Financial Services

The FDIC and Part 363:
Flexibility Without Forbearance

December 12, 2005

By Christopher C. Gallagher*


The FDIC has amended Part 363's annual reporting requirement, raising the asset size for certain costly compliance headaches from $500 million to $1 billion, while relaxing the eligibility criteria for audit committee membership. And, by timing its effective date, the change has been made retroactive. This change does not affect institutions covered by Sarbanes-Oxley, but it demonstrates the FDIC's willingness to "walk the walk" by addressing competitive community bank compliance costs and leaving a door open for more change when or if the SEC Rules for Sarbanes-Oxley covering smaller, publicly traded institutions (now on hold) are also modified.

This again confirms FDIC's commitment to community banking, evidenced already by the John Reich Community Bank Study, Basel 1A, and ex-Chairman Powell's recent initiative to preserve the viability of the dual banking system. It appears that the Corporation will continue to pursue regulatory burden relief that recognizes the unique benefits of community banks by providing needed flexibility without promoting forbearance that might threaten safety and soundness. Accordingly, the FDIC has earned the respect and gratitude of all who strive to support the continued viability of community banking.

The Change

Success in competitive markets requires efficiency in pricing, brand projection, staffing, product and service delivery, and capital deployment. In some markets, however, success in these areas is still not enough to survive and thrive. In banking, these operational and financial efficiencies also must be meshed with supervisory oversight and compliance-activity that can significantly retard efficiency. Supersized and regional banks can better absorb such burden by spreading it across a wider array of products and services. Smaller community banks must allocate compliance cost among fewer products, services, and customers. When it comes to compliance cost and efficiencies, size matters.

These disparate costs pose a significant and continuous competitive challenge for community banks. In response, some simplify their operations, limiting their products and services to avoid the cost and complexity of matching them with effective internal controls. But this approach can cost them capacity to meet customer needs. Others cling to the old tradition, where compliance represented a "compromise" between squabbling internal departments. But layering compliance on top of operations is dangerously expensive. The most efficient approach is to weave effective internal controls into line operations.This is harder to accomplish, but worth it in the long run. In today's highly competitive financial services arena, however, every community bank must be concerned about the competitive implications of disparate cost impact. So, when federal regulators recognize and respond to this problem, there is reason to rejoice.

The Outcome

Effective December 28, 2005, the FDIC has amended the annual report section of Part 363 (which implements Section 36 of FDICIA). Raising the asset-size threshold from $500 million to $1 billion, the Corporation has provided new relief from existing requirements for management assessments of internal controls and external auditor attestation. This will enhance the operating efficiency of affected "nonpublic" banking institutions that are not otherwise covered by Sarbanes-Oxley. American Banker gave scant, sidebar coverage to this event; but its significance is not lost on those who care about community banking, especially if there is "more to come," as hinted at in the text.

The Way It Was

All banks must maintain an effective internal controls structure. But now, in their annual audit, external auditors not only must review this control system and report on it to the audit committee, the management of banks covered by Part 363 also must assess and certify the effectiveness of the bank's procedures for financial reporting. The external auditors must then examine and attest to management's assertions that such internal controls are effective, reviewing both the system and bank management's review process. This "belt and suspenders" exercise is both expensive and disruptive. Worse, locating such audit assistance can be difficult.

Part 363 now requires that bank board audit committees be comprised entirely of outside directors who are "independent of management" of the bank. Section 36 of FDICIA, the statutory basis for Part 363 (and the statutory stalking-horse for Sarbanes-Oxley), gives the FDIC discretion to select an asset-size threshold of $150 million or more. In 1993, when it enacted Part 363, the FDIC selected the $500 million asset-size level. Relief for some is in sight.

The New Rule

Effective December 28, 2005, the threshold has been raised to $1 billion for annual reporting of internal control "assessments" by management and "attestations" by external auditors. For institutions between $500 million and $1 billion, it also allows a majority of the audit committee to be "independent of management" while providing for a hardship exemption to that requirement. All audit committee members must still be outside directors and must always exercise "independent judgment." Moreover, the effective date was carefully chosen to provide this relief to banks whose fiscal year ended September 30th.

The Process

The Supplementary Information section of the Final Rule provides a window into the FDIC's concern with regulatory burden on community banks. It is well worth a read. The elimination of the double assessment and attestation process speaks for itself. The audit committee discussion in particular is quite revealing. It should be required reading for all bank board members.

Addressing the plight of those banks unable to find audit committee members who fit the requirements of Part 363, the FDIC originally proposed a good faith standard that would have completely opened audit committee membership to outside directors who have "independent judgment" but are not necessarily "independent of management." This would have allowed legal counsel or other qualified consultants (or even management relatives) to serve. In a thoughtful response to one comment, the proposed "good faith" criterion was replaced with a hardship exemption. Expressly noting the unique characteristics of community banks, the FDIC chose "not to restrict institutions or itself to a specific list" of criteria that would constitute good faith. It favored regulatory flexibility.

The Conference of State Bank Supervisors (CSBS) submitted commentary acknowledging the problem of finding qualified persons willing and able to serve, but for safety and soundness reasons, preferred that for $500 million to $1 billion banks, the "independent of management" criterion apply to the audit committee chair and a majority of its membership. In response, the FDIC modified its initial proposal by accepting CSBS's majority of membership requirement, reserving hardship exemption authority to each appropriate federal banking agency "by order or regulation."

It seems ironic in today's banking environment that CSBS would be seeking less relief from regulatory burden rather than more. State banking supervisors face a shrinking constituency caused in part by the uneven competitive impacts of regulations like Part 363. As the FDIC indicates, (in its discussion of an even more rigid position suggested by FDIC's Office of Inspector General) a federal banking agency (and presumably its state counterparts) is always free to address identified weaknesses in any situation with appropriate added requirements, including the need for management assessments, external auditor attestations, and greater independence of management for any board or audit committee member. But the FDIC found no reason to tie its own hands. Since FDIC shares supervision of non-member banks with state supervisors, it appears to have compromised with its state-based regulatory partners. For its thoughtful efforts to impose more flexibility into the supervisory process, the FDIC deserves the gratitude of all who care about the long-term viability of smaller community banks, including, we presume, those state bank supervisors concerned about constituency shrinkage caused by conversions to federal charter and creeping consolidation.

It is important to note what has not been changed in Part 363's annual report. Banks must still include audited financials, statements of management's responsibilities, assessments of the bank's compliance with laws and regulations, and an auditors' report on the financial statement. There has been no change in the continuing requirement that all banks maintain an effective internal control structure. So while the "suspenders" of account attestations may be removed for some, the "belt" of effective internal controls over financials, operations, and compliance is still required. And the FDIC did not rule out, when appropriate, the imposition of more stringent requirements relative to external audit attestation and management assessment.

Most importantly, the FDIC has again demonstrated that it is sincere about mitigating the competitive plight of its non-member banks, moving towards flexibility without offering forbearance and without sacrificing safety and soundness. It also has gently tugged its sister supervisor in the CSBS in a better direction, hinting that it will do more (if it can) for similarly situated banks now covered by Sarbanes-Oxley. The number of institutions affected by this change may be small. But the impact of the Corporation's clear choices, confirmed by its express reasoning, will be larger. The Powell-Reich FDIC was clearly headed in the right direction. Community bankers can only hope that what began under their leadership will be continued by those who follow.

* Christopher C. Gallagher is admitted in New Hampshire.

Return to Financial Services articles
Return to Resources index

You may contact
the author at