Cullen and Dykman LLP



FDIC Issues Letter on Effect of Sarbanes-Oxley on FDIC-Insured Institutions

In response to questions, the FDIC has issued a letter describing the effect of the Sarbanes-Oxley Act ("Sarbanes-Oxley") on FDIC-insured depository institutions. The FDIC notes that the applicability of Sarbanes-Oxley depends to a great extent on the size of a bank and on whether it is a public company or a subsidiary of a public company. The FDIC guidance distinguishes between (1) FDIC banks that are public companies or subsidiaries of public companies, (2) non-public FDIC banks with less than $500 million in total assets and (3) FDIC banks with $500 million or more in total assets.

1. FDIC Banks that are Public Companies or Subsidiaries of Public Companies.

The FDIC confirms that banks that are public companies or subsidiaries of public companies, and their independent public accountants, must comply with Sarbanes-Oxley and the implementing regulations of the Securities and Exchange Commission ("SEC"), including the provisions on auditor independence, corporate responsibility and financial disclosure.

2. Non-Public FDIC Banks with Less than $500 Million in Total Assets.

The FDIC confirms that non-public banks with less than $500 million in total assets are not subject to Sarbanes-Oxley or the implementing regulations of the SEC. The FDIC has, however, identified selected corporate governance provisions of Sarbanes-Oxley which are not mandatory for these banks, but which the FDIC encourages non-public banks with assets of less than $500 million to implement to the extent feasible and consistent with the size, complexity and risk profile of the bank, as follows:

  • Registered Public Accounting Firm. Section 102 of Sarbanes-Oxley only permits public accounting firms registered with the Public Company Accounting Oversight Board to audit financial statements of public companies. The FDIC confirms that non-public banks with assets of less than $500 million are not limited to using a registered public accounting firm.
  • Auditor Independence. Sections 201 and 202 of Sarbanes-Oxley and the SEC's implementing regulations establish guidelines for auditor independence, including restrictions on the outside services which the audit firm may provide, and require pre-approval by the audit committee of all audit and non-audit services provided by the outside auditor of a public company. The FDIC encourages non-public banks with less than $500 million in assets that have audited financial statements, along with their public accounting firms, to follow the SEC's regulations on auditor independence. Recognizing, however, that certain banks of this size may find it appropriate to retain one audit firm to perform both the internal and the outside audit function, the FDIC has provided guidance for these banks to manage that process. If one of these non-public banks considers having its outside auditor perform additional services which, in the case of a public company, would be prohibited under Section 201 of Sarbanes-Oxley, the FDIC encourages the audit committee or board of directors of the bank to discuss the effect of the additional services on the independence of the auditor.
  • Audit Partner Rotation. Section 203 of Sarbanes-Oxley and the SEC's implementing regulations establish audit partner rotation and time out periods for purposes of establishing auditor independence for public companies. The FDIC encourages non-public banks with less than $500 million in assets to incorporate audit partner rotation and time out periods into engagement letters with their outside auditors.
  • Outside Auditor Reports to Audit Committee. Section 204 of Sarbanes-Oxley and the SEC's regulations require the outside auditor of a public company to report to the audit committee on critical accounting policies used by the company, alternative accounting treatments discussed with management and other written correspondence with the management. The FDIC encourages non-public banks with assets of less than $500 million to incorporate these practices into their engagement letter with their outside auditors.
  • Conflicts of Interest. Section 206 of Sarbanes-Oxley and the SEC's regulations prohibit a public company from having a chief executive officer, chief financial officer or equivalent officer who was employed by the company's outside accounting firm and participated in the audit during the one year period prior to the beginning of the current audit. The FDIC encourages non-public banks with assets of less than $500 million to conform to this rule.
  • Audit Committees. Section 301 of Sarbanes-Oxley and the SEC's regulations require the audit committee of a public company to be responsible for the appointment, compensation and oversight of the outside auditor. The audit committee must consist of independent members of the board of directors and the audit committee must establish a mechanism for employees to submit confidential and anonymous concerns about accounting and auditing matters and for investigation of these matters. The FDIC notes that the 1999 Interagency Policy Statement on External Audits already encourages non-public banks to establish audit committees consisting of outside directors not having material business dealings with the bank. The FDIC also encourages these non-public banks to establish mechanisms for submission of employee complaints.
  • Financial Reporting. Section 302 of Sarbanes-Oxley and the SEC's implementing regulations require a public company's principal executive officer and principal financial officer to certify the quarterly and annual reports. The FDIC suggests that non-public banks with assets of less than $500 million that issue financial statements consider having their principal executive officer and principal financial officer certify to their review of the financial statements and, based on their knowledge, that the statements are true and fairly represent the bank's financial condition and results of operations.
  • Conduct of Audits. Section 303 of Sarbanes-Oxley prohibits any officer or director of a public company from coercing, misleading or fraudulently influencing the outside auditor to prepare materially misleading financial statements. The FDIC strongly encourages non-public banks with assets of less than $500 million to comply with Section 303 no matter what form of outside auditing is used by the bank.
  • Disclosure of Correcting Adjustments and Off-Balance Sheet Transactions. Section 401 of Sarbanes-Oxley requires financial reports of public companies filed with the SEC to reflect material correcting adjustments from the outside auditor. Section 401 also requires the financial statements of public companies to disclose material off-balance sheet transactions. The FDIC strongly encourages non-public banks with assets of less than $500 million to make material correcting adjustments and disclose material off-balance sheet transactions.
  • Loans to Directors and Executive Officers. Section 402 of Sarbanes-Oxley precludes a public company from making a loan to a director or executive officer, except for certain consumer loans. The FDIC notes Section 402 of Sarbanes-Oxley does not apply to depository institution loans subject to Regulation O and directs that non-public banks should continue compliance with Regulation O.
  • Assessment of Internal Controls. Section 404 of Sarbanes-Oxley requires the annual report of a public company to contain a statement of management's responsibility for maintaining an internal control structure and an assessment of that structure, attested to by the outside auditor. The FDIC encourages non-public banks with assets of less than $500 million to have an internal control assessment prepared by management and attested to by the independent auditor.
  • Code of Ethics for Senior Financial Officers. Section 406 of Sarbanes-Oxley and the SEC's implementing regulations require public companies to disclose whether they have adopted a code of ethics for their principal executive officer, principal financial officer and equivalent officers. If a public company has not adopted such a code, the company must explain why in its disclosures. The FDIC notes that its 1987 Guidelines for Compliance with the Bank Bribery Law encouraged FDIC banks to adopt codes of conduct prohibiting self-dealing and requiring disclosure of conflicts of interest. The FDIC also encourages non-public banks with assets of less than $500 million to adopt a code of ethics for senior financial officers consistent with the requirements of Section 406 of Sarbanes-Oxley and, failing to do so, to explain the reason in the minutes of the board.
  • Audit Committee Financial Expert. Section 407 of Sarbanes-Oxley and the SEC's implementing regulations require a public company to disclose whether there is at least one "audit committee financial expert" on its audit committee and, if not, the reasons why. The FDIC states that the extent to which audit committees of public companies will be able to satisfy the SEC's definition of "audit committee financial expert" is not yet known. The FDIC further states that it does not expect non-public banks with assets of less than $500 million to disclose whether or not they have an "audit committee financial expert" on their audit committees, but a bank may do so on its own.

3. FDIC Banks with $500 Million or More in Total Assets.

The FDIC provides guidance for FDIC banks with $500 million or more in assets in three separate categories: (a) notice of a possible amendment of Part 363 of the FDIC regulations to incorporate provisions of Sarbanes-Oxley; (b) guidance on compliance with the requirements of Sarbanes-Oxley for non-public banks with $500 million or more in assets; and (c) a review of the relationship between three specific areas of Sarbanes-Oxley and the annual audit and reporting requirements of the FDIC regulations applicable to all FDIC banks with $500 million or more in assets.

a. Notice of Possible Amendment to Part 363.

The FDIC notes that all banks with $500 million or more in assets, whether public or non-public, must comply with the FDIC's annual audit and reporting requirements at Part 363. The FDIC states that it is considering amending Part 363 to extend some of the provisions of Sarbanes-Oxley discussed above at Section 2 of this memorandum to all FDIC-insured banks with $500 million or more in assets. Since all of the provisions of Sarbanes-Oxley already apply to public banks, the practical effect of such an amendment would be to require non-public banks with $500 million or more in assets to comply with those provisions of Sarbanes-Oxley that the FDIC selects for inclusion in an amended Part 363.

b. Guidance for Non-Public FDIC Banks with $500 Million or More in Assets.

Until the FDIC amends Part 363 to require non-public banks with $500 million or more in assets to comply with other provisions of Sarbanes-Oxley, the FDIC states that those banks should consider the FDIC's guidance on corporate governance and Sarbanes-Oxley compliance for non-public FDIC banks with assets of less than $500 million, discussed above at Section 2 of this memorandum, consistent with the bank's size, complexity and risk profile, together with the additional FDIC guidance described immediately below at Section 3.c of this memorandum.

c. Relationship of Sarbanes-Oxley and the FDIC Annual Audit and Reporting Requirements Applicable to Public and Non-Public Banks with $500 Million or More in Assets.

The FDIC guidance also reviews three aspects of Sarbanes-Oxley and their relationship to the annual audit and reporting requirements of Part 363 of the FDIC regulations, which apply to both public and non-public banks with $500 million or more in assets.

i. Auditor Independence.

The FDIC states that its guidelines on the qualifications of independent public accountants require the accountant to comply with the SEC's auditor independence requirements. Accordingly, the FDIC requires all public and non-public banks with $500 million or more in assets to comply with the auditor independence rules approved by the SEC on January 22, 2003, as contained in Sections 201, 202, 203 and 206 of Sarbanes-Oxley. (The requirements of these Sections of Sarbanes-Oxley are discussed above at Section 2 of this memorandum.) The FDIC states that the banks and their outside accountants should ensure compliance with the rules consistent with the transition provisions in the SEC's implementing regulations. The FDIC specifically states that public and non-public banks with $500 million or more in assets should conform to the SEC's audit partner rotation requirements, unless the SEC's small firm exception applies, which covers audit firms with fewer than five public audit clients and fewer than ten audit partners.

ii. Management Responsibility for Financial Reporting and Controls.

The FDIC notes that Section 302 of Sarbanes-Oxley requires a separate certification by the principal executive officer and principal financial officer, using specified language, of the accuracy of each quarterly and annual report. (This requirement is discussed above at Section 2 of this memorandum.) The FDIC notes that Part 363 of its regulations separately requires each FDIC-insured bank with $500 million or more in assets to include a management report with the annual report it files with the FDIC. The management report must be signed by the chief executive officer and chief financial officer and must state management's responsibility for preparing the annual financial statements, maintaining adequate internal controls and complying with safety and soundness regulations.

The FDIC first states that a bank which is a public company may not submit the certification required by Section 302 of Sarbanes-Oxley in place of the management report required by Part 363. The FDIC also states that many FDIC-insured banks are failing to comply with the management report and internal control requirements of Part 363 by omitting the required statement of management responsibility from the financial statements. The FDIC directs the chief executive officer and chief financial officer of public and non-public banks with $500 million or more in assets to make certain that the reports are properly prepared before signing them.

iii. Management Assessment of Internal Controls and Accountant's Attestation.

The FDIC notes that Part 363 of its regulations requires a bank with $500 million or more in assets to have its public accountant examine and separately attest to management's assertions on internal control. That attestation must be included in the annual report these banks file with the FDIC.

The FDIC also notes that Section 404 of Sarbanes-Oxley requires a public company to include an internal control report and an accountant's attestation in the annual report it files with the SEC. Because the SEC has not yet adopted rules governing that report and attestation, however, the FDIC states that it will continue to require compliance with the internal control report and attestation requirements of Part 363 until it has had the opportunity to determine whether the SEC rules will suffice.

If you have any questions concerning these new guidelines, please contact us at 516-357-3707 or via e-mail to tdouglas@cullenanddykman.com.

©2010 Cullen and Dykman LLP. All rights reserved.