SUPPORTING STATEMENT
FINAL RULE
ON ANNUAL AUDIT AND REPORTING REQUIREMENTS (PART 363) AND RELATED TECHNICAL AMENDMENTS TO PART 308, SUBPART U
3064-0113
A. Justification
1. Circumstances and Need.
Section 36 of the Federal Deposit Insurance Act (FDI Act) and the FDIC’s implementing regulations (Part 363) are generally intended to facilitate early identification of problems in financial management at insured depository institutions with total assets above certain thresholds through annual independent audits, assessments of the effectiveness of internal control over financial reporting and compliance with designated laws and regulations, the establishment of independent audit committees, and related reporting requirements. The asset-size threshold for internal control assessments and certain audit committee membership requirements is $1 billion and the threshold for the other requirements is $500 million. Given changes in the industry; certain sound audit, reporting, and audit committee practices incorporated in the Sarbanes-Oxley Act of 2002 (SOX); and the FDIC’s experience in administering Part 363 of its regulations, this final rule amends Part 363 and makes conforming changes to Part 308 to further the objectives of Section 36 by incorporating these sound practices into Part 363 and to provide clearer and more complete guidance to institutions and independent public accountants concerning compliance with the requirements of Section 36 and Part 363.
The most significant substantive revisions included in the final rule: (1) extend the time period for a non-public institution to file its Part 363 Annual Report by 30 days and replace the 30-day extension of the filing deadline that may be granted if an institution (public or non-public) is confronted with extraordinary circumstances beyond its reasonable control with a late filing notification requirement that would have general applicability; (2) provide relief from the annual reporting requirements for institutions that are merged out of existence before the filing deadline; (3) provide relief from reporting on internal control over financial reporting for businesses acquired during the fiscal year; (4) require management’s assessment of compliance with the laws and regulations pertaining to insider loans and dividend restrictions to state management’s conclusion regarding compliance and disclose any noncompliance with such laws and regulations; (5) require an institution’s management and the independent public accountant to identify the internal control framework used to evaluate internal control over financial reporting and disclose all identified material weaknesses that have not been corrected prior to the institution’s fiscal year-end; (6) clarify the independence standards with which independent public accountants must comply and enhance the enforceability of compliance with these standards; (7) specify that the duties of the audit committee include the appointment, compensation, and oversight of the independent public accountant, including ensuring that audit engagement letters do not contain unsafe and unsound limitation of liability provisions; (8) require certain communications by independent public accountants to audit committees; (9) establish retention requirements for audit working papers; (10) require boards of directors to adopt written criteria for evaluating an audit committee member’s independence and provide expanded guidance for boards of directors to use in determining independence; (11) provide that ownership of 10 percent or more of any class of voting securities of an institution is not an automatic bar for considering an outside director independent of management; (12) require the total assets of a holding company’s insured depository institution subsidiaries to comprise 75 percent or more of the holding company’s consolidated total assets in order for an institution to be eligible to comply with Part 363 at the holding company level; and (13) provide illustrative management reports to assist institutions in complying with the annual reporting requirements.
The principal revisions that bear on the collection of information under Part 363 are: (1) the extension of the filing deadline for the Part 363 Annual Report from 90 to 120 days after the end of the fiscal year for an institution that is not a public company or a subsidiary of a public company, (2) the replacement of 30-day extension requests (when an institution is confronted with extraordinary circumstances beyond its reasonable control) with late filing notices (regardless of the reason), (3) the modification of the criteria governing the acceptability of reports at the holding company level rather than at the institution level, (4) the expanded guidance on the content of the management report and the independent public accountant’s internal control attestation report, (4) the board of directors’ use of an approved set of written criteria for determining whether an audit committee member is an outside director and is “independent of management,” and (5) the new guidelines for institutions merged out of existence and for internal control reports for acquired businesses.
2. Use of Information Collected
The currently approved collection of information requires each insured depository institution which has consolidated total assets of $500 million or more to:
file an annual report with the FDIC and its appropriate federal and state banking regulators that includes audited financial statements, a statement of management’s responsibilities, and an assessment by management of compliance with designated laws and regulations,
notify the FDIC when it selects or changes its independent public accountant, and
file any management letter, qualification, and other report issued by the independent public accountant pertaining to its financial reporting.
In addition, the annual report filed by an insured depository institution which has total assets of $1 billion or more must include an assessment by management of the effectiveness of internal control over financial reporting and an auditor’s attestation report on internal control over financial reporting.
An interagency Policy Statement on External Auditing Programs of Banks and Savings Associations was approved on October 15, 1999. The Policy Statement encourages institutions with assets less than $500 million to adopt an annual external auditing program, preferably a financial statement audit by an independent public accountant.
a. Insured Institutions with consolidated total assets of $500 million or more.
The information collected in the Part 363 Annual Report, other reports, and the notice of selection or change in accountant is used by the FDIC and other federal and state banking agencies for supervisory/surveillance, regulatory, and informational purposes. The information is used in the offsite evaluation of the institutions and to determine the frequency and scope of examinations. The Part 363 Annual Reports are also available to the public.
b. Insured Institutions with assets less than $500 million.
The information provided in the external auditor’s report and the notice of selection or change in external auditor is used by the FDIC and other federal and state banking agencies for supervisory/ surveillance, regulatory, and informational purposes. The information is used in the offsite evaluation of the institutions and to determine the frequency and scope of examinations.
3. Use of Technology to Reduce Burden
The information is not collected electronically.
4. Efforts to Identify Duplication
a. Insured Institutions with assets of $500 million or more.
The collection requirements parallel the statutory language of Section 36. Much of the information in the annual report and notice of selection or change in accountant is currently required to be filed by institutions and holding companies registered under the Securities Exchange Act of 1934 (public companies) with the appropriate federal banking agency or the Securities and Exchange Commission (SEC). The requirements of Part 363 were developed so that institutions that are public companies or subsidiaries of public companies will be able to file identical information with the SEC and the FDIC, supplemented by the additional information required by the differing statutory mandates.
b. Insured Institutions with assets of less than $500 million.
For institutions registered under the Securities Exchange Act of 1934 with the appropriate federal banking agency, the information requested, such as the auditor’s report and any notice of selection or change in accountant, is currently required to be filed. Other institutions are requested to submit the report that they obtain from the performance of their external auditing program and a notice of any change in auditors. However, they are not required to file any specific type of report, and may use the report required by the state or their by-laws under certain circumstances.
5. Minimizing the Burden on Small Institutions
The SBA defines “small” banks as those with assets of $165 million or less. All small institutions (in fact, all institutions with less than $500 million in assets) are exempt from Part 363. However, with the Policy Statement, the agencies recommend that even small institutions consider their need for an external auditing program and record the rationale for their decision regarding it. Unless required to do so under another law or regulation, obtaining an external audit is voluntary for small institutions under the Policy Statement. The burden estimates for this collection take account of the small institutions that file voluntarily.
6. Consequences of Less Frequent Collections
The frequency of collection is consistent with the statutory mandate in Section 36 of the FDI Act. Less frequent collection would result in non-compliance with the law. For institutions not subject to Section 36, an annual external auditing program is consistent with longstanding commercial practices in the banking industry.
7. Special Circumstances
None.
8. Consultation with Persons Outside the FDIC
This collection was developed through extensive consultation with the other financial institutions regulators, and its requirements were not finalized until after the notice-and-comment rulemaking process had been completed.
9. Payment or Gift to Respondents
Not applicable.
10. Confidentiality
Part 363 Annual Reports are available to the public. Other reports and notices filed under Part 363 and reports and notices filed under the Policy Statement are afforded confidential treatment.
11. Information of a Sensitive Nature
No questions of a sensitive nature are included in the collection.
12. Estimates of Annual Burden
a. FDIC-Supervised Institutions with assets of $1 billion or more.
Number of Respondents: 296
Annual Responses: 1,038
Annual Burden Hours: 67,525
b. FDIC-Supervised Institutions with assets of $500 million or more but less than $1 billion.
Number of Respondents: 377
Annual Responses: 1,529
Annual Burden Hours: 12,400
c. FDIC-Supervised Institutions with assets less than $500 million.
Number of Respondents: 4,532
Annual Responses: 13,596
Annual Burden Hours: 3,399
Total number of respondents: 5,205
Total annual responses: 16,163
Total annual burden hours: 83,324
13 Estimates of Annualized Cost.
None.
14. Estimates of Cost to the Government
a. FDIC-Supervised Institutions with assets of $500 million or more.
The FDIC estimates that it will spend approximately 8 hours having the professional staff (average $38 per hour) review this information and 2 hours on clerical functions (average $22 per hour). With 673 respondents, the annual cost to the government is approximately $234,204.
b. FDIC-Supervised Institutions with assets of less than $500 million or more.
The FDIC estimates that it will spend approximately 4 hours having the professional staff (average $38 per hour) review this information and 1 hour on clerical functions (average $22 per hour). With 4,532 respondents, the annual cost to the government is approximately $788,568.
The total annual cost to the government for all FDIC-supervised institutions, 5,205 respondents, is estimated to be $1,022,772.
15. Reason for Change in Burden
There is no change in burden. On October 6, 2008, FDIC requested OMB approval for the renewal of the then currently approved information collection, which was to expire on October 31, 2008. To insure that the most reliable revised estimate of burden was provided with this October 2008 renewal request, FDIC adopted the estimated burden set forth in the proposed rule amending Part 363; thereby taking into account the effect of all the paperwork related revisions set forth in the proposed rule. OIRA approved the revised information collection on November 20, 2008. The final rule restates the paperwork related provisions in the proposed rule and makes no change to the burden estimate. Accordingly the final rule does not change the burden estimate set forth in the currently approved information collection.
16. Publication
The reports and notices filed with the FDIC are not published. The information is retained in the files of the Regional Offices of the Division of Supervision and Consumer Protection, FDIC. Part 363 Annual Reports are available to the public.
17. Display of Expiration Dates
Not Applicable.
18. Exceptions to Certification
None.
B. STATISTICAL METHODS
Statistical methods are not employed in this collection.
Attachments
1. Section 36 of the Federal Deposit Insurance Act (12 U.S.C. 1831m).
2. 60-day and 30-day Notices for October 2008 Renewal of Collection
3. Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations.
4. Final Rule on Annual Audit and reporting Requirements (Part 363) and Related Technical Amendments to Part 308, Subpart U
| File Type | application/msword |
| File Title | SUPPORTING STATEMENT |
| Author | HMessite |
| Last Modified By | hmessite |
| File Modified | 2009-06-19 |
| File Created | 2009-06-08 |