FDICIA readiness: What you need to know and next steps

FDICIA compliance essentials for banks nearing key asset thresholds

January 07, 2026

Executive summary–FDICIA compliance guide: Key thresholds, audit requirements and readiness steps

The Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) established critical compliance standards to strengthen the banking system and protect depositors. Today, banks with $1 billion or more in total assets—and those approaching the $5 billion threshold—must navigate complex requirements, including annual audits, internal control assessments and enhanced governance obligations.

This white paper provides actionable guidance for FDICIA compliance and readiness, covering:

  • Key provisions such as prompt corrective action (PCA) and the Truth in Savings Act (TISA)
  • Updated asset thresholds effective Jan. 1, 2026
  • Audit and reporting requirements, including internal control over financial reporting (ICFR) assessments and audit committee standards
  • Practical steps for FDICIA readiness, from building an internal control framework based on the guidelines of the Committee of Sponsoring Organizations (COSO) to planning IT audits and training control operators

Whether your institution is approaching critical asset milestones or seeking to strengthen internal controls, this resource equips you with actionable strategies to support regulatory confidence, operational resilience and audit readiness.

FDICIA: Key provisions and regulatory requirements

FDICIA introduced key provisions that continue to shape banking compliance today, primarily including:

  • The prompt corrective action (PCA) provision. This provision requires federal banking agencies to take action when an insured depository institution’s capital is classified as undercapitalized, significantly undercapitalized or critically undercapitalized (as determined by selected capital measures). These interventions, an effort to minimize losses for all involved parties, depend on the level of undercapitalization and may include placement into conservatorship or receivership.
  • Least-cost resolution provisions. These provisions require the FDIC to choose a resolution method for failed insured depository institutions that minimizes the costs to taxpayers. The FDIC is limited in its ability to absorb losses, with an exception for preserving institutions that are “too big to fail,” as the FDIC characterizes them.
  • Improved examinations. FDICIA adjusted the conditions that allowed an institution to qualify for an 18-month, full-scope, on-site examination, in effect increasing the number of institutions subject to these examinations. FDICIA also requires the appropriate federal banking agencies to improve the quality of their examinations through reviews of the agencies and their staff training, and by increasing the number of examiners, supervisors and others employed by the agencies.
  • Truth in Savings Act (TISA). The TISA was enacted as part of the passage of FDICIA and requires banks to disclose to consumers the rates (annual percentage yields) and fees associated with their accounts.

Section 36 and Part 363

Section 36 of the Federal Deposit Insurance Act (which was added by Section 112 of FDICIA) and Part 363 of the FDIC’s regulations aim to facilitate the early identification of problems in financial management at insured depository institutions over a certain asset threshold size. The institutions subject to the requirements under Section 36 and Part 363 are commonly referred to as “covered institutions.”

Effective Jan. 1, 2026, the FDICIA asset size thresholds were adjusted to reflect inflation and are currently defined as institutions with $1 billion or more in total assets. Additional requirements become effective once a covered institution reaches $5 billion in total assets.

As part of the FDIC’s final rule that adjusted the thresholds, an indexing methodology was also implemented to allow for subsequent periodic adjustments to the thresholds included in Part 363.

This indexing methodology will be applied automatically every two consecutive years or during any intervening year when the cumulative change in the relevant index (e.g., the consumer price index) since the last adjustment increases by the percentage stated in the FDIC’s rules and regulations.

Annual audits and reporting package submissions

The Part 363 annual reporting package should include a combination of items, including financial statements, audit reports and management reports, with the specific requirements dependent on the size of the covered institution.

Reporting packages are due within 90 days after the end of the covered institution’s fiscal year if it is: (a) a public company or (b) a subsidiary of a public holding company and its consolidated total assets comprise 75% or more of the consolidated total assets of the public holding company as of the beginning of its fiscal year.

Reporting packages are due within 120 days after the end of the covered institution’s fiscal year if it is: (a) not a public company or a subsidiary of a public company or (b) a subsidiary of a public holding company and its consolidated total assets comprise less than 75% of the consolidated total assets of the public holding company as of the beginning of its fiscal year.

Audited financial statements

Audited comparative financial statements and a corresponding independent public accountant’s report on the audited financial statements are required for all covered institutions.

The level of financial statements that satisfies the reporting requirements depends on the organizational structure of the consolidated company and the relative size of the insured depository institution (IDI). For IDIs that are subsidiaries of holding companies, the audited financial statements submitted may be the consolidated financial statements of the top-tier or any mid-tier holding company if the total assets of the IDI (or multiple IDIs if applicable) comprise 75% or more of the consolidated total assets as of the beginning of the fiscal year.

All other requirements in the reporting package may also be satisfied at the holding company level if both of the following conditions are met:

  • The services and functions of the IDI and holding company are similar.
  • The IDI has, as of the beginning of its fiscal year, total assets of less than $5 billion, or total assets greater than $5 billion together with a composite CAMELS rating of 1 or 2.

Scenario 1

Bank A is the wholly owned subsidiary of Holding Company A. Per its Dec. 31, 20X1, call report, Bank A has $3.5 billion in total assets. The consolidated entity has $3.8 billion in total consolidated assets as of Dec. 31, 20X1. Considering that Bank A comprises 92% of the total consolidated assets, the services and functions are comparable in nature for both entities, and the IDI (Bank A) has less than $5 billion in total assets, Bank A may satisfy its reporting requirements with consolidated statements and reports for its 20X2 reporting period.

Scenario 2

Bank M is the wholly owned subsidiary of Holding Company M. Per its Dec. 31, 20X1, call report, Bank M has $10 billion in total assets. The consolidated entity has $13 billion in total consolidated assets as of Dec. 31, 20X1. Bank M’s most recent FDIC examination as of Sept. 30, 20X1, resulted in a composite CAMELS rating of 2. Considering that Bank M comprises 76% of the total consolidated assets, the services and functions are comparable in nature for both entities, and the IDI (Bank M) has over $5 billion in total assets and a composite CAMELS rating of 2, Bank M may satisfy its reporting requirements with consolidated statements and reports for its 20X2 reporting period. 

Scenario 3

Bank Z is the wholly owned subsidiary of Holding Company Z. Per its Dec. 31, 20X1, call report, Bank Z has $10 billion in total assets. The consolidated entity has $13 billion in total consolidated assets as of Dec. 31, 20X1. Bank Z’s most recent FDIC examination as of Sept. 30, 20X1, resulted in a composite CAMELS rating of 3. Considering that Bank Z comprises 76% of the total consolidated assets, the IDI (Bank Z) may satisfy its annual audited financial statement requirement with its consolidated financial statements.

However, because Bank Z received a composite CAMELS rating of 3, the bank cannot satisfy its other reporting requirements with consolidated reports. Thus, it is likely that Bank Z will submit its reporting package for 20X2 with audited financial statements and reports for Bank Z only. If the use of consolidated financial statements reporting is preferred (with other reporting requirements at the IDI level), the audit should be performed at a level such that bank-only financial statements could have been presented as contemplated by AU-C 940, Exhibit D.3. Specifically, the auditor would be required to perform procedures necessary to obtain sufficient appropriate audit evidence to enable an opinion on the IDI’s financial statements and its ICFR.

Management report

Management is required to provide a report regarding its responsibilities and certain conclusions with respect to internal controls and compliance with designated laws and regulations.

The following elements of the management report are required based on the size of the covered institution:

Total assets of at least $1 billion but less than $5 billion: a management report that includes:

  • Statement of responsibilities for preparing financial statements, establishing and maintaining an adequate internal control structure, and complying with designated laws and regulations
  • Assessment of and conclusion relating to compliance with designated laws and regulations pertaining to insider loans and dividend restrictions

Total assets of $5 billion or more: a management report that includes both elements above and, in addition:

  • Assessment of effectiveness of ICFR as of the fiscal year-end

Independent auditor’s report on internal control over financial reporting (ICFR)

In certain cases, an assessment of the effectiveness of ICFR is also required as part of the annual reporting package submitted to the FDIC. An effective internal control structure is considered critical to the safety and soundness of insured depository institutions.

An independent auditor’s report on ICFR is required when a covered institution has $5 billion or more in total assets. No such assessment and report by an independent auditor is required when total assets are under $5 billion.

However, management is required to make certain statements in its management report regarding its internal control structure, and thus management is still responsible for establishing and maintaining an adequate internal control structure even when holding under $5 billion in total assets.

For institutions that are not public filers, the internal control audit is conducted in accordance with the American Institute of Certified Public Accountants (AICPA) standards (AU-C 940, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements).

For institutions that are public filers and that are subject to a Sarbanes-Oxley Act (SOX) 404 integrated audit, the internal controls audit is generally conducted in accordance with the Public Company Accounting Oversight Board’s (PCAOB) standards (AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated With An Audit of Financial Statements).

Audit committee

Part 363 requires each covered institution to establish an independent audit committee of its board of directors, composed of outside directors: individuals who are not, and within the preceding year have not been, an officer or employee of the institution or any of its affiliates.

Ultimately, the audit committee is responsible for the appointment, compensation and oversight of the independent public accountant and for reviewing the reports included in the annual report submitted to the FDIC.

For covered institutions with total assets of $1 billion but less than $5 billion, the majority of the audit committee’s members (outside directors) should be independent of management.

For covered institutions with total assets of $5 billion or more, the audit committee must adhere to the following requirements:

  • All members must be outside directors who are independent of management.
  • The committee must include members with banking or related financial management expertise.
  • The committee must have access to its own outside counsel.
  • Committee members must not include any large customers.

At least annually, the board of directors should determine whether the existing and potential audit committee members are independent of management. Consideration should be given not only to the member themself, but also to any relationships or affiliations that the member may have with related parties of the institution. Paragraph 28 of Appendix A to Part 363 (Guidelines and Interpretations) includes guidance for making this determination.

FDICIA readiness

Preparation is critical to success in FDICIA compliance. An institution should consistently monitor its growth and strategic plan in an effort to project when it is approximately one to two years from reaching the $1 billion and $5 billion thresholds.

This will allow the organization to ensure compliance once the asset threshold is triggered, identify necessary resources, and develop a thorough plan that integrates management, the audit committee, the board of directors, the independent public accountant and internal audit. The best advice may be to begin acting like an FDICIA-covered institution, so to speak, before the provisions are effective.

To ensure your organization is ready to implement the requirements of FDICIA, consider doing the following:

Measure total assets

The provisions of FDICIA are effective when total assets meet or exceed $1 billion as of the beginning of the fiscal year. Total assets over $5 billion then trigger additional requirements under Part 363.

When measuring total assets, the institution should use total assets as reported on its most recent report of condition (call report). The date of the most recent call report should coincide with the end of the preceding fiscal year for those institutions with a fiscal year-end that ends on a calendar quarter (e.g., March 31, June 30, Sept. 30, Dec. 31).

In other words, to evaluate applicability for the 20X2 fiscal year, a calendar year-end institution would use the call report from Dec. 31, 20X1, which also represents the opening balance as of Jan. 1, 20X2. If the institution’s fiscal year-end falls on a date other than the end of a calendar quarter, it should use the call report for the quarter-end immediately preceding the end of its fiscal year (e.g., March 31 for an April 30, non-calendar-quarter fiscal year-end).

Measurement illustration (three consecutive fiscal year-ends for a calendar year-end institution):

Dec. 31, 20X0
  • Total assets: $997 million

Dec. 31, 20X1
  • Total assets throughout the fiscal year: March 31: $998 million; June 30: $1 billion; Sept. 30: $999 million; Dec. 31: $1.1 billion
  • FDICIA does not apply for 20X1, as total consolidated assets as of Dec. 31, 20X0, were not over $1 billion.

Dec. 31, 20X2
  • Total assets: $1.1 billion
  • Total assets throughout the fiscal year: March 31: $1.1 billion; June 30: $1.1 billion; Sept. 30: $1.2 billion; Dec. 31: $1.2 billion
  • FDICIA applies for 20X2, as total consolidated assets as of Dec. 31, 20X1, were over $1 billion.

The measurement exercise in the preceding graphic is a continuous process. If a covered institution’s total assets fall below the applicable threshold in a subsequent period, the covered institution remains subject to FDICIA requirements until its next measurement period (i.e., next fiscal year-end call report date).

Modifying and expanding upon the previous example, if the covered institution’s total assets had fallen below $1 billion as of March 31, 20X2, and remained under $1 billion as of Dec. 31, 20X2, then it would not be subject to requirements for the 20X3 audit. However, it would still be subject to requirements for 20X2 because the threshold was met as of Dec. 31, 20X1.

This example would also apply when a covered institution is approaching the $5 billion threshold, which would trigger the additional requirements under Part 363.

Create an FDICIA roadmap and detailed project plan

Once the institution determines that it is approaching or has already met the asset thresholds for FDICIA, management should work to create a detailed FDICIA roadmap and project plan. Starting with the end date in mind (e.g., the first annual audit for which the FDICIA reporting package must be submitted or the first period in which an ICFR audit is required), the institution should work backward to determine key milestones.

From this roadmap, it should then create a detailed project plan that incorporates various stakeholders—including management, operational leaders, the audit committee, the board of directors and the internal audit function—to address all elements of compliance.

For the internal audit function specifically, a one-to-two-year plan is integral to FDICIA readiness. That plan should perform additional risk assessment, identify key controls for FDICIA purposes, ensure compliance with the Committee of Sponsoring Organizations’ (COSO) 2013 framework (or another acceptable framework), and either develop a testing plan or integrate existing testing with the FDICIA requirements.

The covered institution should consider a one-year or two-year dry run for the internal control evaluation to allow time to confirm and/or update controls, identify and remediate any existing control deficiencies, and properly train personnel. It may be helpful to start with less complex areas such as cash and deposits and then move on to higher risk sections such as the allowance for loan losses.

Ensure auditor independence and review nonaudit services

The independent public accountant must comply with the independence standards of the AICPA, the Securities and Exchange Commission and the PCAOB for all covered institutions, regardless of whether the covered institution is a public company.

SEC and PCAOB standards are generally more restrictive than AICPA standards with respect to permissible nonaudit services. Thus, as your covered institution nears the $1 billion total asset threshold, it is important to inventory the services performed by the independent public accountant and to determine whether those services remain permissible under the SEC and PCAOB independence standards.

Common nonaudit services that are permissible under AICPA standards, but not under SEC and PCAOB standards, include but are not limited to:

  • Preparation of financial statements, including rolling forward report templates, preparation of or substantial assistance with the statements and footnotes, and report processing functions such as typing, printing, copying and binding.
  • Appraisal or valuation services or fairness opinions.
  • Internal audit services, including outsourced loan review.
  • Tax services relating to marketing, planning or opining in favor of the tax treatment of a transaction that is a confidential transaction under U.S. Treasury regulations or that is based on an aggressive interpretation of applicable tax laws and regulations. Tax compliance services generally present little or no threat to auditor independence and are permissible.
  • Tax services to a person in a financial reporting oversight role or an immediate family member (spouse, spousal equivalent or dependent).

Under SEC independence rules, once a covered institution meets the $1 billion threshold in total assets, any permitted nonaudit services should be discussed with and preapproved by the audit committee before those services commence. Refer to Rule 2-01 of Regulation S-X and PCAOB Rules 3524–3526 for further details relating to the audit committee’s role in the approval of permitted nonaudit services.

Gain an understanding of COSO 2013

COSO’s Internal Control – Integrated Framework includes five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring), 17 internal control principles, and 81 points of focus considered necessary for an effective internal control environment. While other frameworks may be acceptable, COSO 2013 is the most prevalent.

Evaluate and educate the audit committee

As the institution approaches the applicable asset thresholds, it should also consider the existing makeup of its board of directors and, if applicable, its audit committee.

Once an institution reaches $1 billion in total assets, it is required to have an independent audit committee. Because one of the primary responsibilities of the audit committee is to appoint the independent public accountant, the institution should ensure it has an appropriate audit committee in place prior to reaching this threshold and before engaging the independent public accountant for its initial FDICIA audit.

The audit committee should also be educated on the independence rules and knowledgeable about the nonaudit services, if any, performed by the independent public accountant. Any required preapprovals of nonaudit services should be scheduled and completed.

Refer to RSM’s Audit Committee Guide for Financial Institutions for further information on audit committee responsibilities, including its role in evaluating the control environment and in risk assessment, as well as specific FDICIA-related considerations.

Discuss oversight responsibilities with the board of directors

Beyond discussing the basic provisions and requirements of FDICIA, the board of directors should also understand its responsibilities for oversight.

Specifically, Part 363 requires that the board of directors determine whether each existing or potential audit committee member meets the requirements to be an outside director and, as applicable based on the asset threshold of the covered institution, is independent of management. The minutes of the board of directors’ meetings should include the procedures performed, the basis for determinations and the results of these assessments.

The board of directors should also consider the management team’s experience and expertise to determine whether the most appropriate people are in place once the FDICIA requirements apply. Management needs the ability to make the assessments included in its report, including by having a deep understanding of the entity and its control environment and sufficient oversight of the operations of the institution.

Additional members of management may be needed to supplement the knowledge and experience of existing managers, particularly with respect to internal controls and risk assessment.

Assess and/or implement an internal audit function

With the requirement that management establish and maintain an adequate internal control structure, there is generally a need for a formal, sophisticated internal audit function at the institution. Depending on the current state of the internal audit function, it may be necessary to supplement personnel, restructure reporting lines and enhance procedures performed throughout the year.

Generally, the organization should have established processes in place for tasks such as risk assessment, personnel education, evaluation of control design, testing of operating effectiveness, reporting of results and monitoring.

Additionally, these processes should be performed and overseen by competent individuals with requisite experience. Whether the internal audit work is to be performed internally or externally, the responsibility still rests with management for implementing and monitoring a sound control environment at both the entity and transaction levels.

Remember the IT function

To ensure the effectiveness of internal controls as a whole for the covered institution, the IT environment and related controls must be considered. A formal internal audit plan may need to be developed or an existing plan may need to be expanded to meet FDICIA requirements.

For the entire entity and for each in-scope IT application identified, the institution should evaluate logical security, security administration, operations, change management, business continuity and disaster recovery, cybersecurity and vendor management.

Remediate any identified material weaknesses in ICFR

A material weakness is defined as a deficiency, or a combination of deficiencies, in ICFR that results in a reasonable possibility that a material misstatement of the financial statements will not be prevented, or detected and corrected, in a timely manner.

Pursuant to Part 363, management and the independent public accountant are precluded from concluding that ICFR is effective if one or more material weaknesses exist. Thus, the institution should work to correct any known material weaknesses in ICFR and develop safeguards in the control environment to reduce the risk that material weaknesses will arise.

Consider the need for entity-wide training

Often, those responsible for executing many of the controls on a regular basis (commonly referred to as control operators) may not understand the implications of these procedures from a regulatory standpoint. A sound internal control environment requires an appropriate level of awareness and commitment from various levels within the organization.

It may be beneficial to host training sessions for employees throughout the organization on topics such as the COSO framework, FDICIA, the internal and external audit processes, and the importance of employees’ role as control operators in ensuring that controls are properly designed, operating effectively and adequately documented.

How can RSM help?

RSM has assisted numerous banks in sorting through the complexities of FDICIA compliance, including helping institutions as they cross over the $1 billion and $5 billion total asset thresholds.

For banks that are not audit clients: We can provide assistance in initial FDICIA compliance efforts or in optimizing the existing internal control environment and compliance program. We can also provide certain outsourcing, co-sourcing or loaned staff services.

For banks that are audit clients: We can provide limited assistance in the assessment of enterprise risk management activities and in certain regulatory compliance matters.

RSM’s depth of experience and industry specialization are what set us apart. Our professionals bring insights gained as former bank executives, regulators, internal auditors, IT specialists and accounting professionals. This knowledge allows us to anticipate challenges and deliver practical solutions tailored to your institution’s size, structure and growth trajectory.

We combine technical knowledge with a collaborative approach. Our team works closely with management and audit committees to strengthen governance, improve internal controls and prepare the institution for regulatory examinations. By leveraging proven methodologies and technology-enabled tools, we help institutions achieve compliance efficiently while enhancing operational resilience.

RSM contributors

  • Mike Lundberg
    Partner
  • Amber Sarb
    Managing Director
