AFDI Act Reporting Requirements – Audit and Accounting Guide Depository and Lending Institutions, 2nd Edition

Appendix A
FDI Act Reporting Requirements

This appendix is nonauthoritative and is included for informational purposes only.

A.01 Section 36 of the Federal Deposit Insurance Act (FDI Act) and its implementing regulation Title 12 U.S. Code of Federal Regulations Part 363 require reports by each institution’s management and its auditors over financial statements and internal control over financial reporting. Section 36 and Part 363 also establish minimum qualifications for auditors that provide audit and attest services to insured depository institutions. Section 36 and Part 363 apply to each FDIC-insured depository institution having total assets of $500 million or greater at the beginning of its fiscal year. The requirements specified in Section 36 and Part 363 are in addition to any other statutory and regulatory requirements otherwise applicable to an insured depository institution.

A.02 Part 363 was initially adopted by the FDIC’s Board of Directors in 1993 and was most recently amended in 2013. The general requirements are summarized in the following paragraphs; the side-by-side analysis of the detailed regulation and guidelines is presented in the exhibit that follows. Each institution’s management, board of directors, and audit committee, as well as independent public accountants that provide audit and attestation services to institutions subject to Part 363 are encouraged to read and become familiar with the Part 363 regulatory text, the guidelines and interpretations in appendix A to Part 363, “Guidelines and Interpretations,” and the illustrative management reports in appendix B to Part 363, “Illustrative Management Reports,” to obtain a complete understanding of the compliance requirements of Part 363.

Part 363 Annual Reports for Institutions With $500 Million or More but Less Than $1 Billion in Total Assets

A.03 Insured depository institutions with at least $500 million but less than $1 billion in total assets are required to file a Part 363 Annual Report that must include the following:

  1. a. Audited comparative annual financial statements.
  2. b. The independent public accountant’s report on the audited financial statements.
  3. c. A management report that contains

i.  a statement of management’s responsibilities for

(1)  preparing the annual financial statements;

(2)  establishing and maintaining an adequate internal control structure over financial reporting;1 and

(3)  complying with the designated safety and soundness laws and regulations pertaining to insider loans and dividend restrictions.

ii.  an assessment by management of the institution’s compliance with the designated laws and regulations pertaining to insider loans and dividend restrictions during the year, which must state management’s conclusion regarding compliance and disclose any noncompliance with these laws and regulations. The assessment must clearly state whether the institution has or has not complied with these regulations. Disclosure is not dependent on the degree or materiality of any noncompliance. Statements such as "management believes that the institution complied, in all material respects with the designated safety and soundness laws and regulations" do not present a definitive and unconditional conclusion regarding compliance as envisioned under Part 363.

A.04 In general, an institution that is required to file, or whose parent holding company is required to file, management’s assessment of the effectiveness of internal control over financial reporting with the SEC or the appropriate federal banking agency in accordance with Section 404 of the Sarbanes-Oxley Act of 2002 must submit a copy of such assessment with its Part 363 Annual Report as additional information. However, this assessment will not be considered part of the institution’s Part 363 Annual Report.

Part 363 Annual Reports for Institutions With $1 Billion or More in Total Assets

A.05 Insured depository institutions with $1 billion or more in total assets are required to file a Part 363 Annual Report that must include the following:

  1. a. Audited comparative annual financial statements.
  2. b. The independent public accountant’s report on the audited financial statements.
  3. c. A management report that contains

i.  a statement of management’s responsibilities for

(1)  preparing the annual financial statements;

(2)  establishing and maintaining an adequate internal control structure over financial reporting;2 and

(3)  complying with the designated safety and soundness laws and regulations pertaining to insider loans and dividend restrictions.

ii.  an assessment by management on the effectiveness of the institution’s internal control structure over financial reporting as of the end of the fiscal year that must

(1)  identify the internal control framework3 used by management to evaluate the effectiveness of internal control over financial reporting;

(2)  state that the assessment included controls over the preparation of regulatory financial statements in accordance with regulatory reporting instructions and identify the regulatory reporting instructions;

(3)  state management’s conclusion regarding whether internal control over financial reporting is effective as of the institution’s fiscal year-end;4 and

(4)  disclose all material weaknesses in internal control over financial reporting, if any, that management has identified that have not been remediated prior to the institution’s fiscal year-end.

iii.  an assessment by management of the institution’s compliance with the designated laws and regulations pertaining to insider loans and dividend restrictions during the year, which must state management’s conclusion regarding compliance and disclose any noncompliance with these laws and regulations. The assessment must clearly state whether the institution has or has not complied with these regulations. Disclosure is not dependent on the degree or materiality of any noncompliance. Statements such as "management believes that the institution complied, in all material respects with the designated safety and soundness laws and regulations" do not present a definitive and unconditional conclusion regarding compliance as envisioned under Part 363.

  1. d. The independent public accountant’s attestation report concerning the effectiveness of the institution’s internal control structure over financial reporting. The accountant’s report must not be dated prior to the date of the management report and management’s assessment of the effectiveness of internal control over financial reporting and must

i.  identify the internal control framework used by the independent public accountant, which must be the same as the internal control framework used by management, to evaluate the effectiveness of the institution’s internal control over financial reporting;

ii.  state that the independent public accountant’s evaluation included controls over the preparation of regulatory financial statements in accordance with regulatory reporting instructions and identify the regulatory reporting instructions;

iii.  state the independent public accountant’s conclusion regarding whether internal control over financial reporting is effective as of the institution’s fiscal year-end;5 and

iv.  disclose all material weaknesses in internal control over financial reporting, if any, that the independent public accountant has identified that have not been remediated prior to the institution’s fiscal year-end.

Filing Deadlines for Part 363 Annual Reports

A.06 An institution shall file its Part 363 Annual Report within 120 days after the end of its fiscal year if (1) it is neither a public company nor a subsidiary of a public company or (2) it is a subsidiary of a public holding company and its consolidated total assets (or the consolidated total assets of all of its parent holding company’s insured depository institution subsidiaries) compose less than 75 percent of the consolidated total assets of the public holding company as of the beginning of its fiscal year.

A.07 An institution shall file its Part 363 Annual Report within 90 days after the end of its fiscal year if (1) it is a public company or (2) it is a subsidiary of a public holding company and its consolidated total assets (or the consolidated total assets of all of its parent holding company’s insured depository institution subsidiaries) compose 75 percent or more of the consolidated total assets of the public holding company as of the beginning of its fiscal year.

A.08 If an institution will be unable to file its Part 363 Annual Report by the specified deadline, it must submit a notification of late filing.

Other Requirements—All Institutions With $500 Million or More in Total Assets

Other Reports and Letters Issued by the Independent Public Accountant

A.09 Except for the independent public accountant’s reports that are included in its Part 363 Annual Report, each insured depository institution must file with the FDIC, the appropriate federal banking agency, and any appropriate state bank supervisor a copy of any management letter or other report issued by its independent public accountant with respect to the institution and the audit and attestation services provided by the accountant within 15 days after receipt. Such reports include, but are not limited to

  • any written communication regarding matters that the accountant is required to communicate to the audit committee (for example, critical accounting policies, alternative accounting treatments discussed with management, and any schedule of unadjusted differences).
  • any written communication of significant deficiencies and material weaknesses in internal control required by the auditing or attestation standards of the AICPA or the PCAOB, as appropriate.
  • for an institution with consolidated total assets of $500 million or more but less than $1 billion as of the beginning of its fiscal year that is (1) a public company or (2) a subsidiary of a public holding company and its consolidated total assets (or the consolidated total assets of all of its parent holding company’s insured depository institution subsidiaries) compose 75 percent or more of the consolidated total assets of the public holding company as of the beginning of its fiscal year, any report by the independent public accountant on the audit of internal control over financial reporting required by Section 404 of the Sarbanes-Oxley Act of 2002 and the PCAOB’s auditing standards.
  • for an institution that is (1) a public company or (2) a subsidiary of a public holding company and its consolidated total assets (or the consolidated total assets of all of its parent holding company’s insured depository institution subsidiaries) comprise 75 percent or more of the consolidated total assets of the public holding company as of the beginning of its fiscal year, any written communication by the independent public accountant of all deficiencies in internal control over financial reporting that are of a lesser magnitude than significant deficiencies, which is required by the PCAOB’s auditing standards.
  • for an institution that is (1) a nonpublic company or (2) a subsidiary of a nonpublic holding company and its consolidated total assets (or the consolidated total assets of all of its parent holding company’s insured depository institution subsidiaries) compose 75 percent or more of the consolidated total assets of the nonpublic holding company as of the beginning of its fiscal year, any written communication by the independent public accountant of all deficiencies in internal control over financial reporting that are of a lesser magnitude than significant deficiencies, which is required by the AICPA’s auditing and attestation standards.

Notice of Engagement, Change, Dismissal, or Resignation of Accountants

A.10 Within 15 days after a change in or the dismissal or resignation of the institution’s independent public accountant or the engagement of a new independent public accountant, the institution must file written notice with the FDIC, the appropriate federal banking agency, and any appropriate state bank supervisor. Also, within 15 days after the institution’s independent public accountant resigns or is dismissed, the independent public accountant must file written notice with the FDIC, the appropriate federal banking agency, and any appropriate state bank supervisor. These written notices should set forth in reasonable detail the reasons for the resignation or dismissal of the institution’s independent public accountant.

A.11 In this regard, before engaging an independent public accountant, the institution’s audit committee should satisfy itself that the independent public accountant is in compliance with the qualifications and other requirements applicable to independent public accountants set forth in Part 363, including the independence standards of the AICPA, the SEC, and the PCAOB. Also, the audit committee should ensure that engagement letters and any related agreements with the independent public accountant for audit and attestation services to be performed under Part 363 do not contain any limitation of liability provisions that (1) indemnify the independent public accountant against claims made by third parties; (2) hold harmless or release the independent public accountant from liability for claims or potential claims that might be asserted by the client institution, other than claims for punitive damages; or (3) limit the remedies available to the client institution.

Peer Reviews and Inspection Reports

A.12 Within 15 days of receiving notification that a peer review has been accepted or a PCAOB inspection report has been issued, or before commencing any audit or attestation service under Part 363, whichever is earlier, the independent public accountant must file two copies of its most recent peer review report and the public portion of its most recent PCAOB inspection report, if any, accompanied by any letters of comments, response, and acceptance, with the FDIC, Accounting and Securities Disclosure Section, 550 17th Street, NW, Washington, DC 20429, if the report has not already been filed. Also, within 15 days of the PCAOB making public a previously nonpublic portion of an inspection report, the independent public accountant must file 2 copies of the previously nonpublic portion of the inspection report with the FDIC.

Notification of Late Filing

A.13 An institution that is unable to timely file all or any portion of its Part 363 Annual Report or any other report or notice required to be filed by Part 363 must submit a written notice of late filing to the FDIC, the appropriate federal banking agency, and any appropriate state bank supervisor. The notice shall disclose the institution’s inability to timely file the report or notice and the reasons for the late filing in reasonable detail and state the date by which the report or notice will be filed. The written notice should be filed on or before the deadline for filing the Part 363 Annual Report or any other required report or notice, as appropriate.

Standards for Audits of Financial Statements and Internal Control Over Financial Reporting

A.14 The financial statement audit is to be performed in accordance with generally accepted auditing standards or the PCAOB’s auditing standards, if applicable and Section 37 of the FDI Act. The examination of management's assertion about the institution’s internal controls over financial reporting is to be performed in accordance with generally accepted standards for attestation engagements or the PCAOB’s auditing standards, if applicable.

General Qualifications of Auditors

A.15 To provide audit and attest services to insured depository institutions, an independent public accountant should be registered or licensed to practice as a public accountant and be in good standing under the laws of the state or other political subdivision of the United States in which the home office of the institution (or the insured branch of a foreign bank) is located. The accountant must also agree to provide regulators with copies of any working papers, policies, and procedures related to services performed under Part 363. Independent accountants should be familiar with Interpretation No. 1, "Providing Access to or Copies of Audit Documentation to a Regulator," (AICPA, Professional Standards, AU-C sec. 9230 par. .01–.15) of AU-C section 230, Audit Documentation.

A.16 The independent public accountant must comply with the independence standards and interpretations of the AICPA, the SEC, and the PCAOB. To the extent that any of the rules within any one of these independence standards (AICPA, SEC, and PCAOB) is more or less restrictive than the corresponding rule in the other independence standards, the independent public accountant must comply with the more restrictive rule.

Enforcement Actions Against Accountants

A.17 In August 2003, the FDIC, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Office of Thrift Supervision, prior to its transfer of powers to the federal banking agencies, (the agencies) jointly issued final rules that establish procedures under which the agencies can remove, suspend, or bar an accountant or firm from performing audit and attestation services for insured depository institutions subject to the annual audit and reporting requirements of Section 36 of the FDI Act. The final rule can be accessed at www.fdic.gov/news/news/financial/2003/fil0366.html.

A.18 Under the final rules, certain violations of law, negligent conduct, reckless violations of professional standards, or lack of qualifications to perform auditing services may be considered good cause to remove, suspend, or bar an accountant or firm from providing audit and attestation services for institutions subject to Section 36 of the FDI Act and Part 363. In addition, the rules prohibit an accountant or accounting firm from performing these services if the accountant or firm has been removed, suspended, or debarred by one of the agencies, or if the SEC or the PCAOB takes certain disciplinary actions against the accountant or firm. The rules also permit immediate suspensions of accountants and firms in limited circumstances.

Communication With Auditors

A.19 Section 36(h) of the FDI Act and Guideline 17 to Part 363 require an institution to provide its auditor with certain information including copies of the institution's most recent reports of condition and examination; any supervisory memorandum of understanding or written agreement with any federal or state regulatory agency; and a report of any action initiated or taken by federal or state banking regulators.

Audit Committees

A.20 Each insured depository institution is required to establish an audit committee of its board of directors, the composition of which complies with paragraphs (a)(1), (2), and (3) and (b) of Section 363.5. The duties of the audit committees shall include the appointment, compensation, and oversight of the independent public accountant who performs services required under Part 363, and review with management and the independent public accountant the basis for the reports issued under Part 363. Each insured depository institution with total assets of $1 billion or more as of the beginning of its fiscal year shall establish an independent audit committee of its board of directors, the members of which shall be outside directors who are independent of management of the institution.  Each insured depository institution with total assets of $500 million or more but less than $1 billion as of the beginning of its fiscal year shall establish an audit committee of its board of directors, the members of which shall be outside directors, the majority of whom shall be independent of management of the institution. Each insured depository institution with total assets of $3 billion or more as of the beginning of its fiscal year shall include in its audit committee members with banking or financial management expertise, have access to outside counsel, and not include any large customers of the institution. Guideline 35 to Part 363 provides transition guidance for forming and restructuring audit committees.

Audit and Reporting Requirements

A.21 Reprinted here is Part 363 of the FDIC’s rules and regulations, Part 363—Annual Independent Audits and Reporting Requirements, (left column) and appendix A to Part 363 (right column). Part 363 and appendix A were initially published in 1993. The most recent amendments to this regulation were published in 2013. Appendix B provides guidance regarding reporting scenarios that satisfy the annual reporting requirements of Part 363, illustrative management reports, and an illustrative cover letter for use when an institution complies with the annual reporting requirements at the holding company level.6

TABLE 1 TO APPENDIX A
Designated Federal Laws and Regulations Applicable to:

                                                                          National
    Banks    
State
Member

    Banks    
State
Nonmember

    Banks    
Savings
    Associations    
Insider Loans—Parts and/or Sections of Title 12 of the United States Code
375a Loans to Executive Officers of Banks (A) (A)
375b Extensions of Credit to Executive Officers, Directors, and Principal Shareholders of Banks (A) (A)
1468(b) Extensions of Credit to Executive Officers, Directors, and Principal Shareholders ............... ............... ...............
1828(j)(2) Extensions of Credit to Officers, Directors, and Principal Shareholders ............... ............... ...............
1828(j)(3)(B) Extensions of Credit to Officers, Directors, and Principal Shareholders (B) ............... (C) ...............
Parts and/or Sections of Title 12 of the Code of Federal Regulations
31 Extensions of Credit to Insiders ............... ............... ...............
32 Lending Limits ............... ............... ...............
215 Loans to Executive Officers, Directors, and Principal Shareholders of Member Banks (D) (E)
337.3 Limits on Extensions of Credit to Executive Officers, Directors, and Principal Shareholders of Insured Nonmember Banks ............... ............... ...............
563.43 Loans by Savings Associations to Their Executive Officers, Directors, and Principal Shareholders ............... ............... ...............
Dividend Restrictions—Parts and/or Sections of Title 12 of the United States Code
56 Prohibition on Withdrawal of Capital and Unearned Dividends ............... ...............
60 Dividends and Surplus Fund ............... ...............
1467a(f) Declaration of Dividends ............... ............... ...............
1831o(d)(1) Prompt Corrective Action—Capital Distributions Restricted
Parts and/or Sections of Title 12 of the Code of Federal Regulations
5 Subpart E Payment of Dividends ............... ............... ...............
6.6 Prompt Corrective Action—Restrictions on Undercapitalized Institutions ............... ............... ...............
208.5 Dividends and Other Distributions ............... ............... ...............
208.45 Prompt Corrective Action—Restrictions on Undercapitalized Institutions ............... ............... ...............
325.105 or 324.403, as applicable Prompt Corrective Action—Restrictions on Undercapitalized Institutions ............... ............... ...............
563 Subpart E Capital Distributions ............... ............... ...............
565.6 Prompt Corrective Action—Restrictions on Undercapitalized Institutions ............... ............... ...............
                                   

(A) Subsections (g) and (h) of section 22 of the Federal Reserve Act [12 U.S.C. 375a, 375b].

(B) Applies only to insured Federal branches of foreign banks.

(C) Applies only to insured State branches of foreign banks.

(D) See 12 CFR 337.3.

(E) See 12 CFR 563.43.

Notes

__________________________