.3): | | | | |
| Guideline 13 | | X | | |
| Guideline 14 | | | | X |
| Guideline 15 | | X | | |
| Guideline 16 | | | | X |
| Guideline 17 | X | | | |
| Guideline 18 | | X | | |
| Guideline 18A | | | X | |
| Guideline 19 | X | | | |
| Guideline 20 | | X | | |
| Guideline 21 | X | | | |
| Filing and Notice Requirements (§ 363.4): | | | | |
| Guideline 22 | | | | X |
| Guideline 23 | | X | | |
| Guideline 24 | X | | | |
| Guideline 25 | | | | X |
| Guideline 26 | | X | | |
| Audit Committees (§ 363.5): | | | | |
| Guideline 27 | | X | | |
| Guideline 28 | | X | | |
| Guideline 29 | | | | X |
| Guideline 30 | | X | | |
| Guideline 31 | | X | | |
| Guideline 32 | | X | | |
| Guideline 33 | X | | | |
| Guideline 34 | X | | | |
| Guideline 35 | | X | | |
| Other: | | | | |
| Guideline 36 | | X | | |
| Table 1 to Appendix A: | | | | |
| Designated Federal Laws and Regulations | | | X | |
| Appendix B—Illustrative Management Reports | | X | | |

In response to its request for
comments, the FDIC received 23
comment letters that addressed the
proposed amendments to part 363.
These commenters represented 12
financial institutions; 3 bankers’ trade
organizations; 4 accounting firms; 1
accountants’ trade organization; 1 State
regulatory organization; and 2 law firms.
Regarding the technical amendment
to part 308, Subpart U, the FDIC did not
receive any comments on its proposal to
specify the location where an
accountant or accounting firm should
file required notices of orders and
actions regarding removal, suspension,
or debarment.
With respect to the comments
received on the proposed amendments
to part 363, eight commenters expressed
general support for the proposal, seven
commenters were generally not
supportive, and eight commenters did
not express an overall view on the
proposal. While comments were
received on almost every aspect of the
proposed amendments, no commenter
specifically commented on each aspect.
However, eleven commenters expressed
concerns regarding the regulatory
burden associated with various aspects
of the proposal. In addition,
commenters expressed concerns about
the following aspects of the proposed
amendments:
• Disclosure of noncompliance with
the designated laws and regulations,
• Insured depository institution
percentage-of-consolidated-total-assets
threshold for eligibility to comply with
part 363 at a holding company level,
• Management’s report on internal
control over financial reporting,
• Independent public accountant’s
report on internal control over financial
reporting,
• Independent public accountant’s
communications with audit committees,
• Time period for the retention of the
independent public accountant’s
working papers,
• Independence standards applicable
to independent public accountants,
• Filing requirement for and public
availability of AICPA peer review
reports and PCAOB inspection reports
on independent public accountants,
• Filing requirement for and public
availability of audit engagement letters,
and
• Audit committee member
independence.
The following sections discuss the
proposed amendments and the
comments and concerns raised by the
commenters, including the responses
received on two specific aspects of the
proposed amendments for which the
FDIC specifically requested comments:
(1) Disclosure of noncompliance with
the designated safety and soundness
laws and regulations pertaining to
insider loans and dividend restrictions,
and (2) the 75 percent of total assets
threshold for eligibility to comply with
the requirements of part 363 at the
holding company level.
A. Scope and Definitions (§ 363.1 and
Guidelines 1–4A)
1. Applicability
The FDIC proposed to amend
§ 363.1(a) to more clearly state that part
363 applies to any insured depository
institution that has consolidated total
assets of $500 million or more at the
beginning of its fiscal year.
One commenter that represents over
30 community banks recommended that
the FDIC raise the asset size threshold
from $500 million to $1 billion for
requiring compliance with part 363. In
November 2005, when the FDIC
increased the asset size threshold for
assessments of internal control over
financial reporting from $500 million to
$1 billion, it concluded that exempting
all institutions below this higher size
level from all of the requirements of part
363 would not be consistent with the
objective of the underlying statute, i.e.,
early identification of needed
improvements in financial management.
The Federal banking agencies rely upon
financial information to evaluate the
condition of insured depository
institutions and to determine the
adequacy of regulatory capital. Accurate
and reliable measurement of an
institution’s loans, other assets, and
earnings has a direct bearing on the
determination of regulatory capital. The
agencies are able to place greater
reliance on measurements contained in
financial statements that have been
subject to an independent audit.
Independent audits help to identify
weaknesses in internal control over
financial reporting and risk management
at institutions and reinforce corrective
measures, thus complementing
supervisory efforts in contributing to the
safety and soundness of insured
depository institutions. Therefore, after
considering this comment, the FDIC has
determined that, except where a $1
billion or higher asset threshold already
applies, the $500 million asset size
threshold continues to be the
appropriate level for requiring
compliance with part 363.
2. Compliance by Subsidiaries of
Holding Companies
At present, an insured depository
institution that is a subsidiary of a
holding company may use consolidated
holding company financial statements
to satisfy the audited financial
statements requirement of part 363
regardless of whether the assets of the
insured depository institution
subsidiary or subsidiaries of the holding
company represent substantially all or
only a minor portion of the holding
company’s consolidated total assets.
When the assets of insured depository
institution subsidiaries do not comprise
a substantial portion of a holding
company’s consolidated total assets, the
FDIC staff has found that the holding
company’s consolidated financial
statements, including the accompanying
notes to the financial statements, do not
tend to provide sufficient information
that is indicative of the financial
position and results of operations of
these institutions. Also, when the
insured depository institution
subsidiaries do not contribute
significantly to the holding company’s
financial position and results of
operations, the extent of audit coverage
given to these institutions in the audit
of the consolidated holding company
may be limited. Such limited audit
coverage would not be consistent with
the purpose and intent of section 36 of
the FDI Act, which focuses on insured
depository institutions rather than
holding companies. In this situation, the
assurance that would be provided by an
independent audit performed
substantially at the level of the insured
depository institution subsidiaries is not
otherwise available.
Therefore, given the differing
characteristics of the holding companies
that own insured depository institutions
as well as the relationship of an insured
depository institution’s total assets to
the consolidated total assets of its parent
holding company, and in keeping with
the intent and purpose of section 36 of
the FDI Act, the FDIC proposed to
amend §§ 363.1(b)(1) and (2) by revising
the criteria for determining whether the
audited financial statements
requirement and the other requirements
of part 363 may be satisfied at a holding
company level. More specifically, in
order for a covered institution to be
eligible to comply with the
requirements of part 363 at the top-tier
or any other mid-tier holding company
level, the FDIC proposed that the
consolidated total assets of the insured
depository institution (or the
consolidated total assets of all insured
depository institutions, regardless of
size, if the top-tier or mid-tier holding
company owns or controls more than
one insured depository institution) must
comprise 75 percent or more of the
consolidated total assets of the top-tier
or mid-tier holding company. The FDIC
believes that this percentage-of-assets
threshold should ensure that the extent
of independent audit work performed at
the insured depository institution level
is sufficient to satisfy the intent of
section 36 of the FDI Act, that is, the
early identification of needed
improvements in financial management
at insured institutions. The FDIC also
believes that this threshold will
continue to provide flexibility to the
vast majority of covered institutions that
are part of a holding company structure
with respect to the level at which they
may comply with part 363.
When determining an appropriate
percentage-of-assets threshold for
compliance with part 363 at a holding
company level, the FDIC considered the
range of percentage-of-assets ratios for
covered institutions that are part of a
holding company structure. The vast
majority of insured institutions subject
to part 363 that are in a holding
company structure are subsidiaries of
organizations where the assets of the
insured depository institution
subsidiaries of the holding company
comprise 90 percent or more of the
holding company’s consolidated total
assets. Of the remaining institutions
subject to part 363 that are in a holding
company structure, most are
subsidiaries of organizations where the
assets of the insured institutions
comprise either from 75 to 90 percent or
less than 25 percent of the top-tier
parent company’s consolidated total
assets. Smaller numbers of institutions
are subsidiaries of organizations where
the assets of the insured institutions
comprise from 25 to 50 percent or from
50 to 75 percent of the top-tier parent
company’s consolidated total assets.
However, in a number of cases where
the insured institution subsidiaries
comprise less than 75 percent of the top-tier
holding company’s consolidated
total assets, the insured institution
subsidiaries that are subject to part 363
currently comply with the regulation at
a mid-tier holding company level where
the assets of the insured institution
subsidiaries comprise 90 percent or
more of the mid-tier holding company’s
consolidated total assets. Thus, these
institutions would not need to change
how they comply with part 363 in
response to the establishment of the
proposed 75 percent threshold,
provided they continue to comply at the
same mid-tier holding company level
and this holding company continues to
meet the 75 percent threshold.
To assist it in considering the costs
and benefits of a threshold, the FDIC
specifically requested comment as to
whether 75 percent or more of
consolidated total assets is an
appropriate threshold. Six commenters
expressed views that the 75 percent
threshold is reasonable, is in the
public’s best interest, and provides ease
of application while obtaining
appropriate audit coverage of the
insured depository institutions.
Three commenters were opposed to
the proposed 75 percent threshold.
These commenters expressed the
following concerns:
• The goal is reasonable but the
proposed 75 percent threshold may not
be appropriate. Instead, lower the
threshold and require institutions that
are below the threshold to consult with
the FDIC prior to reporting at the
holding company level.
• Compliance at the holding company
level should not be dependent on the
aggregate size of the subsidiary insured
depository institutions relative to the
holding company.
• Institutions should have until the
end of their first full fiscal year after the
FDIC promulgates the final rule to
comply with the proposed change.
• The 75 percent threshold is
arbitrary and may result in treating very
similar institutions differently. An
objectives-based approach should be
used.
The FDIC continues to recognize that
those institutions currently complying
with part 363 at the holding company
level that will not meet the proposed
75-percent-of-consolidated-total-assets
threshold will incur additional costs
from having to comply with the
regulation at the institution level or at
a suitable mid-tier holding company
level. Requiring institutions that do
meet the 75 percent threshold, or a
lower percentage threshold, to consult
with the FDIC prior to reporting at a
holding company level would add a
new element of regulatory burden and
would not provide certainty nor
contribute to the ease of application of
the 75 percent threshold. The FDIC has
concluded that the 75-percent-of-assets
threshold strikes an appropriate balance
between insured institution financial
data and audit coverage and the cost of
compliance with part 363.
The FDIC agrees with the comment
that institutions that currently report at
the holding company level, but do not
meet the 75-percent-of-consolidated-total-assets
threshold, should be
afforded sufficient time to comply with
this new requirement. Accordingly, the
FDIC has decided to delay the effective
date for implementing this threshold
until fiscal years ending on or after June
15, 2010. Thus, for fiscal years ending
on or before June 14, 2010, all insured
depository institutions may continue to
satisfy the audited financial statements
requirement of part 363 at a holding
company level whether or not the
institution’s consolidated total assets (or
the consolidated total assets of all of its
parent holding company’s insured
institutions) comprise 75 percent or
more of the holding company’s
consolidated total assets at the
beginning of the fiscal year.
Guideline 3 to part 363, Compliance
by Holding Company Subsidiaries,
states that when a holding company
submits audited consolidated financial
statements and other reports or notices
required by part 363 on behalf of any
subsidiary institution, an accompanying
cover letter should identify all
subsidiary institutions to which the
statements, reports, or other notices
pertain. Because many cover letters
received by the FDIC have not
sufficiently identified these subsidiary
institutions, the FDIC proposed to
amend guideline 3 to clarify what
information should be included in the
cover letter. No comments were
received on this aspect of the proposal.
3. Financial Reporting
The FDIC proposed to add a new
§ 363.1(c) and a new guideline 4A,
Financial Reporting, to specify that
‘‘financial reporting’’ includes both
financial statements prepared in
accordance with generally accepted
accounting principles and those
prepared for regulatory reporting
purposes. Also, as proposed, guideline
4A clarifies that financial statements
prepared for regulatory reporting
purposes consist of the schedules
equivalent to the basic financial
statements that are included in an
institution’s appropriate regulatory
report and that financial statements
prepared for regulatory reporting
purposes do not include regulatory
reports prepared by a non-bank
subsidiary of a holding company or an
institution.
One commenter recommended that
the FDIC further clarify the definition of
financial reporting for purposes of part
363 to more clearly align it with current
reporting practices. This commenter
also stated that, when reporting at a
holding company level, ‘‘regulatory
reporting’’ would not extend to
assertions about internal control over
financial reporting at the subsidiary
institution level. Another commenter,
an accountants’ trade organization,
stated that the proposed amendment
seems to imply that institutions’
regulatory reports may not be prepared
in conformity with generally accepted
accounting principles (GAAP). This
commenter recommended that the FDIC
clarify the definition of financial
reporting to state that both financial
statements and the regulatory reports be
prepared in accordance with GAAP to
make it consistent with current practice.
While the FDIC believes that the
proposed amendments are consistent
with explanatory guidance it issued on
this subject in December 1994,¹ the
FDIC has decided to modify the
proposed definition of financial
reporting set forth in § 363.1(c) and
guideline 4A, Financial Reporting, to
state more clearly that, when reporting
at a holding company level, it includes
the financial statements and regulatory
reports of an institution’s holding
company. The modified definition
would also state that, for recognition
and measurement purposes, regulatory
reporting requirements shall conform to
GAAP.
¹ See FDIC Financial Institution Letter (FIL) 86–94,
dated December 23, 1994.
4. Definitions
The FDIC proposed to add § 363.1(d),
Definitions, to define several common
terms used in part 363 and the
guidelines and received no comments
on these definitions.
B. Annual Reporting Requirements
(§ 363.2 and Guidelines 5–12)
1. Audited Financial Statements
Consistent with sound management
practices and the objective of internal
control over financial reporting, the
FDIC proposed to amend § 363.2(a) to
require that the annual financial
statements reflect all material correcting
adjustments identified by the
independent public accountant.
Financial statements issued by insured
depository institutions that are public
companies or by their parent holding
companies that are public companies
are already subject to such a
requirement pursuant to section 401 of
SOX. The FDIC believes this
requirement should also apply to
institutions subject to part 363 that are
not public companies.
In response to a commenter’s
recommendation, the FDIC revised this
proposed requirement to provide
additional context regarding the phrase
‘‘material correcting adjustments
identified by the independent public
accountant’’ by explaining that these
adjustments should be those that are
necessary for the financial statements to
conform with GAAP.
2. Part 363 Management Report
Contents
The FDIC has noted differences in the
content of the management reports
included in Part 363 Annual Reports
and the adequacy of the information in
these management reports regarding the
results of management’s assessments of
the effectiveness of internal control over
financial reporting and compliance with
the laws and regulations pertaining to
insider loans and dividend restrictions.
Identified material weaknesses in
internal control over financial reporting
and instances of noncompliance with
insider lending requirements and
dividend restrictions have not always
been disclosed.
In addition, management’s assessment
of internal control over financial
reporting has often failed to disclose the
internal control framework used to
perform the assessment of the
effectiveness of these controls and to
clearly state whether controls over the
preparation of the regulatory financial
statements have been included within
the scope of management’s assessment.
The omission of this information from
an institution’s management report
reduces the usefulness of the report as
a means of identifying needed
improvements in financial management,
which is the objective of section 36 of
the FDI Act. The regulations adopted by
the Securities and Exchange
Commission (SEC) in 2003
implementing the requirement in
section 404 of SOX for a management
report on internal control over financial
reporting require management to
identify the internal control framework
it used to evaluate the effectiveness of
these controls and to disclose any
identified material weakness.
To provide clearer guidance on the
information that should be included in
the management report, the FDIC
proposed to expand § 363.2(b) to require
management’s assessment of
compliance with the laws and
regulations pertaining to insider loans
and dividend restrictions to include a
clear statement as to management’s
conclusion regarding compliance and to
disclose any noncompliance with such
laws and regulations. In addition, the
proposed amendment to § 363.2(b)
would require management’s
assessment of internal control over
financial reporting to identify the
internal control framework that
management used to make its
evaluation, include a statement that the
evaluation included controls over the
preparation of regulatory financial
statements, include a clear statement as
to management’s conclusion regarding
the effectiveness of internal control over
financial reporting, disclose all material
weaknesses identified by management,
and preclude management from
concluding that internal control over
financial reporting is effective if there
are any material weaknesses.
The FDIC specifically requested
comment as to whether the disclosure in
the management report of instances of
noncompliance with the laws and
regulations pertaining to insider loans
and dividend restrictions should be
made available for public inspection or
be designated as privileged and
confidential and not be made available
to the public by the FDIC. Three
commenters supported public
availability only for disclosures of
‘‘material’’ noncompliance and twelve
commenters were not supportive of
public availability of disclosures of
noncompliance. These commenters
were concerned that minor errors may
be mistaken for a systemic compliance
failure and stated that noncompliance
should be addressed through the
examination process.
The FDIC has considered these
comments and notes that all insured
depository institutions, regardless of
size, are required to comply with the
designated safety and soundness laws
and regulations that deal with insider
loans and dividend restrictions.
Moreover, these laws and regulations
have not substantially changed since
part 363 was first implemented in 1993.
Thus, well before an insured depository
institution reaches $500 million in total
assets and becomes subject to part 363,
it should already have appropriate
policies, procedures, controls, and
systems in place to monitor insider
lending activities and assess its
dividend-paying capacity and thereby
ensure compliance with the safety and
soundness laws and regulations in these
two designated areas. Public availability
of disclosures of instances of
noncompliance with these designated
laws and regulations should act as a
further stimulus to management’s efforts
to ensure that its policies, procedures,
controls, and systems are sound and
operating effectively. Therefore, the
FDIC has concluded that, to reinforce
the importance of management’s
responsibility for complying with the
laws and regulations pertaining to
insider loans and dividend restrictions,
instances of noncompliance with these
laws and regulations should be
disclosed in management’s assessment
(that is included in the management
report) and made available to the public.
Nevertheless, based on the comments
it received on this issue, the FDIC
believes it would be useful to provide
further guidance regarding disclosure of
noncompliance with the designated
safety and soundness laws and
regulations. Accordingly, the FDIC is
adding guideline 8C, Management’s
Disclosure of Noncompliance with
Designated Laws and Regulations, to
Appendix A to part 363. This guideline
states that management is not required
to specifically identify the individual or
individuals (e.g., officers or directors)
who were responsible for or were the
subject of any such noncompliance and
provides general parameters for making
the disclosure. For example, the
disclosure should include appropriate
qualitative and quantitative information
to describe the nature, type, and severity
of the noncompliance. Also, similar
instances of noncompliance may be
aggregated.
While the majority of commenters did
not comment on the proposed revisions
applicable to management’s report on
internal control over financial reporting,
four commenters expressed concerns or
made recommendations as follows:
• The report is not necessary, its costs
exceed the benefits derived, and it is
difficult for small community banks to
recruit personnel with the level of
training and experience necessary to
implement the accounting and reporting
rules.
• Consider a ‘‘delayed phase-in’’ of
the requirements for assessing internal
control over financial reporting similar
to the phase-in utilized by the SEC in its
rules implementing section 404 of SOX.
• Raise the asset size threshold for
this requirement from $1 billion to $3
billion to ease regulatory burden.
• The requirement to disclose all
identified material weaknesses in
internal control over financial reporting
in management’s report should be
clarified as to whether the disclosure
covers all identified material
weaknesses, regardless of their status as
of the institution’s fiscal year-end, or
only those in existence as of the end of
the fiscal year that have not been
remediated prior to that date.
Management has been required to
assess and report on the effectiveness of
an institution’s internal control over
financial reporting since part 363 was
first implemented in 1993. In November
2005, when the FDIC increased the asset
size threshold for internal control
assessments from $500 million to $1
billion, it concluded, and continues to
believe, that the $1 billion asset size
threshold is appropriate for requiring
assessments and reports on internal
control over financial reporting.
Therefore, the FDIC has decided to
retain the $1 billion asset size threshold
for requiring assessments and reports on
internal control over financial reporting.
Also, for the reasons previously stated,
the FDIC does not believe that a
‘‘delayed phase-in’’ of the requirement
for assessing and reporting on internal
control over financial reporting is
necessary or appropriate. Moreover, a
phase-in of the requirement for
management to assess and report on
internal control over financial reporting
in effect already exists because this
requirement takes effect only when an
institution’s total assets exceed $1
billion, not when the institution first
becomes subject to the other audit and
reporting requirements of section 36 and
part 363 when its assets reach $500
million.
With respect to management’s
reporting on the material weaknesses it
has identified in the management report
component of its Part 363 Annual
Report, the FDIC notes that section 36
of the FDI Act requires management to
perform an assessment of internal
control over financial reporting as of
year-end. Therefore, to clarify
management’s reporting responsibility,
the FDIC has revised § 363.2(b)(3)(iii) to
explain that management must disclose
all material weaknesses in internal
control over financial reporting that it
has identified and that have not been
remediated prior to the end of the
institution’s fiscal year.
Because part 363 and its guidelines
provide only limited guidance
concerning the contents of the
management report and the related
signature requirements for this report,
institutions and auditors have expressed
interest in examples of acceptable
reports. Therefore, to assist
managements of insured depository
institutions in complying with the
annual reporting requirements of
§ 363.2, the FDIC proposed to add
Appendix B to Part 363—Illustrative
Management Reports. Appendix B
provides guidance regarding reporting
scenarios that satisfy the annual
reporting requirements of part 363,
illustrative management reports, and an
illustrative cover letter for use when an
institution complies with the annual
reporting requirements at the holding
company level. The FDIC also states in
Appendix B that the use of the
illustrative management reports and
cover letter is not required. The FDIC
encourages the managements of insured
depository institutions to tailor the
wording of their management reports to
fit their particular circumstances,
especially when reporting on material
weaknesses in internal control over
financial reporting or noncompliance
with designated laws and regulations.
Two commenters stated that the
illustrative management reports are
helpful and will mitigate regulatory
burden. Another commenter suggested
that the illustrative management reports
would be better suited in an accounting
and auditing guide that could be
updated regularly to reflect changes in
professional standards or other
requirements that would affect these
reports and that the accounting and
auditing guide could illustrate the
differences in reporting under AICPA
and PCAOB standards. This commenter
also stated that the illustrative
management report on internal control
over financial reporting at the holding
company level is inconsistent with
current practice and that it does not
clearly and appropriately describe the
scope of the internal control
assessments by management or the
independent public accountant. This
commenter added that the language in
the illustrative management report on
internal control at the holding company
level does not make it clear to a reader
whether management has separately
assessed the effectiveness of internal
control over financial reporting at each
subsidiary institution listed in the
report.
The FDIC has considered this
commenter’s suggestion that the
illustrative management reports would
be better suited in an accounting and
auditing guide. In this regard, the FDIC
notes that auditing and attestation
standards require auditors to evaluate
the elements that management is
required to present in its report on its
assessment of internal control over
financial reporting, but these standards
do not fully address the requirements of
part 363 for management reports on
internal control nor do they provide
guidance to management regarding the
preparation of management reports for
part 363 purposes. Given the varying
degrees of familiarity of institution
management with professional auditing
and attestation standards as well as the
lack of availability of illustrative
management reports that satisfy the
requirements of part 363, the FDIC has
determined that the illustrative
management reports should be provided
in Appendix B to part 363. However, in
response to this commenter’s statements
concerning the illustrative management
reports on internal control over
financial reporting at the holding
company level, the FDIC has revised the
text of these illustrative management
reports, which are presented in sections
5(c) and (d) and 6(b) of Appendix B.
More specifically, the sample text in
these illustrative reports that identifies
the subsidiary institutions that are
subject to part 363 has been revised by
removing the language stating that these
institutions are included in the scope of
management’s assessment of internal
control over financial reporting. The
FDIC believes that the revised
illustrative management reports on
internal control over financial reporting
at the holding company level are
consistent with current practices and
professional auditing and attestation
standards.
Regarding management’s
responsibility for assessing compliance
with the laws and regulations pertaining
to insider loans and dividend
restrictions, the FDIC proposed to revise
and update Table 1 to Appendix A of
part 363 to reflect changes in these laws
and regulations that have occurred since
this table was last revised in 1997. The
FDIC received no comments on the
revised and updated Table 1.
3. Management Report Signatures
Section 36(b)(2) of the FDI Act
requires an institution’s management
report to be signed by the chief
executive officer and the chief
accounting officer or chief financial
officer. In its reviews of management
reports, the FDIC has noted that these
reports are often not signed by the
officers at the appropriate corporate
level when the audited financial
statements requirement is satisfied at
the holding company level or when one
or more of the components of the
management report is satisfied at the
holding company level and the
remaining components of the
management report are satisfied at the
insured depository institution level.
Therefore, the FDIC proposed to add
§ 363.2(c) to specify which corporate
officers must sign the management
report and also the level of the corporate
signers (i.e., insured depository
institution level or the holding company
level). No comments were received on
this aspect of the proposal.
4. Institutions Merged Out of Existence
To reduce regulatory burden and
provide certainty for merging
institutions, the FDIC proposed to add
guideline 5A, Institutions Merged Out of
Existence, to explicitly provide relief
from filing a Part 363 Annual Report for
an institution that is merged out of
existence after the end of its fiscal year,
but before the deadline for filing its Part
363 Annual Report. However, a covered
institution that is acquired after the end
of its fiscal year, but retains its separate
corporate existence rather than being
merged out of existence, would
continue to be required to file a Part 363
Annual Report for that fiscal year. Three
commenters commented in support of
this aspect of the proposal, one of whom
stated that the proposed amendment
will reduce both regulatory burden and
uncertainty.
5. Management’s Assessment of the
Effectiveness of Internal Control Over
Financial Reporting
The FDIC has publicly advised
institutions with $1 billion or more in
total assets that are public companies or
subsidiaries of public companies that
they have considerable flexibility in
determining how best to satisfy the
SEC’s requirements for management’s
assessment of internal control over
financial reporting which implement
section 404 of SOX, and the FDIC’s
requirements in part 363.² The reporting
flexibility available to institutions
subject to both the section 404 and the
part 363 requirements was initially
described in the preamble to the SEC’s
section 404 final rule release (68 FR
36642, June 18, 2003). This final rule
release explained that the flexible
reporting approach described in the
preamble had been developed by the
SEC staff in consultation with the staff
of the Federal banking agencies. To
codify this reporting flexibility in part
363, the FDIC proposed to add guideline
8A, Management’s Assessment of the
Effectiveness of Internal Control Over
Financial Reporting. For an institution
with $1 billion or more in total assets
that is subject to both part 363 and the
SEC’s rules implementing section 404 of
SOX (or whose parent holding company
is subject to section 404 and the
condition in § 363.1(b)(2) is met), the
proposed guideline describes two
options for complying with the filing
requirements regarding management’s
report on internal control over financial
reporting. These options are to prepare
(1) two separate reports, one to satisfy
the FDIC’s part 363 requirements and
another to satisfy the SEC’s section 404
requirements, or (2) a single report that
satisfies all of the FDIC’s part 363
requirements and all of the SEC’s
section 404 requirements. No comments
were received on proposed new
guideline 8A.
6. Internal Control Reports for Acquired
Businesses
Currently, under the reporting
requirements of part 363, both
management’s and the independent
public accountant’s evaluation of an
institution’s internal control over
financial reporting must include
controls at an institution in its entirety,
including all of its consolidated
businesses, including businesses that
were recently acquired. However, like
the SEC staff, the FDIC recognizes that
it may not always be possible for
management to conduct an evaluation of
the internal control over financial
reporting of an acquired business in the
period between the consummation date
of the acquisition and the due date of
management’s internal control
evaluation. The SEC staff has provided
guidance to public companies stating
that the staff would not object to the
exclusion of the acquired business from
management’s evaluation of internal
control over financial reporting,
provided certain disclosures are made
and other conditions are met.³ The FDIC
has received and granted several written
requests from institutions subject to the
internal control reporting requirements
of part 363 to exclude recently acquired
businesses from the scope of
management’s internal control
evaluation.
² 70 FR 71231, November 28, 2005; 70 FR 44295,
August 2, 2005; FDIC Financial Institution Letter
(FIL) 137–2004, December 21, 2004.
To reduce regulatory burden,
including the burden of submitting
written requests to the FDIC, and
provide certainty to institutions, the
FDIC proposed to add guideline 8B,
Internal Control Reports for Acquired
Businesses, to explicitly provide relief
from the reporting requirements
regarding internal control over financial
reporting related to business
acquisitions made by an institution
during its fiscal year. As proposed and
consistent with the SEC staff’s guidance,
guideline 8B would permit
management’s evaluation of internal
control over financial reporting to
exclude internal control over financial
reporting for the acquired business,
provided management’s report identifies
the acquired business, states that the
acquired business is excluded from
management’s evaluation of internal
control over financial reporting, and
indicates the significance of the
acquired business to the institution’s
consolidated financial statements. Also,
proposed guideline 8B would clarify
that if the acquired business is an
insured depository institution that is
subject to part 363 and it is not merged
out of existence before the deadline for
filing its Part 363 Annual Report, the
acquired business (institution) must
continue to comply with all of the
applicable requirements of part 363.
One commenter commented on this
aspect of the proposal and supported
the amendment as proposed, stating that
it will reduce both regulatory burden
and uncertainty.
7. Standards for Internal Control
At present, guideline 10, Standards
for Internal Control, provides that each
institution should determine its own
standards for establishing, maintaining,
and assessing the effectiveness of its
internal control over financial reporting,
but it does not describe the
characteristics of a suitable internal
control framework. The FDIC proposed
to amend guideline 10 to provide
guidance regarding the attributes of a
suitable internal control framework. The
proposed attributes are consistent with
3 See Question 3 in the SEC staff’s Frequently
Asked Questions on Management’s Report on
Internal Control Over Financial Reporting and
Certification of Disclosure in Exchange Act Periodic
Reports at https://www.sec.gov/info/accountants/
controlfaq1004.htm.
the attributes the SEC described in the
preamble to the SEC’s section 404 final
rule release (68 FR 36648, June 18,
2003). The FDIC believes that a
framework with these attributes is
appropriate for all institutions whether
or not they are public companies. No
comments were received on this aspect
of the proposal.
C. Independent Public Accountant
(§ 363.3 and Guidelines 13–21)
1. Internal Control Over Financial
Reporting
As with its experience in reviewing
the portion of the management report in
which management provides its
assessment of the effectiveness of the
institution’s internal control over
financial reporting, the FDIC has found
some independent public accountants’
internal control attestation reports to be
less than sufficiently informative. Such
attestation reports are, therefore,
inconsistent with the objectives of
section 36 of the FDI Act. As a
consequence, the FDIC proposed to
amend § 363.3(b), which governs the
independent public accountant’s report
on internal control over financial
reporting, to specify that, consistent
with generally accepted standards for
attestation engagements, the Public
Company Accounting Oversight Board’s
(PCAOB) auditing standards, and
related PCAOB staff implementation
guidance, the accountant’s report must:
• Not be dated prior to the date of
management’s report on its assessment
of the effectiveness of internal control
over financial reporting;
• Identify the internal control
framework that the accountant used to
make the evaluation (which must be the
same as the internal control framework
used by management);
• Include a statement that the
accountant’s evaluation included
controls over the preparation of
regulatory financial statements;
• Include a clear statement as to the
accountant’s conclusion regarding the
effectiveness of internal control over
financial reporting;
• Disclose all material weaknesses
identified by the accountant; and
• Conclude that internal control is
ineffective if there are any material
weaknesses.
The FDIC also proposed to amend
guideline 18, Attestation Report, to be
consistent with § 363.3(b)(2) by
reiterating that the attestation report on
internal control over financial reporting
should include a statement as to
regulatory reporting.
The majority of commenters did not
comment on the independent public
accountant’s report on internal control
over financial reporting. However, four
commenters expressed concerns or
made recommendations as follows:
• Since the AICPA Auditing
Standards Board’s proposed revisions to
the attestation standards for nonpublic
companies will likely be similar to the
requirements for public companies, and
based upon the experiences of public
companies complying with SOX 404,
the requirement for the independent
public accountant to examine, attest to,
and report on management’s assertion
concerning internal control over
financial reporting for both GAAP and
regulatory reporting purposes will be
too costly. Instead of having the
accountant examine internal control,
banking regulators should assess the
adequacy of internal control over
financial reporting as part of the
examination process.
• The requirements that the
independent public accountant’s report
on internal control over financial
reporting identify the internal control
framework used, state that the
evaluation included controls over the
preparation of regulatory financial
statements, express the accountant’s
conclusion as to whether internal
control is effective, and disclose all
material weaknesses can be deleted
because they are already addressed by
the AICPA and PCAOB standards. The
rule should instead refer to the
professional auditing and attestation
standards.
• The FDIC should consider a
delayed phase-in of the requirement for
the independent public accountant to
assess internal control over financial
reporting similar to the phase-in set
forth in the SEC’s rules implementing
SOX 404.
• The requirement to disclose
material weaknesses in internal control
over financial reporting in the
independent public accountant’s report
should be clarified as to whether the
disclosure covers all identified material
weaknesses, regardless of their status as
of the institution’s fiscal year-end, or
only those in existence as of the end of
the fiscal year that have not been
remediated prior to that date, which is
the disclosure requirement in the
professional auditing and attestation
standards.
Independent public accountants have
been required to examine, attest to, and
report on management’s assertion
concerning the effectiveness of an
institution’s internal control over
financial reporting since part 363 was
first implemented in 1993. This
requirement is also set forth in section
36 of the FDI Act. In November 2005,
the FDIC increased the asset size
threshold for internal control
assessments from $500 million to $1
billion for both management and the
independent public accountant. At that
time, the FDIC noted that recent and
impending changes to the auditing and
attestation standards governing internal
control assessments that were making
them more robust had and would
continue to increase the cost and burden
of the audit and reporting requirements
of part 363. The FDIC concluded then
that the increase to a $1 billion asset
size threshold for requiring assessments
and reports on internal control over
financial reporting achieved an
appropriate balance between burden
reduction and maintaining safety and
soundness for institutions subject to
part 363. The FDIC continues to believe
today that $1 billion remains a suitable
size threshold for internal control
assessments. Also, for the reasons
previously stated in Section III.B.2, the
FDIC does not believe that a “delayed
phase-in” of the requirement for the
independent public accountant to report
on management’s assertion regarding
internal control over financial reporting
is necessary or appropriate.
Additionally, the FDIC notes that under
the SEC’s most recent amendments, a
non-accelerated filer need not file the
auditor’s attestation report on internal
control over financial reporting until it
files an annual report for a fiscal year
ending on or after December 15, 2009.
Since part 363 has long required such
internal control audits, the FDIC
believes that it would be contrary to the
objectives of section 36 of the FDI Act
to allow institutions subject to part 363
with $1 billion or more in total assets,
that are not accelerated filers or
subsidiaries of accelerated filers for
Federal securities law purposes, to
discontinue undergoing assessments of
the effectiveness of their internal control
over financial reporting by their external
auditors until the SEC requires such
audits for non-accelerated filers.
In response to the comments
regarding the disclosure of material
weaknesses in internal control over
financial reporting, the FDIC has revised
§ 363.3(b)(3) to clarify that the
independent auditor’s internal control
report must disclose all material
weaknesses that the independent
auditor has identified and that have not
been remediated prior to the end of the
institution’s fiscal year.
The FDIC has considered the
suggestion that the rule be revised to
refer to the existing standards of the
auditing standard setters rather than
including specific requirements in the
rule. In this regard, both the current and
proposed rules state that the
independent public accountant’s
attestation and report on internal
control over financial reporting shall be
made in accordance with generally
accepted standards for attestation
engagements. However, as previously
noted, the FDIC has found some
independent public accountants’
internal control attestation reports to be
less than sufficiently informative, and
given the varying degrees of familiarity
of institution management and audit
committee members with professional
auditing standards, the FDIC has
decided to retain the specific
requirements set forth in the proposed
rule. The FDIC also believes that
including these requirements in the
proposed rule will assist audit
committee members in the performance
of their duties regarding the oversight of
the external auditor. However, the FDIC
has revised § 363.3(b) to clarify that the
auditor’s report on internal control over
financial reporting should satisfy the
requirements set forth in both part 363
and applicable professional standards.
In this regard, and consistent with
guidance the FDIC issued in February
2008,4 the FDIC has also revised
§ 363.3(b) and added guideline 18A to
clarify that the attestation report on
internal control over financial reporting
may be made in accordance with the
PCAOB’s auditing standards even if the
institution is a nonpublic company or a
subsidiary of a nonpublic company.
2. Communications With Audit
Committee
According to section 204 of SOX, an
accountant who audits a public
company’s financial statements should
report on a timely basis to the
company’s audit committee: (1) All
critical accounting policies, (2)
alternative accounting treatments
discussed with management, and (3)
written communications provided to
management, such as a management
letter or schedule of unadjusted
differences. The FDIC has encouraged
institutions, regardless of whether they
are public companies, to arrange with
their accountant to institute these
reporting practices.5 Requirements that
are similar, but not identical, to those
set forth in section 204 apply to
accountants who audit the financial
statements of entities that are not
public.6 Therefore, consistent with
4 See FDIC Financial Institution Letter (FIL) 5–
2008, dated February 1, 2008.
5 See FDIC Financial Institution Letter (FIL) 17–
2003, dated March 5, 2003.
6 See Statement on Auditing Standards No. 114,
The Auditor’s Communication With Those Charged
With Governance, December 2006.
current best practices and standards for
audits of both public and non-public
entities, the FDIC proposed to amend
part 363 by adding § 363.3(d),
Communications with audit committee,
to set a uniform minimum requirement
for such communication. As proposed,
§ 363.3(d) would require the
independent public accountant to report
the information identified in section 204
of SOX to the audit committee.
While the majority of commenters did
not comment on the independent public
accountant’s communications with
audit committees, three commenters
expressed the following concerns:
• The communication requirements
for auditors of nonpublic entities are
included in the AICPA’s standards and
those for auditors of public companies
are established by the PCAOB and the
SEC. Rather than memorializing these
communication requirements in the
rule, refer to the existing standards of
the AICPA, the PCAOB, and the SEC.
• The proposed amendments overlap
the requirements of the AICPA
standards and do not align with the
communication required by SEC rules
and regulations and may cause
confusion as to the required
communications. The requirements
should either be removed in their
entirety or clarified and aligned.
• SOX practices and principles
regarding audit committee
communications should be restricted to
publicly held banks.
• Auditors should not be required to
report critical accounting policies,
alternative accounting treatments, and
schedules of unadjusted differences to
the audit committee. Management
should have discretion as to whether
these communications should be
reported to the audit committee.
The FDIC has considered the concerns
raised by the commenters, including the
suggestion that the rule be revised to
refer to the existing standards of the
auditing standard setters (AICPA,
PCAOB, and SEC) rather than including
specific requirements in the rule.
Although the existing auditing
standards for both public and nonpublic
companies set forth the requirements for
the independent public accountant’s
communications with audit committees,
the FDIC believes that, given the varying
degrees of familiarity of audit committee
members with professional auditing
standards, setting forth the requirements
for the auditor’s communications with
audit committees in the proposed rule
will assist audit committee members in
the performance of their duties
regarding the oversight of the external
auditor. Therefore, the FDIC has
decided to retain the requirements set
forth in the proposed rule. However, the
FDIC has revised § 363.3(d) to clarify
that the auditor should satisfy the audit
committee communication requirements
set forth in both part 363 and applicable
professional standards. Also, based on
its review of the professional standards
regarding auditors’ communications
with audit committees, the FDIC
believes that the revised requirements in
the proposed rule are consistent with
the existing professional standards.
3. Retention of Working Papers
Section 36(g)(3)(A) of the FDI Act
states that an independent public
accountant who performs audit services
required by section 36 must agree to
provide related working papers to the
FDIC, any appropriate Federal banking
agency, and any State bank supervisor.
The SEC’s rules and the auditing
standards for public companies specify
a 7-year retention period for audit
working papers while the auditing
standards for nonpublic companies
provide that the retention period for
audit working papers should not be
shorter than five years.7 The FDIC
believes that a uniform retention period
should apply to audits of all institutions
subject to part 363. Accordingly, the
FDIC proposed to amend part 363 by
adding § 363.3(e), Retention of working
papers. As proposed, § 363.3(e) would
require the independent public
accountant to retain the working papers
related to its audit of the financial
statements and, if applicable, its
evaluation of internal control over
financial reporting for seven years.
One commenter stated that the five-year retention period specified by the
AICPA’s auditing standards is
appropriate for nonpublic companies.
Another commenter was concerned that
the proposed seven-year retention
period may cause extra burden and
expense for independent public
accountants of nonpublic institutions.
Under section 36 and part 363, the
requirement for institutions to undergo
audits of their financial statements and,
if applicable, assessments of their
internal control over financial reporting
does not depend on whether they are
public or nonpublic companies. Thus,
the FDIC believes that the retention
requirement for the working papers
associated with auditors’ performance of
these services should also be
independent of whether institutions are
public or nonpublic companies. In this
regard, the FDIC notes that the AICPA’s
7 See Rule 2–06 of the SEC’s Regulation S–X, the
PCAOB’s Auditing Standard No. 3, Audit
Documentation, June 2004, and the AICPA’s
Statement on Auditing Standards No. 103, Audit
Documentation, December 2005.
auditing standards for nonpublic
companies acknowledge that working
paper retention periods may exceed five
years. After considering the comments,
the FDIC continues to believe that a
uniform retention period for audit
working papers should apply to all
institutions subject to part 363.
Therefore, the FDIC has decided to
retain the proposed seven-year retention
period for working papers related to
audits of financial statements and
evaluations of internal control over
financial reporting.
4. Independence
Section 36 of the FDI Act states that
an “independent public accountant”
must perform the audit and attestation
services required by section 36 but it
does not define “independent,” leaving
this to the FDIC’s rulemaking authority.
As adopted by the FDIC in 1993, part
363 includes guideline 14,
Independence, which identifies the
independence standards applicable to
accountants performing services under
section 36 and part 363. This guideline
specifies that the independent public
accountant must comply with the
independence standards applicable to
audits of both nonpublic and public
companies. In 2003, the agencies jointly
issued rules of practice to implement
the enforcement provisions of section
36(g)(4), which authorize the FDIC or an
appropriate Federal banking agency to
remove, suspend, or bar an accountant,
for good cause, from performing audit
and attestation services for institutions
subject to section 36 and part 363.8 To
enhance the enforceability of the
independence standards with which an
accountant must comply for purposes of
part 363, the FDIC proposed to move the
independence requirements for
independent public accountants from
guideline 14, Independence, to new
§ 363.3(f), Independence. As proposed,
§ 363.3(f) would retain the original
independence concept of part 363, i.e.,
auditor compliance with the
independence standards applicable to
both nonpublic and public company
audits, by clarifying that the
independent public accountant must
comply with the independence
standards and interpretations of the
PCAOB for audits of public companies
that have been approved by the SEC in
addition to the independence standards
and interpretations of the AICPA and
the SEC.
Two commenters stated that the
proposed amendment with its explicit
reference to compliance with the
PCAOB’s independence standards
8 68 FR 48256, August 13, 2003.
represents a best practice and that the
coordination of the independence
standards in part 363 with the
independence standards of the AICPA,
the SEC, and the PCAOB will reduce
uncertainty. Nevertheless, one
commenter recommended that the FDIC
clarify whether an independent public
accountant should (a) comply with the
most restrictive independence
requirement addressing a particular
matter or (b) comply with the
independence requirements that pertain
only to public companies. In contrast,
six commenters (which included the
three bankers’ trade organizations and
two of the four accounting firms) were
opposed to or expressed concerns about
the proposed amendment. These
commenters stated that:
• The FDIC should individually
evaluate and clarify the applicability of
each new SEC and PCAOB
independence standard.
• The FDIC should revise part 363 to
require the auditors of public
institutions to meet the independence
rules of the SEC and the PCAOB and the
auditors of nonpublic institutions to
meet only the AICPA’s independence
rules.
• Applying the independence
standards of the SEC and the PCAOB
equally to all independent public
accountants may prohibit certain
independent public accountants from
performing engagements for nonpublic
institutions subject to part 363.
• Adding the PCAOB’s independence
rules to the existing requirement for
compliance with the independence
rules of the SEC and the AICPA could
be problematic for some community
banks because: (1) Some banks may not
have ready access to multiple
accounting firms that satisfy the
independence requirements of the
PCAOB, the SEC, and the AICPA; and
(2) it creates a third set of standards that
the audit committee will need to review
on a regular basis in order to fulfill its
duties.
• Education efforts to explain the
auditor independence requirements of
part 363 will be needed because: (1)
Many institutions subject to part 363 are
nonpublic; and (2) many independent
public accountants that provide services
to nonpublic institutions are not
registered with the PCAOB and may not
be familiar with the independence
standards of the SEC and the PCAOB.
The foundation for auditor
independence standards is the principle
that auditors who provide audit services
must be independent in fact and
appearance with respect to their audit
clients. The FDIC notes that the
independence rules of the SEC and
AICPA have been applicable to audits of
both public and nonpublic institutions
subject to part 363 since the
implementation of part 363 in 1993.
More recently, SOX granted additional
authority to set independence standards
for accounting firms performing audits
of public companies (issuers) to the
PCAOB. In this regard, the PCAOB’s
independence standards do not become
effective unless and until they are
approved by the SEC, which means that
they are tantamount to SEC
independence standards.
The FDIC acknowledges that both the
AICPA’s and the SEC’s auditor
independence standards, including
those of the PCAOB, have evolved over
time. The FDIC recognizes that the effect
of periodic changes in these auditor
independence standards carries over to
accountants with insured depository
institution audit clients subject to part
363 regardless of whether these clients
are public or nonpublic institutions.
Thus, as the AICPA, the SEC, and the
PCAOB periodically revise their auditor
independence standards, independent
public accountants performing audit
and attest services under part 363 must
take appropriate steps to ensure that
they continue to satisfy the
qualifications for accountants with
respect to independence that are set
forth in part 363. While changes in
independence standards can be
burdensome to auditors and their
clients, given the importance of the
independence of the accountants who
provide audit services to institutions
subject to part 363, which in number
comprise the largest 16 percent of the
insured depository institutions, the
FDIC continues to believe that it is in
the public interest for independence
standards to apply uniformly to all
accountants performing these services.
To achieve this objective, auditors of
institutions subject to part 363 should
continue to comply with all of the
independence standards applicable to
both nonpublic and public institutions
that are established by the AICPA, the
SEC, and the PCAOB rather than to
comply with these standards on a
selective or exclusionary basis.
Therefore, the FDIC has decided to
proceed with the proposed amendment
to the auditor independence provisions
of part 363.
However, as recommended by a
commenter, the FDIC has revised the
proposed rule to clarify that if a
provision within one of the applicable
independence standards is more
restrictive than a provision addressing
the same subject matter in one of the
other independence standards, the
independent public accountant must
comply with the more restrictive
independence requirement. For
example, an external auditor is
permitted to provide internal audit
outsourcing services to an audit client
under the AICPA’s independence rules,
but the independence rules of the SEC
and the PCAOB generally prohibit an
external auditor from providing such
services to an audit client. In this
example, the external auditor would
have to comply with the more restrictive
independence requirements of the SEC
and the PCAOB.
5. Peer Reviews
Section 36(g)(3)(A)(ii) of the FDI Act
requires an independent public
accountant to have received a peer
review or be enrolled in a peer review
program that meets acceptable
guidelines. At present, guideline 15 to
part 363 provides that to be acceptable,
a peer review should, among other
things, be generally consistent with
AICPA standards. Since part 363 was
originally adopted, the PCAOB has been
created and conducts inspections of
registered public accounting firms, some
of which audit insured depository
institutions subject to part 363 or their
parent holding companies. These
inspections serve a similar purpose as
peer reviews. In addition, the PCAOB
issues reports on its inspections of these
accounting firms.
In response to this development and
in light of the agencies’ issuance of rules
of practice implementing the
enforcement provisions of section 36,
the FDIC proposed to add new § 363.3(g)
on peer reviews. The FDIC proposed to
move the requirements for peer reviews,
the filing of peer review reports, and the
retention of peer review working papers
from guideline 15, Peer Reviews, and
guideline 16, Filing Peer Review
Reports, to § 363.3(g). As proposed,
§ 363.3(g) clarified that acceptable peer
reviews include peer reviews performed
in accordance with the AICPA’s Peer
Review Standards and inspections
conducted by the PCAOB. It also
provided that the FDIC would not make
available for public inspection the
portion of any peer review report and
inspection report determined to be
nonpublic by the AICPA and the
PCAOB, respectively. Finally, the FDIC
proposed to revise guideline 15 to
explain that to be acceptable a peer
review, other than a PCAOB inspection,
should be generally consistent with
AICPA Peer Review Standards.
In their comments on the proposal, all
four accounting firms and the
accountants’ trade organization did not
object to filing the public portions of
PCAOB inspection reports, but were
opposed to filing the nonpublic portions
of these reports. These commenters also
expressed the following concerns:
• The proposed requirement is
contrary to existing law (SOX) and the
professional standards of the PCAOB.
An accounting firm should be required
to submit the nonpublic portion of a
PCAOB inspection report to the FDIC
only if it is made public by the PCAOB.
• Pursuant to Section 104(g)(2) of
SOX, the PCAOB cannot disclose the
nonpublic portion of an inspection
report unless criticisms of the
accounting firm’s quality controls
remain unremediated 12 months after
the issuance of the report. There are
only two exceptions to the statutory
prohibition: (1) Disclosure to the SEC
and State boards of public accountancy,
and (2) to a “Federal functional
regulator” when the PCAOB Board, in
its discretion, determines that
disclosure is necessary. The PCAOB has
not made such a determination
regarding any Federal banking agency.
• Since AICPA peer review reports
and public portions of the PCAOB
inspection reports are available to the
FDIC on the AICPA and PCAOB Web
sites, there should not be a requirement
for auditors to submit reports directly to
the FDIC.
In response to the concerns raised by
the commenters, the FDIC has revised
the proposed amendment to require
independent public accountants to file
only the public portions of PCAOB
inspection reports. The revised
amendment also requires independent
public accountants to file previously
nonpublic portions of any PCAOB
inspection report within 15 days of the
PCAOB making such portions public.
The FDIC has retained the existing
requirement for independent public
accountants to file peer review reports,
accompanied by any letters of
comments, response, and acceptance.
Regarding AICPA peer review reports,
the FDIC notes that these reports are
publicly available on the AICPA Web
site for some, but not all, independent
public accountants and accounting
firms. The AICPA’s standards for
performing and reporting on peer
reviews do not require independent
public accountants or accounting firms
to post their peer review reports on the
AICPA Web site. However, members of
the AICPA’s audit quality centers and
the Private Companies Practice Section
post their review reports on the AICPA
Web site, certain firms voluntarily make
their peer review reports public, and
other firms make some aspects of their
peer review reports available when
required by a State board of public
accountancy or the Government
Accountability Office. Furthermore,
since section 36 of the FDI Act requires
peer review reports to be filed with the
FDIC and made available for public
inspection, the FDIC cannot override
this statutory requirement despite the
present availability of most of these
reports on the PCAOB and AICPA Web
sites. The FDIC has therefore retained
the filing requirement for AICPA peer
review reports and the public portions
of PCAOB inspection reports.
6. Notice of Termination
Guideline 26, Notices Concerning
Accountants, permits an institution that
is a public company or a subsidiary of
a public company to satisfy the
requirement for filing a notice of
termination of its independent public
accountant by using its current report
(e.g., SEC Form 8–K) concerning a
change in accountant to satisfy the
similar notice requirements of part 363.
To reduce regulatory burden and
provide flexibility to the independent
public accountant of such an institution,
the FDIC proposed to amend guideline
20, Notice of Termination, to permit the
independent public accountant to
satisfy the requirement to file a notice
of termination of its services in a similar
manner. No comments were received on
this aspect of the proposal.
D. Filing and Notice Requirements
(§ 363.4 and Guidelines 22–26)
1. Annual Reporting
At present, the annual reporting
requirements of part 363 require each
insured depository institution to file its
Part 363 Annual Report within 90 days
after the end of its fiscal year. Each
institution is also required to file the
independent public accountant’s report
on the audited financial statements and,
if applicable, the accountant’s
attestation report on management’s
assessment of internal control over
financial reporting, both of which are
components of the Part 363 Annual
Report, within 15 days of receipt by the
institution, which, at times, has
presented a conflict with the annual
report filing requirement. The FDIC has
also noted that earlier filing deadlines
established by the SEC for annual
reports filed by certain public
companies under the Federal securities
laws (e.g., SEC Form 10–K) and more
robust auditing standards related to
internal control over financial reporting
have had an impact on the management
of institutions, on the resources of
independent public accountants, and on
auditing costs.
To reduce cost and burden, the FDIC
proposed to amend § 363.4(a) by
extending the time period within which
an insured depository institution that is
not a public company or a subsidiary of
a public company must file its Part 363
Annual Report from within 90 days to
within 120 days after the end of its
fiscal year. As proposed, an insured
depository institution that is a public
company, or that is a subsidiary of a
public company that meets certain
criteria, would continue to be required
to file its Part 363 Annual Report within
90 days after the end of its fiscal year,
which is consistent with the maximum
time frame that public companies have
for filing annual reports under the
Federal securities laws. The proposed
amendment would also eliminate the
ambiguity in § 363.4 concerning the
filing deadline for the components of
the Part 363 Annual Report that are
prepared by the independent public
accountant.
An insured depository institution
with consolidated total assets of less
than $1 billion that is a public company
or a subsidiary of a public company is
required to file management’s
assessment of the effectiveness of
internal control over financial reporting
with the SEC or the appropriate Federal
banking agency in accordance with the
compliance dates of the SEC’s rules
implementing section 404 of SOX.
Management’s findings and conclusions
with respect to internal control over
financial reporting, as disclosed in the
assessment that management files with
the SEC or the appropriate Federal
banking agency, provide information
that would aid in meeting the objective
of section 36 of the FDI Act. Therefore,
the FDIC proposed to add a provision to
§ 363.4(a) that would require an
institution of this size to submit a copy
of management’s section 404 internal
control assessment with its Part 363
Annual Report, but this assessment
would not be considered part of the
institution’s Part 363 Annual Report.
Five commenters expressed support
for the proposed extension of the filing
deadline for the Part 363 Annual Report
for an institution that is not a public
company or a subsidiary of a public
company. These commenters stated that
the additional 30 days will help to
ensure that auditors are able to devote
sufficient resources to the nonpublic
engagements, provide nonpublic
institutions with the additional time
needed to comply with the filing
requirements, and may help to reduce
the cost of independent audits.
At present, part 363 specifies that the
Part 363 Annual Reports and reports on
peer reviews shall be available for
public inspection. Except for
management letters, which are exempt
from public disclosure pursuant to
existing guideline 18, part 363 does not
address the availability of other reports
and notifications required to be filed
under part 363. Consistent with the
FDIC’s longstanding practice, the FDIC
has revised the proposed rule to clarify
that, except for the annual reports,
AICPA peer review reports, and PCAOB
inspection reports, which shall be
available for public inspection, all other
reports and notifications required to be
filed under part 363 are exempt from
public disclosure by the FDIC.
2. Independent Public Accountant’s
Reports
Section 36(h)(2)(A) of the FDI Act and
§ 363.4(c) require an institution to file a
copy of any management letter or other
report issued by its independent public
accountant that pertains to the financial
statement audit and the attestation on
internal control over financial reporting
within 15 days after receipt by the
institution. The FDIC’s experience in
administering part 363 indicates that
institutions are often uncertain as to
which types of reports they receive from
their independent public accountant
must be submitted to the FDIC, the
appropriate Federal banking agency,
and any appropriate State bank
supervisor pursuant to this filing
requirement. As stated above, this
uncertainty extends to this 15-day filing
requirement and its relationship to the
filing deadline for the Part 363 Annual
Report. To clarify the requirements for
the filing of accountants’ reports, the
FDIC proposed to amend § 363.4(c),
Independent public accountant’s letters
and reports, by providing examples of
the types of reports issued by an
institution’s independent public
accountant, except for the accountant’s
reports that are required to be included
in the institution’s Part 363 Annual
Report, that are to be filed within 15
days after receipt. As proposed,
Guideline 25, Independent
Accountant’s Reports, would be deleted
because it would be redundant and no
longer needed.
In the Interagency Advisory on the
Unsafe and Unsound Use of Limitation
of Liability Provisions in External Audit
Engagement Letters, the Federal banking
agencies expressed their concerns about
limitation of liability provisions
included in external audit engagement
letters and advised institutions against
entering into engagement letters
containing such provisions.9 To enable
the FDIC to timely review institutions’
engagement letters with their
independent public accountants, the
FDIC also proposed to amend § 363.4(c)
to require institutions to file copies of
audit engagement letters, including any
related agreements and amendments,
with the FDIC, the appropriate Federal
banking agency, and any appropriate
State bank supervisor within 15 days of
acceptance by the institution.
9 See 71 FR 6847, February 9, 2006, and FDIC
Financial Institution Letter (FIL) 13–2006, issued on
the same date.
Eight commenters (which included
two bank trade organizations, three
accounting firms, and the accountants’
trade organization) opposed requiring
institutions to file audit engagement
letters and were concerned about their
public availability. These commenters
stated that:
• It is not essential, practical, or
beneficial for an institution to file the
audit engagement letter. The
requirement for the audit committee to
ensure that the letter does not contain
any inappropriate limitation of liability
provisions is sufficient and appropriate.
• Instead of requiring institutions to
file audit engagement letters, the FDIC
could require management’s report to
include a statement that the audit
engagement letter has been reviewed for
unsafe and unsound limitation of
liability provisions.
• The final rule should specify that
audit engagement letters filed with the
FDIC are ‘‘exempt from disclosure’’
under FOIA.
The FDIC notes that, since the
publication of the proposed rule, the
AICPA’s Professional Ethics Executive
Committee has adopted Interpretation
No. 501–8, Failure to Follow
Requirements of Governmental Bodies,
Commissions, or Other Regulatory
Agencies on Indemnification and
Limitation of Liability Provisions in
Connection With Audit and Other Attest
Services, which became effective July
31, 2008.10 This ethics interpretation
states:
Certain governmental bodies, commissions,
or other regulatory agencies (collectively,
regulators) have established requirements
through laws, regulations, or published
interpretations that prohibit entities subject
to their regulation (regulated entity) from
including certain types of indemnification
and limitation of liability provisions in
agreements for the performance of audit or
other attest services that are required by such
regulators or that provide that the existence
of such provisions causes a member to be
disqualified from providing such services to
these entities. For example, Federal banking
regulators, State insurance commissions, and
the Securities and Exchange Commission
have established such requirements.
10 The full text of the Interpretation can be found
on the AICPA’s Web site at the following link:
https://www.aicpa.org/download/ethics/EDITED_Adopted_501_8_final.pdf.
If a member enters into, or directs or
knowingly permits another individual to
enter into, a contract for the performance of
audit or other attest services that are subject
to the requirements of these regulators, the
member should not include, or knowingly
permit or direct another individual to
include, an indemnification or limitation of
liability provision that would cause the
regulated entity or member to be disqualified
from providing such services to the regulated
entity. A member who enters into, or directs
or knowingly permits another individual to
enter into, such an agreement for the
performance of audit or other attest services
that would cause the regulated
entity or a member to be in violation of such
requirements, or that would cause a member
to be disqualified from providing such
services to the regulated entity, would be
considered to have committed an act
discreditable to the profession.
In consideration of the comments
received and the issuance of this ethics
interpretation, the FDIC has reevaluated
this aspect of the proposal and has
decided to remove the proposed
requirement to file audit engagement
letters, which will eliminate the burden
that would have been associated with
this filing requirement. However, the
FDIC cautions institutions and
independent public accountants that
including unsafe and unsound
limitation of liability provisions in audit
engagement letters could result in
adverse consequences. For example, the
FDIC could determine that an audit of
an institution’s financial statements
and, if applicable, its internal control
over financial reporting that has been
performed pursuant to an engagement
letter containing these unsafe and
unsound provisions does not satisfy the
requirements of part 363. The
institution could then be directed to
engage a different independent public
accountant to perform another audit.
The independent public accountant
whose engagement letter contained the
unsafe and unsound limitation of
liability provisions could also be subject
to supervisory action by the FDIC or the
institution’s primary Federal regulator
as well as disciplinary action by the
relevant State board of public
accountancy and the AICPA for an act
discreditable to the profession.
3. Notification of Late Filing
Guideline 23, Relief From Filing
Deadlines, currently provides that in the
occasional event that an institution is
confronted with extraordinary
circumstances beyond its reasonable
control that justifies an extension of the
deadline for filing its Part 363 Annual
Report or another required report or
notice, the institution may submit a
written request for an extension of the
filing deadline of not more than 30 days
that explains the reasons for the request.
Such a request may be granted for good
cause. Over the last several years, the
reasons set forth in the requests for
extensions of time for filing Part 363
Annual Reports that have been
submitted to the FDIC generally did not
represent extraordinary circumstances
beyond the institution’s reasonable
control, the standard currently set forth
in guideline 23. Also, several extension
requests were repeats of requests from
the same institutions from the previous
year.
Based upon this experience and given
the proposed amendment to § 363.4(a)
to extend the filing deadline for Part 363
Annual Reports for non-public
institutions from 90 to 120 days, the
FDIC proposed to replace the extensions
of time for filing reports that are
available only in extraordinary
circumstances under guideline 23 with
a new § 363.4(e), Notification of Late
Filing. In place of filing extensions that
have limited applicability, this new
section would be applicable to all
institutions and would require an
institution that is unable to timely file
all or any portion of its Part 363 Annual
Report or any other report or notice
required to be filed under part 363 to
submit a written notice of late filing
before the filing deadline for the report
or notice. The late filing notice must
disclose the institution’s inability to
timely file all or specified portions of its
Part 363 Annual Report or other report
or notice, the reasons therefor in
reasonable detail, and the date by which
the report or notice will be filed.
The FDIC also proposed to amend
guideline 23 by changing its focus from
extension requests to late filing notices
consistent with the approach taken in
new § 363.4(e). Amended guideline 23
explains that submitting a late filing
notice will not cure the apparent
violation of part 363 arising from an
institution’s failure to timely file a Part
363 Annual Report or any other
required report or notice. The
supervisory response to such an
apparent violation would take into
account the facts and circumstances
surrounding an institution’s delay in
filing. As proposed, guideline 23 also
provides that, if the late filing applies to
only a portion of the Part 363 Annual
Report or any other report or notice, the
components of the report or notice that
have been completed should be filed
within the prescribed filing period
accompanied by either a cover letter
that indicates which components are
omitted or a combined late filing notice
and cover letter.
One commenter suggested that the
FDIC revise the proposed rule to
provide for extensions of the filing due
date for up to 60 days for institutions
that are not public companies or
subsidiaries of public companies
instead of establishing a late filing
notification requirement. In the FDIC’s
dealings with institutions unable to file
their Part 363 Annual Reports by the
filing deadline in the current rule,
whether they are seeking extensions of
the deadline or not, it is not uncommon
for institutions to experience delays in
their ability to file these reports that
extend well in excess of 60 days after
the filing deadline. Therefore, the FDIC
believes that establishing a late filing
notification requirement is a more
practical approach for addressing the
broad range of situations when
institutions are unable to timely file
reports required under part 363 than
providing for longer extensions of the
filing deadline in those cases where an
institution meets an extraordinary
circumstances standard. Accordingly,
the FDIC has decided to adopt this
aspect of the rule as proposed without
revision.
4. Place for Filing
Current guideline 22 identifies the
office of the FDIC, the appropriate
Federal banking agency, and the
appropriate State bank supervisor to
which reports and notices (other than
peer review reports) required by part
363 are to be filed. Nevertheless, the
FDIC has found that some institutions
submit required reports and notices to
incorrect locations. The FDIC staff also
receives questions from institutions
asking where reports and notices should
be filed. To make the information as to
where Part 363 Annual Reports, written
notices of late filing, and other reports
and notices (except peer review reports)
are to be filed more prominent, the FDIC
proposed to move this information from
guideline 22, Place for Filing, to a new
§ 363.4(f), Place for Filing. No comments
were received on this aspect of the
proposal.
E. Audit Committees (§ 363.5 and
Guidelines 27–35)
1. Composition
Section 36(g)(1) of the FDI Act and
§ 363.5(a) require each insured
depository institution subject to part
363 to have an independent audit
committee comprised entirely of outside
directors. As defined in § 363.5(a)(3), in
general, an outside director is a director
who is not an officer or employee of the
institution or any affiliate of the
institution. In addition, the outside
directors who serve on the audit
committee must be ‘‘independent of
management,’’ although a minority of
the audit committee members of
institutions with $500 million or more
but less than $1 billion in total assets
need not be ‘‘independent of
management.’’ Guideline 27,
Composition, requires each institution’s
board of directors to determine at least
annually whether existing and potential
audit committee members satisfy the
requirements governing audit committee
composition.
In order for a board of directors to
perform its evaluation of audit
committee members in a consistent,
effective, and reviewable manner, the
FDIC believes the board should be
guided by an approved policy or set of
criteria that identifies the factors to be
taken into account by the board.
Accordingly, the FDIC proposed to
amend guideline 27 to require each
institution’s board of directors to
maintain an approved set of written
criteria for determining whether a
director who is to serve on the audit
committee is an outside director and is
independent of management and to
apply these criteria, at least annually, to
determine whether each existing or
potential audit committee member
meets the requirements of section 36
and part 363. The proposed amendment
to guideline 27 also requires that the
results of and basis for the board’s
determination with respect to each
existing and potential audit committee
member be recorded in the board’s
minutes.
Two commenters expressed support
for the proposed requirement in
guideline 27 for each institution’s board
of directors to adopt written criteria for
determining if audit committee
members meet the requirements of
section 36 and part 363 and view it as
a best practice. One of these
commenters also recommended that the
FDIC revise or expand § 363.5(b) or
guideline 28 to clarify the extent to
which audit committee members who
meet the SEC’s definition of ‘‘audit
committee financial expert’’ will be
deemed to have ‘‘banking or related
financial management expertise’’ for
part 363 purposes.
However, three commenters,
including one bankers’ trade
organization, were not supportive of the
proposed amendments to guideline 27.
These commenters objected to the
documentation requirements for audit
committee members’ independence and
the requirements for the board of
directors’ minutes to reflect the results
of and basis for the board’s
determinations regarding audit
committee members’ independence. As
an alternative, two of these commenters
recommended that audit committees be
permitted to survey existing and
potential members and make the survey
available to examiners but not reflect
the survey results in the board of
directors’ minutes.
In addition to being a best practice,
the FDIC believes that the adoption and
implementation by an institution’s
board of directors of an approved policy
or set of criteria that identifies the
factors to be taken into account for
evaluating audit committee member
independence improves corporate
governance. Documenting the results of
and basis for determinations with
respect to each existing and potential
audit committee member in the board’s
minutes further supports good corporate
governance and provides evidence that
the board is properly discharging its
responsibilities under part 363 in the
process for selecting audit committee
members. Applying an approved policy
or set of criteria and documenting the
results provide a more robust and
consistent process than having audit
committees themselves survey existing
and potential committee members for
review by examiners, but with no
oversight by the entire board of
directors.
Nevertheless, an annual survey of
existing and potential audit committee
members by the board may be a useful
mechanism for determining whether
these individuals satisfy the board’s
policy or set of criteria. For these
reasons, the FDIC has decided to adopt
guideline 27 as proposed without any
revision.
As to the suggestion regarding
clarification of the extent to which audit
committee members who have the
attributes of an ‘‘audit committee
financial expert’’ under the SEC’s rules
will be deemed to have ‘‘banking or
related financial management
expertise,’’ the FDIC has revised
guideline 32, Banking or Related
Financial Management Expertise, to
clarify that such persons will satisfy the
criteria set forth in the guideline.
Guideline 30, Holding Company
Audit Committees, provides guidance
for complying with the audit committee
requirements of part 363 at the holding
company level. The FDIC proposed to
amend guideline 30 for consistency
with the proposed revisions to the
holding company provisions of
§ 363.1(b) and to reflect the difference in
the audit committee composition
requirements in § 363.5(a) for
institutions with more than and less
than $1 billion in total assets. No
comments were received on this aspect
of the proposal.
2. ‘‘Independent of Management’’
Considerations
Guideline 28, ‘‘Independent of
Management’’ Considerations, identifies
five factors for a board of directors to
consider when determining the
independence of an outside director.
Guideline 29, Lack of Independence,
states that a director who owns or
controls 10 percent or more of any class
of the institution’s voting securities
should not be considered ‘‘independent
of management.’’ The FDIC has found
that some of the factors in guideline 28
are so general that they fail to provide
meaningful guidance to boards of
directors. At the same time, many of the
institutions subject to part 363 or their
parent holding companies are public
companies with securities listed on a
national securities exchange. Under the
SEC’s Rule 10A–3 (17 CFR 240.10A–3),
each audit committee member of a listed
issuer must be a director of the issuer
and must otherwise be independent.
The listing standards of the national
securities exchange must set forth the
criteria for determining the
independence of directors who are to
serve on a listed issuer’s audit
committee.
Based on its review, the FDIC stated
in the proposal to amend part 363 that
it believed that the independence
criteria for audit committee members
included in the listing standards of the
national securities exchanges, together
with the FDIC’s existing stock
ownership criterion in guideline 29,
represented an appropriate framework
for determining whether an outside
director is ‘‘independent of
management’’ for purposes of part 363.
Furthermore, for an institution whose
audit committee members or whose
parent holding company’s audit
committee members, if the holding
company meets the holding company
provisions of § 363.1(b), are subject to
the listing standards of a national
securities exchange, the FDIC observed
that allowing the institution to use these
standards for part 363 purposes would
reduce the institution’s burden.
Therefore, the FDIC proposed to
combine guidelines 28 and 29 and
provide expanded guidance for an
institution’s board of directors to use in
its assessment of an outside director’s
relationship to the institution for the
purposes of making ‘‘independent of
management’’ determinations regarding
audit committee members. For example,
the proposed amendment to guideline
28 included a list of criteria that an
institution’s board of directors should
consider when determining whether an
outside director would be considered
‘‘independent of management.’’ In
developing the proposed list of criteria,
the FDIC considered, but did not
entirely replicate, the portion of the
listing standards of the national
securities exchanges that apply to audit
committees. An institution’s board of
directors may also conclude that it
should consider additional criteria that
may be appropriate in its particular
circumstances. As an alternative to
these criteria, revised guideline 28
would permit an institution that is a
public company or a subsidiary of a
public company (when the holding
company provisions of § 363.1(b) are
met) that is subject to the listing
standards of a national securities
exchange to apply the audit committee
provisions of the listing standards for
purposes of determining audit
committee member independence.
Similarly, all other institutions,
including those that are not public
companies, may elect, but would not be
required, to adopt the audit committee
provisions of the listing standards of a
national securities exchange or
association as their criteria for
determining audit committee member
independence.
While two commenters supported the
proposed amendments regarding audit
committee independence, five
commenters (which included two
bankers’ trade organizations and three
financial institutions) expressed certain
concerns or suggested changes to the
proposal. These commenters suggested
that:
• Shareholders of closely-held
companies should not be automatically
prohibited from serving on the audit
committee solely because they own 10
percent or more of the institution’s
voting stock.
• The FDIC should raise the proposed
compensation limitation threshold from
$60,000 to $100,000.
• The meaning of ‘‘financial services’’
as it relates to indirect compensation
should be clarified. Furthermore, the
need for ‘‘indirect compensation’’ limits
is questionable given all of the other
independence requirements.
• Proposed guideline 28(b)(7) should
be revised by removing from the
definition of ‘‘payment’’ loans and other
services extended to directors in the
ordinary course of an institution’s
business as well as payments arising
solely from investments in the bank’s
securities and payments made under
non-discretionary charitable
contribution matching programs. The
$200,000 or 5 percent of gross revenues
test in this guideline should be
measured against the revenues of the
recipient of the payment, and not the
outside employer.
• Applying the director
independence standards of the national
securities exchanges to privately held
banks will impose challenges for
community banks located in areas
where it is difficult to find competent
directors to serve on the audit
committee.
• Existing guidelines 28 and 29
provide sufficient guidance for
institutions to determine the
independence of a director.
• Audit committee independence
criteria should consider an individual
institution’s complexity and risk profile.
For community banks, audit committee
member independence can be difficult
to accomplish and maintain.
In response to these comments and
concerns, the FDIC has carefully
reviewed the provisions of proposed
revised guideline 28 on the
‘‘independent of management’’
considerations that should be applied to
audit committee members. First, the
FDIC has reconsidered the existing 10
percent stock ownership limit for audit
committee members. In this regard, the
SEC’s and the national securities
exchanges’ rules do not impose such a
limit on audit committee members.
Therefore, consistent with these entities’
rules, the FDIC is revising guideline 28
to provide that ownership of 10 percent
or more of any class of voting securities
of an institution would not be an
automatic bar for considering an outside
director to be independent of
management. The revised guideline
further provides that when an outside
director’s stock ownership equals or
exceeds the 10 percent threshold, the
institution’s board of directors would be
required to determine and document its
determination as to whether such
ownership would interfere with the
outside director’s exercise of
independent judgment in carrying out
the responsibilities of an audit
committee member.
Next, the FDIC has reconsidered the
compensation limit applicable to audit
committee members for direct and
indirect compensation and, as suggested
by commenters, has revised guideline
28 to increase the compensation
threshold from $60,000 to $100,000.
Additionally, the comments seeking
greater clarity concerning the meaning
of indirect compensation and the types
of payments deemed to be
compensation have merit. Therefore, the
FDIC has revised the guideline to
provide examples of indirect
compensation and to specify that certain
payments would not be included within
the meaning of the terms direct and
indirect compensation.
In response to the suggestion to
remove loans and other services
extended to directors in the ordinary
course of an institution’s business as
well as payments arising solely from
investments in the bank’s securities and
payments made under non-discretionary
charitable contribution matching
programs from the definition of
‘‘payment,’’ the FDIC has revised and
expanded guideline 28(b)(8) to specify
what payments are not included within
the meaning of the terms direct and
indirect compensation and payments.
As to the suggestion regarding the basis
of the measurement for the $200,000 or
5 percent of gross revenue test, the FDIC
has decided to retain this requirement
as proposed so as to maintain
consistency with the similar
requirements set forth in the listing
standards of the national securities
exchanges and thereby minimize
confusion in the application of this
requirement.
Based on questions it has received
from covered institutions and its
experience in administering the criteria
set forth in the existing guidelines 28 and
29 regarding audit committee member
independence, the FDIC concluded that
these guidelines did not provide
sufficient guidance for institutions to
determine the independence of a
director for the purposes of serving on
an institution’s audit committee.
Therefore, the FDIC’s experience
contradicts the views of the commenter
who asserted that the existing
guidelines provide sufficient guidance.
The FDIC acknowledges that some
community banks may encounter
challenges in accomplishing and
maintaining audit committee member
independence. In recognition of these
challenges, the FDIC amended the audit
committee provisions of part 363 in
2005 to allow a minority of the outside
directors who serve on the audit
committee of covered institutions with
less than $1 billion in total assets not to
be independent of management. After
reviewing the criteria listed in proposed
guideline 28 as they would be modified
as discussed above, the FDIC believes
that the nature and types of
relationships included in the list
represent a reasonable framework for
evaluating whether outside directors
who are candidates for the audit
committees of covered institutions of all
sizes, both public and nonpublic, are
independent of management. Of
particular note, the criteria include a
$100,000 limit on certain forms of direct
and indirect compensation to a director
or immediate family members. In
contrast, the SEC’s and the national
securities exchanges’ rules currently
limit the compensation of audit
committee members to fees received as
a director and audit committee member
and prohibit all other compensation,
direct and indirect. The FDIC chose not
to impose this prohibition, which
applies to audit committee members of
certain public companies, on all insured
institutions subject to part 363. The
absence of this prohibition on
compensation from the criteria in
guideline 28 should benefit nonpublic
community institutions subject to part
363. Similarly, the removal of the 10
percent stock ownership limit from the
audit committee independence criteria
should benefit community institutions.
Therefore, the FDIC believes that the
proposed amendments to guideline 28,
as modified in response to comments,
will provide institutions’ boards of
directors with appropriate guidance and
sufficient flexibility for establishing
their institutions’ criteria for making
‘‘independent of management’’
determinations for audit committee
members.
In light of the revisions to guideline
28 regarding the criteria for determining
an audit committee member’s
independence, boards of directors and
audit committee members of covered
institutions are reminded that under
part 363 the selection of a director to
serve as an audit committee member is
basically a three-step process. The first
step is to determine which of the
composition requirements set forth in
§ 363.5(a)(1) and (2) are applicable to
the institution’s audit committee. The
second step is to determine if each
director who is to serve on the audit
committee is an ‘‘outside director’’ as
defined in § 363.5(a)(3). The third step
is to determine if each ‘‘outside
director’’ is independent of management
in accordance with the provisions of
guideline 28.
3. Audit Committee Duties
According to section 36(g)(1)(B) of the
FDI Act and § 363.5(a), an audit
committee’s duties include reviewing
the basis for the part 363 Annual Report
with both management and the
independent public accountant.
Guideline 31 further provides that the
audit committee’s duties should be
appropriate to the size of the institution
and the complexity of its operations and
it identifies additional duties that could
be appropriate for the audit committee.
These additional duties include
discussing with management the
selection and termination of the
institution’s independent public
accountant. In addition, guideline 26
provides that, before engaging an
independent public accountant, an
institution should review and satisfy
itself that the accountant is in
compliance with the required
qualifications set forth in guidelines 13
through 15, including the accountant’s
independence and receipt of a peer
review.
Under section 301 of SOX, the audit
committee of each public company
listed on a national securities exchange
or association must be responsible for
the appointment, compensation, and
oversight of the accounting firm engaged
to prepare or issue an audit report or
perform related work. As the SEC noted
when it adopted its final rule
implementing section 301, ‘‘the auditing
process may be compromised when a
company’s outside auditors view their
responsibility as serving the company’s
management rather than its full board of
directors or audit committee. This may
occur if the auditor views management
as the employer with hiring, firing and
compensating powers. Under these
conditions, the auditor may not have the
appropriate incentive to raise concerns
and conduct an objective review. * * *
One way to help promote auditor
independence, then, is for the auditor to
be hired, evaluated and, if necessary,
terminated by the audit committee.’’
Because the intent and purpose of
section 36 of the FDI Act is the early
identification of needed improvements
in financial management, it is critical
for the accountants that perform audit
and attestation services for insured
depository institutions subject to section
36 to have an appropriate incentive to
raise concerns and conduct an objective
review. In this regard, the FDIC believes
it is a sound corporate governance
practice for an institution’s audit
committee, rather than its management,
to be responsible for the appointment,
compensation, and oversight of the
accountant, regardless of whether the
institution is a public company.
Therefore, the FDIC proposed to
amend § 363.5(a), Composition and
Duties, and guideline 31, Duties, to
specify that, in addition to reviewing
with management and the independent
public accountant the basis for the
reports issued under part 363, the duties
of the audit committee include the
appointment, compensation, and
oversight of the independent public
accountant who performs services
required under part 363. In order to
discharge these duties with respect to
the independent public accountant, the
audit committee should also review and
satisfy itself as to the independent
public accountant’s compliance with
the independence, peer review, and
other qualifications under part 363.
Additionally, the audit committee
should be familiar with and ensure
management’s compliance with the
requirement to file notices concerning
the engagement, resignation, or
dismissal of an independent public
accountant. The FDIC proposed to
include these duties in guideline 31.
Three commenters expressed support
for the proposed amendments regarding
the duties of the audit committee and
stated that it represents a best practice
regardless of an entity’s asset size.
However, one commenter, who was not
supportive of the proposed
amendments, recommended that the
proposal be revised to remove the
mandate for the audit committee to
appoint and oversee the independent
accountants in cases where the bank is
privately-owned, more than 80 percent
of the voting shares are owned by a sole
owner or the principal owner’s
immediate family, the shareholders
authorize procedures to be followed
with respect to the appointment and
oversight of the independent
accountants, and the bank has a
Uniform Financial Institutions Rating of
1 or 2. This commenter also stated that
while appointing the independent
accountant is expected to be normal for
an audit committee of a publicly-owned
company, the value for a privatelyowned company is less clear.
Additionally, this commenter stated that
banks that are wholly owned by a single
or a few shareholders, who are all
immediate family members, do not need
a separate board committee to do what
they can do directly and that the
mandate for a separate audit committee
in these cases adds nothing to safety and
soundness but adds additional
bureaucracy and cost to the bank.
Although the FDIC has considered
these comments, this commenter’s
concerns, in essence, relate to the
requirement for covered institutions,
particularly for those that are privatelyowned, to establish independent audit
committees. In response, the FDIC notes
that section 36(g) of the FDI Act requires
each institution to which section 36
applies to have an independent audit
committee made up of outside directors
who are independent of management.
Consequently, the FDIC lacks the
rulemaking authority to permit a
covered institution not to have an
independent audit committee or to
permit a covered institution’s entire
board of directors to act as an audit
committee based on the nature of the
institution’s ownership. In this regard,
in enacting section 36, Congress
recognized the significant public
interest in sound financial management
and controls at covered institutions,
including the important role of an
independent audit committee,
regardless of their ownership structure.
Therefore, the FDIC has decided to
adopt the proposed changes pertaining
to audit committee duties without
revision.
4. Independent Public Accountant
Engagement Letters
In response to an observed increase in
the types and frequency of provisions in
financial institutions’ external audit
engagement letters that limit the
auditors’ liability, the Federal banking
agencies issued an Interagency Advisory
on the Unsafe and Unsound Use of
Limitation of Liability Provisions in
External Audit Engagement Letters
(Interagency Advisory) in February
2006.[11] When they issued the
Interagency Advisory, the agencies
stated their belief that when institutions
agree to limit their external auditors’
liability in provisions in engagement
letters, such provisions may weaken the
external auditors’ objectivity,
impartiality, and performance, which
may reduce the reliability of audits and
thereby raise safety and soundness
concerns. The reliability of audits is
central to achieving the intent and
purpose of section 36 of the FDI Act.
Therefore, the FDIC proposed to add
§ 363.5(c), Independent Public
Accountant Engagement Letters, and
amend guideline 31, Duties, to
incorporate the principal provisions of
the Interagency Advisory.
As proposed, § 363.5(c) and guideline
31 would require the audit committee to
ensure that audit engagement letters and
any related agreements with the
independent public accountant for
services to be performed under part 363
do not contain any limitation of liability
provisions that: (1) Indemnify the
independent public accountant against
claims made by third parties; (2) hold
harmless or release the independent
public accountant from liability for
claims or potential claims that might be
asserted by the client insured depository
institution, other than claims for
punitive damages; or (3) limit the
remedies available to the client insured
depository institution. Consistent with
the Interagency Advisory, the proposed
amendment would not preclude the use
of alternative dispute resolution
agreements and jury trial waivers. Four
commenters expressed support for these
proposed amendments to part 363. One
of these commenters viewed this audit
committee duty as a best practice. The
FDIC is adopting these amendments as
proposed.
[11] See 71 FR 6847, February 9, 2006, and FDIC
Financial Institution Letter (FIL) 13–2006, issued on
the same date.
5. Transition Period for Forming and
Restructuring Audit Committees
When an insured depository
institution first exceeds the $500
million total assets threshold and
becomes subject to part 363, particularly
an institution with few shareholders,
the FDIC has observed that, in some
cases, such an institution encounters
difficulty in satisfying the requirements
governing the composition of the
independent audit committee. If the
board of directors lacks a sufficient
number of outside directors who are
independent of management to serve on
the audit committee, the board members
must identify and attract qualified
individuals in their community who
would be willing to become directors
and audit committee members and who
would be ‘‘independent of
management.’’ The lack of guidance in
part 363 on the amount of time in which
an institution must bring its audit
committee into compliance with the
requirements governing its composition
when an institution first becomes
subject to part 363 further complicates
this process. This lack of guidance on
the time frame for attaining compliance
also affects the other two asset-size
thresholds applicable to audit
committee composition.
To provide both clarity and regulatory
relief, the FDIC proposed to replace
outdated guideline 35, which dealt with
compliance with the audit committee
requirements of part 363 when the
regulation took effect in 1993, with a
revised guideline 35, Transition Period
for Forming and Restructuring Audit
Committees. As proposed, guideline 35
would provide a one-year transition
period for forming or restructuring the
audit committee when an institution
first becomes subject to part 363, when
an institution’s assets first reach the $1
billion asset-size threshold, and when
an institution’s assets first reach the $3
billion asset-size threshold. The
proposed revised guideline would state
that, when an institution first crosses
one of these three thresholds based on
its total assets at the beginning of its
fiscal year, no regulatory action would
be taken if the institution forms or
restructures its audit committee to
comply with the applicable
requirements governing the composition
of the committee by the end of that
fiscal year, provided the institution
complied with any applicable audit
committee requirements for its
preceding fiscal year. The FDIC has also
revised guideline 35 to clarify that,
when an institution first becomes
subject to part 363, this one-year
transition period extends to the
requirement for an institution’s board of
directors to develop a set of written
criteria for determining whether a
director who is to serve on the audit
committee is an outside director and is
independent of management. Two
commenters expressed support for the
proposed revisions to guideline 35,
which the FDIC is adopting as proposed.
F. Other Changes to Part 363
The FDIC also proposed to make other
changes to part 363 to improve its
clarity, readability, and consistency of
language, and to correct or eliminate
outdated terms, references, and
provisions in the regulation and
Appendix A. No comments on the
proposal specifically addressed these
other changes, which the FDIC is
adopting as proposed.
G. Proposed Amendment to Part 308,
Subpart U
In August 2003, pursuant to section
36(g)(4) of the FDI Act, the FDIC and the
other Federal banking agencies jointly
issued final rules governing their
authority to take disciplinary actions
against independent public accountants
and accounting firms that perform audit
and attestation services required by
section 36.[12] Under the final rules,
certain violations of law, negligent
conduct, reckless violation of
professional standards, or lack of
qualifications to perform auditing
services may be considered good cause
to remove, suspend, or bar an
accountant or firm from providing audit
and attestation services for institutions
subject to section 36. The rules also
prohibit an accountant or accounting
firm from performing these services if
the accountant or firm has been
removed, suspended, or debarred by one
of the agencies, or if the SEC or PCAOB
takes certain disciplinary actions against
the accountant or firm. Additionally, the
final rules require an accountant or an
accounting firm to provide the agencies
with written notification of the
accountant’s or firm’s removal,
suspension, or debarment. Part 308,
subpart U, of the FDIC’s regulations
implements the requirements of section
36(g)(4) of the FDI Act for institutions
that are supervised by the FDIC. The
FDIC proposed to amend § 308.604(c) to
identify the FDIC location where an
accountant or accounting firm should
file required notices of orders and
actions regarding removal, suspension,
or debarment. The FDIC received no
comments on this proposed
amendment, which it is adopting as
proposed.
[12] See 68 FR 48256, April 13, 2003, and the
FDIC’s Financial Institution Letter (FIL) FIL–66–
2003, dated August 18, 2003.
IV. Final Rule
The FDIC has considered the
comments received on its proposed
amendments to part 363 and is adopting
the amendments with the modifications
and revisions that are more fully
discussed in section III of this notice.
The following is a summary of the most
significant changes made to the
proposal and incorporated into the final
rule in response to the comments
received:
• To reduce regulatory burden, the
proposed requirement to file audit
engagement letters within 15 days of
acceptance by a covered institution was
deleted.
• Guidance was added to the
proposed requirement to disclose
noncompliance with the designated
safety and soundness laws and
regulations—insider loans and dividend
restrictions—to explain the extent of the
required disclosure and to clarify that
the disclosure applies only to
noncompliance with these two
designated categories of laws and
regulations and not every safety and
soundness law and regulation.
• To provide holding company
subsidiary institutions that would not
meet the proposed 75 percent of
consolidated total assets threshold that
permits, but does not require,
compliance with part 363 at the holding
company level sufficient time to comply
at the institution level, the effective date
of this threshold was delayed until
fiscal years ending on or after June 15,
2010. Until then, institutions may
continue to choose to satisfy the
requirements of part 363 at a holding
company level (to the extent currently
permitted by part 363) whether or not
the consolidated total assets of the
insured depository institution
subsidiaries of the holding company
comprise 75 percent or more of the
holding company’s consolidated total
assets at the beginning of its fiscal year.
• The proposed requirements
regarding the disclosure of material
weaknesses in internal control over
financial reporting by management and
the independent public accountant were
clarified and revised for consistency
with the applicable auditing standards.
The final rule provides that
management and the accountant must
disclose those material weaknesses in
internal control over financial reporting
that each has identified that have not
been corrected prior to the institution’s
fiscal year-end.
• The proposed requirements
regarding the auditor’s communications
with audit committees were clarified
and revised to explain that auditors
must satisfy the communication
requirements set forth in the
professional standards and those set
forth in part 363.
• The proposed requirement that
auditors comply with the independence
rules of the AICPA, the SEC, and the
PCAOB was clarified to require
compliance with the more restrictive
requirement when a provision within
one of the applicable independence
standards differs from a provision
addressing the same subject matter in
one of the other independence
standards.
• The proposal was revised to require
only the public portions of PCAOB
inspection reports to be filed with the
FDIC.
• The provision of part 363 stating
that an outside director who owns 10
percent or more of an institution’s stock
is not independent of management was
revised to be consistent with the SEC’s
and the national securities exchanges’
rules. Rather than being an automatic
bar for considering an outside director
to be independent of management, the
rule was revised to require the
institution’s board of directors to
document its determination as to
whether an outside director’s ownership
of 10 percent or more of the institution’s
stock would interfere with the director’s
independent judgment in carrying out
the responsibilities of an audit
committee member.
• The proposed maximum level of
compensation, other than director and
committee fees, that an audit committee
member may receive and be considered
independent of management was
increased from $60,000 to $100,000.
• Except for the part 363 Annual
Report and the independent public
accountants’ peer review reports and
inspection reports, which the FDI Act
requires to be made publicly available,
part 363 was revised to exempt all other
reports and notifications filed under
part 363 from public disclosure by the
FDIC.
V. Effective and Compliance Dates
Except as noted below, the final rule
is effective August 6, 2009.
The final rule applies to Part 363
Annual Reports with a filing deadline
on or after the effective date of these
amendments. Under the final rule, the
filing deadline for Part 363 Annual
Reports is 120 days after the end of its
fiscal year for an institution that is
neither a public company nor a
subsidiary of a public company and 90
days after the end of its fiscal year for
an institution that is a public company
or a subsidiary of a public company.
To provide the boards of directors of
institutions currently subject to part 363
sufficient time to comply with the new
provision of guideline 27 regarding the
development of an approved set of
written criteria for determining whether
a director who is to serve on the audit
committee is an outside director and is
independent of management, the FDIC
has determined that it is appropriate to
set a delayed compliance date of
December 31, 2009, for developing and
adopting these written criteria.
However, this delayed compliance date
does not apply to the other provisions
of guideline 27 regarding the
composition of the audit committee,
which have not been substantively
changed. More specifically, at least
annually, the board of each institution
should determine whether each existing
or potential audit committee member is
an outside director and, depending on
an institution’s size, whether the
requisite number of existing and
potential audit committee members are
‘‘independent of management’’ of the
institution. Also, the minutes of the
board of directors should contain the
results of and the basis for its
determinations with respect to each
existing and potential audit committee
member.
Also, to provide institutions that
currently comply with part 363 at the
holding level but would not meet the
75-percent-of-consolidated-total-assets
threshold for eligibility to comply at the
holding company level set forth in the
final rule (§ 363.1(b)(1)(ii)) sufficient
time to comply with this new
requirement, the FDIC has determined
that it is appropriate for the effective
date of this provision of the final rule to
be delayed until fiscal years ending on
or after June 15, 2010. In this regard,
§ 363.1(b)(1) of the final rule not only
specifically provides for this delayed
effective date but it also states that, for
fiscal years ending on or before June 14,
2010, a covered institution that is a
subsidiary of a holding company may
continue to satisfy the audited financial
statements requirement of part 363 at a
holding company level whether or not
the covered institution’s total assets (or
the consolidated total assets of all of its
parent holding company’s insured
depository institution subsidiaries)
comprise 75 percent or more of the
holding company’s consolidated total
assets at the beginning of the fiscal year.
Regulatory Flexibility Act Analysis
The Regulatory Flexibility Act (RFA)
requires an agency that is issuing a final
rule to provide a final regulatory
flexibility analysis or to certify that the
rule will not have a significant
economic impact on a substantial
number of small entities. See 5 U.S.C.
603(a) and 5 U.S.C. 603(b). Under
regulations issued by the Small
Business Administration (see 13 CFR
121.201), a small entity includes a bank
holding company, commercial bank, or
savings association with assets of $175
million or less (collectively, small
banking organizations). This final rule
would modify the audit and reporting
requirements applicable to insured
depository institutions with total assets
of $500 million or more. The FDIC
believes that this final rule will not have
a significant economic impact on a
substantial number of small entities
because the final rule expressly exempts
insured depository institutions with
total assets of less than $500 million. In
addition, the FDIC did not receive any
comments that the proposal would have
a direct significant impact on small
banking organizations. Accordingly, the
FDIC certifies that this rule will not
have a significant economic impact on
a substantial number of small entities.
Paperwork Reduction Act
This final rule contains modifications
to a collection of information that has
been reviewed and approved by the
Office of Management and Budget
(OMB) under control number 3064–
0113, pursuant to the Paperwork
Reduction Act (44 U.S.C. 3501 et seq.).
The estimated annual burden for the
revisions in this final rule is consistent
with the burden estimate for those
revisions in the proposed rule, taking
into account a reduction in the number
of respondents, and approved by OMB.
The principal revisions that bear on the
collection of information under part 363
are the extension of the filing deadline
for the part 363 Annual Report from 90
to 120 days after the end of the fiscal
year for an institution that is not a
public company or a subsidiary of a
public company, the replacement of 30-day extension requests (when an
institution is confronted with
extraordinary circumstances beyond its
reasonable control) with late filing
notices (regardless of the reason), the
modification of the criteria governing
the acceptability of reports at the
holding company level rather than at
the institution level, the expanded
guidance on the content of the
management report and the
independent public accountant’s
internal control attestation report, the
board of directors’ use of an approved
set of written criteria for determining
whether an audit committee member is
an outside director and is ‘‘independent
of management,’’ and the new
guidelines for institutions merged out of
existence and for internal control
reports for acquired businesses. It is
anticipated that the overall effect of
these changes will be a small burden
increase for affected insured
institutions.
The estimated reporting burden for
the collection of information under part
363 is 83,324 hours per year.
Number of Respondents: 5,205.
Total Time per Response: 5.16 hrs.
Total Annual Responses: 16,163.
Total Annual Burden Hours: 83,324.
Small Business Regulatory Enforcement
Fairness Act
The Small Business Regulatory
Enforcement Fairness Act of 1996
(SBREFA) (Title II, Pub. L. 104–121)
provides generally for agencies to report
rules to Congress and the General
Accountability Office (GAO) for review.
The reporting requirement is triggered
when a Federal agency issues a final
rule. The FDIC will file the appropriate
reports with Congress and the GAO as
required by SBREFA. The Office of
Management and Budget has
determined that the rule does not
constitute a ‘‘major rule’’ as defined by
SBREFA.
List of Subjects
12 CFR Part 308
Administrative practice and
procedure, Bank deposit insurance,
Banks, Banking, Claims, Crime, Equal
access to justice, Investigations,
Lawyers, Penalties, State nonmember
banks.
12 CFR Part 363
Accounting, Administrative practice
and procedure, Banks, Banking,
Reporting and recordkeeping
requirements.
■ For the reasons set forth in the
preamble, the Board of Directors of the
FDIC amends title 12, chapter III, of the
Code of Federal Regulations as follows:
PART 308—RULES OF PRACTICE AND
PROCEDURE
Subpart U—Removal, Suspension, and
Debarment of Accountants From
Performing Audit Services
■ 1. The authority citation for part 308
continues to read as follows:
Authority: 5 U.S.C. 504, 554–557; 12
U.S.C. 93(b), 164, 505, 1815(e), 1817, 1818,
1820, 1828, 1829, 1829b, 1831i, 1831m(g)(4),
1831o, 1831p–1, 1832(c), 1884(b), 1972,
3102, 3108(a), 3349, 3909, 4717; 15 U.S.C.
78(h) and (i), 78o–4(c), 78o–5, 78q–1, 78s,
78u, 78u–2, 78u–3 and 78w, 6801(b),
6805(b)(1); 28 U.S.C. 2461 note; 31 U.S.C.
330, 5321; 42 U.S.C. 4012a; Sec. 3100(s), Pub.
L. 104–134, 110 Stat. 1321–358.
■ 2. Revise § 308.604(c) to read as
follows:
§ 308.604 Notice of removal, suspension,
or debarment.
* * * * *
(c) Timing and place of notice.
Written notice required by this
paragraph shall be given no later than
15 calendar days following the effective
date of an order or action, or 15 calendar
days before an accountant or accounting
firm accepts an engagement to provide
audit services, whichever date is earlier.
The written notice must be filed by the
independent public accountant or
accounting firm with the FDIC,
Accounting and Securities Disclosure
Section, 550 17th Street, NW.,
Washington, DC 20429.
■ 3. Revise part 363 to read as follows:
PART 363—ANNUAL INDEPENDENT
AUDITS AND REPORTING
REQUIREMENTS
Sec.
363.0 OMB control number.
363.1 Scope and definitions.
363.2 Annual reporting requirements.
363.3 Independent public accountant.
363.4 Filing and notice requirements.
363.5 Audit committees.
Appendix A to Part 363—Guidelines and
Interpretations
Appendix B to Part 363—Illustrative
Management Reports
Authority: 12 U.S.C. 1831m.
§ 363.0 OMB control number.
The information collection
requirements in this part have been
approved by the Office of Management
and Budget under OMB control number
3064–0113.
§ 363.1 Scope and definitions.
(a) Applicability. This part applies to
any insured depository institution with
respect to any fiscal year in which its
consolidated total assets as of the
beginning of such fiscal year are $500
million or more. The requirements
specified in this part are in addition to
any other statutory and regulatory
requirements otherwise applicable to an
insured depository institution.
(b) Compliance by subsidiaries of
holding companies. (1) For an insured
depository institution that is a
subsidiary of a holding company, the
audited financial statements
requirement of § 363.2(a) may be
satisfied:
(i) For fiscal years ending on or before
June 14, 2010, by audited consolidated
financial statements of the top-tier or
any mid-tier holding company.
(ii) For fiscal years ending on or after
June 15, 2010, by audited consolidated
financial statements of the top-tier or
any mid-tier holding company provided
that the consolidated total assets of the
insured depository institution (or the
consolidated total assets of all insured
depository institutions, regardless of
size, if the holding company owns or
controls more than one insured
depository institution) comprise 75
percent or more of the consolidated total
assets of this top-tier or mid-tier holding
company as of the beginning of its fiscal
year.
(2) The other requirements of this part
for an insured depository institution
that is a subsidiary of a holding
company may be satisfied by the top-tier
or any mid-tier holding company if the
insured depository institution meets the
criterion specified in § 363.1(b)(1) and
if:
(i) The services and functions
comparable to those required of the
insured depository institution by this
part are provided at this top-tier or mid-tier holding company level; and
(ii) The insured depository institution
has as of the beginning of its fiscal year:
(A) Total assets of less than $5 billion;
or
(B) Total assets of $5 billion or more
and a composite CAMELS rating of 1 or
2.
(3) The appropriate Federal banking
agency may revoke the exception in
paragraph (b)(2) of this section for any
institution with total assets in excess of
$9 billion for any period of time during
which the appropriate Federal banking
agency determines that the institution’s
exemption would create a significant
risk to the Deposit Insurance Fund.
(c) Financial reporting. For purposes
of the management report requirement
of § 363.2(b) and the internal control
reporting requirement of § 363.3(b),
‘‘financial reporting,’’ at a minimum,
includes both financial statements
prepared in accordance with generally
accepted accounting principles for the
insured depository institution or its
holding company and financial
statements prepared for regulatory
reporting purposes. For recognition and
measurement purposes, financial
statements prepared for regulatory
reporting purposes shall conform to
generally accepted accounting
principles and section 37 of the Federal
Deposit Insurance Act.
(d) Definitions. For purposes of this
part, the following definitions apply:
(1) AICPA means the American
Institute of Certified Public
Accountants.
(2) GAAP means generally accepted
accounting principles.
(3) PCAOB means the Public
Company Accounting Oversight Board.
(4) Public company means an insured
depository institution or other company
that has a class of securities registered
with the U.S. Securities and Exchange
Commission or the appropriate Federal
banking agency under Section 12 of the
Securities Exchange Act of 1934 and
nonpublic company means an insured
depository institution or other company
that does not meet the definition of a
public company.
(5) SEC means the U.S. Securities and
Exchange Commission.
(6) SOX means the Sarbanes-Oxley
Act of 2002.
§ 363.2 Annual reporting requirements.
(a) Audited financial statements. Each
insured depository institution shall
prepare annual financial statements in
accordance with GAAP, which shall be
audited by an independent public
accountant. The annual financial
statements must reflect all material
correcting adjustments necessary to
conform with GAAP that were
identified by the independent public
accountant.
(b) Management report. Each insured
depository institution annually shall
prepare, as of the end of the institution’s
most recent fiscal year, a management
report that must contain the following:
(1) A statement of management’s
responsibilities for preparing the
institution’s annual financial
statements, for establishing and
maintaining an adequate internal
control structure and procedures for
financial reporting, and for complying
with laws and regulations relating to
safety and soundness that are
designated by the FDIC and the
appropriate Federal banking agency;
(2) An assessment by management of
the insured depository institution’s
compliance with such laws and
regulations during such fiscal year. The
assessment must state management’s
conclusion as to whether the insured
depository institution has complied
with the designated safety and
soundness laws and regulations during
the fiscal year and disclose any
noncompliance with these laws and
regulations; and
(3) For an insured depository
institution with consolidated total assets
of $1 billion or more as of the beginning
of such fiscal year, an assessment by
management of the effectiveness of such
internal control structure and
procedures as of the end of such fiscal
year that must include the following:
(i) A statement identifying the
internal control framework 1 used by
management to evaluate the
effectiveness of the insured depository
institution’s internal control over
financial reporting;
(ii) A statement that the assessment
included controls over the preparation
of regulatory financial statements in
accordance with regulatory reporting
instructions including identification of
such regulatory reporting instructions;
and
(iii) A statement expressing
management’s conclusion as to whether
the insured depository institution’s
internal control over financial reporting
is effective. Management must disclose
all material weaknesses in internal
control over financial reporting, if any,
that it has identified that have not been
remediated prior to the insured
depository institution’s fiscal year-end.
Management is precluded from
concluding that the institution’s internal
control over financial reporting is
effective if there are one or more
material weaknesses.
(c) Management report signatures.
Subject to the criteria specified in
§ 363.1(b):
(1) If the audited financial statements
requirement specified in § 363.2(a) is
satisfied at the insured depository
institution level and the management
report requirement specified in
§ 363.2(b) is satisfied in its entirety at
the insured depository institution level,
the management report must be signed
by the chief executive officer and the
chief accounting officer or chief
financial officer of the insured
depository institution;
(2) If the audited financial statements
requirement specified in § 363.2(a) is
satisfied at the holding company level
and the management report requirement
specified in § 363.2(b) is satisfied in its
entirety at the holding company level,
the management report must be signed
by the chief executive officer and the
chief accounting officer or chief
financial officer of the holding
company; and
(3) If the audited financial statements
requirement specified in § 363.2(a) is
satisfied at the holding company level
and:
(i) The management report
requirement specified in § 363.2(b) is
satisfied in its entirety at the insured
depository institution level, or
(ii) One or more of the components of
the management report specified in
§ 363.2(b) is satisfied at the holding
company level and the remaining
components of the management report
are satisfied at the insured depository
institution level, the management report
must be signed by the chief executive
officers and the chief accounting officers
or chief financial officers of both the
holding company and the insured
depository institution and the
management report must clearly
indicate the level (institution or holding
company) at which each of its
components is being satisfied.
1 For example, in the United States, the
Committee of Sponsoring Organizations (COSO) of
the Treadway Commission has published Internal
Control—Integrated Framework, including an
addendum on safeguarding assets. Known as the
COSO report, this publication provides a suitable
and available framework for purposes of
management’s assessment.
§ 363.3 Independent public accountant.
(a) Annual audit of financial
statements. Each insured depository
institution shall engage an independent
public accountant to audit and report on
its annual financial statements in
accordance with generally accepted
auditing standards or the PCAOB’s
auditing standards, if applicable, and
section 37 of the Federal Deposit
Insurance Act (12 U.S.C. 1831n). The
scope of the audit engagement shall be
sufficient to permit such accountant to
determine and report whether the
financial statements are presented fairly
and in accordance with GAAP.
(b) Internal control over financial
reporting. For each insured depository
institution with total assets of $1 billion
or more at the beginning of the
institution’s fiscal year, the independent
public accountant who audits the
institution’s financial statements shall
examine, attest to, and report separately
on the assertion of management
concerning the effectiveness of the
institution’s internal control structure
and procedures for financial reporting.
The attestation and report shall be made
in accordance with generally accepted
standards for attestation engagements or
the PCAOB’s auditing standards, if
applicable. The accountant’s report
must not be dated prior to the date of
the management report and
management’s assessment of the
effectiveness of internal control over
financial reporting. Notwithstanding the
requirements set forth in applicable
professional standards, the accountant’s
report must include the following:
(1) A statement identifying the
internal control framework used by the
independent public accountant, which
must be the same as the internal control
framework used by management, to
evaluate the effectiveness of the insured
depository institution’s internal control
over financial reporting;
(2) A statement that the independent
public accountant’s evaluation included
controls over the preparation of
regulatory financial statements in
accordance with regulatory reporting
instructions including identification of
such regulatory reporting instructions;
and
(3) A statement expressing the
independent public accountant’s
conclusion as to whether the insured
depository institution’s internal control
over financial reporting is effective. The
report must disclose all material
weaknesses in internal control over
financial reporting that the independent
public accountant has identified that
have not been remediated prior to the
insured depository institution’s fiscal
year-end. The independent public
accountant is precluded from
concluding that the insured depository
institution’s internal control over
financial reporting is effective if there
are one or more material weaknesses.
(c) Notice by accountant of
termination of services. An independent
public accountant performing an audit
under this part who ceases to be the
accountant for an insured depository
institution shall notify the FDIC, the
appropriate Federal banking agency,
and any appropriate State bank
supervisor in writing of such
termination within 15 days after the
occurrence of such event, and set forth
in reasonable detail the reasons for such
termination. The written notice shall be
filed at the place identified in § 363.4(f).
(d) Communications with audit
committee. In addition to the
requirements for communications with
audit committees set forth in applicable
professional standards, the independent
public accountant must report the
following on a timely basis to the audit
committee:
(1) All critical accounting policies and
practices to be used by the insured
depository institution,
(2) All alternative accounting
treatments within GAAP for policies
and practices related to material items
that the independent public accountant
has discussed with management,
including the ramifications of the use of
such alternative disclosures and
treatments, and the treatment preferred
by the independent public accountant,
and
(3) Other written communications the
independent public accountant has
provided to management, such as a
management letter or schedule of
unadjusted differences.
(e) Retention of working papers. The
independent public accountant must
retain the working papers related to the
audit of the insured depository
institution’s financial statements and, if
applicable, the evaluation of the
institution’s internal control over
financial reporting for seven years from
the report release date, unless a longer
period of time is required by law.
(f) Independence. The independent
public accountant must comply with the
independence standards and
interpretations of the AICPA, the SEC,
and the PCAOB. To the extent that any
of the rules within any one of these
independence standards (AICPA, SEC,
and PCAOB) is more or less restrictive
than the corresponding rule in the other
independence standards, the
independent public accountant must
comply with the more restrictive rule.
(g) Peer reviews and inspection
reports. (1) Prior to commencing any
services for an insured depository
institution under this part, the
independent public accountant must
have received a peer review, or be
enrolled in a peer review program, that
meets acceptable guidelines. Acceptable
peer reviews include peer reviews
performed in accordance with the
AICPA’s Peer Review Standards and
inspections conducted by the PCAOB.
(2) Within 15 days of receiving
notification that a peer review has been
accepted or a PCAOB inspection report
has been issued, or before commencing
any audit under this part, whichever is
earlier, the independent public
accountant must file two copies of the
most recent peer review report and the
public portion of the most recent
PCAOB inspection report, if any,
accompanied by any letters of
comments, response, and acceptance,
with the FDIC, Accounting and
Securities Disclosure Section, 550 17th
Street, NW., Washington, DC 20429, if
the report has not already been filed.
The peer review reports and the public
portions of the PCAOB inspection
reports will be made available for public
inspection by the FDIC.
(3) Within 15 days of the PCAOB
making public a previously nonpublic
portion of an inspection report, the
independent public accountant must
file two copies of the previously
nonpublic portion of the inspection
report with the FDIC, Accounting and
Securities Disclosure Section, 550 17th
Street, NW., Washington, DC 20429.
Such previously nonpublic portion of
the PCAOB inspection report will be
made available for public inspection by
the FDIC.
§ 363.4 Filing and notice requirements.
(a) Part 363 Annual Report. (1) Each
insured depository institution shall file
with each of the FDIC, the appropriate
Federal banking agency, and any
appropriate State bank supervisor, two
copies of its Part 363 Annual Report. A
Part 363 Annual Report must contain
audited comparative annual financial
statements, the independent public
accountant’s report thereon, a
management report, and, if applicable,
the independent public accountant’s
attestation report on management’s
assessment concerning the institution’s
internal control structure and
procedures for financial reporting as
required by §§ 363.2(a), 363.3(a),
363.2(b), and 363.3(b), respectively.
(2) Subject to the criteria specified in
§ 363.1(b), each insured depository
institution with consolidated total assets
of less than $1 billion as of the
beginning of its fiscal year that is
required to file, or whose parent holding
company is required to file,
management’s assessment of the
effectiveness of internal control over
financial reporting with the SEC or the
appropriate Federal banking agency in
accordance with section 404 of SOX
must submit a copy of such assessment
to the FDIC, the appropriate Federal
banking agency, and any appropriate
State bank supervisor with its Part 363
Annual Report as additional
information. This assessment will not be
considered part of the institution’s Part
363 Annual Report.
(3)(i) Each insured depository
institution that is neither a public
company nor a subsidiary of a public
company that meets the criterion
specified in § 363.1(b)(1) shall file its
Part 363 Annual Report within 120 days
after the end of its fiscal year.
(ii) Each insured depository
institution that is a public company or
a subsidiary of public company that
meets the criterion specified in
§ 363.1(b)(1) shall file its Part 363
Annual Report within 90 days after the
end of its fiscal year.
(b) Public availability. Except for the
annual report in paragraph (a)(1) of this
section and the peer reviews and
inspection reports in § 363.3(g), which
shall be available for public inspection,
the FDIC has determined that all other
reports and notifications required by
this part are exempt from public
disclosure by the FDIC.
(c) Independent public accountant’s
letters and reports. Except for the
independent public accountant’s reports
that are included in its Part 363 Annual
Report, each insured depository
institution shall file with the FDIC, the
appropriate Federal banking agency,
and any appropriate State bank
supervisor, a copy of any management
letter or other report issued by its
independent public accountant with
respect to such institution and the
services provided by such accountant
pursuant to this part within 15 days
after receipt.
Such reports include, but are not
limited to:
(1) Any written communication
regarding matters that are required to be
communicated to the audit committee
(for example, critical accounting
policies, alternative accounting
treatments discussed with management,
and any schedule of unadjusted
differences),
(2) Any written communication of
significant deficiencies and material
weaknesses in internal control required
by the AICPA’s or the PCAOB’s auditing
standards;
(3) For institutions with total assets of
less than $1 billion as of the beginning
of their fiscal year that are public
companies or subsidiaries of public
companies that meet the criterion
specified in § 363.1(b)(1), any
independent public accountant’s report
on the audit of internal control over
financial reporting required by section
404 of SOX and the PCAOB’s auditing
standards; and
(4) For all institutions that are public
companies or subsidiaries of public
companies that meet the criterion
specified in § 363.1(b)(1), any
independent public accountant’s
written communication of all
deficiencies in internal control over
financial reporting that are of a lesser
magnitude than significant deficiencies
required by the PCAOB’s auditing
standards.
(d) Notice of engagement or change of
accountants. Each insured depository
institution shall provide, within 15 days
after the occurrence of any such event,
written notice to the FDIC, the
appropriate Federal banking agency,
and any appropriate State bank
supervisor of the engagement of an
independent public accountant, or the
resignation or dismissal of the
independent public accountant
previously engaged. The notice shall
include a statement of the reasons for
any such resignation or dismissal in
reasonable detail.
(e) Notification of late filing. No
extensions of time for filing reports
required by § 363.4 shall be granted. An
insured depository institution that is
unable to timely file all or any portion
of its Part 363 Annual Report or any
other report or notice required by
§ 363.4 shall submit a written notice of
late filing to the FDIC, the appropriate
Federal banking agency, and any
appropriate State bank supervisor. The
notice shall disclose the institution’s
inability to timely file all or specified
portions of its Part 363 Annual Report
or any other report or notice and the
reasons therefore in reasonable detail.
The late filing notice shall also state the
date by which the report or notice will
be filed. The written notice shall be
filed on or before the deadline for filing
the Part 363 Annual Report or any other
report or notice, as appropriate.
(f) Place for filing. The Part 363
Annual Report, any written notification
of late filing, and any other report or
notice required by § 363.4 should be
filed as follows:
(1) FDIC: Appropriate FDIC Regional
or Area Office (Division of Supervision
and Consumer Protection), i.e., the FDIC
regional or area office in the FDIC region
or area that is responsible for
monitoring the institution or, in the case
of a subsidiary institution of a holding
company, the consolidated company. A
filing made on behalf of several covered
institutions owned by the same parent
holding company should be
accompanied by a transmittal letter
identifying all of the institutions
covered.
(2) Office of the Comptroller of the
Currency (OCC): Appropriate OCC
Supervisory Office.
(3) Federal Reserve: Appropriate
Federal Reserve Bank.
(4) Office of Thrift Supervision (OTS):
Appropriate OTS District Office.
(5) State bank supervisor: The filing
office of the appropriate State bank
supervisor.
§ 363.5 Audit committees.
(a) Composition and duties. Each
insured depository institution shall
establish an audit committee of its board
of directors, the composition of which
complies with paragraphs (a)(1), (2), and
(3) of this section. The duties of the
audit committee shall include the
appointment, compensation, and
oversight of the independent public
accountant who performs services
required under this part, and reviewing
with management and the independent
public accountant the basis for the
reports issued under this part.
(1) Each insured depository
institution with total assets of $1 billion
or more as of the beginning of its fiscal
year shall establish an independent
audit committee of its board of
directors, the members of which shall be
outside directors who are independent
of management of the institution.
(2) Each insured depository
institution with total assets of $500
million or more but less than $1 billion
as of the beginning of its fiscal year shall
establish an audit committee of its board
of directors, the members of which shall
be outside directors, the majority of
whom shall be independent of
management of the institution. The
appropriate Federal banking agency
may, by order or regulation, permit the
audit committee of such an insured
depository institution to be made up of
less than a majority of outside directors
who are independent of management, if
the agency determines that the
institution has encountered hardships
in retaining and recruiting a sufficient
number of competent outside directors
to serve on the audit committee of the
institution.
(3) An outside director is a director
who is not, and within the preceding
fiscal year has not been, an officer or
employee of the institution or any
affiliate of the institution.
(b) Committees of large institutions.
The audit committee of any insured
depository institution with total assets
of more than $3 billion as of the
beginning of its fiscal year shall include
members with banking or related
financial management expertise, have
access to its own outside counsel, and
not include any large customers of the
institution. If a large institution is a
subsidiary of a holding company and
relies on the audit committee of the
holding company to comply with this
rule, the holding company’s audit
committee shall not include any
members who are large customers of the
subsidiary institution.
(c) Independent public accountant
engagement letters. (1) In performing its
duties with respect to the appointment
of the institution’s independent public
accountant, the audit committee shall
ensure that engagement letters and any
related agreements with the
independent public accountant for
services to be performed under this part
do not contain any limitation of liability
provisions that:
(i) Indemnify the independent public
accountant against claims made by third
parties;
(ii) Hold harmless or release the
independent public accountant from
liability for claims or potential claims
that might be asserted by the client
insured depository institution, other
than claims for punitive damages; or
(iii) Limit the remedies available to
the client insured depository institution.
(2) Alternative dispute resolution
agreements and jury trial waiver
provisions are not precluded from
engagement letters provided that they
do not incorporate any limitation of
liability provisions set forth in
paragraph (c)(1) of this section.
Appendix A to Part 363—Guidelines
and Interpretations
Table of Contents
Introduction
Scope of Rule and Definitions (§ 363.1)
1. Measuring Total Assets
2. Insured Branches of Foreign Banks
3. Compliance by Holding Company
Subsidiaries
4. Comparable Services and Functions
4A. Financial Reporting
Annual Reporting Requirements (§ 363.2)
5. Annual Financial Statements
5A. Institutions Merged Out of Existence
6. Holding Company Statements
7. Insured Branches of Foreign Banks
7A. Compliance With Designated Laws and
Regulations
8. Management Report
8A. Management’s Reports on Internal
Control Over Financial Reporting Under
Part 363 and Section 404 of SOX
8B. Internal Control Reports and Part 363
Annual Reports for Acquired Businesses
8C. Management’s Disclosure of
Noncompliance With the Designated Laws
and Regulations
9. Safeguarding of Assets
10. Standards for Internal Control
11. Service Organizations
12. Reserved
Role of Independent Public Accountant
(§ 363.3)
13. General Qualifications
14. Reserved
15. Peer Review Guidelines
16. Reserved
17. Information To Be Provided to the
Independent Public Accountant
18. Attestation Report and Management
Letters
18A. Internal Control Attestation Standards
for Independent Auditors
19. Reviews With Audit Committee and
Management
20. Notice of Termination
21. Reliance on Internal Auditors
Filing and Notice Requirements (§ 363.4)
22. Reserved
23. Notification of Late Filing
24. Public Availability
25. Reserved
26. Notices Concerning Accountants
Audit Committees (§ 363.5)
27. Composition
28. ‘‘Independent of Management’’
Considerations
29. Reserved
30. Holding Company Audit Committees
31. Duties
32. Banking or Related Financial
Management Expertise
33. Large Customers
34. Access to Counsel
35. Transition Period for Forming and
Restructuring Audit Committees
Other
36. Modifications of Guidelines
Introduction
Congress added section 36, ‘‘Early
Identification of Needed Improvements in
Financial Management’’ (section 36), to the
Federal Deposit Insurance Act (FDI Act) in
1991.
The FDIC Board of Directors adopted 12
CFR part 363 of its rules and regulations (the
Rule) to implement those provisions of
section 36 that require rulemaking. The FDIC
also approved these ‘‘Guidelines and
Interpretations’’ (the Guidelines) and
directed that they be published with the Rule
to facilitate a better understanding of, and
full compliance with, the provisions of
section 36.
Although not contained in the Rule itself,
some of the guidance offered restates or refers
to statutory requirements of section 36 and is
therefore mandatory. If that is the case, the
statutory provision is cited.
Furthermore, upon adopting the Rule, the
FDIC reiterated its belief that every insured
depository institution, regardless of its size or
charter, should have an annual audit of its
financial statements performed by an
independent public accountant, and should
establish an audit committee comprised
entirely of outside directors.
The following Guidelines reflect the views
of the FDIC concerning the interpretation of
section 36. The Guidelines are intended to
assist insured depository institutions
(institutions), their boards of directors, and
their advisors, including their independent
public accountants and legal counsel, and to
clarify section 36 and the Rule. It is
recognized that reliance on the Guidelines
may result in compliance with section 36 and
the Rule which may vary from institution to
institution. Terms which are not explained in
the Guidelines have the meanings given them
in the Rule, the FDI Act, or professional
accounting and auditing literature.
Scope of Rule and Definitions (§ 363.1)
1. Measuring Total Assets. To determine
whether this part applies, an institution
should use total assets as reported on its most
recent Report of Condition (Call Report) or
Thrift Financial Report (TFR), the date of
which coincides with the end of its
preceding fiscal year. If its fiscal year ends
on a date other than the end of a calendar
quarter, it should use its Call Report or TFR
for the quarter end immediately preceding
the end of its fiscal year.
2. Insured Branches of Foreign Banks.
Unlike other institutions, insured branches of
foreign banks are not separately incorporated
or capitalized. To determine whether this
part applies, an insured branch should
measure claims on non-related parties
reported on its Report of Assets and
Liabilities of U.S. Branches and Agencies of
Foreign Banks (form FFIEC 002).
3. Compliance by Holding Company
Subsidiaries. Audited consolidated financial
statements and other reports or notices
required by this part that are submitted by a
holding company for any subsidiary
institution should be accompanied by a cover
letter identifying all subsidiary institutions
subject to part 363 that are included in the
holding company’s submission. When
submitting a Part 363 Annual Report, the
cover letter should identify all subsidiary
institutions subject to part 363 included in
the consolidated financial statements and
state whether the other annual report
requirements (i.e., management’s statement
of responsibilities, management’s assessment
of compliance with designated safety and
soundness laws and regulations, and, if
applicable, management’s assessment of the
effectiveness of internal control over
financial reporting and the independent
public accountant’s attestation report on
management’s internal control assessment)
are being satisfied for these institutions at the
holding company level or at the institution
level. An institution filing holding company
consolidated financial statements as
permitted by § 363.1(b)(1) also may report on
changes in its independent public accountant
on a holding company basis. An institution
that does not meet the criteria in § 363.1(b)(2)
must satisfy the remaining provisions of this
part on an individual institution basis and
maintain its own audit committee. Subject to
the criteria in §§ 363.1(b)(1) and (2), a multi-tiered
holding company may satisfy all of the
requirements of this part at the top-tier or any
mid-tier holding company level.
4. Comparable Services and Functions.
Services and functions will be considered
‘‘comparable’’ to those required by this part
if the holding company:
(a) Prepares reports used by the subsidiary
institution to meet the requirements of this
part;
(b) Has an audit committee that meets the
requirements of this part appropriate to its
largest subsidiary institution; and
(c) Prepares and submits management’s
assessment of compliance with the
Designated Laws and Regulations defined in
guideline 7A and, if applicable,
management’s assessment of the effectiveness
of internal control over financial reporting
based on information concerning the relevant
activities and operations of those subsidiary
institutions within the scope of the Rule.
4A. Financial Statements Prepared for
Regulatory Reporting Purposes. (a) As set
forth in § 363.3(c) of this part, ‘‘financial
reporting,’’ at a minimum, includes both
financial statements prepared in accordance
with generally accepted accounting
principles for the insured depository
institution or its holding company and
financial statements prepared for regulatory
reporting purposes. More specifically,
financial statements prepared for regulatory
reporting purposes include the schedules
equivalent to the basic financial statements
that are included in an insured depository
institution’s or its holding company’s
appropriate regulatory report (for example,
Schedules RC, RI, and RI–A in the
Consolidated Reports of Condition and
Income (Call Report) for an insured bank; and
Schedules SC and SO, and the Summary of
Changes in Equity Capital section in
Schedule SI in the Thrift Financial Report
(TFR) for an insured thrift institution). For
recognition and measurement purposes,
financial statements prepared for regulatory
reporting purposes shall conform to generally
accepted accounting principles and section
37 of the Federal Deposit Insurance Act.
(b) Financial statements prepared for
regulatory reporting purposes do not include
regulatory reports prepared by a non-bank
subsidiary of a holding company or an
institution. For example, if a bank holding
company or an insured depository institution
owns an insurance subsidiary, financial
statements prepared for regulatory reporting
purposes would not include any regulatory
reports that the insurance subsidiary is
required to submit to its appropriate
insurance regulatory agency.
Annual Reporting Requirements (§ 363.2)
5. Annual Financial Statements. Each
institution (other than an insured branch of
a foreign bank) should prepare comparative
annual consolidated financial statements
(balance sheets and statements of income,
changes in equity capital, and cash flows,
with accompanying footnote disclosures) in
accordance with GAAP for each of its two
most recent fiscal years. Statements for the
earlier year may be presented on an
unaudited basis if the institution was not
subject to this part for that year and audited
statements were not prepared.
5A. Institutions Merged Out of Existence.
An institution that is merged out of existence
after the end of its fiscal year, but before the
deadline for filing its Part 363 Annual Report
(120 days after the end of its fiscal year for
an institution that is neither a public
company nor a subsidiary of a public
company that meets the criterion specified in
§ 363.1(b)(1), and 90 days after the end of its
fiscal year for an institution that is a public
company or a subsidiary of a public company
that meets the criterion specified in
§ 363.1(b)(1)), is not required to file a Part
363 Annual Report for the last fiscal year of
its existence.
6. Holding Company Statements. Subject to
the criterion specified in § 363.1(b)(1),
subsidiary institutions may file copies of
their holding company’s audited financial
statements filed with the SEC or prepared for
their FR Y–6 Annual Report under the Bank
Holding Company Act of 1956 to satisfy the
audited financial statements requirement of
§ 363.2(a).
7. Insured Branches of Foreign Banks. An
insured branch of a foreign bank should
satisfy the financial statements requirement
by filing one of the following for each of its
two most recent fiscal years:
(a) Audited balance sheets, disclosing
information about financial instruments with
off-balance-sheet risk;
(b) Schedules RAL and L of form FFIEC
002, prepared and audited on the basis of the
instructions for its preparation; or
(c) With written approval of the
appropriate Federal banking agency,
consolidated financial statements of the
parent bank.
7A. Compliance with Designated Laws and
Regulations. The designated laws and
regulations are the Federal laws and
regulations concerning loans to insiders and
the Federal and, if applicable, State laws and
regulations concerning dividend restrictions
(the Designated Laws and Regulations). Table
1 to this Appendix A lists the designated
Federal laws and regulations pertaining to
insider loans and dividend restrictions (but
not the State laws and regulations pertaining
to dividend restrictions) that are applicable
to each type of institution.
8. Management Report. Management
should perform its own investigation and
review of compliance with the Designated
Laws and Regulations and, if required, the
effectiveness of internal control over
financial reporting. Management should
maintain records of its determinations and
assessments until the next Federal safety and
soundness examination, or such later date as
specified by the FDIC or the appropriate
Federal banking agency. Management should
provide in its assessment of the effectiveness
of internal control over financial reporting, or
supplementally, sufficient information to
enable the accountant to report on its
assertions. The management report of an
insured branch of a foreign bank should be
signed by the branch’s managing official if
the branch does not have a chief executive
officer or a chief accounting or financial
officer.
8A. Management’s Reports on Internal
Control Over Financial Reporting Under Part
363 and Section 404 of SOX. An institution
with $1 billion or more in total assets as of
the beginning of its fiscal year that is subject
to both part 363 and the SEC’s rules
implementing section 404 of SOX (as well as
a public holding company permitted under
the holding company exception in
§ 363.1(b)(2) to file an internal control report
on behalf of one or more subsidiary
institutions with $1 billion or more in total
assets) can choose either of the following two
options for filing management’s report on
internal control over financial reporting.
(i) Management can prepare two separate
reports on the institution’s or the holding
company’s internal control over financial
reporting to satisfy the FDIC’s part 363
requirements and the SEC’s section 404
requirements; or
(ii) Management can prepare a single report
on internal control over financial reporting
provided that it satisfies all of the FDIC’s part
363 requirements and all of the SEC’s section
404 requirements.
8B. Internal Control Reports and Part 363
Annual Reports for Acquired Businesses.
Generally, the FDIC expects management’s
and the related independent public
accountant’s report on an institution’s
internal control over financial reporting to
include controls at an institution in its
entirety, including all of its consolidated
entities. However, it may not always be
possible for management to conduct an
assessment of the internal control over
financial reporting of an acquired business in
the period between the consummation date
of the acquisition and the due date of
management’s internal control assessment.
(a) In such instances, the acquired
business’s internal control structure and
procedures for financial reporting may be
excluded from management’s assessment
report and the accountant’s attestation report
on internal control over financial reporting.
However, the FDIC expects management’s
assessment report to identify the acquired
business, state that the acquired business is
excluded, and indicate the significance of
this business to the institution’s consolidated
financial statements. Notwithstanding
management’s exclusion of the acquired
business’s internal control from its
assessment, management should disclose any
material change to the institution’s internal
control over financial reporting due to the
acquisition of this business. Also,
management may not omit the assessment of
the acquired business’s internal control from
more than one annual part 363 assessment
report on internal control over financial
reporting. When the acquired business’s
internal control over financial reporting is
excluded from management’s assessment, the
independent public accountant may likewise
exclude this acquired business’s internal
control over financial reporting from the
accountant’s evaluation of internal control
over financial reporting.
(b) If the acquired business is or has a
consolidated subsidiary that is an insured
depository institution subject to part 363 and
the institution is not merged out of existence
before the deadline for filing its Part 363
Annual Report (120 days after the end of its
fiscal year for an institution that is neither a
public company nor a subsidiary of a public
company that meets the criterion specified in
§ 363.1(b)(1), and 90 days after the end of its
fiscal year for an institution that is a public
company or a subsidiary of a public company
that meets the criterion specified in
§ 363.1(b)(1)), the acquired institution must
continue to comply with all of the applicable
requirements of part 363, including filing its
Part 363 Annual Report.
8C. Management’s Disclosure of
Noncompliance With the Designated Laws
and Regulations. Management’s disclosure of
noncompliance, if any, with the Designated
Laws and Regulations should separately
indicate the number of instances or
frequency of noncompliance with the Federal
laws and regulations pertaining to insider
loans and the Federal (and, if applicable,
State) laws and regulations pertaining to
dividend restrictions. The disclosure is not
required to specifically identify by name the
individuals (e.g., officers or directors) who
were responsible for or were the subject of
any such noncompliance. However, the
disclosure should include appropriate
qualitative and quantitative information to
describe the nature, type, and severity of the
noncompliance and the dollar amount of the
insider loan(s) or dividend(s) involved.
Similar instances of noncompliance may be
aggregated as to number of instances and
quantified as to the dollar amounts or the
range of dollar amounts of insider loans and/
or dividends for which noncompliance
occurred. Management may also wish to
describe any corrective actions taken in
response to the instances of noncompliance
as well as any controls or procedures that are
being developed or that have been developed
and implemented to prevent or detect and
correct future instances of noncompliance on
a timely basis.
9. Safeguarding of Assets. ‘‘Safeguarding of
assets,’’ as the term relates to internal control
policies and procedures regarding financial
reporting and which has precedent in
accounting and auditing literature, should be
encompassed in the management report and
the independent public accountant’s
attestation discussed in guideline 18. Testing
the existence of and compliance with
internal controls on the management of
assets, including loan underwriting and
documentation, represents a reasonable
implementation of section 36. The FDIC
expects such internal controls to be
encompassed by the assertion in the
management report, but the term
‘‘safeguarding of assets’’ need not be
specifically stated. The FDIC does not require
the accountant to attest to the adequacy of
safeguards, but does require the accountant
to determine whether safeguarding policies
exist.2
10. Standards for Internal Control. The
management of each insured depository
institution with $1 billion or more in total
assets as of the beginning of its fiscal year
should base its assessment of the
effectiveness of the institution’s internal
control over financial reporting on a suitable,
recognized control framework established by
a body of experts that followed due-process
procedures, including the broad distribution
of the framework for public comment. In
addition to being available to users of
management’s reports, a framework is
suitable only when it:
• Is free from bias;
• Permits reasonably consistent qualitative
and quantitative measurements of an
institution’s internal control over financial
reporting;
• Is sufficiently complete so that those
relevant factors that would alter a conclusion
about the effectiveness of an institution’s
internal control over financial reporting are
not omitted; and
• Is relevant to an evaluation of internal
control over financial reporting.
In the United States, Internal Control—
Integrated Framework, including its
addendum on safeguarding assets, which was
published by the Committee of Sponsoring
Organizations of the Treadway Commission,
and is known as the COSO report, provides
a suitable and recognized framework for
purposes of management’s assessment. Other
suitable frameworks have been published in
other countries or may be developed in the
future. Such other suitable frameworks may
be used by management and the institution’s
independent public accountant in
assessments, attestations, and audits of
internal control over financial reporting.
11. Service Organizations. Although
service organizations should be considered in
determining if internal control over financial
reporting is effective, an institution’s
independent public accountant, its
management, and its audit committee should
exercise independent judgment concerning
that determination. Onsite reviews of service
organizations may not be necessary to
prepare the report required by the Rule, and
the FDIC does not intend that the Rule
establish any such requirement.
12. [Reserved.]
2 It is management’s responsibility to establish
policies concerning underwriting and asset
management and to make credit decisions. The
auditor’s role is to test compliance with
management’s policies relating to financial
reporting.
Role of Independent Public Accountant
(§ 363.3)
13. General Qualifications. To provide
audit and attest services to insured
depository institutions, an independent
public accountant should be registered or
licensed to practice as a public accountant,
and be in good standing, under the laws of
the State or other political subdivision of the
United States in which the home office of the
institution (or the insured branch of a foreign
bank) is located. As required by section
36(g)(3)(A)(i), the accountant must agree to
provide copies of any working papers,
policies, and procedures relating to services
performed under this part.
14. [Reserved.]
15. Peer Review Guidelines. The following
peer review guidelines are acceptable:
(a) The external peer review should be
conducted by an organization independent of
the accountant or firm being reviewed, as
frequently as is consistent with professional
accounting practices;
(b) The peer review (other than a PCAOB
inspection) should be generally consistent
with AICPA Peer Review Standards; and
(c) The review should include, if available,
at least one audit on an insured depository
institution or consolidated depository
institution holding company.
16. [Reserved.]
17. Information to be Provided to the
Independent Public Accountant. Attention is
directed to section 36(h) which requires
institutions to provide specified information
to their accountants. An institution also
should provide its accountant with copies of
any notice that the institution’s capital
category is being changed or reclassified
under section 38 of the FDI Act, and any
correspondence from the appropriate Federal
banking agency concerning compliance with
this part.
18. Attestation Report and Management
Letters. The independent public accountant
should provide the institution with any
management letter and, if applicable, an
internal control attestation report (as required
by section 36(c)(1)) at the conclusion of the
audit. The independent public accountant’s
attestation report on internal control over
financial reporting must specifically include
a statement as to regulatory reporting. If a
holding company subsidiary relies on its
holding company’s management report to
satisfy the Part 363 Annual Report
requirements, the accountant may attest to
and report on the management’s assertions in
one report, without reporting separately on
each subsidiary covered by the Rule. The
FDIC has determined that management letters
are exempt from public disclosure.
18A. Internal Control Attestation
Standards for Independent Auditors. (a)
§ 363.3(b) provides that the independent
public accountant’s attestation and report on
management’s assertion concerning the
effectiveness of an institution’s internal
control structure and procedures for financial
reporting shall be made in accordance with
generally accepted standards for attestation
engagements or the PCAOB’s auditing
standards, if applicable. The standards that
should be followed by the institution’s
independent public accountant concerning
internal control over financial reporting for
institutions with $1 billion or more in total
assets can be summarized as follows:
(1) For an insured institution that is neither
a public company nor a subsidiary of a
public company, its independent public
accountant need only follow the AICPA’s
attestation standards.
(2) For an insured institution that is a
public company that is required to comply
with the auditor attestation requirement of
section 404 of SOX, its independent public
accountant should follow the PCAOB’s
auditing standards.
(3) For an insured institution that is a
public company but is not required to
comply with the auditor attestation
requirement of section 404 of SOX, its
independent public accountant is not
required to follow the PCAOB’s auditing
standards. In this case, the accountant need
only follow the AICPA’s attestation
standards.
(4) For an insured institution that is a
subsidiary of a public company that is
required to comply with the auditor
attestation requirement of section 404 of
SOX, but is not itself a public company, the
institution and its independent public
accountant have flexibility in complying
with the internal control requirements of part
363. If the conditions specified in
§ 363.1(b)(2) are met, management and the
independent public accountant may choose
to report on internal control over financial
reporting at the consolidated holding
company level. In this situation, the
independent public accountant’s work would
be performed for the public company in
accordance with the PCAOB’s auditing
standards. Alternatively, the institution may
choose to comply with the internal control
reporting requirements of part 363 at the
institution level and its independent public
accountant could follow the AICPA’s
attestation standards.
(b) If an independent public accountant
need only follow the AICPA’s attestation
standards, the accountant and the insured
institution may instead agree to have the
internal control attestation performed under
the PCAOB’s auditing standards.
19. Reviews With Audit Committee and
Management. The independent public
accountant should meet with the institution’s
audit committee to review the accountant’s
reports required by this part before they are
filed. It also may be appropriate for the
accountant to review its findings with the
institution’s board of directors and
management.
20. Notice of Termination. The notice of
termination required by § 363.3(c) should
state whether the independent public
accountant agrees with the assertions
contained in any notice filed by the
institution under § 363.4(d), and whether the
institution’s notice discloses all relevant
reasons for the accountant’s termination.
Subject to the criterion specified in
§ 363.1(b)(1) regarding compliance with the
audited financial statements requirement at
the holding company level, the independent
public accountant for an insured depository
institution that is a public company and files
reports with its appropriate Federal banking
agency, or is a subsidiary of a public
company that files reports with the SEC, may
submit the letter it furnished to management
to be filed with the institution’s or the
holding company’s current report (e.g., SEC
Form 8–K) concerning a change in
accountant to satisfy the notice requirements
of § 363.3(c). Alternatively, if the
independent public accountant confirms that
management has filed a current report (e.g.,
SEC Form 8–K) concerning a change in
accountant that satisfies the notice
requirements of § 363.4(d) and includes an
independent public accountant’s letter that
satisfies the requirements of § 363.3(c), the
independent public accountant may rely on
the current report (e.g., SEC Form 8–K) filed
with the FDIC by management concerning a
change in accountant to satisfy the notice
requirements of § 363.3(c).
21. Reliance on Internal Auditors. Nothing
in this part or this Appendix is intended to
preclude the ability of the independent
public accountant to rely on the work of an
institution’s internal auditor.
Filing and Notice Requirements (§ 363.4)
22. [Reserved.]
23. Notification of Late Filing. (a) An
institution’s submission of a written notice of
late filing does not cure the requirement to
timely file the Part 363 Annual Report or
other reports or notices required by § 363.4.
An institution’s failure to timely file is
considered an apparent violation of part 363.
(b) If the late filing notice submitted
pursuant to § 363.4(e) relates only to a
portion of a Part 363 Annual Report or any
other report or notice, the insured depository
institution should file the other components
of the report or notice within the prescribed
filing period together with a cover letter that
indicates which components of its Part 363
Annual Report or other report or notice are
omitted. An institution may combine the
written late filing notice and the cover letter
into a single notice that is submitted together
with the other components of the report or
notice that are being timely filed.
24. Public Availability. Each institution’s
Part 363 Annual Report should be available
for public inspection at its main and branch
offices no later than 15 days after it is filed
with the FDIC. Alternatively, an institution
may elect to mail one copy of its Part 363
Annual Report to any person who requests it.
The Part 363 Annual Report should remain
available to the public until the Part 363
Annual Report for the next year is available.
An institution may use its Part 363 Annual
Report under this part to meet the annual
disclosure statement required by 12 CFR
350.3, if the institution satisfies all other
requirements of 12 CFR Part 350.
25. [Reserved.]
26. Notices Concerning Accountants. With
respect to any selection, change, or
termination of an independent public
accountant, an institution’s management and
audit committee should be familiar with the
notice requirements in § 363.4(d) and
guideline 20, and management should send
a copy of any notice required under
§ 363.4(d) to the independent public
accountant when it is filed with the FDIC. An
insured depository institution that is a public
company and files reports required under the
Federal securities laws with its appropriate
Federal banking agency, or is a subsidiary of
a public company that files such reports with
the SEC, may use its current report (e.g., SEC
Form 8–K) concerning a change in
accountant to satisfy the notice requirements
of § 363.4(d) subject to the criterion of
§ 363.1(b)(1) regarding compliance with the
audited financial statements requirement at
the holding company level.
Audit Committees (§ 363.5)
27. Composition. The board of directors of
each institution should determine whether
each existing or potential audit committee
member meets the requirements of section 36
and this part. To do so, the board of directors
should maintain an approved set of written
criteria for determining whether a director
who is to serve on the audit committee is an
outside director (as defined in § 363.5(a)(3))
and is independent of management. At least
annually, the board of each institution
should determine whether each existing or
potential audit committee member is an
outside director. In addition, at least
annually, the board of an institution with $1
billion or more in total assets as of the
beginning of its fiscal year should determine
whether all existing and potential audit
committee members are ‘‘independent of
management of the institution’’ and the board
of an institution with total assets of $500
million or more but less than $1 billion as
of the beginning of its fiscal year should
determine whether the majority of all
existing and potential audit committee
members are ‘‘independent of management of
the institution.’’ The minutes of the board of
directors should contain the results of and
the basis for its determinations with respect
to each existing and potential audit
committee member. Because an insured
branch of a foreign bank does not have a
separate board of directors, the FDIC will not
apply the audit committee requirements to
such branch. However, any such branch is
encouraged to make a reasonable good faith
effort to see that similar duties are performed
by persons whose experience is generally
consistent with the Rule’s requirements for
an institution the size of the insured branch.
28. ‘‘Independent of Management’’
Considerations. It is not possible to
anticipate, or explicitly provide for, all
circumstances that might signal potential
conflicts of interest in, or that might bear on,
an outside director’s relationship to an
insured depository institution and whether
the outside director should be deemed
‘‘independent of management.’’ When
assessing an outside director’s relationship
with an institution, the board of directors
should consider the issue not merely from
the standpoint of the director himself or
herself, but also from the standpoint of
persons or organizations with which the
director has an affiliation. These
relationships can include, but are not limited
to, commercial, banking, consulting,
charitable, and family relationships. To assist
boards of directors in fulfilling their
responsibility to determine whether existing
and potential members of the audit
committee are ‘‘independent of
management,’’ paragraphs (a) through (d) of
this guideline provide guidance for making
this determination.
(a) If an outside director, either directly or
indirectly, owns or controls, or has owned or
controlled within the preceding fiscal year,
10 percent or more of any outstanding class
of voting securities of the institution, the
institution’s board of directors should
determine, and document its basis and
rationale for such determination, whether
such ownership of voting securities would
interfere with the outside director’s exercise
of independent judgment in carrying out the
responsibilities of an audit committee
member, including the ability to evaluate
objectively the propriety of management’s
accounting, internal control, and reporting
policies and practices. Notwithstanding the
criteria set forth in paragraphs (b), (c), and (d)
of this guideline, if the board of directors
determines that such ownership of voting
securities would interfere with the outside
director’s exercise of independent judgment,
the outside director will not be considered
‘‘independent of management.’’
(b) The following list sets forth additional
criteria that, at a minimum, a board of
directors should consider when determining
whether an outside director is ‘‘independent
of management.’’ The board of directors may
conclude that additional criteria are also
relevant to this determination in light of the
particular circumstances of its institution.
Accordingly, an outside director will not
be considered ‘‘independent of management’’
if:
(1) The director serves, or has served
within the last three years, as a consultant,
advisor, promoter, underwriter, legal
counsel, or trustee of or to the institution or
its affiliates.
(2) The director has been, within the last
three years, an employee of the institution or
any of its affiliates or an immediate family
member is, or has been within the last three
years, an executive officer of the institution
or any of its affiliates.
(3) The director has participated in the
preparation of the financial statements of the
institution or any of its affiliates at any time
during the last three years.
(4) The director has received, or has an
immediate family member who has received,
during any twelve-month period within the
last three years, more than $100,000 in direct
and indirect compensation from the
institution, its subsidiaries, and its affiliates
for consulting, advisory, or other services
other than director and committee fees and
pension or other forms of deferred
compensation for prior service (provided
such compensation is not contingent in any
way on continued service). Direct
compensation also would not include
compensation received by the director for
former service as an interim chairman or
interim chief executive officer.
(5) The director or an immediate family
member is a current partner of a firm that
performs internal or external auditing
services for the institution or any of its
affiliates; the director is a current employee
of such a firm; the director has an immediate
family member who is a current employee of
such a firm and who participates in the firm’s
audit, assurance, or tax compliance practice;
or the director or an immediate family
member was within the last three years (but
no longer is) a partner or employee of such
a firm and personally worked on the audit of
the insured depository institution or any of
its affiliates within that time.
(6) The director or an immediate family
member is, or has been within the last three
years, employed as an executive officer of
another entity where any of the present
executive officers of the institution or any of
its affiliates at the same time serves or served
on that entity’s compensation committee.
(7) The director is a current employee, or
an immediate family member is a current
executive officer, of an entity that has made
payments to, or received payments from, the
institution or any of its affiliates for property
or services in an amount which, in any of the
last three fiscal years, exceeds the greater of
$200 thousand, or 5 percent of such entity’s
consolidated gross revenues. This would
include payments made by the institution or
any of its affiliates to not-for-profit entities
where the director is an executive officer or
where an immediate family member of the
director is an executive officer.
(8) For purposes of paragraph (b) of this
guideline:
(i) An ‘‘immediate family member’’
includes a person’s spouse, parents, children,
siblings, mothers and fathers-in-law, sons
and daughters-in-law, brothers and sisters-in-law, and anyone (other than domestic
employees) who shares such person’s home.
(ii) The term affiliate of, or a person
affiliated with, a specified person, means a
person or entity that directly, or indirectly
through one or more intermediaries, controls,
or is controlled by, or is under common
control with, the person specified.
(iii) The term indirect compensation for
consulting, advisory, or other services
includes the acceptance of a fee for such
services by a director’s immediate family
member or by an organization in which the
director is a partner or principal that
provides accounting, consulting, legal,
investment banking, or financial advisory
services to the institution, any of its
subsidiaries, or any of its affiliates.
(iv) The terms direct and indirect
compensation and payments do not include
payments, such as dividends arising solely
from investments in the institution’s equity
securities provided the same per share
amounts are paid to all shareholders of that
class; interest income from investments in
the institution’s deposit accounts and debt
securities; loans from the institution that
conform to all regulatory requirements
applicable to such loans except that interest
payments or other fees paid in association
with such loans would be considered
payments; and payments under nondiscretionary charitable contribution
matching programs.
(c) An insured depository institution that
is a public company and a listed issuer (as
defined in Rule 10A–3 of the Securities
Exchange Act of 1934 (Exchange Act)), or is
a subsidiary of a public company that meets
the criterion specified in § 363.1(b)(1) and is
a listed issuer, may choose to use the
definition of audit committee member
independence set forth in the listing
standards applicable to the public institution
or its public company parent for purposes of
determining whether an outside director is
‘‘independent of management.’’
(d) All other insured depository
institutions may choose to use the definition
of audit committee member independence set
forth in the listing standards of a national
securities exchange that is registered with the
SEC pursuant to section 6 of the Exchange
Act or a national securities association that
is registered with the SEC pursuant to section
15A(a) of the Exchange Act for purposes of
determining whether an outside director is
‘‘independent of management.’’
29. [Reserved.]
30. Holding Company Audit Committees.
(a) When an insured depository institution
satisfies the requirements for the holding
company exception specified in
§§ 363.1(b)(1) and (2), the audit committee
requirement of this part may be satisfied by
the audit committee of the top-tier or any
mid-tier holding company. Members of the
audit committee of the holding company
should meet all the membership
requirements applicable to the largest
subsidiary depository institution subject to
part 363 and should perform all the duties of
the audit committee of a subsidiary
institution subject to part 363, even if the
holding company directors are not directors
of the institution.
(b) When an insured depository institution
subsidiary with total assets of $1 billion or
more as of the beginning of its fiscal year
does not meet the requirements for the
holding company exception specified in
§§ 363.1(b)(1) and (2) or maintains its own
separate audit committee to satisfy the
requirements of this part, the members of the
audit committee of the top-tier or any mid-tier holding company may serve on the audit
committee of the subsidiary institution if
they are otherwise independent of
management of the subsidiary institution,
and, if applicable, meet any other
requirements for a large subsidiary
institution covered by this part.
(c) When an insured depository institution
with total assets of $500 million or more but
less than $1 billion as of the beginning of its
fiscal year does not meet the requirements for
the holding company exception specified in
§§ 363.1(b)(1) and (2) or maintains its own
separate audit committee to satisfy the
requirements of this part, the members of the
audit committee of the top-tier or any mid-tier holding company may serve on the audit
committee of the subsidiary institution
provided a majority of the institution’s audit
committee members are independent of
management of the subsidiary institution.
(d) Officers and employees of a top-tier or
any mid-tier holding company may not serve
on the audit committee of a subsidiary
institution subject to part 363.
31. Duties. The audit committee should
perform all duties determined by the
institution’s board of directors and it should
maintain minutes and other relevant records
of its meetings and decisions. The duties of
the audit committee should be appropriate to
the size of the institution and the complexity
of its operations, and, at a minimum, should
include the appointment, compensation, and
oversight of the independent public
accountant; reviewing with management and
the independent public accountant the basis
for their respective reports issued under
§§ 363.2(a) and (b) and §§ 363.3(a) and (b);
reviewing and satisfying itself as to the
independent public accountant’s compliance
with the required qualifications for
independent public accountants set forth in
§§ 363.3(f) and (g) and guidelines 13 through
16; ensuring that audit engagement letters
comply with the provisions of § 363.5(c)
before engaging an independent public
accountant; being familiar with the notice
requirements in § 363.4(d) and guideline 20
regarding the selection, change, or
termination of an independent public
accountant; and ensuring that management
sends a copy of any notice required under
§ 363.4(d) to the independent public
accountant when it is filed with the FDIC.
Appropriate additional duties could include:
(a) Reviewing with management and the
independent public accountant the scope of
services required by the audit, significant
accounting policies, and audit conclusions
regarding significant accounting estimates;
(b) Reviewing with management and the
accountant their assessments of the
effectiveness of internal control over
financial reporting, and the resolution of
identified material weaknesses and
significant deficiencies in internal control
over financial reporting, including the
prevention or detection of management
override or compromise of the internal
control system;
(c) Reviewing with management the
institution’s compliance with the Designated
Laws and Regulations identified in guideline
7A;
(d) Discussing with management and the
independent public accountant any
significant disagreements between
management and the independent public
accountant; and
(e) Overseeing the internal audit function.
32. Banking or Related Financial
Management Expertise. At least two members
of the audit committee of a large institution
shall have ‘‘banking or related financial
management expertise’’ as required by
section 36(g)(1)(C)(i). This determination is to
be made by the board of directors of the
insured depository institution. A person will
be considered to have such required
expertise if the person has significant
executive, professional, educational, or
regulatory experience in financial, auditing,
accounting, or banking matters as determined
by the board of directors. Significant
experience as an officer or member of the
board of directors or audit committee of a
financial services company would satisfy
these criteria. A person who has the
attributes of an ‘‘audit committee financial
expert’’ as set forth in the SEC’s rules would
also satisfy these criteria.
33. Large Customers. Any individual or
entity (including a controlling person of any
such entity) which, in the determination of
the board of directors, has such significant
direct or indirect credit or other relationships
with the institution, the termination of which
likely would materially and adversely affect
the institution’s financial condition or results
of operations, should be considered a ‘‘large
customer’’ for purposes of § 363.5(b).
34. Access to Counsel. The audit
committee should be able to retain counsel
at its discretion without prior permission of
the institution’s board of directors or its
management. Section 36 does not preclude
advice from the institution’s internal counsel
or regular outside counsel. It also does not
require retaining or consulting counsel, but if
the committee elects to do either, it also may
elect to consider issues affecting the
counsel’s independence. Such issues would
include whether to retain or consult only
counsel not concurrently representing the
institution or any affiliate, and whether to
place limitations on any counsel representing
the institution concerning matters in which
such counsel previously participated
personally and substantially as outside
counsel to the committee.
35. Transition Period for Forming and
Restructuring Audit Committees.
(a) When an insured depository
institution’s total assets as of the beginning
of its fiscal year are $500 million or more for
the first time and it thereby becomes subject
to part 363, no regulatory action will be taken
if the institution (1) develops and approves
a set of written criteria for determining
whether a director who is to serve on the
audit committee is an outside director and is
independent of management and (2) forms or
restructures its audit committee to comply
with § 363.5(a)(2) by the end of that fiscal
year.
(b) When an insured depository
institution’s total assets as of the beginning
of its fiscal year are $1 billion or more for the
first time, no regulatory action will be taken
if the institution forms or restructures its
audit committee to comply with § 363.5(a)(1)
by the end of that fiscal year, provided that
the composition of its audit committee meets
the requirements specified in § 363.5(a)(2) at
the beginning of that fiscal year, if such
requirements were applicable.
(c) When an insured depository
institution’s total assets as of the beginning
of its fiscal year are $3 billion or more for the
first time, no regulatory action will be taken
if the institution forms or restructures its
audit committee to comply with § 363.5(b) by
the end of that fiscal year, provided that the
composition of its audit committee meets the
requirements specified in § 363.5(a)(1) at the
beginning of that fiscal year, if such
requirements were applicable.
Other
36. Modifications of Guidelines. The
FDIC’s Board of Directors has delegated to
the Director of the FDIC’s Division of
Supervision and Consumer Protection
authority to make and publish in the Federal
Register minor technical amendments to the
Guidelines in this Appendix and the
guidance and illustrative reports in
Appendix B, in consultation with the other
appropriate Federal banking agencies, to
reflect the practical experience gained from
implementation of this part. It is not
anticipated any such modification would be
effective until affected institutions have been
given reasonable advance notice of the
modification. Any material modification or
amendment will be subject to review and
approval of the FDIC Board of Directors.
TABLE 1 TO APPENDIX A
Designated federal laws and regulations applicable to:
Citation | Description | National banks | State member banks | State nonmember banks | Savings associations
Insider Loans—Parts and/or Sections of Title 12 of the United States Code
375a | Loans to Executive Officers of Banks | √ | √ | (A) | (A)
375b | Extensions of Credit to Executive Officers, Directors, and Principal Shareholders of Banks | √ | √ | (A) | (A)
1468(b) | Extensions of Credit to Executive Officers, Directors, and Principal Shareholders | ................ | ................ | ................ | √
1828(j)(2) | Extensions of Credit to Officers, Directors, and Principal Shareholders | ................ | ................ | √ | ................
1828(j)(3)(B) | Extensions of Credit to Officers, Directors, and Principal Shareholders | (B) | ................ | (C) | ................
Parts and/or Sections of Title 12 of the Code of Federal Regulations
31 | Extensions of Credit to Insiders
32 | Lending Limits
√
√
215 | Loans to Executive Officers, Directors, and Principal Shareholders of Member Banks
337.3 | Limits on Extensions of Credit to Executive Officers, Directors, and Principal Shareholders of Insured Nonmember Banks
563.43 | Loans by Savings Associations to Their Executive Officers, Directors, and Principal Shareholders
√
√
(D)
................
................
√
................
................
................
√
................
√
√
√
(E)
Dividend Restrictions—Parts and/or Sections of Title 12 of the United States Code
56 | Prohibition on Withdrawal of Capital and Unearned Dividends
60 | Dividends and Surplus Fund
1467a(f) | Declaration of Dividend
1831o(d)(1) | Prompt Corrective Action—Capital Distributions Restricted
√
√
................
√
√
√
................
√
Parts and/or Sections of Title 12 of the Code of Federal Regulations
5 Subpart E | Payment of Dividends
6.6 | Prompt Corrective Action—Restrictions on Undercapitalized Institutions
208.5 | Dividends and Other Distributions
208.45 | Prompt Corrective Action—Restrictions on Undercapitalized Institutions
325.105 | Prompt Corrective Action—Restrictions on Undercapitalized Institutions
563 Subpart E | Capital Distributions
565.6 | Prompt Corrective Action—Restrictions on Undercapitalized Institutions
√
√
................
................
√
√
................
................
√
................
................
................
................
................
................
√
√
A. Subsections (g) and (h) of section 22 of the Federal Reserve Act [12 U.S.C. 375a, 375b].
B. Applies only to insured Federal branches of foreign banks.
C. Applies only to insured State branches of foreign banks.
D. See 12 CFR 337.3.
E. See 12 CFR 563.43.
Appendix B to Part 363—Illustrative
Management Reports
Table of Contents
1. General
2. Reporting Scenarios for Institutions that
are Holding Company Subsidiaries
3. Illustrative Statements of Management’s
Responsibilities
4. Illustrative Reports on Management’s
Assessment of Compliance With
Designated Laws and Regulations
5. Illustrative Reports on Management’s
Assessment of Internal Control Over
Financial Reporting
6. Illustrative Management Report—
Combined Statement of Management’s
Responsibilities, Report on Management’s
Assessment of Compliance With
Designated Laws and Regulations, and
Report on Management’s Assessment of
Internal Control Over Financial Reporting
7. Illustrative Cover Letter—Compliance by
Holding Company Subsidiaries
1. General. The reporting scenarios,
illustrative management reports, and the
cover letter (when complying at the holding
company level) in Appendix B to part 363 are
intended to assist managements of insured
depository institutions in complying with the
annual reporting requirements of § 363.2 and
guideline 3, Compliance by Holding
Company Subsidiaries, of Appendix A to part
363. However, use of the illustrative
management reports and cover letter is not
required. The managements of insured
depository institutions are encouraged to
tailor the wording of their management
reports and cover letters to fit their particular
circumstances, especially when reporting on
material weaknesses in internal control over
financial reporting or noncompliance with
designated laws and regulations. Terms that
are not explained in Appendix B have the
meanings given them in part 363, the FDI
Act, or professional accounting and auditing
literature. Instructions to the preparer of the
management reports are shown in brackets
within the illustrative reports.
2. Reporting Scenarios for Institutions that
are Holding Company Subsidiaries.
(a) Subject to the criteria specified in
§ 363.1(b), an insured depository institution
that is a subsidiary of a holding company has
flexibility in satisfying the reporting
requirements of part 363. When reporting at
the holding company level, the management
report, or the individual components thereof,
should identify those subsidiary institutions
that are subject to part 363 and the extent to
which they are included in the scope of the
management report or a component of the
report. The following reporting scenarios
reflect how an insured depository institution
that meets the criteria set forth in § 363.1(b)
could satisfy the annual reporting
requirements of § 363.2. Other reporting
scenarios are possible.
(i) An institution that is a subsidiary of a
holding company may satisfy the
requirements for audited financial
statements; management’s statement of
responsibilities; management’s assessment of
the institution’s compliance with the Federal
laws and regulations pertaining to insider
loans and the Federal and, if applicable, State
laws and regulations pertaining to dividend
restrictions; management’s assessment of the
effectiveness of internal control over
financial reporting, if applicable; and the
independent public accountant’s attestation
on management’s assertion as to the
effectiveness of internal control over
financial reporting, if applicable, at the
insured depository institution level.
(ii) An institution that is a subsidiary of a
holding company may satisfy the
requirements for audited financial
statements; management’s statement of
responsibilities; management’s assessment of
the institution’s compliance with the Federal
laws and regulations pertaining to insider
loans and the Federal and, if applicable, State
laws and regulations pertaining to dividend
restrictions; management’s assessment of the
effectiveness of internal control over
financial reporting, if applicable; and the
independent public accountant’s attestation
on management’s assertion as to the
effectiveness of internal control over
financial reporting, if applicable, at the
holding company level.
(iii) An institution that is a subsidiary of
a holding company may satisfy the
requirement for audited financial statements
at the holding company level and may satisfy
the requirements for management’s statement
of responsibilities; management’s assessment
of the institution’s compliance with the
Federal laws and regulations pertaining to
insider loans and the Federal and, if
applicable, State laws and regulations
pertaining to dividend restrictions;
management’s assessment of the effectiveness
of internal control over financial reporting, if
applicable; and the independent public
accountant’s attestation on management’s
assertion as to the effectiveness of internal
control over financial reporting, if applicable,
at the insured depository institution level.
(iv) An institution that is a subsidiary of a
holding company may satisfy the
requirements for audited financial
statements; management’s statement of
responsibilities; and management’s
assessment of the institution’s compliance
with the Federal laws and regulations
pertaining to insider loans and the Federal
and, if applicable, State laws and regulations
pertaining to dividend restrictions at the
insured depository institution level and may
satisfy the requirements for the assessment
by management of the effectiveness of
internal control over financial reporting, if
applicable; and the independent public
accountant’s attestation on management’s
assertion as to the effectiveness of internal
control over financial reporting, if applicable,
at the holding company level.
(b) For an institution with total assets of $1
billion or more as of the beginning of its
fiscal year, the assessment by management of
the effectiveness of internal control over
financial reporting and the independent
public accountant’s attestation on
management’s assertion as to the
effectiveness of internal control over
financial reporting, if applicable, must both
be performed at the same level, i.e., either at
the insured depository institution level or at
the holding company level.
(c) Financial statements prepared for
regulatory reporting purposes encompass the
schedules equivalent to the basic financial
statements in an institution’s appropriate
regulatory report, e.g., the bank Consolidated
Reports of Condition and Income (Call
Report) and the Thrift Financial Report
(TFR). Guideline 4A in Appendix A to part
363 identifies the schedules equivalent to the
basic financial statements in the Call Report
and TFR. When internal control assessments
and attestations are performed at the holding
company level, the FDIC believes that
holding companies have flexibility in
interpreting ‘‘financial reporting’’ as it relates
to ‘‘regulatory reporting’’ and has not
objected to several reporting approaches
employed by holding companies to cover
‘‘regulatory reporting.’’ Certain holding
companies have had management’s
assessment and the accountant’s attestation
cover the schedules equivalent to the basic
financial statements that are included in the
appropriate regulatory report, e.g., Call
Report and the TFR, of each subsidiary
institution subject to part 363. Other holding
companies have had management’s
assessment and the accountant’s attestation
cover the schedules equivalent to the basic
financial statements that are included in the
holding company’s year-end regulatory
report (FR Y–9C report) to the Federal
Reserve Board.
3. Illustrative Statements of Management’s
Responsibilities. The following illustrative
statements of management’s responsibilities
satisfy the requirements of § 363.2(b)(1).
(a) Statement Made at Insured Depository
Institution Level
Statement of Management’s Responsibilities
The management of ABC Depository
Institution (the ‘‘Institution’’) is responsible
for preparing the Institution’s annual
financial statements in accordance with
generally accepted accounting principles; for
establishing and maintaining an adequate
internal control structure and procedures for
financial reporting, including controls over
the preparation of regulatory financial
statements in accordance with the
instructions for the [specify the regulatory
report]; and for complying with the Federal
laws and regulations pertaining to insider
loans and the Federal and, if applicable, State
laws and regulations pertaining to dividend
restrictions.
ABC Depository Institution
_____________________
John Doe, Chief Executive Officer
Date: __________________
_____________________
Jane Doe, Chief Financial Officer
Date: __________________
(b) Statement Made at Holding Company
Level
Statement of Management’s Responsibilities
The management of BCD Holding
Company (the ‘‘Company’’) is responsible for
preparing the Company’s annual financial
statements in accordance with generally
accepted accounting principles; for
establishing and maintaining an adequate
internal control structure and procedures for
financial reporting, including controls over
the preparation of regulatory financial
statements in accordance with the
instructions for the [specify the regulatory
report]; and for complying with the Federal
laws and regulations pertaining to insider
loans and the Federal and, if applicable, State
laws and regulations pertaining to dividend
restrictions. The following subsidiary
institutions of the Company that are subject
to Part 363 are included in this statement of
management’s responsibilities: [Identify the
subsidiary institutions.]
BCD Holding Company
_____________________
John Doe, Chief Executive Officer
Date: __________________
_____________________
Jane Doe, Chief Financial Officer
Date: __________________
4. Illustrative Reports on Management’s
Assessment of Compliance With Designated
Laws and Regulations. The following
illustrative reports on management’s
assessment of compliance with Designated
Laws and Regulations satisfy the
requirements of § 363.2(b)(2).
(a) Statement Made at Insured Depository
Institution Level—Compliance With
Designated Laws and Regulations Pertaining
to Insider Loans and Dividend Restrictions
Management’s Assessment of Compliance
With Designated Laws and Regulations
The management of ABC Depository
Institution (the ‘‘Institution’’) has assessed
the Institution’s compliance with the Federal
laws and regulations pertaining to insider
loans and the Federal and, if applicable, State
laws and regulations pertaining to dividend
restrictions during the fiscal year that ended
on December 31, 20XX. Based upon its
assessment, management has concluded that
the Institution complied with the Federal
laws and regulations pertaining to insider
loans and the Federal and, if applicable, State
laws and regulations pertaining to dividend
restrictions during the fiscal year that ended
on December 31, 20XX.
ABC Depository Institution
_____________________
John Doe, Chief Executive Officer
Date: __________________
_____________________
Jane Doe, Chief Financial Officer
Date: __________________
(b) Statement Made at Insured Depository
Institution Level—Noncompliance With
Designated Laws and Regulations Pertaining
to Both Insider Loans and Dividend
Restrictions
Management’s Assessment of Compliance
With Designated Laws and Regulations
The management of ABC Depository
Institution (the ‘‘Institution’’) has assessed
the Institution’s compliance with the Federal
laws and regulations pertaining to insider
loans and the Federal and, if applicable, State
laws and regulations pertaining to dividend
restrictions during the fiscal year that ended
on December 31, 20XX. Based upon its
assessment, management has determined
that, because of the instance(s) of
noncompliance noted below, the Institution
did not comply with the Federal laws and
regulations pertaining to insider loans and
the Federal and, if applicable, State laws and
regulations pertaining to dividend
restrictions during the fiscal year that ended
on December 31, 20XX.
[Identify and describe the instance or
instances of noncompliance with the Federal
laws and regulations pertaining to insider
loans and the Federal and, if applicable, State
laws and regulations pertaining to dividend
restrictions, including appropriate qualitative
and quantitative information to describe the
nature, type, and severity of the
noncompliance and the dollar amounts of the
insider loan(s) and dividend(s) involved.]
ABC Depository Institution
_____________________
John Doe, Chief Executive Officer
Date: __________________
_____________________
Jane Doe, Chief Financial Officer
Date: __________________
(c) Statement Made at Insured Depository
Institution Level—Compliance With
Designated Laws and Regulations Pertaining
to Insider Loans and Noncompliance With
Designated Laws and Regulations Pertaining
to Dividend Restrictions
Management’s Assessment of Compliance
With Designated Laws and Regulations
The management of ABC Depository
Institution (the ‘‘Institution’’) has assessed
the Institution’s compliance with the Federal
laws and regulations pertaining to insider
loans and the Federal and, if applicable, State
laws and regulations pertaining to dividend
restrictions during the fiscal year that ended
on December 31, 20XX. Based upon its
assessment, management has concluded that
the Institution complied with the Federal
laws and regulations pertaining to insider
loans during the fiscal year that ended on
December 31, 20XX. Also, based upon its
assessment, management has determined
that, because of the instance(s) of
noncompliance noted below, the Institution
did not comply with the Federal and, if
applicable, State laws and regulations
pertaining to dividend restrictions during the
fiscal year that ended on December 31, 20XX.
[Identify and describe the instance or
instances of noncompliance with the Federal
and, if applicable, State laws and regulations
pertaining to dividend restrictions, including
appropriate qualitative and quantitative
information to describe the nature, type, and
severity of the noncompliance and the dollar
amount(s) of the dividend(s) involved.]
ABC Depository Institution
_____________________
John Doe, Chief Executive Officer
Date: __________________
_____________________
Jane Doe, Chief Financial Officer
Date: __________________
(d) Statement Made at Insured Depository
Institution Level—Noncompliance With
Designated Laws and Regulations Pertaining
to Insider Loans and Compliance With
Designated Laws and Regulations Pertaining
to Dividend Restrictions
Management’s Assessment of Compliance
With Designated Laws and Regulations
The management of ABC Depository
Institution (the ‘‘Institution’’) has assessed
the Institution’s compliance with the Federal
laws and regulations pertaining to insider
loans and the Federal and, if applicable, State
laws and regulations pertaining to dividend
restrictions during the fiscal year that ended
on December 31, 20XX. Based upon its
assessment, management has determined
that, because of the instance(s) of
noncompliance noted below, the Institution
did not comply with the Federal laws and
regulations pertaining to insider loans during
the fiscal year that ended on December 31,
20XX. Also, based upon its assessment,
management has concluded that the
Institution complied with the Federal and, if
applicable, State laws and regulations
pertaining to dividend restrictions during the
fiscal year that ended on December 31, 20XX.
[Identify and describe the instance or
instances of noncompliance with the Federal
laws and regulations pertaining to insider
loans, including appropriate qualitative and
quantitative information to describe the
nature, type, and severity of the
noncompliance and the dollar amount(s) of
the insider loan(s) involved.]
ABC Depository Institution
_____________________
John Doe, Chief Executive Officer
Date: __________________
_____________________
Jane Doe, Chief Financial Officer
Date: __________________
(e) Statement Made at Holding Company
Level—Compliance With Designated Laws
and Regulations Pertaining to Insider Loans
and Dividend Restrictions
Management’s Assessment of Compliance
With Designated Laws and Regulations
The management of BCD Holding
Company (the ‘‘Company’’) has assessed the
Company’s compliance with the Federal laws
and regulations pertaining to insider loans
and the Federal and, if applicable, State laws
and regulations pertaining to dividend
restrictions during the fiscal year that ended
on December 31, 20XX. Based upon its
assessment, management has concluded that
the Company complied with the Federal laws
and regulations pertaining to insider loans
and the Federal and, if applicable, State laws
and regulations pertaining to dividend
restrictions during the fiscal year that ended
on December 31, 20XX. The following
subsidiary institutions of the Company that
are subject to Part 363 are included in this
assessment of compliance with these
designated laws and regulations: [Identify the
subsidiary institutions.]
BCD Holding Company
_____________________
John Doe, Chief Executive Officer
Date: __________________
_____________________
Jane Doe, Chief Financial Officer
Date: __________________
(f) Statement Made at Holding Company
Level—Noncompliance With Designated
Laws and Regulations Pertaining to Both
Insider Loans and Dividend Restrictions
Management’s Assessment of Compliance
With Designated Laws and Regulations
The management of BCD Holding
Company (the ‘‘Company’’) has assessed the
Company’s compliance with the Federal laws
and regulations pertaining to insider loans
and the Federal and, if applicable, State laws
and regulations pertaining to dividend
restrictions during the fiscal year that ended
on December 31, 20XX. The following
subsidiary institutions of the Company that
are subject to Part 363 are included in this
assessment of compliance with these
designated laws and regulations: [Identify the
subsidiary institutions.]
Based upon its assessment, management
has determined that, because of the
instance(s) of noncompliance noted below,
the Company did not comply with the
Federal laws and regulations pertaining to
insider loans and the Federal and, if
applicable, State laws and regulations
pertaining to dividend restrictions during the
fiscal year that ended on December 31, 20XX.
[Identify and describe the instance or
instances of noncompliance with the Federal
laws and regulations pertaining to insider
loans and the Federal and, if applicable, State
laws and regulations pertaining to dividend
restrictions, including appropriate qualitative
and quantitative information to identify the
subsidiary institutions of the Company that
are subject to Part 363 that had instances of
noncompliance and describe the nature, type,
and severity of the noncompliance and the
dollar amount(s) of the insider loan(s) and
dividend(s) involved.]
BCD Holding Company
_____________________
John Doe, Chief Executive Officer
Date: __________________
_____________________
Jane Doe, Chief Financial Officer
Date: __________________
(g) Statement Made at Holding Company
Level—Compliance With Designated Laws
and Regulations Pertaining to Insider Loans
and Noncompliance With Designated Laws
and Regulations Pertaining to Dividend
Restrictions
Management’s Assessment of Compliance
With Designated Laws and Regulations
The management of BCD Holding
Company (the ‘‘Company’’) has assessed the
Company’s compliance with the Federal laws
and regulations pertaining to insider loans
and the Federal and, if applicable, State laws
and regulations pertaining to dividend
restrictions during the fiscal year that ended
on December 31, 20XX. The following
subsidiary institutions of the Company that
are subject to Part 363 are included in this
assessment of compliance with these
designated laws and regulations: [Identify the
subsidiary institutions.]
Based upon its assessment, management
has concluded that the Company complied
with the Federal laws and regulations
pertaining to insider loans during the fiscal
year that ended on December 31, 20XX. Also,
based upon its assessment, management has
determined that, because of the instance(s) of
noncompliance noted below, the Company
did not comply with the Federal and, if
applicable, State laws and regulations
pertaining to dividend restrictions during the
fiscal year that ended on December 31, 20XX.
[Identify and describe the instance or
instances of noncompliance with the Federal
and, if applicable, State laws and regulations
pertaining to dividend restrictions, including
appropriate qualitative and quantitative
information to identify the subsidiary
institutions of the Company that are subject
to Part 363 that had instances of
noncompliance and describe the nature, type,
and severity of the noncompliance and the
dollar amount(s) of the dividend(s) involved.]
BCD Holding Company
_____________________
John Doe, Chief Executive Officer
Date: __________________
_____________________
Jane Doe, Chief Financial Officer
Date: __________________
(h) Statement Made at Holding Company
Level—Noncompliance With Designated
Laws and Regulations Pertaining to Insider
Loans and Compliance With Designated
Laws and Regulations Pertaining to Dividend
Restrictions
Management’s Assessment of Compliance
With Designated Laws and Regulations
The management of BCD Holding
Company (the ‘‘Company’’) has assessed the
Company’s compliance with the Federal laws
and regulations pertaining to insider loans
and the Federal and, if applicable, State laws
and regulations pertaining to dividend
restrictions during the fiscal year that ended
on December 31, 20XX. The following
subsidiary institutions of the Company that
are subject to Part 363 are included in this
assessment of compliance with these
designated laws and regulations: [Identify the
subsidiary institutions.]
Based upon its assessment, management
has determined that, because of the
instance(s) of noncompliance noted below,
the Company did not comply with the
Federal laws and regulations pertaining to
insider loans during the fiscal year that
ended on December 31, 20XX. Also, based
upon its assessment, management has
concluded that the Company complied with
the Federal and, if applicable, State laws and
regulations pertaining to dividend
restrictions during the fiscal year that ended
on December 31, 20XX.
[Identify and describe the instance or
instances of noncompliance with the Federal
laws and regulations pertaining to insider
loans, including appropriate qualitative and
quantitative information to identify the
subsidiary institutions of the Company that
are subject to Part 363 that had instances of
noncompliance and describe the nature, type,
and severity of the noncompliance and the
dollar amount(s) of the insider loan(s)
involved.]
BCD Holding Company
_____________________
John Doe, Chief Executive Officer
Date: __________________
_____________________
Jane Doe, Chief Financial Officer
Date: __________________
5. Illustrative Reports on Management’s
Assessment of Internal Control Over
Financial Reporting. The following
illustrative reports on management’s
assessment of internal control over financial
reporting satisfy the requirements of
§ 363.2(b)(3).
(a) Statement Made at Insured Depository
Institution Level—No Material Weaknesses
Management’s Assessment of Internal
Control Over Financial Reporting
ABC Depository Institution’s (the
‘‘Institution’’) internal control over financial
reporting is a process effected by those
charged with governance, management, and
other personnel, designed to provide
reasonable assurance regarding the reliability
of financial reporting and the preparation of
reliable financial statements in accordance
with accounting principles generally
accepted in the United States of America and
financial statements for regulatory reporting
purposes, i.e., [specify the regulatory
reports]. The Institution’s internal control
over financial reporting includes those
policies and procedures that (1) pertain to the
maintenance of records that, in reasonable
detail, accurately and fairly reflect the
transactions and dispositions of the assets of
the Institution; (2) provide reasonable
assurance that transactions are recorded as
necessary to permit preparation of financial
statements in accordance with accounting
principles generally accepted in the United
States of America and financial statements
for regulatory reporting purposes, and that
receipts and expenditures of the Institution
are being made only in accordance with
authorizations of management and directors
of the Institution; and (3) provide reasonable
assurance regarding prevention, or timely
detection and correction of unauthorized
acquisition, use, or disposition of the
Institution’s assets that could have a material
effect on the financial statements.
Because of its inherent limitations, internal
control over financial reporting may not
prevent, or detect and correct misstatements.
Also, projections of any evaluation of
effectiveness to future periods are subject to
the risk that controls may become inadequate
because of changes in conditions, or that the
degree of compliance with the policies and
procedures may deteriorate.
Management is responsible for establishing
and maintaining effective internal control
over financial reporting including controls
over the preparation of regulatory financial
statements. Management assessed the
effectiveness of the Institution’s internal
control over financial reporting, including
controls over the preparation of regulatory
financial statements in accordance with the
instructions for the [specify the regulatory
report], as of December 31, 20XX, based on
the framework set forth by the Committee of
Sponsoring Organizations of the Treadway
Commission in Internal Control—Integrated
Framework. Based upon its assessment,
management has concluded that, as of
December 31, 20XX, the Institution’s internal
control over financial reporting, including
controls over the preparation of regulatory
financial statements in accordance with the
instructions for the [specify the regulatory
report], is effective based on the criteria
established in Internal Control—Integrated
Framework.
Management’s assessment of the
effectiveness of internal control over
financial reporting, including controls over
the preparation of regulatory financial
statements in accordance with the
instructions for the [specify the regulatory
report], as of December 31, 20XX, has been
audited by [name of auditing firm], an
independent public accounting firm, as
stated in their report dated March XX, 20XY.
ABC Depository Institution
_____________________
John Doe, Chief Executive Officer
Date: __________________
_____________________
Jane Doe, Chief Financial Officer
Date: __________________
(b) Statement Made at Insured Depository
Institution Level—One or More Material
Weaknesses
Management’s Assessment of Internal
Control Over Financial Reporting
ABC Depository Institution’s (the
‘‘Institution’’) internal control over financial
reporting is a process effected by those
charged with governance, management, and
other personnel, designed to provide
reasonable assurance regarding the reliability
of financial reporting and the preparation of
reliable financial statements in accordance
with accounting principles generally
accepted in the United States of America and
financial statements for regulatory reporting
purposes, i.e., [specify the regulatory
reports]. The Institution’s internal control
over financial reporting includes those
policies and procedures that (1) pertain to the
maintenance of records that, in reasonable
detail, accurately and fairly reflect the
transactions and dispositions of the assets of
the Institution; (2) provide reasonable
assurance that transactions are recorded as
necessary to permit preparation of financial
statements in accordance with accounting
principles generally accepted in the United
States of America and financial statements
for regulatory reporting purposes, and that
receipts and expenditures of the Institution
are being made only in accordance with
authorizations of management and directors
of the Institution; and (3) provide reasonable
assurance regarding prevention, or timely
detection and correction of unauthorized
acquisition, use, or disposition of the
Institution’s assets that could have a material
effect on the financial statements.
Because of its inherent limitations, internal
control over financial reporting may not
prevent, or detect and correct misstatements.
Also, projections of any evaluation of
effectiveness to future periods are subject to
the risk that controls may become inadequate
because of changes in conditions, or that the
degree of compliance with the policies and
procedures may deteriorate.
Management is responsible for establishing
and maintaining effective internal control
over financial reporting including controls
over the preparation of regulatory financial
statements. Management assessed the
effectiveness of the Institution’s internal
control over financial reporting, including
controls over the preparation of regulatory
financial statements in accordance with the
instructions for the [specify the regulatory
report], as of December 31, 20XX, based on
the framework set forth by the Committee of
Sponsoring Organizations of the Treadway
Commission in Internal Control—Integrated
Framework. Because of the material
weakness (or weaknesses) noted below,
management determined that the Institution’s
internal control over financial reporting,
including controls over the preparation of
regulatory financial statements in accordance
with the instructions for the [specify the
regulatory report], was not effective as of
December 31, 20XX.
[Identify and describe the material
weakness or weaknesses.]
Management’s assessment of the
effectiveness of internal control over
financial reporting, including controls over
the preparation of regulatory financial
statements in accordance with the
instructions for the [specify the regulatory
report], as of December 31, 20XX, has been
audited by [name of auditing firm], an
independent public accounting firm, as
stated in their report dated March XX, 20XY.
ABC Depository Institution
_____________________
John Doe, Chief Executive Officer
Date: __________________
_____________________
Jane Doe, Chief Financial Officer
Date: __________________
(c) Statement Made at Holding Company
Level—No Material Weaknesses
Management’s Assessment of Internal
Control Over Financial Reporting
BCD Holding Company’s (the ‘‘Company’’)
internal control over financial reporting is a
process effected by those charged
with governance, management, and other
personnel, designed to provide reasonable assurance
regarding the reliability of financial reporting
and the preparation of reliable financial
statements in accordance with accounting
principles generally accepted in the United
States of America and financial statements
for regulatory reporting purposes, i.e.,
[specify the regulatory reports]. The
Company’s internal control over financial
reporting includes those policies and
procedures that (1) pertain to the
maintenance of records that, in reasonable
detail, accurately and fairly reflect the
transactions and dispositions of the assets of
the Company; (2) provide reasonable
assurance that transactions are recorded as
necessary to permit preparation of financial
statements in accordance with accounting
principles generally accepted in the United
States of America and financial statements
for regulatory reporting purposes, and that
receipts and expenditures of the Company
are being made only in accordance with
authorizations of management and directors
of the Company; and (3) provide reasonable
assurance regarding prevention, or timely
detection and correction of unauthorized
acquisition, use, or disposition of the
Company’s assets that could have a material
effect on the financial statements.
Because of its inherent limitations, internal
control over financial reporting may not
prevent, or detect and correct misstatements.
Also, projections of any evaluation of
effectiveness to future periods are subject to
the risk that controls may become inadequate
because of changes in conditions, or that the
degree of compliance with the policies and
procedures may deteriorate.
Management is responsible for establishing
and maintaining effective internal control
over financial reporting including controls
over the preparation of regulatory financial
statements. Management assessed the
effectiveness of the Company’s internal
control over financial reporting, including
controls over the preparation of regulatory
financial statements in accordance with the
instructions for the [specify the regulatory
report], as of December 31, 20XX, based on
the framework set forth by the Committee of
Sponsoring Organizations of the Treadway
Commission in Internal Control—Integrated
Framework. Based on that assessment,
management concluded that, as of December
31, 20XX, the Company’s internal control
over financial reporting, including controls
over the preparation of regulatory financial
statements in accordance with the
instructions for the [specify the regulatory
report], is effective based on the criteria
established in Internal Control—Integrated
Framework. The following subsidiary
institutions of the Company that are subject
to Part 363 are included in this assessment
of the effectiveness of internal control over
financial reporting: [Identify the subsidiary
institutions.]
Management’s assessment of the
effectiveness of internal control over
financial reporting, including controls over
the preparation of regulatory financial
statements in accordance with the
instructions for the [specify the regulatory
report], as of December 31, 20XX, has been
audited by [name of auditing firm], an
independent public accounting firm, as
stated in their report dated March XX, 20XY.
BCD Holding Company
_____________________
John Doe, Chief Executive Officer
Date: __________________
_____________________
Jane Doe, Chief Financial Officer
Date: __________________
(d) Statement Made at Holding Company
Level—One or More Material Weaknesses
Management’s Assessment of Internal
Control Over Financial Reporting
BCD Holding Company’s (the ‘‘Company’’)
internal control over financial reporting is a
process effected by those charged with
governance, management, and other
personnel, designed to provide reasonable
assurance regarding the reliability of
financial reporting and the preparation of
reliable financial statements in accordance
with accounting principles generally
accepted in the United States of America and
financial statements for regulatory reporting
purposes, i.e., [specify the regulatory
reports]. The Company’s internal control over
financial reporting includes those policies
and procedures that (1) pertain to the
maintenance of records that, in reasonable
detail, accurately and fairly reflect the
transactions and dispositions of the assets of
the Company; (2) provide reasonable
assurance that transactions are recorded as
necessary to permit preparation of financial
statements in accordance with accounting
principles generally accepted in the United
States of America and financial statements
for regulatory reporting purposes, and that
receipts and expenditures of the Company
are being made only in accordance with
authorizations of management and directors
of the Company; and (3) provide reasonable
assurance regarding prevention, or timely
detection and correction of unauthorized
acquisition, use, or disposition of the
Company’s assets that could have a material
effect on the financial statements.
Because of its inherent limitations, internal
control over financial reporting may not
prevent, or detect and correct misstatements.
Also, projections of any evaluation of
effectiveness to future periods are subject to
the risk that controls may become inadequate
because of changes in conditions, or that the
degree of compliance with the policies and
procedures may deteriorate.
Management is responsible for establishing
and maintaining effective internal control
over financial reporting including controls
over the preparation of regulatory financial
statements. Management assessed the
effectiveness of the Company’s internal
control over financial reporting, including
controls over the preparation of regulatory
financial statements in accordance with the
instructions for the [specify the regulatory
report], as of December 31, 20XX, based on
the framework set forth by the Committee of
Sponsoring Organizations of the Treadway
Commission in Internal Control—Integrated
Framework. Because of the material
weakness (or weaknesses) noted below,
management determined that the Company’s
internal control over financial reporting,
including controls over the preparation of
regulatory financial statements in accordance
with the instructions for the [specify the
regulatory report], was not effective as of
December 31, 20XX. The following
subsidiary institutions of the Company that
are subject to Part 363 are included in this
assessment of the effectiveness of internal
control over financial reporting: [Identify the
subsidiary institutions.]
[Identify and describe the material
weakness or weaknesses.]
Management’s assessment of the
effectiveness of internal control over
financial reporting, including controls over
the preparation of regulatory financial
statements in accordance with the
instructions for the [specify the regulatory
report], as of December 31, 20XX, has been
audited by [name of auditing firm], an
independent public accounting firm, as
stated in their report dated March XX, 20XY.
BCD Holding Company
_____________________
John Doe, Chief Executive Officer
Date: __________________
_____________________
Jane Doe, Chief Financial Officer
Date: __________________
6. Illustrative Management Report—
Combined Statement of Management’s
Responsibilities, Report on Management’s
Assessment of Compliance With Designated
Laws and Regulations, and Report on
Management’s Assessment of Internal
Control Over Financial Reporting, if
applicable. The following illustrative
management reports satisfy the requirements
of §§ 363.2(b)(1), (2), and (3).
(a) Management Report Made at Insured
Depository Institution Level—Compliance
With Designated Laws and Regulations
Pertaining to Insider Loans and Dividend
Restrictions and No Material Weaknesses in
Internal Control Over Financial Reporting
Management Report
Statement of Management’s Responsibilities
The management of ABC Depository
Institution (the ‘‘Institution’’) is responsible
for preparing the Institution’s annual
financial statements in accordance with
generally accepted accounting principles; for
establishing and maintaining an adequate
internal control structure and procedures for
financial reporting, including controls over
the preparation of regulatory financial
statements in accordance with the
instructions for the [specify the regulatory
report]; and for complying with the Federal
laws and regulations pertaining to insider
loans and the Federal and, if applicable, State
laws and regulations pertaining to dividend
restrictions.
Management’s Assessment of Compliance
With Designated Laws and Regulations
The management of the Institution has
assessed the Institution’s compliance with
the Federal laws and regulations pertaining
to insider loans and the Federal and, if
applicable, State laws and regulations
pertaining to dividend restrictions during the
fiscal year that ended on December 31, 20XX.
Based upon its assessment, management has
concluded that the Institution complied with
the Federal laws and regulations pertaining
to insider loans and the Federal and, if
applicable, State laws and regulations
pertaining to dividend restrictions during the
fiscal year that ended on December 31, 20XX.
Management’s Assessment of Internal
Control Over Financial Reporting
The Institution’s internal control over
financial reporting is a process effected by
those charged with governance, management,
and other personnel, designed to provide
reasonable assurance regarding the reliability
of financial reporting and the preparation of
reliable financial statements in accordance
with accounting principles generally
accepted in the United States of America and
financial statements for regulatory reporting
purposes, i.e., [specify the regulatory
reports]. The Institution’s internal control
over financial reporting includes those
policies and procedures that (1) pertain to the
maintenance of records that, in reasonable
detail, accurately and fairly reflect the
transactions and dispositions of the assets of
the Institution; (2) provide reasonable
assurance that transactions are recorded as
necessary to permit preparation of financial
statements in accordance with accounting
principles generally accepted in the United
States of America and financial statements
for regulatory reporting purposes, and that
receipts and expenditures of the Institution
are being made only in accordance with
authorizations of management and directors
of the Institution; and (3) provide reasonable
assurance regarding prevention, or timely
detection and correction, of unauthorized
acquisition, use, or disposition of the
Institution’s assets that could have a material
effect on the financial statements.
Because of its inherent limitations, internal
control over financial reporting may not
prevent, or detect and correct, misstatements.
Also, projections of any evaluation of
effectiveness to future periods are subject to
the risk that controls may become inadequate
because of changes in conditions, or that the
degree of compliance with the policies and
procedures may deteriorate.
Management assessed the effectiveness of
the Institution’s internal control over
financial reporting, including controls over
the preparation of regulatory financial
statements in accordance with the
instructions for the [specify the regulatory
report], as of December 31, 20XX, based on
the framework set forth by the Committee of
Sponsoring Organizations of the Treadway
Commission in Internal Control—Integrated
Framework. Based upon its assessment,
management has concluded that, as of
December 31, 20XX, the Institution’s internal
control over financial reporting, including
controls over the preparation of regulatory
financial statements in accordance with the
instructions for the [specify the regulatory
report], is effective based on the criteria
established in Internal Control—Integrated
Framework.
Management’s assessment of the
effectiveness of internal control over
financial reporting, including controls over
the preparation of regulatory financial
statements in accordance with the
instructions for the [specify the regulatory
report], as of December 31, 20XX, has been
audited by [name of auditing firm], an
independent public accounting firm, as
stated in their report dated March XX, 20XY.
ABC Depository Institution
_____________________
John Doe, Chief Executive Officer
Date: __________________
_____________________
Jane Doe, Chief Financial Officer
Date: __________________
(b) Management Report Made at Holding
Company Level—Compliance With
Designated Laws and Regulations Pertaining
to Insider Loans and Dividend Restrictions
and No Material Weaknesses in Internal
Control Over Financial Reporting
Management Report
[Instruction—The following illustrative
introductory paragraph for the management
report is applicable only if the same group of
subsidiary institutions of the holding
company that are subject to Part 363 are
included in all three components of the
management report required by Part 363: the
statement of management’s responsibilities,
the report on management’s assessment of
compliance with the Designated Laws and
Regulations pertaining to insider loans and
dividend restrictions, and the report on
management’s assessment of internal control
over financial reporting.]
In this management report, the following
subsidiary institutions of the BCD Holding
Company (the ‘‘Company’’) that are subject to
Part 363 are included in the statement of
management’s responsibilities; the report on
management’s assessment of compliance
with the Federal laws and regulations
pertaining to insider loans and the Federal
and, if applicable, State laws and regulations
pertaining to dividend restrictions; and the
report on management’s assessment of
internal control over financial reporting:
[Identify the subsidiary institutions.]
[Instruction—The following illustrative
introductory paragraph for the management
report is applicable if the same group of
subsidiary institutions of the holding
company that are subject to Part 363 are
included in the statement of management’s
responsibilities and management’s
assessment of compliance with the
Designated Laws and Regulations pertaining
to insider loans and dividend restrictions,
but only some of the subsidiary institutions
in the group are included in management’s
assessment of internal control over financial
reporting.]
In this management report, the following
subsidiary institutions of BCD Holding
Company (the ‘‘Company’’) that are subject to
Part 363 are included in the statement of
management’s responsibilities and the report
on management’s assessment of compliance
with the Federal laws and regulations
pertaining to insider loans and the Federal
and, if applicable, State laws and regulations
pertaining to dividend restrictions: [Identify
the subsidiary institutions.] In addition, the
following subsidiary institutions of the
Company that are subject to Part 363 are
included in the report on management’s
assessment of internal control over financial
reporting: [Identify the subsidiary
institutions.]
Statement of Management’s Responsibilities
The management of the Company is
responsible for preparing the Company’s
annual financial statements in accordance
with generally accepted accounting
principles; for establishing and maintaining
an adequate internal control structure and
procedures for financial reporting, including
controls over the preparation of regulatory
financial statements in accordance with the
instructions for the [specify the regulatory
report]; and for complying with the Federal
laws and regulations pertaining to insider
loans and the Federal and, if applicable, State
laws and regulations pertaining to dividend
restrictions.
Management’s Assessment of Compliance
With Designated Laws and Regulations
The management of the Company has
assessed the Company’s compliance with the
Federal laws and regulations pertaining to
insider loans and the Federal and, if
applicable, State laws and regulations
pertaining to dividend restrictions during the
fiscal year that ended on December 31, 20XX.
Based upon its assessment, management has
concluded that the Company complied with
the Federal laws and regulations pertaining
to insider loans and the Federal and, if
applicable, State laws and regulations
pertaining to dividend restrictions during the
fiscal year that ended on December 31, 20XX.
Management’s Assessment of Internal
Control Over Financial Reporting
The Company’s internal control over
financial reporting is a process effected by
those charged with governance, management,
and other personnel, designed to provide
reasonable assurance regarding the reliability
of financial reporting and the preparation of
reliable financial statements in accordance
with accounting principles generally
accepted in the United States of America and
financial statements for regulatory reporting
purposes, i.e., [specify the regulatory
reports]. The Company’s internal control over
financial reporting includes those policies
and procedures that (1) pertain to the
maintenance of records that, in reasonable
detail, accurately and fairly reflect the
transactions and dispositions of the assets of
the Company; (2) provide reasonable
assurance that transactions are recorded as
necessary to permit preparation of financial
statements in accordance with accounting
principles generally accepted in the United
States of America and financial statements
for regulatory reporting purposes, and that
receipts and expenditures of the Company
are being made only in accordance with
authorizations of management and directors
of the Company; and (3) provide reasonable
assurance regarding prevention, or timely
detection and correction of unauthorized
acquisition, use, or disposition of the
Company’s assets that could have a material
effect on the financial statements.
Institutions
subject to
part 363
ABC Depository Institution.
DEF Depository Institution.
Management’s
statement of
responsibilities
Holding Company
Level.
Holding Company
Level.
14:49 Jul 06, 2009
Jkt 217001
7. Illustrative Cover Letter—Compliance by
Holding Company Subsidiaries. The
following illustrative cover letter satisfies the
requirements of guideline 3, Compliance by
Holding Company Subsidiaries, of Appendix
A to part 363.
To: (Appropriate FDIC Regional or Area
Office) Division of Supervision and
Consumer Protection, FDIC, and
(Appropriate District or Regional Office
of the Primary Federal Regulator(s), if
not the FDIC), and (Appropriate State
Bank Supervisor(s), if applicable)
Dear [Insert addressees]:
BCD Holding Company (the ‘‘Company’’) is
filing two copies of the Part 363 Annual
Report for the fiscal year ended December 31,
20XX, on behalf of its insured depository
institution subsidiaries listed in the chart
below that are subject to Part 363. The Part
363 Annual Report contains audited
comparative annual financial statements, the
independent public accountant’s report on
the audited financial statements,
management’s statement of responsibilities,
management’s assessment of compliance
with the Designated Laws and Regulations
pertaining to insider loans and dividend
restrictions, and [if applicable] management’s
assessment of and the independent public
accountant’s attestation report on internal
control over financial reporting. The chart
below also indicates the level (institution or
holding company) at which the requirements
of Part 363 are being satisfied for each listed
insured depository institution subsidiary. [If
applicable] The Company’s other insured
depository institution subsidiaries that are
subject to Part 363, which comply with all of
the Part 363 annual reporting requirements at
Jane Doe, Chief Financial Officer
the institution level, have filed [or will file]
Date: llllllllllllllllll their Part 363 Annual Reports separately.
Management’s
assessment of
compliance with
designated laws and
regulations
Management’s
internal control
assessment
Holding Company
Level.
Institution Level .........
Holding Company
Level.
Institution Level .........
Holding Company
Level.
Institution Level .........
Audited
financial
statements
If you have any questions regarding the
annual report [or reports] of the Company’s
insured depository institution subsidiaries
subject to Part 363 or if you need any further
information, you may contact me at 987–
654–3210.
VerDate Nov<24>2008
Because of its inherent limitations, internal
control over financial reporting may not
prevent, or detect and correct misstatements.
Also, projections of any evaluation of
effectiveness to future periods are subject to
the risk that controls may become inadequate
because of changes in conditions, or that the
degree of compliance with the policies and
procedures may deteriorate.
Management assessed the effectiveness of
the Company’s internal control over financial
reporting, including controls over the
preparation of regulatory financial statements
in accordance with the instructions for the
[specify the regulatory report], as of
December 31, 20XX, based on the framework
set forth by the Committee of Sponsoring
Organizations of the Treadway Commission
in Internal Control—Integrated Framework.
Based upon its assessment, management has
concluded that, as of December 31, 20XX, the
Company’s internal control over financial
reporting, including controls over the
preparation of regulatory financial statements
in accordance with the instructions for the
[specify the regulatory report], is effective
based on the criteria established in Internal
Control—Integrated Framework.
Management’s assessment of the
effectiveness of internal control over
financial reporting, including controls over
the preparation of regulatory financial
statements in accordance with the
instructions for the [specify the regulatory
report], as of December 31, 20XX, has been
audited by [name of auditing firm], an
independent public accounting firm, as
stated in their report dated March XX, 20XX.
BCD Holding Company
_____________________
John Doe, Chief Executive Officer
Date: __________________
BCD Holding Company
_____________________
[Insert officer’s name and title.]
Date: __________________
Independent auditor’s internal control attestation report
Holding Company Level.
Institution Level.
Dated at Washington, DC, this 23rd day of June 2009.
By order of the Board of Directors.
Valerie J. Best,
Assistant Executive Secretary, Federal Deposit Insurance Corporation.
[FR Doc. E9–15378 Filed 7–6–09; 8:45 am]
BILLING CODE 6714–01–P
[Federal Register Volume 74, Number 128 (Tuesday, July 7, 2009)]
[Rules and Regulations]
[Pages 32226-32261]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E9-15378]
[[Page 32225]]
-----------------------------------------------------------------------
Part II
Federal Deposit Insurance Corporation
-----------------------------------------------------------------------
12 CFR Parts 308 and 363
Annual Independent Audits and Reporting Requirements; Final Rule
Federal Register / Vol. 74, No. 128 / Tuesday, July 7, 2009 / Rules
and Regulations
[[Page 32226]]
-----------------------------------------------------------------------
FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Parts 308 and 363
RIN 3064-AD21
Annual Independent Audits and Reporting Requirements
AGENCY: Federal Deposit Insurance Corporation (FDIC).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The FDIC is amending part 363 of its regulations concerning
annual independent audits and reporting requirements for certain
insured depository institutions, which implements section 36 of the
Federal Deposit Insurance Act (FDI Act), largely as proposed, but with
certain modifications made in response to the comments received. The
amendments are designed to further the objectives of section 36 by
incorporating certain sound audit, reporting, and audit committee
practices from the Sarbanes-Oxley Act of 2002 (SOX) into part 363 and
they also reflect the FDIC's experience in administering part 363. The
amendments will provide clearer and more complete guidance to
institutions and independent public accountants concerning compliance
with the requirements of section 36 and part 363. As required by
section 36, the FDIC has consulted with the other Federal banking
agencies. The FDIC is also making a technical amendment to its rules
and procedures (part 308, subpart U) for the removal, suspension, or
debarment of accountants and accounting firms.
DATES: This final rule is effective August 6, 2009.
Applicability date: The final rule applies to part 363 Annual
Reports with a filing deadline on or after the effective date of these
amendments. Under the final rule, the filing deadline for Part 363
Annual Reports is 120 days after the end of its fiscal year for an
institution that is neither a public company nor a subsidiary of a
public company and 90 days after the end of its fiscal year for an
institution that is a public company or a subsidiary of public company.
Compliance date: The compliance date for the provision of the final
rule that directs covered institutions' boards of directors to develop
and adopt an approved set of written criteria for determining whether a
director who is to serve on the audit committee is an outside director
and is independent of management (guideline 27) is delayed until
December 31, 2009. The provision of the final rule that requires the
total assets of a holding company's insured depository institution
subsidiaries to comprise 75 percent or more of the holding company's
consolidated total assets in order for an institution to be eligible to
comply with part 363 at the holding company level (Sec.
363.1(b)(1)(ii)) is effective for fiscal years ending on or after June
15, 2010.
FOR FURTHER INFORMATION CONTACT: Harrison E. Greene, Jr., Senior Policy
Analyst (Bank Accounting), Division of Supervision and Consumer
Protection, at hgreene@fdic.gov or (202) 898-8905; or Michelle
Borzillo, Senior Counsel, Supervision and Legislation Section, Legal
Division, at mborzillo@fdic.gov or (202) 898-7400.
SUPPLEMENTARY INFORMATION:
I. Executive Summary
Section 36 of the Federal Deposit Insurance Act (FDI Act) and the
FDIC's implementing regulations (part 363) are generally intended to
facilitate early identification of problems in financial management at
insured depository institutions with total assets above certain
thresholds through annual independent audits, assessments of the
effectiveness of internal control over financial reporting and
compliance with laws and regulations pertaining to insider loans and
dividend restrictions, the establishment of independent audit
committees, and related reporting requirements. The asset-size
threshold for an institution for internal control assessments is $1
billion and the threshold for the other requirements generally is $500
million. Given changes in the industry; certain sound audit, reporting,
and audit committee practices incorporated in the Sarbanes-Oxley Act of
2002 (SOX); and the FDIC's experience in administering part 363, the
FDIC is amending part 363 of its regulations. These amendments are
designed to further the objectives of section 36 by incorporating these
sound practices into part 363 and to provide clearer and more complete
guidance to institutions and independent public accountants concerning
compliance with the requirements of section 36 and part 363.
After making certain modifications to the proposed amendments to
part 363 in response to the comments received, the most significant
revisions included in the final rule will: (1) Extend the time period
for a non-public institution to file its part 363 Annual Report by 30
days and replace the 30-day extension of the filing deadline that may
be granted if an institution (public or non-public) is confronted with
extraordinary circumstances beyond its reasonable control with a late
filing notification requirement that would have general applicability;
(2) provide relief from the annual reporting requirements for
institutions that are merged out of existence before the filing
deadline; (3) provide relief from reporting on internal control over
financial reporting for businesses acquired during the fiscal year; (4)
require management's assessment of compliance with the laws and
regulations pertaining to insider loans and dividend restrictions to
state management's conclusion regarding compliance and disclose any
noncompliance with such laws and regulations; (5) require an
institution's management and the independent public accountant to
identify the internal control framework used to evaluate internal
control over financial reporting and disclose all identified material
weaknesses that have not been remediated prior to the institution's
most recent fiscal year-end; (6) clarify the independence standards
with which independent public accountants must comply and enhance the
enforceability of compliance with these standards; (7) specify that the
duties of the audit committee include the appointment, compensation,
and oversight of the independent public accountant, including ensuring
that audit engagement letters do not contain unsafe and unsound
limitation of liability provisions; (8) require certain communications
by independent public accountants to audit committees; (9) establish
retention requirements for audit working papers; (10) require boards of
directors to adopt written criteria for evaluating an audit committee
member's independence and provide expanded guidance for boards of
directors to use in determining independence; (11) provide that
ownership of 10 percent or more of any class of voting securities of an
institution is not an automatic bar for considering an outside director
to be independent of management; (12) require the total assets of a
holding company's insured depository institution subsidiaries to
comprise 75 percent or more of the holding company's consolidated total
assets in order for an institution to be eligible to comply with part
363 at the holding company level; and (13) provide illustrative
management reports to assist institutions in complying with the annual
reporting requirements.
The FDIC is also amending its rules and procedures (part 308,
subpart U) for the removal, suspension, or debarment of accountants and
accounting firms from performing audit services required by section 36
of the FDI Act to specify
[[Page 32227]]
where an accountant or accounting firm should file required notices of
orders and actions with the FDIC.
II. Background
Section 112 of the Federal Deposit Insurance Corporation
Improvement Act of 1991 (FDICIA) added section 36, ``Early
Identification of Needed Improvements in Financial Management,'' to the
FDI Act (12 U.S.C. 1831m). Section 36 is generally intended to
facilitate early identification of problems in financial management at
insured depository institutions above a certain asset size threshold
through annual independent audits, assessments of the effectiveness of
internal control over financial reporting and compliance with
designated laws and regulations, and related reporting requirements.
Section 36 also includes requirements for audit committees at these
insured depository institutions. Section 36 grants the FDIC discretion
to set the asset size threshold for compliance with these statutory
requirements, but it states that the threshold cannot be less than $150
million. Sections 36(d) and (f) also obligate the FDIC to consult with
the other Federal banking agencies in implementing these sections of
the FDI Act, and the FDIC has performed the required consultation.
Part 363 of the FDIC's regulations (12 CFR part 363), which
implements section 36 of the FDI Act, was initially adopted by the
FDIC's Board of Directors in 1993. At present, part 363 requires each
insured depository institution with $500 million or more in total
assets (covered institution) to submit to the FDIC and other
appropriate Federal and State supervisory agencies an annual report
(Part 363 Annual Report) comprised of audited financial statements, and
a management report containing a statement of management's
responsibilities and an assessment by management of compliance with
laws and regulations pertaining to insider loans and dividend
restrictions. The management report component of the annual report for
an institution with $1 billion or more in total assets must also
include an assessment by management of the effectiveness of internal
control over financial reporting and an independent public accountant's
attestation report on internal control over financial reporting. In
addition, part 363 provides that each covered institution's board of
directors must establish an independent audit committee comprised of
outside directors. For an institution with between $500 million and $1
billion in total assets, part 363 requires a majority of the members of
the audit committee to be independent of management of the institution.
For a larger institution, all of the members of the audit committee
must be independent of management. Part 363 also includes Guidelines
and Interpretations (Appendix A to part 363), which are intended to
assist institutions and independent public accountants in understanding
and complying with section 36 and part 363.
III. Discussion of Proposed Amendments and Comments Received
On October 16, 2007, the FDIC's Board approved the publication of
proposed amendments to part 363 and part 308, subpart U, of the FDIC's
regulations, which were published in the Federal Register on November
2, 2007, for a 90-day comment period (72 FR 62310). The comment period
closed on January 31, 2008.
Given the number and extent of changes to part 363 and its
Guidelines and Interpretations and to enable readers to more easily
understand the context of the changes, this notice includes the entire
text of part 363 as amended, not just the amended text. Also, the
following ``Table of Changes to Part 363 and Appendices'' is intended
to assist readers in determining which sections of part 363 are
affected by the final rule.
Table of Changes to Part 363 and Appendices
----------------------------------------------------------------------
Section or guideline                                 Status
----------------------------------------------------------------------
Part 363--Annual Independent Audits and Reporting Requirements
----------------------------------------------------------------------
Table of Contents................................... Revised
OMB Control Number Sec. 363.0....................... Unchanged
Scope and Definitions:
    Sec. 363.1(a)................................... Revised
    Sec. 363.1(b)(1)................................ Revised
    Sec. 363.1(b)(2)................................ Revised
    Sec. 363.1(b)(3)................................ Unchanged
    Sec. 363.1(c)................................... New
    Sec. 363.1(d)................................... New
Annual Reporting Requirements:
    Sec. 363.2(a)................................... Revised
    Sec. 363.2(b)................................... Revised
    Sec. 363.2(b)(1)................................ Revised
    Sec. 363.2(b)(2)................................ Revised
    Sec. 363.2(b)(3)................................ Revised
    Sec. 363.2(c)................................... New
Independent Public Accountant:
    Sec. 363.3(a)................................... Unchanged
    Sec. 363.3(b)................................... Revised
    Sec. 363.3(c)................................... Revised
    Sec. 363.3(d)................................... New
    Sec. 363.3(e)................................... New
    Sec. 363.3(f)................................... New
    Sec. 363.3(g)................................... New
Filing and Notice Requirements:
    Sec. 363.4(a)................................... Revised
    Sec. 363.4(b)................................... Revised
    Sec. 363.4(c)................................... Revised
    Sec. 363.4(d)................................... Unchanged
    Sec. 363.4(e)................................... New
[[Page 32228]]
    Sec. 363.4(f)................................... New
Audit Committees:
    Sec. 363.5(a)................................... Revised
    Sec. 363.5(b)................................... Revised
    Sec. 363.5(c)................................... New
----------------------------------------------------------------------
Appendix A to Part 363--Guidelines and Interpretations
----------------------------------------------------------------------
Table of Contents................................... Revised
Introduction........................................ Unchanged
Scope (Sec. 363.1):
    Guideline 1..................................... Unchanged
    Guideline 2..................................... Unchanged
    Guideline 3..................................... Revised
    Guideline 4..................................... Revised
    Guideline 4A.................................... New
Annual Reporting Requirements (Sec. 363.2):
    Guideline 5..................................... Revised
    Guideline 5A.................................... New
    Guideline 6..................................... Revised
    Guideline 7..................................... Revised
    Guideline 7A.................................... New
    Guideline 8..................................... Revised
    Guideline 8A.................................... New
    Guideline 8B.................................... New
    Guideline 8C.................................... New
    Guideline 9..................................... Revised
    Guideline 10.................................... Revised
    Guideline 11.................................... Revised
    Guideline 12.................................... Reserved
Role of Independent Public Accountant (Sec. 363.3):
    Guideline 13.................................... Revised
    Guideline 14.................................... Reserved
    Guideline 15.................................... Revised
    Guideline 16.................................... Reserved
    Guideline 17.................................... Unchanged
    Guideline 18.................................... Revised
    Guideline 18A................................... New
    Guideline 19.................................... Unchanged
    Guideline 20.................................... Revised
    Guideline 21.................................... Unchanged
Filing and Notice Requirements (Sec. 363.4):
    Guideline 22.................................... Reserved
    Guideline 23.................................... Revised
    Guideline 24.................................... Unchanged
    Guideline 25.................................... Reserved
    Guideline 26.................................... Revised
Audit Committees (Sec. 363.5):
    Guideline 27.................................... Revised
    Guideline 28.................................... Revised
    Guideline 29.................................... Reserved
    Guideline 30.................................... Revised
    Guideline 31.................................... Revised
    Guideline 32.................................... Revised
    Guideline 33.................................... Unchanged
    Guideline 34.................................... Unchanged
    Guideline 35.................................... Revised
Other:
    Guideline 36.................................... Revised
Table 1 to Appendix A:
    Designated Federal Laws and Regulations......... Revised
Appendix B--Illustrative Management Reports......... New
----------------------------------------------------------------------
In response to its request for comments, the FDIC received 23
comment letters that addressed the proposed amendments to part 363.
These commenters represented 12 financial institutions; 3 bankers'
trade organizations; 4 accounting firms; 1 accountants' trade
organization; 1 State regulatory organization; and 2 law firms.
Regarding the technical amendment to part 308, Subpart U, the FDIC
did not receive any comments on its proposal to specify the location
where an accountant or accounting firm should file required notices of
orders and actions regarding removal, suspension, or debarment.
[[Page 32229]]
With respect to the comments received on the proposed amendments to
part 363, eight commenters expressed general support for the proposal,
seven commenters were generally not supportive, and eight commenters
did not express an overall view on the proposal. While comments were
received on almost every aspect of the proposed amendments, no
commenter specifically commented on each aspect. However, eleven
commenters expressed concerns regarding the regulatory burden
associated with various aspects of the proposal. In addition,
commenters expressed concerns about the following aspects of the
proposed amendments:
• Disclosure of noncompliance with the designated laws and
  regulations,
• Insured depository institution percentage-of-consolidated-
  total-assets threshold for eligibility to comply with part 363 at a
  holding company level,
• Management's report on internal control over financial
  reporting,
• Independent public accountant's report on internal control
  over financial reporting,
• Independent public accountant's communications with audit
  committees,
• Time period for the retention of the independent public
  accountant's working papers,
• Independence standards applicable to independent public
  accountants,
• Filing requirement for and public availability of AICPA
  peer review reports and PCAOB inspection reports on independent public
  accountants,
• Filing requirement for and public availability of audit
  engagement letters, and
• Audit committee member independence.
The following sections discuss the proposed amendments and the
comments and concerns raised by the commenters, including the responses
received on two specific aspects of the proposed amendments for which
the FDIC specifically requested comments: (1) Disclosure of
noncompliance with the designated safety and soundness laws and
regulations pertaining to insider loans and dividend restrictions, and
(2) the 75 percent of total assets threshold for eligibility to comply
with the requirements of part 363 at the holding company level.
A. Scope and Definitions (Sec. 363.1 and Guidelines 1-4A)
1. Applicability
The FDIC proposed to amend Sec. 363.1(a) to more clearly state
that part 363 applies to any insured depository institution that has
consolidated total assets of $500 million or more at the beginning of
its fiscal year.
One commenter that represents over 30 community banks recommended
that the FDIC raise the asset size threshold from $500 million to $1
billion for requiring compliance with part 363. In November 2005, when
the FDIC increased the asset size threshold for assessments of internal
control over financial reporting from $500 million to $1 billion, it
concluded that exempting all institutions below this higher size level
from all of the requirements of part 363 would not be consistent with
the objective of the underlying statute, i.e., early identification of
needed improvements in financial management. The Federal banking
agencies rely upon financial information to evaluate the condition of
insured depository institutions and to determine the adequacy of
regulatory capital. Accurate and reliable measurement of an
institution's loans, other assets, and earnings has a direct bearing on
the determination of regulatory capital. The agencies are able to place
greater reliance on measurements contained in financial statements that
have been subject to an independent audit. Independent audits help to
identify weaknesses in internal control over financial reporting and
risk management at institutions and reinforce corrective measures, thus
complementing supervisory efforts in contributing to the safety and
soundness of insured depository institutions. Therefore, after
considering this comment, the FDIC has determined that, except where a
$1 billion or higher asset threshold already applies, the $500 million
asset size threshold continues to be the appropriate level for
requiring compliance with part 363.
2. Compliance by Subsidiaries of Holding Companies
At present, an insured depository institution that is a subsidiary
of a holding company may use consolidated holding company financial
statements to satisfy the audited financial statements requirement of
part 363 regardless of whether the assets of the insured depository
institution subsidiary or subsidiaries of the holding company represent
substantially all or only a minor portion of the holding company's
consolidated total assets. When the assets of insured depository
institution subsidiaries do not comprise a substantial portion of a
holding company's consolidated total assets, the FDIC staff has found
that the holding company's consolidated financial statements, including
the accompanying notes to the financial statements, do not tend to
provide sufficient information that is indicative of the financial
position and results of operations of these institutions. Also, when
the insured depository institution subsidiaries do not contribute
significantly to the holding company's financial position and results
of operations, the extent of audit coverage given to these institutions
in the audit of the consolidated holding company may be limited. Such
limited audit coverage would not be consistent with the purpose and
intent of section 36 of the FDI Act, which focuses on insured
depository institutions rather than holding companies. In this
situation, the assurance that would be provided by an independent audit
performed substantially at the level of the insured depository
institution subsidiaries is not otherwise available.
Therefore, given the differing characteristics of the holding
companies that own insured depository institutions as well as the
relationship of an insured depository institution's total assets to the
consolidated total assets of its parent holding company, and in keeping
with the intent and purpose of section 36 of the FDI Act, the FDIC
proposed to amend Sec. Sec. 363.1(b)(1) and (2) by revising the
criteria for determining whether the audited financial statements
requirement and the other requirements of part 363 may be satisfied at
a holding company level. More specifically, in order for a covered
institution to be eligible to comply with the requirements of part 363
at the top-tier or any other mid-tier holding company level, the FDIC
proposed that the consolidated total assets of the insured depository
institution (or the consolidated total assets of all insured depository
institutions, regardless of size, if the top-tier or mid-tier holding
company owns or controls more than one insured depository institution)
must comprise 75 percent or more of the consolidated total assets of
the top-tier or mid-tier holding company. The FDIC believes that this
percentage-of-assets threshold should ensure that the extent of
independent audit work performed at the insured depository institution
level is sufficient to satisfy the intent of section 36 of the FDI Act,
that is, the early identification of needed improvements in financial
management at insured institutions. The FDIC also believes that this
threshold will continue to provide flexibility to the vast majority of
covered institutions that are part of a holding company structure with
respect to the level at which they may comply with part 363.
When determining an appropriate percentage-of-assets threshold for
[[Page 32230]]
compliance with part 363 at a holding company level, the FDIC
considered the range of percentage-of-assets ratios for covered
institutions that are part of a holding company structure. The vast
majority of insured institutions subject to part 363 that are in a
holding company structure are subsidiaries of organizations where the
assets of the insured depository institution subsidiaries of the
holding company comprise 90 percent or more of the holding company's
consolidated total assets. Of the remaining institutions subject to
part 363 that are in a holding company structure, most are subsidiaries
of organizations where the assets of the insured institutions comprise
either from 75 to 90 percent or less than 25 percent of the top-tier
parent company's consolidated total assets. Smaller numbers of
institutions are subsidiaries of organizations where the assets of the
insured institutions comprise from 25 to 50 percent or from 50 to 75
percent of the top-tier parent company's consolidated total assets.
However, in a number of cases where the insured institution
subsidiaries comprise less than 75 percent of the top-tier holding
company's consolidated total assets, the insured institution
subsidiaries that are subject to part 363 currently comply with the
regulation at a mid-tier holding company level where the assets of the
insured institution subsidiaries comprise 90 percent or more of the
mid-tier holding company's consolidated total assets. Thus, these
institutions would not need to change how they comply with part 363 in
response to the establishment of the proposed 75 percent threshold,
provided they continue to comply at the same mid-tier holding company
level and this holding company continues to meet the 75 percent
threshold.
To assist it in considering the costs and benefits of a threshold,
the FDIC specifically requested comment as to whether 75 percent or
more of consolidated total assets is an appropriate threshold. Six
commenters expressed views that the 75 percent threshold is reasonable,
is in the public's best interest, and provides ease of application
while obtaining appropriate audit coverage of the insured depository
institutions.
Three commenters were opposed to the proposed 75 percent threshold.
These commenters expressed the following concerns:
• The goal is reasonable but the proposed 75 percent
  threshold may not be appropriate. Instead, lower the threshold and
  require institutions that are below the threshold to consult with the
  FDIC prior to reporting at the holding company level.
• Compliance at the holding company level should not be
  dependent on the aggregate size of the subsidiary insured depository
  institutions relative to the holding company.
• Institutions should have until the end of their first full
  fiscal year after the FDIC promulgates the final rule to comply with
  the proposed change.
• The 75 percent threshold is arbitrary and may result in
  treating very similar institutions differently. An objectives-based
  approach should be used.
The FDIC continues to recognize that those institutions currently
complying with part 363 at the holding company level that will not meet
the proposed 75-percent-of-consolidated-total-assets threshold will
incur additional costs from having to comply with the regulation at the
institution level or at a suitable mid-tier holding company level.
Requiring institutions that do meet the 75 percent threshold, or a
lower percentage threshold, to consult with the FDIC prior to reporting
at a holding company level would add a new element of regulatory burden
and would not provide certainty nor contribute to the ease of
application of the 75 percent threshold. The FDIC has concluded that
the 75-percent-of-assets threshold strikes an appropriate balance
between insured institution financial data and audit coverage and the
cost of compliance with part 363.
The FDIC agrees with the comment that institutions that currently
report at the holding company level, but do not meet the 75-percent-of-
consolidated-total-assets threshold, should be afforded sufficient time
to comply with this new requirement. Accordingly, the FDIC has decided
to delay the effective date for implementing this threshold until
fiscal years ending on or after June 15, 2010. Thus, for fiscal years
ending on or before June 14, 2010, all insured depository institutions
may continue to satisfy the audited financial statements requirement of
part 363 at a holding company level whether or not the institution's
consolidated total assets (or the consolidated total assets of all of
its parent holding company's insured institutions) comprise 75 percent
or more of the holding company's consolidated total assets at the
beginning of the fiscal year.
Guideline 3 to part 363, Compliance by Holding Company
Subsidiaries, states that when a holding company submits audited
consolidated financial statements and other reports or notices required
by part 363 on behalf of any subsidiary institution, an accompanying
cover letter should identify all subsidiary institutions to which the
statements, reports, or other notices pertain. Because many cover
letters received by the FDIC have not sufficiently identified these
subsidiary institutions, the FDIC proposed to amend guideline 3 to
clarify what information should be included in the cover letter. No
comments were received on this aspect of the proposal.
3. Financial Reporting
The FDIC proposed to add a new Sec. 363.1(c) and a new guideline
4A, Financial Reporting, to specify that ``financial reporting''
includes both financial statements prepared in accordance with
generally accepted accounting principles and those prepared for
regulatory reporting purposes. Also, as proposed, guideline 4A
clarifies that financial statements prepared for regulatory reporting
purposes consist of the schedules equivalent to the basic financial
statements that are included in an institution's appropriate regulatory
report and that financial statements prepared for regulatory reporting
purposes do not include regulatory reports prepared by a non-bank
subsidiary of a holding company or an institution.
One commenter recommended that the FDIC further clarify the
definition of financial reporting for purposes of part 363 to more
clearly align it with current reporting practices. This commenter also
stated that, when reporting at a holding company level, ``regulatory
reporting'' would not extend to assertions about internal control over
financial reporting at the subsidiary institution level. Another
commenter, an accountants' trade organization, stated that the proposed
amendment seems to imply that institutions' regulatory reports may not
be prepared in conformity with generally accepted accounting principles
(GAAP). This commenter recommended that the FDIC clarify the definition
of financial reporting to state that both financial statements and the
regulatory reports be prepared in accordance with GAAP to make it
consistent with current practice.
While the FDIC believes that the proposed amendments are consistent
with explanatory guidance it issued on this subject in December
1994,\1\ the FDIC has decided to modify the proposed definition of
financial reporting set forth in Sec. 363.1(c) and guideline 4A,
Financial Reporting, to state more clearly that, when reporting
at a holding company level, it includes the financial statements and
regulatory reports of an institution's holding company. The modified
definition would also state that, for recognition and measurement
purposes, regulatory reporting requirements shall conform to GAAP.
---------------------------------------------------------------------------
\1\ See FDIC Financial Institution Letter (FIL) 86-94, dated
December 23, 1994.
---------------------------------------------------------------------------
4. Definitions
The FDIC proposed to add Sec. 363.1(d), Definitions, to define
several common terms used in part 363 and the guidelines and received
no comments on these definitions.
B. Annual Reporting Requirements (Sec. 363.2 and Guidelines 5-12)
1. Audited Financial Statements
Consistent with sound management practices and the objective of
internal control over financial reporting, the FDIC proposed to amend
Sec. 363.2(a) to require that the annual financial statements reflect
all material correcting adjustments identified by the independent
public accountant. Financial statements issued by insured depository
institutions that are public companies or by their parent holding
companies that are public companies are already subject to such a
requirement pursuant to section 401 of SOX. The FDIC believes this
requirement should also apply to institutions subject to part 363 that
are not public companies.
In response to a commenter's recommendation, the FDIC revised this
proposed requirement to provide additional context regarding the phrase
``material correcting adjustments identified by the independent public
accountant'' by explaining that these adjustments should be those that
are necessary for the financial statements to conform with GAAP.
2. Part 363 Management Report Contents
The FDIC has noted differences in the content of the management
reports included in Part 363 Annual Reports and the adequacy of the
information in these management reports regarding the results of
management's assessments of the effectiveness of internal control over
financial reporting and compliance with the laws and regulations
pertaining to insider loans and dividend restrictions. Identified
material weaknesses in internal control over financial reporting and
instances of noncompliance with insider lending requirements and
dividend restrictions have not always been disclosed.
In addition, management's assessment of internal control over
financial reporting has often failed to disclose the internal control
framework used to perform the assessment of the effectiveness of these
controls and to clearly state whether controls over the preparation of
the regulatory financial statements have been included within the scope
of management's assessment. The omission of this information from an
institution's management report reduces the usefulness of the report as
a means of identifying needed improvements in financial management,
which is the objective of section 36 of the FDI Act. The regulations
adopted by the Securities and Exchange Commission (SEC) in 2003
implementing the requirement in section 404 of SOX for a management
report on internal control over financial reporting require management
to identify the internal control framework it used to evaluate the
effectiveness of these controls and to disclose any identified material
weakness.
To provide clearer guidance on the information that should be
included in the management report, the FDIC proposed to expand Sec.
363.2(b) to require management's assessment of compliance with the laws
and regulations pertaining to insider loans and dividend restrictions
to include a clear statement as to management's conclusion regarding
compliance and to disclose any noncompliance with such laws and
regulations. In addition, the proposed amendment to Sec. 363.2(b)
would require management's assessment of internal control over
financial reporting to identify the internal control framework that
management used to make its evaluation, include a statement that the
evaluation included controls over the preparation of regulatory
financial statements, include a clear statement as to management's
conclusion regarding the effectiveness of internal control over
financial reporting, disclose all material weaknesses identified by
management, and preclude management from concluding that internal
control over financial reporting is effective if there are any material
weaknesses.
The FDIC specifically requested comment as to whether the
disclosure in the management report of instances of noncompliance with
the laws and regulations pertaining to insider loans and dividend
restrictions should be made available for public inspection or be
designated as privileged and confidential and not be made available to
the public by the FDIC. Three commenters supported public availability
only for disclosures of ``material'' noncompliance and twelve
commenters were not supportive of public availability of disclosures of
noncompliance. These commenters were concerned that minor errors may be
mistaken for a systemic compliance failure and stated that
noncompliance should be addressed through the examination process.
The FDIC has considered these comments and notes that all insured
depository institutions, regardless of size, are required to comply
with the designated safety and soundness laws and regulations that deal
with insider loans and dividend restrictions. Moreover, these laws and
regulations have not substantially changed since part 363 was first
implemented in 1993. Thus, well before an insured depository
institution reaches $500 million in total assets and becomes subject to
part 363, it should already have appropriate policies, procedures,
controls, and systems in place to monitor insider lending activities
and assess its dividend-paying capacity and thereby ensure compliance
with the safety and soundness laws and regulations in these two
designated areas. Public availability of disclosures of instances of
noncompliance with these designated laws and regulations should act as
a further stimulus to management's efforts to ensure that its policies,
procedures, controls, and systems are sound and operating effectively.
Therefore, the FDIC has concluded that, to reinforce the importance of
management's responsibility for complying with the laws and regulations
pertaining to insider loans and dividend restrictions, instances of
noncompliance with these laws and regulations should be disclosed in
management's assessment (that is included in the management report) and
made available to the public.
Nevertheless, based on the comments it received on this issue, the
FDIC believes it would be useful to provide further guidance regarding
disclosure of noncompliance with the designated safety and soundness
laws and regulations. Accordingly, the FDIC is adding guideline 8C,
Management's Disclosure of Noncompliance with Designated Laws and
Regulations, to Appendix A to part 363. This guideline states that
management is not required to specifically identify the individual or
individuals (e.g., officers or directors) who were responsible for or
were the subject of any such noncompliance and provides general
parameters for making the disclosure. For example, the disclosure
should include appropriate qualitative and quantitative information to
describe the nature, type, and severity of the noncompliance. Also,
similar instances of noncompliance may be aggregated.
While the majority of commenters did not comment on the proposed
revisions applicable to management's report on internal control over
financial reporting, four commenters expressed concerns or made
recommendations as follows:
- The report is not necessary, its costs exceed the benefits
derived, and it is difficult for small community banks to recruit
personnel with the level of training and experience necessary to
implement the accounting and reporting rules.
- Consider a ``delayed phase-in'' of the requirements for
assessing internal control over financial reporting similar to the
phase-in utilized by the SEC in its rules implementing section 404 of
SOX.
- Raise the asset size threshold for this requirement from
$1 billion to $3 billion to ease regulatory burden.
- The requirement to disclose all identified material
weaknesses in internal control over financial reporting in management's
report should be clarified as to whether the disclosure covers all
identified material weaknesses, regardless of their status as of the
institution's fiscal year-end, or only those in existence as of the end
of the fiscal year that have not been remediated prior to that date.
Management has been required to assess and report on the
effectiveness of an institution's internal control over financial
reporting since part 363 was first implemented in 1993. In November
2005, when the FDIC increased the asset size threshold for internal
control assessments from $500 million to $1 billion, it concluded, and
continues to believe, that the $1 billion asset size threshold is
appropriate for requiring assessments and reports on internal control
over financial reporting. Therefore, the FDIC has decided to retain the
$1 billion asset size threshold for requiring assessments and reports
on internal control over financial reporting. Also, for the reasons
previously stated, the FDIC does not believe that a ``delayed phase-
in'' of the requirement for assessing and reporting on internal control
over financial reporting is necessary or appropriate. Moreover, a
phase-in of the requirement for management to assess and report on
internal control over financial reporting in effect already exists
because this requirement takes effect only when an institution's total
assets exceed $1 billion, not when the institution first becomes
subject to the other audit and reporting requirements of section 36 and
part 363 when its assets reach $500 million.
With respect to management's reporting on the material weaknesses
it has identified in the management report component of its Part 363
Annual Report, the FDIC notes that section 36 of the FDI Act requires
management to perform an assessment of internal control over financial
reporting as of year-end. Therefore, to clarify management's reporting
responsibility, the FDIC has revised Sec. 363.2(b)(3)(iii) to explain
that management must disclose all material weaknesses in internal
control over financial reporting that it has identified and that have
not been remediated prior to the end of the institution's fiscal year.
Because part 363 and its guidelines provide only limited guidance
concerning the contents of the management report and the related
signature requirements for this report, institutions and auditors have
expressed interest in examples of acceptable reports. Therefore, to
assist managements of insured depository institutions in complying with
the annual reporting requirements of Sec. 363.2, the FDIC proposed to
add Appendix B to Part 363--Illustrative Management Reports. Appendix B
provides guidance regarding reporting scenarios that satisfy the annual
reporting requirements of part 363, illustrative management reports,
and an illustrative cover letter for use when an institution complies
with the annual reporting requirements at the holding company level.
The FDIC also states in Appendix B that the use of the illustrative
management reports and cover letter is not required. The FDIC
encourages the managements of insured depository institutions to tailor
the wording of their management reports to fit their particular
circumstances, especially when reporting on material weaknesses in
internal control over financial reporting or noncompliance with
designated laws and regulations.
Two commenters stated that the illustrative management reports are
helpful and will mitigate regulatory burden. Another commenter
suggested that the illustrative management reports would be better
suited in an accounting and auditing guide that could be updated
regularly to reflect changes in professional standards or other
requirements that would affect these reports and that the accounting
and auditing guide could illustrate the differences in reporting under
AICPA and PCAOB standards. This commenter also stated that the
illustrative management report on internal control over financial
reporting at the holding company level is inconsistent with current
practice and that it does not clearly and appropriately describe the
scope of the internal control assessments by management or the
independent public accountant. This commenter added that the language
in the illustrative management report on internal control at the
holding company level does not make it clear to a reader whether
management has separately assessed the effectiveness of internal
control over financial reporting at each subsidiary institution listed
in the report.
The FDIC has considered this commenter's suggestion that the
illustrative management reports would be better suited in an accounting
and auditing guide. In this regard, the FDIC notes that auditing and
attestation standards require auditors to evaluate the elements that
management is required to present in its report on its assessment of
internal control over financial reporting, but these standards do not
fully address the requirements of part 363 for management reports on
internal control nor do they provide guidance to management regarding
the preparation of management reports for part 363 purposes. Given the
varying degrees of familiarity of institution management with
professional auditing and attestation standards as well as the lack of
availability of illustrative management reports that satisfy the
requirements of part 363, the FDIC has determined that the illustrative
management reports should be provided in Appendix B to part 363.
However, in response to this commenter's statements concerning the
illustrative management reports on internal control over financial
reporting at the holding company level, the FDIC has revised the text
of these illustrative management reports, which are presented in
sections 5(c) and (d) and 6(b) of Appendix B. More specifically, the
sample text in these illustrative reports that identifies the
subsidiary institutions that are subject to part 363 has been revised
by removing the language stating that these institutions are included
in the scope of management's assessment of internal control over
financial reporting. The FDIC believes that the revised illustrative
management reports on internal control over financial reporting at the
holding company level are consistent with current practices and
professional auditing and attestation standards.
Regarding management's responsibility for assessing compliance with
the laws and regulations pertaining to insider loans and dividend
restrictions, the FDIC proposed to revise and update Table 1 to
Appendix A of part 363 to reflect changes in these laws and regulations
that have occurred since this table was last revised in 1997. The
FDIC received no comments on the revised and updated Table 1.
3. Management Report Signatures
Section 36(b)(2) of the FDI Act requires an institution's
management report to be signed by the chief executive officer and the
chief accounting officer or chief financial officer. In its reviews of
management reports, the FDIC has noted that these reports are often not
signed by the officers at the appropriate corporate level when the
audited financial statements requirement is satisfied at the holding
company level or when one or more of the components of the management
report is satisfied at the holding company level and the remaining
components of the management report are satisfied at the insured
depository institution level. Therefore, the FDIC proposed to add Sec.
363.2(c) to specify which corporate officers must sign the management
report and also the level of the corporate signers (i.e., insured
depository institution level or the holding company level). No comments
were received on this aspect of the proposal.
4. Institutions Merged Out of Existence
To reduce regulatory burden and provide certainty for merging
institutions, the FDIC proposed to add guideline 5A, Institutions
Merged Out of Existence, to explicitly provide relief from filing a
Part 363 Annual Report for an institution that is merged out of
existence after the end of its fiscal year, but before the deadline for
filing its Part 363 Annual Report. However, a covered institution that
is acquired after the end of its fiscal year, but retains its separate
corporate existence rather than being merged out of existence, would
continue to be required to file a Part 363 Annual Report for that
fiscal year. Three commenters commented in support of this aspect of
the proposal, one of whom stated that the proposed amendment will
reduce both regulatory burden and uncertainty.
5. Management's Assessment of the Effectiveness of Internal Control
Over Financial Reporting
The FDIC has publicly advised institutions with $1 billion or more
in total assets that are public companies or subsidiaries of public
companies that they have considerable flexibility in determining how
best to satisfy the SEC's requirements for management's assessment of
internal control over financial reporting which implement section 404
of SOX, and the FDIC's requirements in part 363.\2\ The reporting
flexibility available to institutions subject to both the section 404
and the part 363 requirements was initially described in the preamble
to the SEC's section 404 final rule release (68 FR 36642, June 18,
2003). This final rule release explained that the flexible reporting
approach described in the preamble had been developed by the SEC staff
in consultation with the staff of the Federal banking agencies. To
codify this reporting flexibility in part 363, the FDIC proposed to add
guideline 8A, Management's Assessment of the Effectiveness of Internal
Control Over Financial Reporting. For an institution with $1 billion or
more in total assets that is subject to both part 363 and the SEC's
rules implementing section 404 of SOX (or whose parent holding company
is subject to section 404 and the condition in Sec. 363.1(b)(2) is
met), the proposed guideline describes two options for complying with
the filing requirements regarding management's report on internal
control over financial reporting. These options are to prepare (1) two
separate reports, one to satisfy the FDIC's part 363 requirements and
another to satisfy the SEC's section 404 requirements, or (2) a single
report that satisfies all of the FDIC's part 363 requirements and all
of the SEC's section 404 requirements. No comments were received on
proposed new guideline 8A.
---------------------------------------------------------------------------
\2\ 70 FR 71231, November 28, 2005; 70 FR 44295, August 2, 2005;
FDIC Financial Institution Letter (FIL) 137-2004, December 21, 2004.
---------------------------------------------------------------------------
6. Internal Control Reports for Acquired Businesses
Currently, under the reporting requirements of part 363, both
management's and the independent public accountant's evaluation of an
institution's internal control over financial reporting must include
controls at an institution in its entirety, including all of its
consolidated businesses, including businesses that were recently
acquired. However, like the SEC staff, the FDIC recognizes that it may
not always be possible for management to conduct an evaluation of the
internal control over financial reporting of an acquired business in
the period between the consummation date of the acquisition and the due
date of management's internal control evaluation. The SEC staff has
provided guidance to public companies stating that the staff would not
object to the exclusion of the acquired business from management's
evaluation of internal control over financial reporting, provided
certain disclosures are made and other conditions are met.\3\ The FDIC
has received and granted several written requests from institutions
subject to the internal control reporting requirements of part 363 to
exclude recently acquired businesses from the scope of management's
internal control evaluation.
---------------------------------------------------------------------------
\3\ See Question 3 in the SEC staff's Frequently Asked Questions
on Management's Report on Internal Control Over Financial Reporting
and Certification of Disclosure in Exchange Act Periodic Reports at
https://www.sec.gov/info/accountants/controlfaq1004.htm.
---------------------------------------------------------------------------
To reduce regulatory burden, including the burden of submitting
written requests to the FDIC, and provide certainty to institutions,
the FDIC proposed to add guideline 8B, Internal Control Reports for
Acquired Businesses, to explicitly provide relief from the reporting
requirements regarding internal control over financial reporting
related to business acquisitions made by an institution during its
fiscal year. As proposed and consistent with the SEC staff's guidance,
guideline 8B would permit management's evaluation of internal control
over financial reporting to exclude internal control over financial
reporting for the acquired business, provided management's report
identifies the acquired business, states that the acquired business is
excluded from management's evaluation of internal control over
financial reporting, and indicates the significance of the acquired
business to the institution's consolidated financial statements. Also,
proposed guideline 8B would clarify that if the acquired business is an
insured depository institution that is subject to part 363 and it is
not merged out of existence before the deadline for filing its Part 363
Annual Report, the acquired business (institution) must continue to
comply with all of the applicable requirements of part 363. One
commenter commented on this aspect of the proposal and supported the
amendment as proposed, stating that it will reduce both regulatory
burden and uncertainty.
7. Standards for Internal Control
At present, guideline 10, Standards for Internal Control, provides
that each institution should determine its own standards for
establishing, maintaining, and assessing the effectiveness of its
internal control over financial reporting, but it does not describe the
characteristics of a suitable internal control framework. The FDIC
proposed to amend guideline 10 to provide guidance regarding the
attributes of a suitable internal control framework. The proposed
attributes are consistent with
the attributes the SEC described in the preamble to the SEC's section
404 final rule release (68 FR 36648, June 18, 2003). The FDIC believes
that a framework with these attributes is appropriate for all
institutions whether or not they are public companies. No comments were
received on this aspect of the proposal.
C. Independent Public Accountant (Sec. 363.3 and Guidelines 13-21)
1. Internal Control Over Financial Reporting
As with its experience in reviewing the portion of the management
report in which management provides its assessment of the effectiveness
of the institution's internal control over financial reporting, the
FDIC has found some independent public accountants' internal control
attestation reports to be less than sufficiently informative. Such
attestation reports are, therefore, inconsistent with the objectives of
section 36 of the FDI Act. As a consequence, the FDIC proposed to amend
Sec. 363.3(b), which governs the independent public accountant's
report on internal control over financial reporting, to specify that,
consistent with generally accepted standards for attestation
engagements, the Public Company Accounting Oversight Board's (PCAOB)
auditing standards, and related PCAOB staff implementation guidance,
the accountant's report must:
- Not be dated prior to the date of management's report on
its assessment of the effectiveness of internal control over financial
reporting;
- Identify the internal control framework that the
accountant used to make the evaluation (which must be the same as the
internal control framework used by management);
- Include a statement that the accountant's evaluation
included controls over the preparation of regulatory financial
statements;
- Include a clear statement as to the accountant's
conclusion regarding the effectiveness of internal control over
financial reporting;
- Disclose all material weaknesses identified by the
accountant; and
- Conclude that internal control is ineffective if there are
any material weaknesses.
The FDIC also proposed to amend guideline 18, Attestation Report,
to be consistent with Sec. 363.3(b)(2) by reiterating that the
attestation report on internal control over financial reporting should
include a statement as to regulatory reporting.
The majority of commenters did not comment on the independent
public accountant's report on internal control over financial
reporting. However, four commenters expressed concerns or made
recommendations as follows:
- Since the AICPA Auditing Standards Board's proposed
revisions to the attestation standards for nonpublic companies will
likely be similar to the requirements for public companies, and based
upon the experiences of public companies complying with SOX 404, the
requirement for the independent public accountant to examine, attest
to, and report on management's assertion concerning internal control
over financial reporting for both GAAP and regulatory reporting
purposes will be too costly. Instead of having the accountant examine
internal control, banking regulators should assess the adequacy of
internal control over financial reporting as part of the examination
process.
- The requirements that the independent public accountant's
report on internal control over financial reporting identify the
internal control framework used, state that the evaluation included
controls over the preparation of regulatory financial statements,
express the accountant's conclusion as to whether internal control is
effective, and disclose all material weaknesses can be deleted
because they are already addressed by the AICPA and PCAOB standards.
The rule should instead refer to the professional auditing and
attestation standards.
- The FDIC should consider a delayed phase-in of the
requirement for the independent public accountant to assess internal
control over financial reporting similar to the phase-in set forth in
the SEC's rules implementing SOX 404.
- The requirement to disclose material weaknesses in
internal control over financial reporting in the independent public
accountant's report should be clarified as to whether the disclosure
covers all identified material weaknesses, regardle