Industry Overview—Banks and Savings Institutions
1.01 Banks and savings institutions provide a link between entities that have capital and entities that need capital. They accept deposits from entities with idle funds and lend to entities with investment or spending needs. This process of financial intermediation benefits the economy by increasing the supply of money available for investment and spending. It also provides an efficient means for the payment and transfer of funds between entities.
1.02 Government, at both the federal and state levels, has long recognized the importance of financial intermediation by offering banks and savings institutions special privileges and protections. These incentives—such as access to credit through the Board of Governors of the Federal Reserve System (Federal Reserve) and federal insurance of deposits—have not been similarly extended to commercial enterprises. Accordingly, the benefits and responsibilities associated with their public role as financial intermediaries have brought banks and savings institutions under significant governmental oversight. Federal and state regulations affect every aspect of banks and savings institutions' operations. Similarly, legislative and regulatory developments in the last decade have radically changed the business environment for banks and savings institutions.
1.03 Although banks and savings institutions continue in their traditional role as financial intermediaries, the ways in which they carry out that role became increasingly complex in the most recent decade. Under continuing pressure to operate profitably, the industry adopted innovative approaches to carrying out the basic process of gathering and lending funds. The management of complex assets and liabilities, development of additional sources of income, reactions to technological advances, responses to changes in regulatory policy, and competition for deposits all added to the risks and complexities of the business of banking. These include the following:
- Techniques for managing assets and liabilities that allow institutions to manage financial risks and maximize income have evolved.
- Income, traditionally derived from the excess of interest collected over interest paid, became dependent on fees and other income streams from specialized transactions and services.
- Technological advances accommodated complex transactions, such as the sale of securities backed by cash flows from other financial assets.
- Regulatory policy alternately fostered or restricted innovation. Institutions have looked for new transactions to accommodate changes in the amount of funds they generally must keep in reserve or to achieve the desired levels of capital in relation to their assets.
- Regulatory policy has expanded and become increasingly complex in response to increasing complexities in the industry and recent economic recessions.
1.04 In addition, competition arose from within the industry, and from other competitors such as investment companies, brokers and dealers in securities, insurers, and financial subsidiaries of commercial enterprises. These entities increased business directly with potential depositors and borrowers in transactions traditionally executed through banks and savings institutions. This disintermediation increased the need for innovative approaches to attracting depositors and borrowers.
1.05 Disintermediation also led to a sharp increase in consolidation within the financial institution industry, which created several large and highly complex financial holding companies. With the changes previously mentioned and the increased size of many financial institutions, a dramatic shift in lending, capital market activities, and sources of funding occurred. During this transformation of the industry, the regulatory system issued additional guidance in an effort to keep pace with the changes in the industry.
1.06 The economic recession, which officially began in 2007, revealed vulnerabilities in financial institutions and the regulatory system that contributed to unprecedented strain and stress on financial institutions and in financial markets. As a result, certain financial institutions either failed or came close to failure and many additional widespread repercussions affected or continue to affect this industry. Total assets of “problem” institutions reached their highest levels since 1993 during the first quarter of 2010, per the FDIC’s Quarterly Banking Profile. In addition, the number of bank failures reached the highest level since 1992. The economic crisis fueled the demand for financial reform. As a result, on July 21, 2010, the president signed the Dodd-Frank Wall Street Reform and Consumer Protection Act (the Dodd-Frank Act) into law in response to weaknesses in the financial services industry that were believed to have contributed to the economic recession. See further discussion of the Dodd-Frank Act beginning at paragraph 1.31.
1.07 The innovation and complexity related to this industry creates a constantly changing body of business and economic risks. These risk factors, and related considerations for auditors, are identified and discussed throughout this guide.
1.08 As previously discussed, the importance of financial intermediation has driven governments to play a role in the banking and savings institutions industry. Banks and savings institutions have been given unique privileges and protections, including the insurance of their deposits by the federal government through the FDIC and access to the Federal Reserve's discount window and payments system. (See chapter 2, "Industry Overview—Credit Unions," of this guide for the roles and responsibilities of the National Credit Union Administration [NCUA]). Currently, the federal oversight of institutions receiving these privileges falls to the following three agencies:
- a. The Federal Reserve, established in 1913 as the central bank of the United States, which has supervisory responsibilities for bank and savings and loan holding companies, state chartered banks that are members of the Federal Reserve, and foreign banking organizations operating in the United States
- b. The FDIC, established in 1934 to restore confidence in the banking system through the federal insurance of deposits, which has supervisory responsibilities for state chartered banks and savings institutions that are not members of the Federal Reserve
- c. The Office of the Comptroller of the Currency (OCC), created in 1863, which regulates and provides federal charters for national banks and federal savings associations
1.09 The Federal Reserve and the FDIC are independent agencies of the federal government. The OCC is a bureau of the U.S. Department of Treasury (Treasury). Each state has a banking department, and the state banking departments are members of an organization called the Conference of State Bank Supervisors.
1.10 Although each agency has its own jurisdiction and authority, the collective regulatory and supervisory responsibilities of federal and state banking agencies include the following:
- Establishing (either directly or as a result of legislative mandate) the rules and regulations that govern institutions' operations
- Supervising institutions' operations and activities
- Reviewing and approving organization, conversion, consolidation, merger, or other changes in control of the institutions and their branches
- Appraising (in part through on-site examinations) institutions' financial condition, the safety and soundness of operations, the quality of management, the adequacy and quality of capital, asset quality, liquidity needs, and compliance with laws and regulations
1.11 Given the nature of their duties to consider a bank’s risk characteristics and loss behavior, the banking agencies also have significant influence in aiding banks and savings institutions with technical details on the application of U.S. generally accepted accounting principles (GAAP) in regulatory reporting. For example, the agencies also have certain authority over the activities of auditors serving the industry. Further, the Federal Reserve, the FDIC, the OCC, and the NCUA constitute the Federal Financial Institutions Examination Council (FFIEC). The FFIEC sets forth uniform examination and supervisory guidelines in certain areas related to banks’, savings institutions’, and credit unions’ activities, including those involving regulatory reporting matters.
1.12 This chapter discusses the current regulatory approach to the supervision of banks and savings institutions and provides an overview of major areas of regulation and related regulatory reporting. Legislative efforts over time to regulate, deregulate, and reregulate banks and savings institutions are also addressed in this chapter. Other specific regulatory considerations are identified throughout this guide in the relevant chapters.
1.13 In addition to supervision and regulation by the federal and state banking agencies, publicly held holding companies are generally subject to the requirements of federal securities laws, including the Securities Act of 1933 and the Securities Exchange Act of 1934 (the 1934 Act). Holding companies whose securities are registered under the 1934 Act must comply with its reporting requirements through periodic filings with the SEC. Publicly held institutions that are not part of a holding company are required under Section 12(i) of the 1934 Act to make equivalent filings directly with their primary federal regulators. Each of the agencies has regulations that provide for the adoption of forms, disclosure rules, and other registration requirements equivalent to those of the SEC as mandated by the 1934 Act.
1.14 Both the Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA) and the FDIC Improvement Act of 1991 (FDICIA) were adopted to protect the federal deposit insurance funds through the early detection and intervention in problem institutions, with an emphasis on capital adequacy.
1.15 Declining real estate markets in the mid-1980s contributed heavily to widespread losses in the savings institutions industry, evidenced by the insolvency of the savings industry's federal deposit insurance fund. The FIRREA provided funds for the resolution of thrift institutions, replaced the existing regulatory structure, introduced increased regulatory capital requirements, established limitations on certain investments and activities, and enhanced regulators' enforcement authority. The FIRREA redefined responsibilities for federal deposit insurance by designating separate insurance funds: the Bank Insurance Fund (BIF) and the Savings Associations Insurance Fund (SAIF). The FIRREA also established the Resolution Trust Corporation (RTC) to dispose of the assets of failed thrifts. The RTC is no longer in existence and its work is now being done by the FDIC.
1.16 As the 1980s came to a close, record numbers of bank failures began to drain the BIF. The FDICIA provided additional funding for the BIF but also focused on the least-cost resolution of and prompt corrective action (PCA) for troubled institutions and improved supervision and examinations. The FDICIA also focused the regulatory enforcement mechanism on capital adequacy. Many of the FDICIA's provisions were amendments or additions to the existing Federal Deposit Insurance Act (FDI Act).
1.17 In April 2006, the FDIC merged the BIF and the SAIF to form the Deposit Insurance Fund (DIF). This action was pursuant to the provisions in the Federal Deposit Insurance Reform Act of 2005 (Reform Act). Under the Reform Act, the FDIC may set the designated reserve ratio, calculated as the target insurance fund size as a percentage of estimated insured deposits, within a range of 1.15 percent to 1.50 percent of estimated insured deposits.
1.18 A desire to allow banks to serve a broad spectrum of customer financial needs caused Congress to pass legislation in 1999. The Gramm-Leach-Bliley Act (also known as the Financial Services Modernization Act) changed the types of activities that are permissible for bank holding company affiliates and for subsidiaries of banks. The bill created so-called financial holding companies that may engage in a broad array of activities. Financial holding company affiliates could provide insurance as principal, agent, or broker and may issue annuities. These affiliates may engage in expanded underwriting, dealing in, or making a market in securities, as well as engage in expanded merchant banking activities. The legislation affirmed the concept of functional regulation.
1.19 Federal banking regulators continue to be the primary supervisors of the banking affiliates of financial holding companies, state insurance authorities supervise the insurance companies, and the SEC and securities self-regulatory organizations supervise the securities business. Each functional regulator determines appropriate capital standards for the companies it supervises. The Treasury and the Federal Reserve have the authority to approve additional activities to be permissible for financial holding companies. To maintain financial holding company status, all of a bank holding company's insured deposit taking subsidiaries must be "well capitalized," "well managed," and have at least a satisfactory Community Reinvestment Act rating.
1.20 In 1970, the Bank Secrecy Act (BSA) was enacted to address the problem of money laundering. The BSA authorized the Treasury to issue regulations requiring financial institutions to file reports, keep certain records, implement anti-money-laundering programs and compliance procedures, and report suspicious transactions to the government. (See Title 31 U.S. Code of Federal Regulations [CFR] Chapter X). These regulations, promulgated under the authority of the BSA, and subsequently the USA-Patriot Act of 2001, are intended to help federal authorities detect, deter, and prevent criminal activity. The Financial Crimes Enforcement Network (FinCEN), an arm of the Treasury, administers these regulations.
1.21 On December 2, 2014, the FFIEC released the revised Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual (manual). The revised manual provides current guidance on risk-based policies, procedures, and processes for banking organizations to comply with the BSA and safeguard operations from money laundering and terrorist financing. The manual has been updated to further clarify supervisory expectations and incorporate regulatory changes since the manual’s 2010 update.
1.22 In 2002, the Sarbanes-Oxley Act was enacted in response to high-profile business failures which called into question the effectiveness of the CPA profession's self-regulatory process as well as the effectiveness of the audit to uphold the public trust in the capital markets. The requirements of the Sarbanes-Oxley Act and the SEC regulations implementing the Act are wide-ranging. The banking regulatory agencies also passed regulations implementing certain provisions of the Sarbanes-Oxley Act. Paragraphs 1.99–.111 provide additional information regarding regulatory issuances related to the Sarbanes-Oxley Act. In addition, the Sarbanes-Oxley Act created the PCAOB, which has the authority to set and enforce auditing, attestation, quality control, and ethics (including independence) standards for auditors of entities subject to the oversight authority of the PCAOB. It also is empowered to inspect the auditing operations of public accounting firms that audit entities subject to the oversight authority of the PCAOB as well as impose disciplinary and remedial sanctions for violations of the board's rules, securities laws, and professional auditing and accounting standards.
1.23 Key economic issues affecting the regulations are centered on the ability of financial institutions to operate profitably—for example, the costs and benefits of regulations, the effects of unemployment and future corporate layoff plans, levels of interest rates, and the availability of credit.
Deposit Insurance Fund
1.24 On October 7, 2008, the FDIC established a Restoration Plan for the DIF to return the DIF to its statutorily mandated minimum reserve ratio of 1.15 percent within 5 years. In February 2009, the FDIC amended its Restoration Plan to extend the restoration period from 5 to 7 years. Congress then amended the statute governing the Restoration Plan, in May 2009, to allow the FDIC up to 8 years to return the DIF reserve ratio to 1.15 percent. In September 2009, the FDIC amended the Restoration Plan consistent with the statutory change and, pursuant to the amended Restoration Plan, adopted a uniform 3 basis point increase in initial assessment rates effective January 1, 2011.
1.25 The Dodd-Frank Act requires the FDIC to set a designated reserve ratio of not less than 1.15 percent for any year and to increase the level of the DIF to 1.35 percent of estimated insured deposits by September 30, 2020. In March 2016, the FDIC approved a final rule, effective July 1, to increase the DIF to the statutorily required minimum level of 1.35 percent on institutions with total consolidated assets of $10 billion or more while providing credits to institutions that have assets of less than $10 billion. Readers are encouraged to consult the full text of this final rule on the FDIC’s website at www.fdic.gov. The Dodd-Frank Act also called for a revision to the definition of the deposit insurance assessment base. The intent of changing the assessment base was to shift a greater percentage of overall total assessments away from community institutions and toward the largest institutions.
1.26 In response to the provisions of the Dodd-Frank Act, in February 2011, the FDIC’s board of directors, through the issuance of Financial Institution Letter (FIL)-8-2011, adopted the final rule Deposit Insurance Assessment Base, Assessment Rate Adjustments, Dividends, Assessment Rates, and Large Bank Pricing Methodology to redefine the deposit insurance assessment base, as required by the Dodd-Frank Act; alter the assessment rates; implement the Dodd-Frank Act’s DIF dividend provisions; and revise the risk-based assessment system for all large insured depository institutions (IDIs). The final rule
- redefines the deposit insurance assessment base as average consolidated total assets minus average tangible equity (the assessment base had previously been defined as total domestic deposits).
- makes generally conforming changes to the unsecured debt and brokered deposit adjustments to assessment rates.
- creates a depository institution debt adjustment.
- eliminates the secured liability adjustment.
- adopts a new assessment rate schedule which became effective April 1, 2011, and, in lieu of dividends, other rate schedules when the reserve ratio reaches certain levels.
1.27 In addition, the final rule establishes a new methodology for calculating deposit insurance assessment rates for highly complex and other large IDIs (commonly referred to as the Large Bank Pricing Rule). The new methodology combines capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk (CAMELS) ratings and financial measures to produce a score that is converted into an institution's assessment rate. The Large Bank Pricing Rule authorizes the FDIC to adjust, up or down, an institution's total score by 15 basis points. The final rule became effective on April 1, 2011. For further information, readers can access the final rule on the FDIC website at www.fdic.gov.
1.28 In September 2011, the FDIC adopted guidelines describing the process that the FDIC will follow to determine whether to make an adjustment, to determine the size of any adjustment, and to notify an institution of an adjustment made to its assessment rate score, as allowed under the Large Bank Pricing Rule. The guidelines also provide examples of circumstances that might give rise to an adjustment. Further information on the guidelines can be found in FIL-64-2011, Assessments: Assessment Rate Adjustment Guidelines, on the FDIC website at www.fdic.gov.
1.29 In October 2012, the FDIC’s board of directors, through the issuance of FIL-44-2012, Assessments: Final Rule on Assessments, Large Bank Pricing, adopted a final rule to amend and clarify definitions related to higher risk assets as used by the deposit insurance pricing scorecards for large and highly complex IDIs. The rule applies only to institutions with $10 billion or more in assets. Specifically, the rule revises the definition of certain higher risk assets, such as leveraged loans and subprime consumer loans; clarifies the timing of identifying an asset as higher risk; clarifies the way securitizations (including those that meet the definition of nontraditional mortgage loans) are identified as higher risk; and further defines terms that are used in the large bank pricing rule adopted in February 2011. The final rule became effective on April 1, 2013. For further information, readers are encouraged to access the final rule in FIL-44-2012 on the FDIC website at www.fdic.gov.
1.30 In November 2014, the FDIC issued the Assessments final rule to revise the FDIC’s risk-based deposit insurance assessment system to reflect changes in the regulatory capital rules. The final rule
- conforms the capital ratios and ratio thresholds in the small institution assessment system to the new PCA capital ratios and ratio thresholds.
- conforms the assessment base calculation for custodial banks to the new asset risk weights using the standardized approach in the regulatory capital rules.
- requires that all highly complex institutions measure counterparty exposure for assessment purposes using the Basel III standardized approach credit equivalent amount for derivatives and the Basel III standardized approach exposure amount for securities financing transactions in the regulatory capital rules.
For further information, readers can access the final rule in FIL-57-2014, Assessments: Final Rule, on the FDIC website at www.fdic.gov.
The Dodd-Frank Act
1.31 The Dodd-Frank Act was signed into law by President Obama on July 21, 2010. It aims to promote U.S. financial stability by improving accountability and transparency in the financial system, putting an end to the belief that certain financial institutions were too big to fail, protecting American taxpayers by ending bailouts, and protecting consumers from abusive financial services practices. The Dodd-Frank Act contains many provisions; some highlights that may be of particular interest to readers are summarized in the following sections.
1.32 A copy of the full Dodd-Frank Act, as signed by the president, can be found at www.gpo.gov. The AICPA is also following any developments related to the Dodd-Frank Act on its website at aicpa.org on the "Federal Issues" page under “Advocacy.”
Financial Stability Oversight Council
1.33 The Dodd-Frank Act created a new systemic risk regulator called the Financial Stability Oversight Council (FSOC). The two main goals of the FSOC are to identify risks to the financial stability of the United States banking system and to promote market discipline by eliminating the moral hazard of "too big to fail." To meet these goals, the FSOC has many powers to identify any company, product, or activity that could threaten U.S. financial stability. The FSOC is chaired by the Secretary of the Treasury, and voting members are heads of nine federal financial regulatory agencies, including chairmen of the Federal Reserve, the FDIC, and the SEC, among others. The FSOC is authorized to facilitate regulatory coordination; facilitate information sharing and collection; designate nonbank financial companies for consolidated supervision; designate systemic financial market utilities and systemic payment, clearing, or settlement activities; recommend stricter standards for the largest, most interconnected firms; break up firms that pose a "grave threat" to financial stability; and recommend that Congress close specific gaps in regulation. Further information on the FSOC and proposed rulings can be found at www.treasury.gov/initiatives/pages/fsoc-index.aspx.
Leverage and Risk-Based Capital Requirements
1.34 Title 1, "Financial Stability," of the Dodd-Frank Act requires the appropriate federal banking agencies to establish minimum leverage and risk-based capital requirements, on a consolidated basis, for IDIs, depository institution holding companies, and nonbank financial companies supervised by the Federal Reserve. The minimum leverage and risk-based capital requirements for IDIs established by the agencies under this section of the Dodd-Frank Act should not be less than the generally applicable requirements, which should serve as a floor for any capital requirements that the agencies may require, nor be quantitatively lower than the generally applicable requirements that were in effect for IDIs as of the date of enactment. The provisions of Section 171 of the Dodd-Frank Act regarding trust preferred securities can be found in paragraph 17.20 of this guide.
1.35 Title VI, "Improvements to Regulation," of the Dodd-Frank Act mandates stronger capital requirements for all IDIs, depository institution holding companies, and any company that controls an IDI and provides that any company in control be accountable for the financial strength of that entity.
Consumer Financial Protection Bureau
1.36 The Consumer Financial Protection Bureau (CFPB) is an independent agency that consolidates much of the federal regulation of financial services offered to consumers. The CFPB is expected to ensure that consumers receive clear, accurate information to shop for mortgages, credit cards, and other financial products (but not products subject to securities or insurance regulations); to provide consumers with one dedicated advocate; and to protect them from hidden fees and deceptive practices. The CFPB also oversees the enforcement of federal laws intended to ensure the fair, equitable, and nondiscriminatory access to credit for individuals. The director of the CFPB replaces the director of the Office of Thrift Supervision (OTS) on the FDIC board. The CFPB is led by an independent director appointed by the president and confirmed by the Senate and has a dedicated budget in the Federal Reserve.
1.37 The CFPB has the authority to examine and enforce regulations for banks and credit unions with assets of over $10 billion; all mortgage-related businesses (nondepository institution lenders, servicers, mortgage brokers, and foreclosure operators); providers of payday loans; student lenders; and other nonbank financial entities, such as debt collectors and consumer reporting agencies. Banks and credit unions with assets of $10 billion or less will be examined for consumer compliance by the appropriate regulator. The CFPB also can autonomously write rules for consumer protections governing all financial institutions (banks and nonbanks) offering consumer financial services or products.
1.38 For further information on the CFPB and the progress the agency has made since its inception, readers can access the CFPB website at www.consumerfinance.gov.
1.39 The Dodd-Frank Act provided the SEC and the Commodity Futures Trading Commission (CFTC) with the authority to regulate over-the-counter derivatives and required central clearing and exchange trading for derivatives. The SEC has regulatory authority over specific security-based swaps (including credit default swaps), and the CFTC has primary regulatory authority over all other swaps, including energy-rate swaps, interest-rate swaps, and broad-based security group or index swaps. Standardized swaps will be traded on an exchange or in other centralized trading facilities, which will promote transparency; standardized derivatives will also have to be handled by central clearinghouses. The Dodd-Frank Act requires all cleared swaps to be traded on a registered exchange or board of trade.
1.40 The Dodd-Frank Act also provided regulators the authority to impose capital and margin requirements on swap dealers and major swap participants. The credit exposure from derivative transactions will be considered in banks’ lending limits.
1.41 Banks can continue engaging in principal transactions involving interest-rate, foreign-exchange, gold, silver, and investment-grade credit default swaps, subject to Section 619 of the Dodd-Frank Act (commonly referred to as the Volcker Rule) limitations on proprietary trading. See discussion of the Volcker Rule in paragraph 1.48. For commodities, most other metals, energy, and equities, banks must shift their swap operations to a separately capitalized affiliate within the holding entity.
1.42 Section 610 of the Dodd-Frank Act revises the statutory definition of loans and extensions of credit to include credit exposures arising from derivative transactions, repurchase agreements, reverse repurchase agreements, securities lending transactions, and securities borrowing transactions (collectively, securities financing transactions). This revised definition also is applicable to all savings associations.
1.43 In June 2013, the OCC finalized its lending limits interim rule, which consolidated the lending limits rules applicable to national banks and savings associations, removed the separate OCC regulation governing lending limits for savings associations, and implemented Section 610 of the Dodd-Frank Act. The final rule outlines the methods that banks can choose from to measure credit exposures of derivative transactions and securities financing transactions. A bank may choose which method it will use; however, the OCC may specify that a bank use a particular method for safety and soundness reasons. Banks may request OCC approval to use a different method to calculate credit exposure for certain transactions. If the Model Method is used, the OCC must approve the use of the model and any subsequent changes to an approved model. The final rule continues to provide that loans and extensions of credit, including those that arise from derivative transactions and securities financing transactions, must be consistent with safe and sound banking practices.
1.44 Derivative transactions. Banks can generally choose to measure the credit exposure of derivatives transactions through
1.45 For credit derivatives (transactions in which banks buy or sell credit protection against loss on a third-party reference entity), the final rule provides a special rule for calculating credit exposure based on exposure to the counterparty and reference entity.
1.46 Securities financing transactions. The final rule specifically exempts securities financing transactions relating to Type I securities (such as U.S. or state government obligations) from the lending limits calculations. For other securities financing transactions, banks can choose to measure credit exposure by the following methods:
- Locking in the attributable exposure based on the type of transaction
- Using an OCC-approved internal model
- Using the Basel Collateral Haircut Method
1.47 Information for community banks. The final rule minimizes the compliance burden on small and midsize banks of measuring the credit exposure of derivative transactions and securities financing transactions by providing different options for measuring the exposures for each transaction type. The options permit banks to adopt compliance alternatives that fit their size and risk management requirements, consistent with safety and soundness and the goals of the statute. Community banks should note that derivative transactions include interest rate swaps; however, community banks may use the Conversion Factor Matrix Method, which is an easy-to-use lookup table that locks in the attributable exposure at the execution of the transaction. The simplest calculation of securities financing transactions, excluding those related to Type I securities, is the Basic Method, which locks in the attributable exposure based on the type of transaction.
1.48 The Volcker Rule prohibits banking entities and affiliated companies from proprietary trading; acquiring or retaining any equity, partnership, or other ownership interest in a hedge fund or private equity fund; and sponsoring a hedge fund or private equity fund. Proprietary trading consists of transactions made by an entity that affect the entity’s own account but not the accounts of its clients. Banks can make de minimis investments in hedge funds and private equity funds using no more than 3 percent of their tier 1 capital in all such funds combined. Also, a bank’s investment in a private fund may not exceed 3 percent of the fund’s total ownership interest. Nonbank financial institutions supervised by the Federal Reserve also have restrictions on proprietary trading, hedge fund investments, and private equity investments. See discussion on final rulings enacted as a result of the Volcker Rule in paragraphs 18.77–.78 of this guide.
1.49 The Dodd-Frank Act abolished the OTS, which had been the federal supervisor for federal savings associations and thrift holding companies. Its authority for federal savings associations and rulemaking for all savings associations was transferred to the OCC, its authority for state savings associations was transferred to the FDIC, and its authority for thrift holding companies (also known as savings and loan holding companies or SLHCs) was transferred to the Federal Reserve. However, the thrift charter has been preserved. In January 2011, the Federal Reserve, the FDIC, the OCC, and the OTS issued a Joint Implementation Plan to provide an overview of actions taken by the agencies to efficiently and effectively implement Sections 301–326 of the Dodd-Frank Act. The transfer of authority took place on July 21, 2011, and certain regulations have been enacted in response, as subsequently discussed.
1.50 In July 2011, the OCC issued an interim final rule that republishes regulations issued by the OTS, prior to its transfer of powers, that the OCC has authority to promulgate and enforce. This rule, which was effective immediately, renumbers and issues these former OTS regulations as new OCC regulations (recodified in Chapter I at Parts 100–197), with nomenclature and other technical amendments to reflect the OCC supervision of federal savings associations. These newly issued OCC regulations supersede the OTS regulations for purposes of the OCC supervision of federal savings associations.
1.51 In August 2011, the Federal Reserve issued an interim final rule establishing regulations for SLHCs. This rule provides for the corresponding transfer from the OTS to the Federal Reserve of the regulations necessary for the Federal Reserve to administer the statutes governing SLHCs. The three components to the rule include new Regulation LL (Part 238), which sets forth regulations generally governing SLHCs; new Regulation MM (Part 239), which sets forth regulations governing SLHCs in mutual form; and technical amendments to current Federal Reserve regulations necessary to accommodate the transfer of supervisory authority for SLHCs from the OTS to the Federal Reserve.
1.52 In August 2011, the FDIC published an interim final rule reissuing and redesigning certain transferring OTS regulations. In republishing these rules, the FDIC only made technical changes to existing OTS regulations. The OTS regulations were recodified in Chapter III at Parts 390–391.
1.53 In December 2011, the OCC issued Bulletin OCC 2011-47, OTS Integration: Supervisory Policy Integration Process, to outline the process that the OCC intends to follow to fully integrate the OTS policy guidance documents into a common set of supervisory policies that applies to both national banks and federal savings associations. Phase I involves rescinding a significant number of documents including OTS documents that transmitted or summarized rules, interagency guidance, or Examination Handbook sections that are no longer useful because of the elimination of the OTS, the passage of time, or duplicate existing OCC guidance. The OCC has announced the rescission through numerous bulletins. Phase II focuses on guidance that requires further review, substantive revision, or combination or guidance that is considered unique to federal savings associations. Readers are encouraged to access the “OTS Integration” page on the OCC website for further developments on the integration of the two agencies.9
1.54 The FDIC and the Federal Reserve issued a joint rule to implement Section 165(d) of the Dodd-Frank Act. This rule requires bank holding companies with assets of $50 billion or more and companies designated as systemically important by the FSOC to report periodically to the FDIC and the Federal Reserve the company’s plan for its rapid and orderly resolution in the event of material financial distress or failure.
1.55 The goal of this rule is to achieve a rapid and orderly resolution of an organization that would not cause a systemic risk to the financial system. The final rule also establishes specific standards for the resolution plans (commonly referred to as living wills), including requiring a strategic analysis of the plan’s components; a description of the range of specific actions to be taken in the resolution; and analyses of the company’s organization, material entities, interconnections and interdependencies, and management information systems, among other elements.
1.56 The rule requires companies to update their plans annually. A company that experiences a material event after a plan is submitted has 45 days to notify regulators of the event.
1.57 Separately, the FDIC’s board of directors approved a complementary final rule under the FDI Act to require IDIs with $50 billion or more in total assets to submit periodic contingency plans to the FDIC for resolution in the event of the depository institution failure. The final rule became effective on April 1, 2012.
1.58 The final rule requires these IDIs to submit a resolution plan that will enable the FDIC, as receiver, to resolve the bank to ensure that depositors receive access to their insured deposits within one business day of the institution’s failure, maximize the net present value return from the sale or disposition of its assets, and minimize the amount of any loss to be realized by the institution’s creditors.
1.59 Both the final rule related to certain bank holding companies and systemically important companies and the final rule related to certain IDIs can be found on the FDIC website at www.fdic.gov.
1.60 Section 165(i) of the Dodd-Frank Act requires certain companies to conduct annual stress tests (commonly referred to as Dodd-Frank Act Stress Testing) in accordance with the regulations proposed by their respective primary financial regulatory agencies, as well as semiannual company-run stress tests. Specifically, it requires the primary financial regulatory agency to define the stress tests; establish methodologies for the conduct of the stress tests, which must include at least three different sets of conditions (baseline, adverse, and severely adverse); establish the form and content of the report that institutions are required to submit; and instruct the institution to publish a summary of the results of the Dodd-Frank Act institutional stress test.
1.61 In May 2012, the Federal Reserve, the OCC, and the FDIC jointly issued final supervisory guidance on stress testing for banking organizations with more than $10 billion in total consolidated assets that became effective on July 23, 2012. The guidance highlights the importance of stress testing as an ongoing risk management practice that supports a banking organization’s forward-looking assessment of its risks. In addition, the guidance highlights five principles that should be part of a banking organization’s stress testing framework. The framework should (a) include activities and exercises that are tailored to the exposures, activities, and risks of the organization; (b) employ multiple conceptually sound activities and approaches; (c) be forward looking and flexible; (d) be clear, actionable, well supported, and used in the decision-making process; and (e) include strong governance and effective internal control. Furthermore, the guidance discusses four types of stress testing approaches and applications, which include scenario analysis, sensitivity analysis, enterprise-wide stress testing, and reverse stress testing. Readers can access the supervisory guidance from any of the agencies’ websites.
1.62 In conjunction with the release of stress testing guidance, the Federal Reserve, the FDIC, and the OCC also released a statement to clarify that community banks are not required or expected to conduct the type of stress testing required of larger organizations. However, the statement also noted that all banking organizations, regardless of size, should have the capacity to analyze the potential impact of adverse outcomes on their financial condition. Examples of such interagency guidance that addresses potential adverse outcomes as a part of sound risk management practices include, but are not limited to, interest rate risk (IRR) management, commercial real estate concentrations, and funding and liquidity management.
1.63 On October 9, 2012, the Federal Reserve, the FDIC, and the OCC issued final rules on company-run stress testing for companies with more than $10 billion in total assets as required by the Dodd-Frank Act. Readers can access the stress test requirements of each agency from the respective agencies' websites.11
1.64 Capital is the primary tool used by regulators to monitor the financial health of insured financial institutions. Regulatory intervention is focused primarily on an institution's capital levels relative to regulatory standards. The agencies have a uniform framework for PCA, as well as specific capital adequacy guidelines set forth by each agency.12
1.65 In addition to assessing financial statement disclosures, which are discussed in chapter 17, "Equity and Disclosures Regarding Capital Matters," of this guide, the auditor considers regulatory capital from the perspective that noncompliance or expected noncompliance with regulatory capital requirements may be a condition, when considered with other factors, that could indicate substantial doubt about an entity's ability to continue as a going concern. This discussion provides an overview to help auditors understand regulatory capital requirements. Capital regulations are complex, and their application by management requires a thorough understanding of specific requirements and the potential impact of noncompliance. Accordingly, the auditor should consult the relevant regulations and regulatory guidance, as necessary, when considering regulatory capital matters.
1.66 The FDIC, the OCC, and the Federal Reserve historically had common capital adequacy guidelines which differed in some respects from those of the OTS, prior to its transfer of powers, involving minimum (a) leverage capital and (b) risk-based capital requirements.13 Capital adequacy guidelines are now substantially the same for banks and savings associations. A summary of the general requirements follows. Specific requirements are set forth in Title 12, Banks and Banking, of U.S. CFR and in the instructions for the FFIEC’s Consolidated Reports of Condition and Income (Call Report) and the Federal Reserve's Consolidated Financial Statements for Holding Companies—FR Y-9C. The reports are required to be filed quarterly and contain certain financial information, including information used in calculating regulatory capital ratios and amounts.14
1.67 The OCC, the Federal Reserve, and the FDIC established a minimum common equity tier 1 capital ratio of 4.5 percent, tier 1 capital ratio of 6 percent, total capital ratio of 8 percent, and leverage ratio of 4 percent. The capital rules limit capital distributions and certain discretionary bonus payments if banks do not maintain a capital conservation buffer of common equity tier 1 capital above minimum capital requirements. Advanced approaches organizations (defined as banking organizations with $250 billion or more in total consolidated assets or total consolidated on-balance sheet foreign exposure of $10 billion or more) must also maintain a minimum supplementary leverage ratio of 3 percent. Although advanced approaches banking organizations are not required to comply with the minimum supplementary leverage ratio until January 1, 2018, they were required to begin reporting the ratio as of January 1, 2015. By statute, the FDIC and the OCC also require all federal and state savings associations to maintain a tangible capital requirement of 1.5 percent of assets. The advanced approaches and standardized capital ratio calculations can be found at 12 CFR 3.10 (OCC), 12 CFR 217.10 (Federal Reserve), and 12 CFR 324.10 (FDIC).
1.68 Risk-based capital standards of the FDIC, the OCC, and the Federal Reserve explicitly identify concentrations of credit risk, risks of nontraditional activities, and IRR as qualitative factors to be considered in examiner assessments of an institution's overall capital adequacy; however, the standards require no specific quantitative measure of such risks.
1.69 The FDIC, the OCC, and the Federal Reserve have augmented their IRR requirements through a joint policy statement, Joint Agency Policy Statement on Interest Rate Risk, that explains how examiners will assess institutions' IRR exposure.15,16 The policy statement also suggests that institutions with complex systems for measuring IRR may seek assurance about the institution's risk management process from internal and external auditors.
1.70 The Market Risk Rule (MRR) establishes risk-based regulatory capital requirements for bank holding companies, state member banks, SLHCs, national banks, federal savings associations, and state savings associations (collectively, banking organizations) with significant exposure to certain market risks. The MRR implements the Amendment to the Capital Accord (Market Risk Amendment or MRA) to incorporate market risks issued by the Basel Committee on Banking Supervision in 1996 and modified in 1997, 2005, 2009, and 2010. The MRR is set forth at 12 CFR 217, subpart F (Federal Reserve), 12 CFR 3, subpart F (OCC), and 12 CFR 324, subpart F (FDIC).
1.71 The effect of the market risk capital rules is that any banking organization regulated by the federal banking agencies, with significant exposure to market risk, generally must measure that risk using its own internal value at risk model, and hold a commensurate amount of capital. The amount of capital required to be held includes tier 1 and tier 2 capital. The regulatory capital requirements only apply to banking organizations whose trading activity on a worldwide consolidated basis equals 10 percent or more of the total assets or totals $1 billion or more.
1.72 In June 2012, the OCC, the Federal Reserve, and the FDIC amended the market risk capital rule. The amendment revises the calculation of market risk to better characterize the risks facing a particular institution and to help ensure the adequacy of capital related to the institution’s market risk-related positions. Under the amendment, additional charges were implemented for stressed VaR, credit risk, correlation trading, and other securitizations. The amendment became effective on January 1, 2013, and can be accessed from any of the agencies’ websites.
1.73 Institutions are required to report certain financial information to regulators in quarterly Call Reports, which include amounts used in calculations of the institution's various regulatory capital ratios and amounts.
1.74 Under the capital adequacy standards of the OCC, the Federal Reserve, and the FDIC, a banking organization must deduct certain assets from common equity tier 1 capital. A banking organization is permitted to net associated deferred tax liability against some of those assets prior to making the deduction from tier 1 capital, if the deferred tax liability is associated with the assets and the deferred tax liability would be extinguished if the associated asset becomes impaired or is derecognized under GAAP. Deductions from common equity tier 1 capital include goodwill and other intangibles, deferred tax assets that arise from net operating loss and tax credit carryforwards, gains on sale in connection with a securitization, any defined benefit pension fund net asset held by entities that are not depository institutions (unless the banking organization has unrestricted and unfettered access to the assets in that fund), investments in a banking organization’s own capital instruments, mortgage servicing rights (above certain levels), and investments in the capital of unconsolidated financial institutions (above certain levels).
Prompt Corrective Action
1.75 The FDICIA made capital an essential tool for regulators to monitor the financial health of insured banks and savings institutions. Regulatory intervention is now focused primarily on an institution's capital levels relative to regulatory standards. In Section 38, "Rules, Regulations, and Orders," of the FDI Act, the FDICIA added (to the existing capital adequacy guidelines set forth by each agency) a uniform framework for prompt corrective regulatory action. Holding companies are not subject to the PCA provisions.
1.76 Section 38 provides for supervisory action at certain institutions based on their capital levels. Each institution falls into one of five regulatory capital categories (see paragraph 1.79) based primarily on four capital measures: total risk-based capital, tier 1 risk-based capital, common equity tier 1 capital, and leverage ratios.17 These capital ratios are defined in the same manner for Section 38 purposes as under the respective agencies' capital adequacy guidelines and regulations. For savings associations, tier 1 leverage capital is comparable to core capital.
1.77 Regulations also specify a minimum requirement for tangible equity, which is defined as tier 1 capital plus outstanding perpetual preferred stock not included in tier 1 capital. In calculating the tangible capital ratio, the regulations specify specific deductions that should be applied to total assets included in the ratio denominator.
1.78 An institution may be reclassified between certain capital categories if its condition or an activity is deemed by regulators to be unsafe or unsound. A change in an institution's capital category initiates certain mandatory—and possibly additional discretionary—action by regulators.
1.79 Under Section 38 of the FDI Act, an institution is considered
- a. well capitalized if its capital level significantly exceeds the required minimum level for each relevant capital measure;
- b. adequately capitalized if its capital level meets the required minimum level for each relevant capital measure;
- c. undercapitalized if its capital level fails to meet the required minimum level for each relevant capital measure;
- d. significantly undercapitalized if its capital level is significantly below the required minimum level for each relevant capital measure; and
- e. critically undercapitalized if its capital level fails to meet any level specified under subsection (c)(3)(A) of Section 38 of the FDI Act.
1.80 The PCA levels are defined as follows:
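| Capital category | Total risk-based capital ratio (%) | Tier 1 risk-based capital ratio (%) | Common equity tier 1 capital ratio (%) | Leverage ratio (%)* |
|---|---|---|---|---|
| Well capitalized | >10 and | >8 and | >6.5 and | >5 |
| Adequately capitalized | >8 and | >6 and | >4.5 and | >4 |
| Undercapitalized | <8 or | <6 or | <4.5 or | <4 |
| Significantly undercapitalized | <6 or | <4 or | <3 or | <3 |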
* With respect to an advanced approaches national bank or advanced approaches federal savings association, on January 1, 2018, and thereafter, the leverage measure also includes capital adequacy guidelines for the supplementary leverage ratio in determination of both adequate capitalization and undercapitalization.
1.81 Critically undercapitalized institutions are those having a ratio of tangible equity to total assets of 2 percent or less.
1.82 An institution will not be considered well capitalized if it is under a capital-related cease-and-desist order, formal agreement, capital directive, or PCA capital directive.
1.83 Actions that may be taken under the PCA provisions range from the restriction or prohibition of certain activities to the appointment of a receiver or conservator of the institution's net assets.
1.84 Regulators will also require undercapitalized institutions to submit a plan for restoring the institution to an acceptable capital category. For example, each undercapitalized institution is generally required to submit a plan that specifies the following:
- Steps the institution will take to become adequately capitalized
- Targeted capital levels for each year of the plan
- How the institution will comply with other restrictions or requirements put into effect
- Types and levels of activities in which the institution will engage
1.85 Noncompliance or expected noncompliance with regulatory capital requirements may be a condition that, when considered with other factors, could indicate substantial doubt about an entity's ability to continue as a going concern. The implementation of the PCA provisions warrants similar attention by independent accountants when considering an institution's ability to remain a going concern.
1.86 The primary source of annual independent audits and reporting requirements is Section 36, Early Identification of Needed Improvements in Financial Management, of the FDI Act. In 1991, Section 112 of the FDICIA added Section 36 of the FDI Act. 12 CFR 363 (Part 363) of the FDIC’s regulations implements Section 36 of the FDI Act. Part 363 was initially adopted by the FDIC’s Board of Directors in 1993 and was most recently amended in 2013. Section 36 and Part 363 also establish minimum qualifications for auditors that provide audit and attest services to IDIs. Section 36 and Part 363 apply to each FDIC IDI having total assets of $500 million or more at the beginning of its fiscal year. The requirements specified in Section 36 and Part 363 are in addition to any other statutory and regulatory requirements otherwise applicable to an IDI.
1.87 Notwithstanding the requirements of Section 36 of the FDI Act and Part 363, the Federal Reserve requires certain bank holding companies to submit audited financial statements (under authority of 12 CFR 225.5 [Regulation Y]).
1.88 Also, audit requirements for savings associations, state savings associations, and SLHCs are set forth in 12 CFR 162.4 (OCC), 12 CFR 238.5 (Federal Reserve), and 12 CFR 390.322 (FDIC). In general, the OCC, the Federal Reserve, and the FDIC may require an independent audit of any such entity that they supervise when needed for any identified safety and soundness reason. However, audits for safety and soundness are required as follows:
- Savings associations supervised by the OCC, regardless of size, with a composite safety and soundness CAMELS rating of 3, 4, or 5
- SLHCs supervised by the Federal Reserve, which control savings association subsidiary(ies) with aggregate consolidated assets of $500 million or more
- State savings associations supervised by the FDIC, regardless of size, with a composite safety and soundness CAMELS rating of 3, 4, or 5
12 CFR 162.4 (OCC), 12 CFR 238.5 (Federal Reserve), and 12 CFR 390.322 (FDIC) provide that these audits should be conducted by an independent public accountant who is in compliance with the AICPA Code of Professional Conduct and meets the independence requirements and interpretations of the SEC.18
1.89 Part 363, "Annual Independent Audits and Reporting Requirements," of the FDIC’s rules and regulations, which implements Section 36 of the FDI Act, also includes guidelines and interpretations (guidelines) to facilitate a better understanding of, and full compliance with, the provisions of Section 36. On July 20, 2009, a final rule which amended the regulation and guidelines in Part 363 was published in the Federal Register (Vol. 74, No. 137 [20 July 2009], pp. 35726–35761). The final rule applies to Part 363 Annual Reports with filing deadlines on or after the effective date of the amendments, which was August 6, 2009. The compliance date for the provision of the final rule that requires institutions’ boards of directors to develop and adopt written criteria pertaining to audit committee member independence was delayed until December 31, 2009. The provision of the final rule that requires the consolidated total assets of a holding company’s IDI subsidiaries to comprise 75 percent or more of the holding company’s consolidated total assets for an institution to be eligible to comply with Part 363 at the holding company level became effective for fiscal years ending on or after June 15, 2010.
1.90 Part 363 applies to any IDI with total assets above certain thresholds and requires annual independent audits, assessments of the effectiveness of internal control over financial reporting, and compliance with laws and regulations pertaining to insider loans and dividend restrictions, the establishment of independent audit committees, and related reporting requirements. The asset size threshold for reporting on an institution’s internal control is $1 billion and the threshold for the other requirements generally is $500 million. The FDIC’s FIL-33-2009, Annual Audit and Reporting Requirements: Final Amendments to Part 363, issued on June 23, 2009, provides a summary of the final rule and highlights certain amended annual and other reporting requirements. The general requirements, as amended, are summarized in the following text.
1.91 Annual reporting requirements. According to Sections 363.2 and 363.4, management is required to prepare and file a Part 363 Annual Report that includes the following:19
- a. Comparative financial statements in accordance with GAAP, which should be audited by an independent public accountant.
- b. A management report that must contain the following:
  - i. A statement of management's responsibilities for preparing the institution's annual financial statements, for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and for complying with laws and regulations relating to safety and soundness pertaining to insider loans and dividend restrictions, which are designated by the FDIC and the appropriate federal banking agency.
  - ii. An assessment by management of the institution's compliance with the designated laws and regulations pertaining to insider loans and dividend restrictions during such fiscal year. The assessment must state management’s conclusion regarding compliance and disclose any noncompliance with these laws and regulations. The assessment must clearly state whether the institution has or has not complied with these regulations. Disclosure is not dependent on the degree or materiality of any noncompliance. Statements such as "management believes that the institution complied, in all material respects with the designated safety and soundness laws and regulations" do not present a definitive and unconditional conclusion regarding compliance as envisioned under Part 363.
  - iii. For an institution with consolidated total assets of $1 billion or more at the beginning of its fiscal year, an assessment by management of the effectiveness of such internal control structure and procedures as of the end of such fiscal year. (See paragraphs 1.104–.105 for additional information regarding the internal control reporting requirements.)
- c. The management report must be signed by the CEO and the chief accounting officer or the CFO at the insured depository level or the holding company level as specified in Section 363.2(c).
1.92 Independent public accountant. As amended, Section 363.3 clarifies the independence standards applicable to accountants and requires the following:
- a. Each IDI should engage an independent public accountant to audit and report on its annual financial statements in accordance with generally accepted auditing standards or the PCAOB's auditing standards, if applicable, and Section 37 of the FDI Act.
- b. For each IDI with total assets of $1 billion or more at the beginning of the institution's fiscal year, the independent public accountant who audits the institution's financial statements should examine, attest to, and report separately on the assertion of management concerning the effectiveness of the institution's internal control structure and procedures for financial reporting. The attestation and report should be made in accordance with attestation standards established by the AICPA or the PCAOB’s auditing standards, if applicable. The accountant’s report must not be dated prior to the date of the management report and management’s assessment of the effectiveness of internal control over financial reporting.
- c. When the independent public accountant performing services under Part 363 ceases to be the institution’s accountant, the accountant must provide the FDIC, the appropriate Federal banking agency, and any appropriate State bank supervisor with written notification of such termination within 15 days after the occurrence of such an event. Guideline 20 to Part 363 provides additional guidance regarding an independent public accountant’s notice of termination.
- d. The auditors must report certain communications on a timely basis to the audit committee. The requirements for communications with audit committees, consistent with the requirements under Section 363.3(d), are set forth in the applicable professional standards. The applicable AICPA professional standards, which include AU-C section 260, The Auditor’s Communication With Those Charged With Governance; AU-C section 240, Consideration of Fraud in a Financial Statement Audit; AU-C section 265, Communicating Internal Control Related Matters Identified in an Audit; and AU-C section 940, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements (AICPA, Professional Standards), provide guidance regarding certain matters required to be communicated to those charged with governance, such as audit committees. PCAOB AS 1301, Communications with Audit Committees, and AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements (AICPA, PCAOB Standards and Related Rules), address the requirements for communication of certain matters to audit committees for audits of entities subject to the oversight authority of the PCAOB.
- e. The auditors must retain the working papers related to the audit of the IDI's financial statements and, if applicable, the evaluation of the institution's internal control over financial reporting for seven years from the report release date, unless a longer period of time is required by law.
- f. The auditors must comply with the independence standards and interpretations of the AICPA, the SEC, and the PCAOB. To the extent that any of the rules within any one of these independence standards (AICPA, SEC, and PCAOB) is more or less restrictive than the corresponding rule in the other independence standards, auditors must comply with the more restrictive rule.
- g. Prior to commencing any services for an IDI under Part 363, the independent public accountant must have received a peer review, or be enrolled in a peer review program, that meets acceptable guidelines. Acceptable peer reviews include peer reviews performed in accordance with the AICPA's Peer Review standards and inspections conducted by the PCAOB. For auditors required to conduct their audits in accordance with PCAOB standards, registration with the PCAOB is mandatory. Within 15 days of receiving notification that a peer review has been accepted or a PCAOB inspection report has been issued, or before commencing any audit under this part, whichever is earlier, the independent public accountant must file two copies of the most recent peer review report and the public portion of the most recent PCAOB inspection report, if any, accompanied by any letters of comments, response, and acceptance, with the FDIC. Also, within 15 days of the PCAOB making public a previously nonpublic portion of an inspection report, the independent public accountant must file two copies of the previously nonpublic portion of the inspection report with the FDIC.
1.93 Filing and notice requirements. As amended, Section 363.4 extends the annual report filing deadline for nonpublic institutions and includes the following requirements:
- a. A Part 363 Annual Report must contain the following:
i. Audited comparative annual financial statements
ii. The independent public accountant's report thereon
iii. A management report (see appendix B to Part 363 for illustrative management reports)
iv. For an institution with consolidated total assets of $1 billion or more at the beginning of its fiscal year, an assessment by management of the effectiveness of such internal control structure and procedures as of the end of such fiscal year
v. If applicable, the independent public accountant's attestation report on management's assessment concerning the institution's internal control structure and procedures for financial reporting
Generally, the filing deadline for a Part 363 Annual Report is 120 days after the end of the fiscal year for an institution that is neither a public company nor a subsidiary of a public company, and 90 days after the end of the fiscal year for an institution that is a public company or a subsidiary of a public company.
- b. Except for the Part 363 Annual Report and the peer reviews and inspection reports, as previously described, which should be available for public inspection, all other reports and notifications required under Part 363 are exempt from public disclosure by the FDIC.
- c. Institutions must file with the FDIC a copy of any management letter or other report issued by its independent public accountant with respect to such institution and the services provided by such accountant pursuant to Part 363 within 15 days after receipt. (See Section 363.4(c) for examples of such reports.)
1.94 Audit committees. Section 363.5 and Guidelines 27 to 35 to Part 363 provide guidance, address the composition requirements for audit committees, specify the audit committee’s duties regarding the independent public accountant, require audit committees to ensure that audit engagement letters do not contain unsafe and unsound limitation of liability provisions, and require boards of directors to develop and apply written criteria for evaluating audit committee members’ independence.
1.95 General qualifications. Section 36(g)(3)(A) of the FDI Act provides that all audit services required by Section 36 should be performed by an independent public accountant who has agreed to provide regulators with access to audit documentation related to such services, if requested; and has received a peer review that meets guidelines acceptable to the FDIC. Guideline 13 to Part 363 also requires accountants to agree to provide copies of audit documentation to regulators. Interpretation No. 1, "Providing Access to or Copies of Audit Documentation to a Regulator" (AICPA, Professional Standards, AU-C sec. 9230 par. .01–.15), of AU-C section 230, Audit Documentation, and AU-C section 230 provide additional information to auditors.
1.96 Enforcement actions against auditors. In August 2003, the FDIC, the OCC, the Federal Reserve, and the OTS jointly issued final rules that establish procedures under which the agencies can remove, suspend, or bar an accountant or firm from performing audit and attestation services for IDIs subject to the annual audit and reporting requirements of Section 36 of the FDI Act. The final rule can be accessed at www.fdic.gov/news/news/financial/2003/fil0366.html.
1.97 Under the final rules, certain violations of law, negligent conduct, reckless violations of professional standards, or lack of qualifications to perform auditing services may be considered good cause to remove, suspend, or bar an accountant or firm from providing audit and attestation services for institutions subject to Section 36 of the FDI Act and Part 363. In addition, the rules prohibit an accountant or accounting firm from performing these services if the accountant or firm has been removed, suspended, or debarred by one of the agencies, or if the SEC or the PCAOB takes certain disciplinary actions against the accountant or firm. The rules also permit immediate suspensions of accountants and firms in limited circumstances.
1.98 Communication with independent auditors. Section 36(h) of the FDI Act and Guideline 17 to Part 363 require an institution to provide its auditor with certain information, including copies of the institution's most recent reports of condition and examination; any supervisory memorandum of understanding or written agreement with any federal or state regulatory agency; and a report of any action initiated or taken by federal or state banking regulators.
Additional Regulatory Requirements Concerning the Sarbanes-Oxley Act, Corporate Governance, and Services Outsourced to External Auditors
1.99 In connection with the Sarbanes-Oxley Act of 2002, the SEC issued regulations implementing sections of the act, addressing various areas such as certification of financial statements, auditor independence, non-U.S. GAAP financial measures, accounting firms’ record retention, audit committees, influencing auditors, and other matters. These regulations are not unique to financial institutions. Management, the board of directors, the audit committee, and auditors generally should be aware of the requirements of the Sarbanes-Oxley Act and the implementing SEC regulations.
1.100 In addition to the previously mentioned regulations, in June 2003, the SEC adopted rules requiring companies subject to the reporting requirements of the 1934 Act, other than registered investment companies, to assess the effectiveness of their internal control and include in their annual reports a report of management on the company's internal control over financial reporting. The rule also mandates quarterly reports on changes in internal control. See paragraphs 1.102–.105 and 1.111 for additional information regarding these rules.
1.101 The banking regulatory agencies also implemented regulations in connection with the Sarbanes-Oxley Act. These regulations can affect nonpublic as well as public entities. These regulations include the following:
- On March 17, 2003, the FDIC, the OTS, the OCC, and the Federal Reserve issued Interagency Policy Statement on the Internal Audit Function and Its Outsourcing.20 This policy statement reflects the passage of the Sarbanes-Oxley Act and prohibits an external auditor from providing internal audit services during the same period for which the external auditor expresses an opinion on the financial statements. This prohibition applies to banks, savings associations, and their holding companies that
— have a class of securities registered with either the SEC or the respective savings association agency under Section 12 of the 1934 Act or are required to file reports with the SEC under Section 15(d) of that act (commonly referred to as public companies) and, therefore, required to have an external audit.
— are savings associations and banks with assets of $500 million or more that are subject to the FDIC's external audit and reporting requirements under Part 363.
— are savings associations and savings association holding companies that are required to have an external audit by their respective primary federal regulator pursuant to 12 CFR 162 (OCC), 12 CFR 238.5 (Federal Reserve), or Subpart R to 12 CFR 390 (FDIC).
For all other banks, savings associations, and their holding companies that have external audits of their financial statements but are not mandated to do so, the policy encourages such organizations to follow the internal audit outsourcing prohibition in Section 201 of the Sarbanes-Oxley Act when the SEC's regulations implementing this prohibition take effect.
- On March 5, 2003, the FDIC issued FIL-17-2003, Corporate Governance, Audits, and Reporting Requirements, and the Federal Reserve, the OCC, and the OTS, in May 2003, issued Statement on Application of Recent Corporate Governance Initiatives to Non-Public Banking Organizations. This letter and statement require or recommend that certain nonpublic financial institutions comply with certain sections of the Sarbanes-Oxley Act. Familiarity with this guidance is recommended for external auditors.
- On August 12, 2003, the FDIC, the OCC, the Federal Reserve, and the OTS jointly issued final rules that establish procedures under which the agencies could remove, suspend, or bar an accountant or firm from performing audit and attestation services for IDIs subject to the annual audit and reporting requirements of Section 36. Section 36 applies to institutions with $500 million or more in total assets.
- Effective April 1, 2003, the Federal Reserve adopted a final rule to reflect the amendments made to Section 12(i) of the 1934 Act. These amendments vest the Federal Reserve with the authority to administer and enforce several of the enhanced reporting, disclosure, and corporate governance obligations imposed by the Sarbanes-Oxley Act in respect to state member banks that have a class of securities registered under the 1934 Act.
- On June 30, 2005, the FFIEC issued the BSA/AML manual. The manual was the result of a collaborative effort of the federal banking agencies and the Treasury's FinCEN. The manual does not set new standards; instead, it is a compilation of existing regulatory requirements, supervisory expectations, and sound practices in the BSA/AML area.
- On November 28, 2005, the FDIC amended Part 363 of its regulations by raising the asset-size threshold from $500 million to $1 billion for internal control assessments by management and external auditors. For an institution with between $500 million and $1 billion in assets, the members of the audit committee of its board of directors should be outside directors, the majority of whom should be independent of management of the institution.
- In June 2009, as previously noted, the FDIC’s Board of Directors approved amendments to Part 363 of its regulations. Among other requirements, the amendments require both management’s assessment and the auditor’s report on internal control over financial reporting to disclose the internal control framework used by management and the auditor and to identify all material weaknesses that have been identified but not remediated as of the end of the institution’s fiscal year. See the following for additional information.
1.102 Sarbanes-Oxley Act Section 404 and Part 363. Public companies that are subject to Section 36 of the FDI Act and Part 363 (more than $500 million in assets) must prepare reports for the SEC, the FDIC, and other regulators that are similar in nature. Section 404(a) of the Sarbanes-Oxley Act mandates that registrants (a) take responsibility for establishing and maintaining adequate internal control structure and procedures and (b) assess their effectiveness at the end of each fiscal year. According to the SEC’s final rule Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, management generally must create a Management’s Annual Internal Control Report as part of the Annual Report. (Quarterly updating is necessary only if the internal control environment has changed or is likely to change materially.) The report must contain the following:
- A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company.
- A statement identifying the framework used by management to evaluate the effectiveness of this internal control.
- Management’s assessment of the effectiveness of internal control as of the end of the company’s most recent fiscal year, including a statement about whether internal control over financial reporting is effective.
- Disclosure of any material weaknesses. Management is not permitted to conclude that the registrant’s internal control over financial reporting is effective if there are one or more material weaknesses in the issuer’s internal control over financial reporting.
- A statement that its auditor has issued an attestation report on management’s assessment, which is normally included in the company’s annual report.
1.103 The SEC coordinated with the FDIC to eliminate any unnecessary duplication between the aforementioned requirements and Section 36 of the FDI Act and Part 363. Many internal control requirements of the Sarbanes-Oxley Act were structured after Section 36 of the FDI Act and Part 363. A comparison of the Sarbanes-Oxley and Part 363 management requirements is provided in the following table.
|Sarbanes-Oxley|FDIC Improvement Act of 1991|
|---|---|
|A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company|Insured depository institutions (IDIs) with at least $500 million in total assets, a statement of management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting (Financial reporting generally must encompass both financial statements prepared in accordance with U.S. generally accepted accounting principles and those prepared for regulatory purposes.)|
|Not required by Sarbanes-Oxley|IDIs with at least $500 million in total assets, a statement of management’s responsibility for preparing the institution’s financial statements|
|Not required by Sarbanes-Oxley|IDIs with at least $500 million in total assets, a statement of management’s responsibility for complying with designated laws and regulations relating to safety and soundness pertaining to insider loans and dividend restrictions|
|A statement identifying the framework used by management to evaluate the effectiveness of internal control over financial reporting|IDIs with $1 billion or more in total assets, a statement identifying the internal control framework used by management to evaluate the effectiveness of internal control over financial reporting|
|Management’s assessment of the effectiveness of internal control over financial reporting as of the end of the company’s most recent fiscal year|IDIs with $1 billion or more in total assets, a statement expressing management’s conclusion concerning whether internal control over financial reporting is effective as of the end of its fiscal year|
|Disclosure of any material weakness (and the related stipulation that management is not permitted to conclude that the company’s internal control over financial reporting is effective if there are one or more material weaknesses)|For IDIs with $1 billion or more in total assets, management must disclose all material weaknesses in internal control over financial reporting, if any, that it has identified that have not been remediated prior to the IDI’s fiscal year-end. Management is precluded from concluding that the institution’s internal control over financial reporting is effective if there are one or more material weaknesses|
|A statement that a registered public accounting firm has issued an attestation report on the effectiveness of internal control over financial reporting|Not required by Part 363|
|Inclusion of the registered public accounting firm’s attestation report on the effectiveness of internal control over financial reporting in the annual report|For IDIs with $1 billion or more in total assets, the management report component of the annual report must include the independent public accountant’s attestation report concerning the effectiveness of the institution's internal control structure over financial reporting|
1.104 IDIs with $1 billion or more in total assets as of the beginning of their fiscal year that are subject to both Part 363 and the SEC’s rules implementing Section 404 of the Sarbanes-Oxley Act (as well as holding companies permitted to file an internal control report on behalf of their IDI subsidiaries in satisfaction of the FDIC and SEC regulations) can choose either to prepare two separate management reports to satisfy the FDIC’s and Sarbanes-Oxley Act Section 404 requirements or to prepare a single management report that satisfies both the FDIC and Sarbanes-Oxley Act Section 404 requirements.
1.105 If a single report is prepared, it must contain the following combined requirements of the preceding chart:
- A statement of management’s responsibility for preparing the registrant’s annual financial statements, for establishing and maintaining adequate internal control over financial reporting for the registrant, and for the institution’s compliance with laws and regulations relating to safety and soundness designated by the FDIC and the appropriate federal banking agencies.
- A statement identifying the framework used by management to evaluate the effectiveness of the registrant’s internal control over financial reporting as required by the 1934 Act Rule 13a-15 or 15d-15.
- Management’s assessment of the effectiveness of the registrant’s internal control over financial reporting as of the end of the registrant’s most recent fiscal year, including a statement regarding whether or not management has concluded that the registrant’s internal control over financial reporting is effective, and of the institution’s compliance with the designated safety and soundness laws and regulations pertaining to insider loans and dividend restrictions during the fiscal year. This discussion must include disclosure of any material weakness in the registrant’s internal control over financial reporting identified by management and disclosure of any instances of noncompliance with the designated safety and soundness laws and regulations pertaining to insider loans and dividend restrictions.
- A statement that the registered public accounting firm that audited the financial statements included in the registrant’s annual report has issued an attestation report on the effectiveness of the registrant’s internal control over financial reporting.
Finally, it is important to note that the institution or holding company will have to provide the registered public accounting firm’s attestation report on management’s assessment in its annual report filed under the 1934 Act. For purposes of the report of management and the attestation report, financial reporting generally must encompass both financial statements prepared in accordance with GAAP and those prepared for regulatory reporting purposes.
1.106 Section 404(b) of the Sarbanes-Oxley Act and Part 363 require the external auditor to attest to, and publicly report on, the effectiveness of the company’s internal control and procedures for financial reporting. Section 404(b) states that any such attestation should not be the subject of a separate engagement. Auditors are expected to expand their scope in relation to internal control.
1.107 In September 2010, the SEC issued Final Rule Release No. 33-9142, Internal Control Over Financial Reporting in Exchange Act Periodic Reports of Non-Accelerated Filers, to conform its rules to Section 404(c) of the Sarbanes-Oxley Act, as added by Section 989G of the Dodd-Frank Act. Section 404(c) provides that Section 404(b) of the Sarbanes-Oxley Act should not apply with respect to any audit report prepared for an issuer that is neither an accelerated filer nor a large accelerated filer as defined in Rule 12b-2 under the 1934 Act. Prior to enactment of the Dodd-Frank Act, a nonaccelerated filer would have been required, under existing SEC rules, to include an attestation report of its registered public accounting firm on internal control over financial reporting in the filer’s annual report filed with the SEC for fiscal years ending on or after June 15, 2010. For further information on conforming changes adopted as a result of this ruling, Final Rule Release No. 33-9142 can be accessed on the SEC website at www.sec.gov. Notwithstanding the SEC’s final rule, IDIs subject to Part 363 of the FDIC’s rules and regulations must continue to comply with the requirements of Section 363.3(b) regarding the independent public accountant’s attestation report on management’s assessment of the effectiveness of internal control over financial reporting.
1.108 For an institution that is a public company or a subsidiary of a public company that is required to comply with the auditor attestation requirement of Section 404 of the Sarbanes-Oxley Act, the auditor’s report would be prepared in accordance with AS 2201.
1.109 Generally, for an institution that is not a public company or a subsidiary of a public company, the auditor’s report would be prepared in accordance with AU-C section 940.
1.110 Guideline 18A of Part 363 of the FDIC’s regulations provides additional guidance regarding the standards that auditors should follow when reporting on internal control.
1.111 Section 404 of the Sarbanes-Oxley Act does not specify where the management report might appear. However, SEC Final Rule Release No. 33-8238, Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, explains that it is important for management's report to be in close proximity to the corresponding attestation report issued by the company's registered public accounting firm. Positioning the report near the company’s Management’s Discussion and Analysis disclosure or immediately preceding the company’s financial statements would be two appropriate locations.
1.112 Banks and savings institutions often engage auditors to perform assurance services other than those required by Section 36 of the FDI Act. Such engagements may relate to the following:
- a. Student loans. Lenders participating in the Federal Family Education Loan Program may be required to engage an auditor to examine and report on management’s assertions regarding compliance with certain U.S. Department of Education requirements. This examination is performed in accordance with (i) Government Auditing Standards (also known as the Yellow Book) issued by the Comptroller General of the United States, (ii) AT-C section 315, Compliance Attestation (AICPA, Professional Standards), and (iii) the Audit Guide Compliance Audits (Attestation Engagements) for Lenders and Lender Servicers Participating in the Federal Family Education Loan Program issued by the U.S. Department of Education. This examination requirement applies to lenders with origination levels exceeding a specified dollar amount.21
- b. Federal Home Loan Mortgage Corporation (Freddie Mac) borrowings. Banks or savings institutions that are members of the Freddie Mac system may borrow from their respective district Federal Home Loan Bank. Borrowings are generally secured by the pledging of assets, often in the form of a blanket lien. The district banks maintain separate and distinct credit policies that have varying requirements concerning a member bank’s engagement of auditors to render assurance services relating to the adequacy of collateral maintenance levels. It is incumbent on the auditor to ascertain the professional standards that may be applicable to the requested services. The engagement generally takes the form of (i) an agreed-upon procedures engagement performed in accordance with AT-C section 215, Agreed-Upon Procedures Engagements (AICPA, Professional Standards), or (ii) an audit engagement performed in accordance with AU-C section 806, Reporting on Compliance With Aspects of Contractual Agreements or Regulatory Requirements in Connection With Audited Financial Statements (AICPA, Professional Standards).
- c. Loan servicing. Lenders who service mortgage loans for others may be required to engage an auditor to examine management’s assertions about compliance with minimum servicing standards set forth in the Uniform Single Attestation Program for Mortgage Bankers (USAP). Companies that are issuers or servicers, or both, of publicly registered commercial-mortgage backed securities and private label residential-mortgage backed securities must also submit reports prepared in accordance with Item 1122, Compliance with Applicable Servicing Criteria, of Regulation AB, Asset-Backed Securities, published by the SEC in 2004.22 The Item 1122 engagement largely encompasses and expands upon the USAP engagement. Both the USAP and Regulation AB are attestation engagements performed in accordance with AT-C section 315 as further described in paragraphs 4.40–.41 of this guide.
- d. U.S. Department of Housing and Urban Development (HUD) programs. To the extent that a bank or savings institution originates or services HUD loans through a subsidiary that is designated a nonsupervised mortgagee, or a supervised mortgagee, compliance with the Consolidated Audit Guide for Audits of HUD Programs is required, as further described in paragraphs 4.37–.39 of this guide.
- e. FDIC Loss Sharing Purchase and Assumption (P&A) Transactions. The FDIC’s Resolutions Handbook states that a loss sharing transaction is a P&A transaction that the FDIC commonly uses as a resolution tool for handling failed institutions with more than $500 million in assets. A P&A is a resolution transaction in which a healthy institution purchases some or all of the assets of a failed bank or thrift and assumes some or all of the liabilities, including all insured deposits. The Resolutions Handbook also states that a loss sharing P&A uses the basic P&A structure, except for the provision regarding transferred assets. Instead of selling some or all of the assets to the acquirer at a discounted price, the FDIC agrees to share in future loss experienced by the acquirer on a fixed pool of assets (covered assets). The Resolutions Handbook for P&A agreements requires that "[w]ithin 90 days after each calendar year end, the acquiring bank must furnish the FDIC a report signed by its independent public accountant containing specified statements23 relative to the accuracy of any computations made regarding shared loss assets." AICPA Technical Questions and Answers (Q&A) section 9110.16, "Example Reports on Federal Deposit Insurance Corporation Loss Sharing Purchase and Assumption Transactions" (AICPA, Technical Questions and Answers), provides examples of how the auditor might respond.