What Banks Need to Know About FDIC Audit Requirements

As an insured depository institution approaches $500 million in assets, it needs to start preparing to comply with the Annual Independent Audits and Reporting Requirements of the Federal Deposit Insurance Corporation (FDIC). Banks nearing or exceeding this threshold need to understand the FDIC rules and regulations so they can avoid non-compliance.

In the midst of the Great Recession in 2009, the FDIC implemented regulation 12 CFR Part 363 in an effort to identify financial difficulties at insured depository institutions. The regulation applies to an insured depository institution when its total assets, measured on the first day of its fiscal year, are greater than or equal to $500 million. Once a bank reaches $1 billion in assets, additional requirements apply.

Audit and reporting requirements

If your financial institution is nearing $500 million in assets, you are most likely already having your financial statements audited. However, once you reach that mark, your financial statements will need to be attested and reported to regulators, and you will need to provide specific management reports to regulators.

Requirements for financial institutions with between $500 million and $1 billion in assets:

  • Annual reporting requirements: The institution must provide audited comparative financial statements to regulators along with the independent public accountant’s report on the audited financial statements. The audit may be performed at the holding company parent level if 75% or more of its consolidated assets consist of the subsidiary financial institution as of the beginning of the fiscal year. Otherwise, the audit must be performed at the financial institution level.
  • Management representation: The institution must provide a written statement of management’s responsibilities for preparing the institution’s financial statements, establishing and maintaining internal controls over financial reporting, and complying with safety and soundness laws and regulations related to insider loans and dividend restrictions. In addition, management must provide its assessment of the institution’s compliance with the designated laws and regulations, including its conclusion regarding compliance and a disclosure of any noncompliance issues.
  • Audit committee requirements: The audit committee membership needs to be structured so that a majority of members are independent of the institution’s management.

Once your financial institution reaches $1 billion in assets, you will have additional requirements, particularly regarding management reports and the audit committee.

  • Annual reporting requirements: Same as listed above.
  • Management representation: The major difference between the requirements for a $500-million-plus institution versus a $1-billion-plus institution is that the latter is required to provide a report containing management’s assessment of the effectiveness of the internal control structure over financial reporting as of the end of the fiscal year. The other requirements for management representation are the same as those listed above. The independent public accountants must also issue an attestation report concerning the effectiveness of the institution’s internal control structure over financial reporting.
  • Audit committee requirements: Another difference is in the audit committee structure. Institutions with $1 billion in assets or more are required to structure audit committee membership as an independent board of directors (all audit committee members must be outside directors and independent of bank management).

Filing deadlines and noncompliance

An insured depository institution that is public or a subsidiary of a public company (whose total assets comprise 75% or more of the holding company’s consolidated assets) must file the required reports under 12 CFR Part 363 within 90 days after the end of its fiscal year. Institutions that are not public companies must file their required reports within 120 days after the end of their fiscal year.

There is no extension for filing the required reports. If your institution is unable to complete the filing requirements, you must submit a notification of late filing on or before the filing deadline; it must detail the reasons for the late filing along with the planned filing date. In addition to the FDIC, the appropriate state supervisory agency and the appropriate federal banking agency (which would include the applicable Federal Reserve Bank) need to be notified.

Examiners will investigate any willful acts of noncompliance with laws or regulations, which could result in civil money penalties or other administrative actions under Section 8 of the Federal Deposit Insurance Act.

Contact me or another member of Kaufman Rossin’s Risk Advisory Services consulting team to learn more about how these rules may impact your financial institution.


Alexander Smith, CRCM, CFE, is a Risk Advisory Services Senior Manager at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.
