Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official. 
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
Https
The site is secure. 
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
Corporate Governance and Auditing Programs

Part 363 — Summary Of Filing Requirements

Section 36 of the Federal Deposit Insurance Act (FDI Act) and Part 363 of the FDIC’s regulations impose annual audit and reporting requirements on insured depository institutions (institutions) with $500 million or more in consolidated total assets. Because Section 36 was added to the FDI Act by Section 112 of the Federal Deposit Insurance Corporation Improvement Act (FDICIA), these annual audit and reporting requirements are often referred to as the “FDICIA requirements.”
The following information is an overview of the annual and certain other reporting requirements of Part 363. The management, board of directors, and audit committee of each institution subject to Part 363 and independent public accountants that provide audit services to institutions subject to Part 363 are encouraged to read and become familiar with the Part 363 regulatory text, the Guidelines and Interpretations in Appendix A of Part 363, and the Illustrative Management Reports in Appendix B of Part 363 to obtain a complete understanding of the compliance requirements of Part 363.

COVID-19-Related Relief

The information below addressing Part 363 Annual Report Requirements and Other Reporting Requirements provides an overview of the general requirements of Part 363, including those involving asset thresholds and filing deadlines. The FDIC has issued COVID-19-related relief regarding both the measurement of consolidated total assets to be used for determining whether various sections of Part 363 apply to an individual insured depository institution (IDI) and the filing deadlines associated with the Part 363 Annual Report. Institutions with consolidated total assets approaching or exceeding the $500 million and $1 billion thresholds are encouraged to familiarize themselves with these relief provisions in conjunction with the general requirements summarized below.

Asset Thresholds – The FDIC issued an interim final rule (IFR) effective October 23, 2020, to provide relief to those institutions that experience temporary asset growth as a result of participation in various COVID-19-related government stimulus efforts. Some IDIs have experienced increases to their consolidated total assets as a result of large cash inflows resulting from participation in the Paycheck Protection Program, the Money Market Mutual Fund Liquidity Facility, the Paycheck Protection Program Liquidity Facility, and the effects of other government stimulus efforts. Since these inflows may be temporary, but are significant and unpredictable, the IFR allows IDIs to determine the applicability of Part 363 for fiscal years ending in 2021 based on the lesser of their consolidated total assets as of December 31, 2019, or consolidated total assets as of the beginning of their fiscal years ending 2021. Notwithstanding any temporary relief provided by the IFR, an IDI would continue to be subject to any otherwise applicable statutory and regulatory audit and reporting requirements. The IFR also reserves the FDIC’s authority to require an IDI to comply with one or more requirements of Part 363 if the FDIC determines that asset growth was related to a merger or acquisition. On December 22, 2020, the FDIC provided information as to how it intends to exercise this reservation of authority, including factors it will consider in the process, in Information Regarding the FDIC’s Reservation of Authority for Determining Part 363 Compliance Requirements for Insured Depository Institutions (FIL-116-2020). IDIs that have experienced temporary asset growth are encouraged to review the IFR when determining whether consolidated total asset thresholds have been met.

Filing Deadlines – The FDIC issued the Statement on Filing Reports Required by Part 363 of the FDIC Rules and Regulations in Response to the Coronavirus on March 27, 2020. The Statement indicates that the FDIC will not take action against an IDI if the Part 363 Annual Report is submitted with 45 days of the IDI’s respective 90- or 120-day filing deadline. If an IDI is not able to file the Part 363 Annual Report within the 45-day extended timeframe, the FDIC will not take action against the IDI if it files the required notification of late filing within 45 days of its respective 90- or 120-day filing deadline. IDIs that may not be able to file the Part 363 Annual Report within the 45-day extended timeframe are encouraged to review the Statement.

Part 363 Annual Report Requirements

The following information is intended to clarify what must be included in a Part 363 Annual Report for (1) institutions with $500 million or more but less than $1 billion in consolidated total assets and (2) institutions with $1 billion or more in consolidated total assets. Other requirements that are applicable to all institutions subject to Part 363 also are discussed. With certain exceptions, the Part 363 annual reporting requirements may be satisfied by an institution’s holding company if services and functions comparable to those required of the institution are provided at the holding company level. An institution’s total assets are measured as of the beginning of its fiscal year.

Part 363 Annual Reports for Institutions with $500 Million or More but Less Than $1 Billion in Consolidated Total Assets

The Part 363 Annual Report for institutions with at least $500 million but less than $1 billion in consolidated total assets must include the following:

  1. Audited comparative annual financial statements;
  2. The independent public accountant’s report on the audited financial statements;
  3. A management report that contains:
    1. A statement of management’s responsibilities for:
      1. Preparing the annual financial statements;
      2. Establishing and maintaining an adequate internal control structure over financial reporting1; and
      3. Complying with the designated safety and soundness laws and regulations pertaining to insider loans and dividend restrictions; and
    2. An assessment by management of the institution’s compliance with the designated laws and regulations pertaining to insider loans and dividend restrictions during the year, which must state management’s conclusion regarding compliance and disclose any noncompliance with these laws and regulations.

In general, an institution that is required to file, or whose parent holding company is required to file, management’s assessment of the effectiveness of internal control over financial reporting with the Securities and Exchange Commission (SEC) or the appropriate federal banking agency in accordance with Section 404 of the Sarbanes-Oxley Act of 2002 must submit a copy of such assessment with its Part 363 Annual Report as additional information. However, this assessment is not considered part of the institution’s Part 363 Annual Report.

Part 363 Annual Reports for Institutions with $1 Billion or More in Consolidated Total Assets

The Part 363 Annual Report for institutions with $1 billion or more in consolidated total assets must include the following:

  1. Audited comparative annual financial statements;
  2. The independent public accountant’s report on the audited financial statements;
  3. A management report that contains:
    1. A statement of management’s responsibilities for:
      1. Preparing the annual financial statements;
      2. Establishing and maintaining an adequate internal control structure over financial reporting2; and
      3. Complying with the designated safety and soundness laws and regulations pertaining to insider loans and dividend restrictions;
    2. An assessment by management of the institution’s compliance with the designated laws and regulations pertaining to insider loans and dividend restrictions during the year, which must state management’s conclusion regarding compliance and disclose any noncompliance with these laws and regulations; and

    3. An assessment by management of the effectiveness of the institution’s internal control structure over financial reporting as of the end of the fiscal year; and
  4. The independent public accountant’s report on the effectiveness of the institution’s internal control structure over financial reporting3. The accountant’s report must not be dated prior to the date of the management report and management’s assessment of the effectiveness of internal control over financial reporting.

Management’s assessment of the effectiveness of internal control over financial reporting must:
 

  • Identify the internal control framework4 used by management to evaluate the effectiveness of internal control over financial reporting;
  • State that the assessment included controls over the preparation of regulatory financial statements in accordance with regulatory reporting instructions and identify the regulatory reporting instructions;
  • State management’s conclusion as to whether internal control over financial reporting is effective as of the institution’s fiscal year-end5; and
  • Disclose all material weaknesses in internal control over financial reporting, if any, that management has identified that have not been remediated prior to the institution’s fiscal year end.

The independent public accountant’s report on the effectiveness of the institution’s internal control over financial reporting must:
 

  • Identify the internal control framework used by the independent public accountant, which must be the same as the internal control framework used by management, to evaluate the effectiveness of the institution’s internal control over financial reporting;
  • State that the independent public accountant’s evaluation included controls over the preparation of regulatory financial statements in accordance with regulatory reporting instructions and identify the regulatory reporting instructions;
  • State the independent public accountant’s conclusion as to whether internal control over financial reporting is effective as of the institution’s fiscal year-end6; and
  • Disclose all material weaknesses in internal control over financial reporting, if any, that the independent public accountant has identified that have not been remediated prior to the institution’s fiscal year-end.

Filing Deadlines for Part 363 Annual Reports

An institution shall file its Part 363 Annual Report within 120 days after the end of its fiscal year if (1) it is neither a public company nor a subsidiary of a public company7 or (2) it is a subsidiary of a public holding company and its consolidated total assets (or the consolidated total assets of all of its parent holding company’s insured depository institution subsidiaries) comprise less than 75 percent of the consolidated total assets of the public holding company as of the beginning of its fiscal year.

An institution shall file its Part 363 Annual Report within 90 days after the end of its fiscal year if (1) it is a public company or (2) it is a subsidiary of a public holding company and its consolidated total assets (or the consolidated total assets of all of its parent holding company’s insured depository institution subsidiaries) comprise 75 percent or more of the consolidated total assets of the public holding company as of the beginning of its fiscal year.

If an institution will be unable to file its Part 363 Annual Report by the specified deadline, it must submit a notification of late filing, which is discussed below.


Other Reporting Requirements – All Institutions with $500 Million or More in Consolidated Total Assets

Other Reports and Letters Issued by the Independent Public Accountant

Except for the independent public accountant’s reports that are included in its Part 363 Annual Report, each institution must file with the FDIC, the appropriate federal banking agency, and any appropriate state bank supervisor a copy of any management letter or other report issued by its independent public accountant with respect to the institution and the audit services provided by the accountant within 15 days after receipt. Such reports include, but are not limited to:

  • Any written communication regarding matters that the accountant is required to communicate to the audit committee (for example, critical accounting policies, alternative accounting treatments discussed with management, any schedule of unadjusted differences, and relationships that bear on the accountant’s independence);
  • Any written communication of significant deficiencies and material weaknesses in internal control required by the auditing standards of the American Institute of Certified Public Accountants (AICPA) or the Public Company Accounting Oversight Board (PCAOB), as appropriate;
  • For an institution with consolidated total assets of $500 million or more but less than $1 billion as of the beginning of its fiscal year that is (1) a public company or (2) a subsidiary of a public holding company and its consolidated total assets (or the consolidated total assets of all of its parent holding company’s insured depository institution subsidiaries) comprise 75 percent or more of the consolidated total assets of the public holding company as of the beginning of its fiscal year, any report by the independent public accountant on the audit of internal control over financial reporting required by Section 404 of the Sarbanes-Oxley Act of 2002 and the PCAOB’s auditing standards;
  • Any written communication by the independent public accountant of all deficiencies in internal control over financial reporting that are of a lesser magnitude than significant deficiencies required by the AICPA’s auditing standards or the PCAOB’s auditing standards.

Notice of Engagement, Change, Dismissal, or Resignation of Accountants

Within 15 days after a change in or the dismissal or resignation of an institution’s independent public accountant or the engagement of a new independent public accountant, the institution must file written notice with the FDIC, the appropriate federal banking agency, and any appropriate state bank supervisor. Also, within 15 days after the institution’s independent public accountant resigns or is dismissed, the independent public accountant must file written notice with the FDIC, the appropriate federal banking agency, and any appropriate state bank supervisor. These written notices should set forth in reasonable detail the reasons for the resignation or dismissal of the institution’s independent public accountant.

In this regard, before engaging an independent public accountant, the institution’s audit committee should satisfy itself that the independent public accountant is in compliance with the qualifications and other requirements applicable to independent public accountants set forth in Part 363, including the independence standards of the AICPA, the SEC, and the PCAOB, regardless of whether the institution or its parent holding company, if any, is a public company. Also, the audit committee should ensure that engagement letters and any related agreements with the independent public accountant for audit services to be performed under Part 363 do not contain any limitation of liability provisions that: (1) indemnify the independent public accountant against claims made by third parties; (2) hold harmless or release the independent public accountant from liability for claims or potential claims that might be asserted by the client institution, other than claims for punitive damages; or (3) limit the remedies available to the client institution.

Peer Reviews and Inspection Reports

Within 15 days of receiving notification that a peer review has been accepted or a PCAOB inspection report has been issued, or before commencing any audit or attestation service under Part 363, whichever is earlier, an independent public accountant must file two copies of its most recent peer review report and the public portion of its most recent PCAOB inspection report, if any, accompanied by any letters of comments, response, and acceptance, with the FDIC, Accounting and Securities Disclosure Section, 550 17th Street, NW, Washington, DC 20429, if the report has not already been filed. Also, within 15 days of the PCAOB making public a previously nonpublic portion of an inspection report, the independent public accountant must file two copies of the previously nonpublic portion of the inspection report with the FDIC’s Accounting and Securities Disclosure Section.

Notification of Late Filing

An institution that is unable to timely file all or any portion of its Part 363 Annual Report or any other report or notice required to be filed by Part 363 must submit a written notice of late filing to the FDIC, the appropriate federal banking agency, and any appropriate state bank supervisor. The notice shall disclose the institution’s inability to timely file the report or notice and the reasons for the late filing in reasonable detail and state the date by which the report or notice will be filed. The written notice should be filed on or before the deadline for filing the Part 363 Annual Report or any other required report or notice, as appropriate.

Place for Filing Reports and Notices

Except for the peer review reports and inspection reports discussed above, the Part 363 Annual Report, any written notification of late filing, and any other required report or notice should be filed as follows:
 

  1. FDIC: Voluntarily file electronically through FDICconnect – Supervisory Business Center. Otherwise, file copies with the appropriate FDIC Division of Risk Management Supervision Regional or Area Office, i.e., the FDIC Regional or Area Office in the FDIC Region or Area that is responsible for monitoring the institution or, in the case of a subsidiary institution of a holding company, the consolidated company. A filing made on behalf of several institutions subject to Part 363 that are owned by the same parent holding company should be accompanied by a transmittal letter identifying all of the institutions within the scope of the filing.
  2. Office of the Comptroller of the Currency (OCC): Appropriate OCC Supervisory Office.
  3. Federal Reserve: Appropriate Federal Reserve District Bank.
  4. State bank supervisor: The filing office of the appropriate state bank supervisor.

Helpful Links:



 

  • 1

    For purposes of Part 363, financial reporting encompasses both financial statements prepared in accordance with generally accepted accounting principles and those prepared for regulatory reporting purposes.

  • 2

    See footnote 1.

  • 3

    For periods ending on or after December 15, 2016, auditors of nonpublic banks and nonpublic holding companies must comply with the internal control over financial reporting requirements of Part 363 by performing integrated audits in accordance with Statement on Auditing Standards No. 130.

  • 4

    For example, in the United States, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission has published Internal Control – Integrated Framework, including an addendum on safeguarding assets. Known as the COSO report, this publication provides a suitable and available framework for purposes of management’s assessment.

  • 5

    If one or more material weaknesses have been identified, but not remediated, before the institution’s fiscal year-end, management must conclude that internal control over financial reporting is ineffective as of year-end.

  • 6

    If one or more material weaknesses have been identified, but not remediated, before the institution’s fiscal year-end, the independent public accountant must conclude that internal control over financial reporting is ineffective as of year-end.

  • 7

    As defined in Section 363.1(d)(4) of the FDIC’s regulations, a "public company" is an insured depository institution or other company that has a class of securities registered with the U.S. Securities and Exchange Commission or the appropriate Federal banking agency under Section 12 of the Securities Exchange Act of 1934. A "nonpublic company" is an insured depository institution or other company that does not meet the definition of a public company. The term "public company" for purposes of Part 363 is not synonymous with the term "public business entity" as defined in U.S. generally accepted accounting principles.

Last Updated: August 3, 2024