Over the past 30 years, there’s been a steady decline in the number of bank charters, due to the increase in bank failures during the economic downturn and, most recently, the increase in merger and acquisition activity. With this activity, more and more community banks find themselves pushing their asset size toward FDICIA thresholds.
As your bank increases its asset size closer to $500 million and $1 billion, it’s critical that executives understand the FDICIA requirements for the respective thresholds and plan accordingly. Planning 18-to-24 months ahead of expected required compliance will ensure you’re properly prepared to meet these requirements. If you delay, emergency preparation can bring chaos, stress, and added costs, and may require you take valuable resources away from other important initiatives.
As banks increase their asset size closer to $500 million and $1 billion, it’s critical that executives understand the FDICIA requirements for the respective thresholds and plan accordingly.
FDICIA requirement details
Individually chartered banks reaching $500 million in total assets as of January 1 (measurement date) are required to have an independent financial statement audit, as well as an audit committee comprising mostly of outside directors. Additionally, banks are required to submit an annual report that includes the following, as determined by the FDIC’s Part 363 annual independent audits and reporting requirements:
- Audited, comparative financial statements
- Independent auditor’s report on the audited financial statements
- Annual management reports, including — but not limited to — a statement for management’s responsibility for preparing the financial statements and establishing and maintaining an adequate internal control structure over financial reporting
- Independent auditor’s report to the audit committee, including all annual required communications
One item that may surprise you as your bank crosses $500 million in assets is that your independent auditor must follow SEC independence standards. Those standards place additional prohibitions on services the independent auditor can provide, such as preparing the financial statements and the annual tax provision, or the support of outsourced internal audit or other risk management activities.
Individually chartered banks reaching $1 billion in assets must have a completely independent audit committee and submit all of the above, as well as the following items:
- Expansion in the management reporting information, including their assertion on the effectiveness of internal controls over financial reporting based on a recognized internal control framework (COSO framework is almost exclusively used)
- Independent auditor’s attestation report on the effectiveness of internal controls over financial reporting as of the end of the year
At face value, these requirements may seem fairly straightforward but, in practice, they can feel overwhelming without a focused plan. Consider the independent audit committee requirement, which may require current audit committee and/or board members to be replaced.
The most time consuming of all requirements is the enhanced documentation and testing of key financial reporting controls related to management’s assertion on the effectiveness of their Internal Control over Financial Reporting (ICFR), which must be in place for your CEO and CFO to attest to the effectiveness of the internal controls. Likewise, the independent auditor’s attestation report requires the same significant documentation and testing of the key financial reporting controls throughout your bank.
At face value, these requirements may seem fairly straightforward but, in practice, they can feel overwhelming without a focused plan.
The FDICIA planning phase
Establishing the processes and resources to meet FDICIA compliance can be a complex undertaking without a focused plan. Early preparation, starting 18-to-24 months prior to the expected milestone, gives your bank time to document each significant business process, identify key financial reporting controls, and “pre-test” the controls to confirm their operating effectiveness. This “practice” testing ensures you’re prepared for the actual FDICIA testing and reporting requirements.
During the planning phase you should:
- Designate a FDICIA implementation leader and team, which may include key business process owners, executive management, audit committee, external auditor, and internal auditor, among others. The internal auditor typically plays a key role in testing.
- Determine the key business areas within scope, and establish a FDICIA implementation plan that includes milestones to keep all parties on track. Work backward to allow enough time for the “practice testing” and remediation process, as noted below.
- Execute according to your implementation plan, which will include documenting the business process, identifying key financial reporting controls, and creating the testing plan.
- Communicate internally with each business process owner to confirm that the documentation noted above is an accurate reflection of each business area. Discuss this documentation with your external auditor for feedback.
- Begin the testing process for each business area by testing each key financial reporting controls, working with each business process owner to be certain they reflect key financial reporting controls. Identify any weaknesses and/or inaccuracies throughout this process.
- Implement a remediation plan to address any issues noted and/or update the risk control documentation to accurately reflect the actual process.
FDICIA implementation tips
While the transition process can be challenging, it also serves as a great training ground to refresh documentation and create a partnership between internal audit and the process owners.
Here are some tips to ensure FDICIA implementation goes well:
- Start early and keep going. As stated above, the ideal timeframe for preparation is 18 to 24 months. You may identify significant control issues that need remediation. It’s not uncommon for transition teams to find duplications of controls or controls that can operate in a more efficient manner, ultimately creating a more effective reporting process. If things are going well, don’t be tempted to slow down; stay the course.
- Start simple. Begin with an area that’s easy to understand, such as wires or payroll. Then, move into more complex areas, such as deposits and investments, before you try to tackle commercial lending or information technology. Save IT until the end because it’s typically an area that’s subject to change and could be updated during this timeframe. IT is also woven throughout all other departments, which adds to the complexity.
- Coordinate with an external auditor. From the start, ensure business process owners agree on the controls that represent their business process. Then, send them to an external auditor, providing plenty of time to allow them to review and respond before testing begins.
- Maintain constant communication. Using established milestones, the transition team should share regular updates or have regular meetings with all identified parties, including business managers, executive management, the audit committee, and the external auditor. Any issues that arise should be addressed immediately.
If you have questions about how FDICIA transitions may affect you or if you want to learn more about the requirements, contact us today.