Title 12 · Federal Reserve, OCC, FDIC
Annual Independent Audits And Reporting Requirements
12 C.F.R. Part 363 · Updated January 1, 2026
§ 363.0 — OMB control number.
The information collection requirements in this part have been approved by the Office of Management and Budget under OMB control number 3064-0113.
§ 363.1 — Scope and definitions.
(a) Applicability. This part applies to any insured depository institution with respect to any fiscal year in which its consolidated total assets as of the beginning of such fiscal year are $1 billion, as adjusted from time to time in accordance with 12 CFR 314.1, or more. The requirements specified in this part are in addition to any other statutory and regulatory requirements otherwise applicable to an insured depository institution.
(b) Compliance by subsidiaries of holding companies. (1) For an insured depository institution that is a subsidiary of a holding company, the audited financial statements requirement of § 363.2(a) may be satisfied:
(i) For fiscal years ending on or before June 14, 2010, by audited consolidated financial statements of the top-tier or any mid-tier holding company.
(ii) For fiscal years ending on or after June 15, 2010, by audited consolidated financial statements of the top-tier or any mid-tier holding company provided that the consolidated total assets of the insured depository institution (or the consolidated total assets of all of the holding company’s insured depository institution subsidiaries, regardless of size, if the holding company owns or controls more than one insured depository institution) comprise 75 percent or more of the consolidated total assets of this top-tier or mid-tier holding company as of the beginning of its fiscal year.
(2) The other requirements of this part for an insured depository institution that is a subsidiary of a holding company may be satisfied by the top-tier or any mid-tier holding company if the insured depository institution meets the criterion specified in § 363.1(b)(1) and if:
(i) The services and functions comparable to those required of the insured depository institution by this part are provided at this top-tier or mid-tier holding company level; and
(ii) The insured depository institution has as of the beginning of its fiscal year:
(A) Total assets of less than $5 billion; or
(B) Total assets of $5 billion or more and a composite CAMELS rating of 1 or 2.
(3) The appropriate Federal banking agency may revoke the exception in paragraph (b)(2) of this section for any institution with total assets in excess of $9 billion for any period of time during which the appropriate Federal banking agency determines that the institution’s exemption would create a significant risk to the Deposit Insurance Fund.
(c) Financial reporting. For purposes of the management report requirement of § 363.2(b) and the internal control reporting requirement of § 363.3(b), “financial reporting,” at a minimum, includes both financial statements prepared in accordance with generally accepted accounting principles for the insured depository institution or its holding company and financial statements prepared for regulatory reporting purposes. For recognition and measurement purposes, financial statements prepared for regulatory reporting purposes shall conform to generally accepted accounting principles and section 37 of the Federal Deposit Insurance Act.
(d) Definitions. For purposes of this part, the following definitions apply:
(1) AICPA means the American Institute of Certified Public Accountants.
(2) GAAP means generally accepted accounting principles.
(3) PCAOB means the Public Company Accounting Oversight Board.
(4) Public company means an insured depository institution or other company that has a class of securities registered with the U.S. Securities and Exchange Commission or the appropriate Federal banking agency under Section 12 of the Securities Exchange Act of 1934 and nonpublic company means an insured depository institution or other company that does not meet the definition of a public company.
(5) SEC means the U.S. Securities and Exchange Commission.
(6) SOX means the Sarbanes-Oxley Act of 2002.
§ 363.2 — Annual reporting requirements.
(a) Audited financial statements. Each insured depository institution shall prepare annual financial statements in accordance with GAAP, which shall be audited by an independent public accountant. The annual financial statements must reflect all material correcting adjustments necessary to conform with GAAP that were identified by the independent public accountant.
(b) Management report. Each insured depository institution annually shall prepare, as of the end of the institution’s most recent fiscal year, a management report that must contain the following:
(1) A statement of management’s responsibilities for preparing the institution’s annual financial statements, for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and for complying with laws and regulations relating to safety and soundness that are designated by the FDIC and the appropriate Federal banking agency;
(2) An assessment by management of the insured depository institution’s compliance with such laws and regulations during such fiscal year. The assessment must state management’s conclusion as to whether the insured depository institution has complied with the designated safety and soundness laws and regulations during the fiscal year and disclose any noncompliance with these laws and regulations; and
(3) For an insured depository institution with consolidated total assets of $5 billion, as adjusted from time to time in accordance with 12 CFR 314.1, or more as of the beginning of such fiscal year, an assessment by management of the effectiveness of such internal control structure and procedures as of the end of such fiscal year that must include the following:
(i) A statement identifying the internal control framework used by management to evaluate the effectiveness of the insured depository institution’s internal control over financial reporting;
(ii) A statement that the assessment included controls over the preparation of regulatory financial statements in accordance with regulatory reporting instructions including identification of such regulatory reporting instructions; and
(iii) A statement expressing management’s conclusion as to whether the insured depository institution’s internal control over financial reporting is effective as of the end of its fiscal year. Management must disclose all material weaknesses in internal control over financial reporting, if any, that it has identified that have not been remediated prior to the insured depository institution’s fiscal year-end. Management is precluded from concluding that the institution’s internal control over financial reporting is effective if there are one or more material weaknesses.
(c) Management report signatures. Subject to the criteria specified in § 363.1(b):
(1) If the audited financial statements requirement specified in § 363.2(a) is satisfied at the insured depository institution level and the management report requirement specified in § 363.2(b) is satisfied in its entirety at the insured depository institution level, the management report must be signed by the chief executive officer and the chief accounting officer or chief financial officer of the insured depository institution;
(2) If the audited financial statements requirement specified in § 363.2(a) is satisfied at the holding company level and the management report requirement specified in § 363.2(b) is satisfied in its entirety at the holding company level, the management report must be signed by the chief executive officer and the chief accounting officer or chief financial officer of the holding company; and
(3) If the audited financial statements requirement specified in § 363.2(a) is satisfied at the holding company level and (i) the management report requirement specified in § 363.2(b) is satisfied in its entirety at the insured depository institution level or (ii) one or more of the components of the management report specified in § 363.2(b) is satisfied at the holding company level and the remaining components of the management report are satisfied at the insured depository institution level, the management report must be signed by the chief executive officers and the chief accounting officers or chief financial officers of both the holding company and the insured depository institution and the management report must clearly indicate the level (institution or holding company) at which each of its components is being satisfied.
§ 363.3 — Independent public accountant.
(a) Annual audit of financial statements. Each insured depository institution shall engage an independent public accountant to audit and report on its annual financial statements in accordance with generally accepted auditing standards or the PCAOB’s auditing standards, if applicable, and section 37 of the Federal Deposit Insurance Act (12 U.S.C. 1831n). The scope of the audit engagement shall be sufficient to permit such accountant to determine and report whether the financial statements are presented fairly and in accordance with GAAP.
(b) Internal control over financial reporting. For each insured depository institution with total assets of $5 billion, as adjusted from time to time in accordance with 12 CFR 314.1, or more at the beginning of the institution’s fiscal year, the independent public accountant who audits the institution’s financial statements shall examine, attest to, and report separately on the assertion of management concerning the effectiveness of the institution’s internal control structure and procedures for financial reporting. The attestation and report shall be made in accordance with generally accepted standards for attestation engagements or the PCAOB’s auditing standards, if applicable. The accountant’s report must not be dated prior to the date of the management report and management’s assessment of the effectiveness of internal control over financial reporting. Notwithstanding the requirements set forth in applicable professional standards, the accountant’s report must include the following:
(1) A statement identifying the internal control framework used by the independent public accountant, which must be the same as the internal control framework used by management, to evaluate the effectiveness of the insured depository institution’s internal control over financial reporting;
(2) A statement that the independent public accountant’s evaluation included controls over the preparation of regulatory financial statements in accordance with regulatory reporting instructions including identification of such regulatory reporting instructions; and
(3) A statement expressing the independent public accountant’s conclusion as to whether the insured depository institution’s internal control over financial reporting is effective as of the end of its fiscal year. The report must disclose all material weaknesses in internal control over financial reporting that the independent public accountant has identified that have not been remediated prior to the insured depository institution’s fiscal year-end. The independent public accountant is precluded from concluding that the insured depository institution’s internal control over financial reporting is effective if there are one or more material weaknesses.
(c) Notice by accountant of termination of services. An independent public accountant performing an audit under this part who ceases to be the accountant for an insured depository institution shall notify the FDIC, the appropriate Federal banking agency, and any appropriate State bank supervisor in writing of such termination within 15 days after the occurrence of such event, and set forth in reasonable detail the reasons for such termination. The written notice shall be filed at the place identified in § 363.4(f).
(d) Communications with audit committee. In addition to the requirements for communications with audit committees set forth in applicable professional standards, the independent public accountant must report the following on a timely basis to the audit committee:
(1) All critical accounting policies and practices to be used by the insured depository institution,
(2) All alternative accounting treatments within GAAP for policies and practices related to material items that the independent public accountant has discussed with management, including the ramifications of the use of such alternative disclosures and treatments, and the treatment preferred by the independent public accountant, and
(3) Other written communications the independent public accountant has provided to management, such as a management letter or schedule of unadjusted differences.
(e) Retention of working papers. The independent public accountant must retain the working papers related to the audit of the insured depository institution’s financial statements and, if applicable, the evaluation of the institution’s internal control over financial reporting for seven years from the report release date, unless a longer period of time is required by law.
(f) Independence. The independent public accountant must comply with the independence standards and interpretations of the AICPA, the SEC, and the PCAOB. To the extent that any of the rules within any one of these independence standards (AICPA, SEC, and PCAOB) is more or less restrictive than the corresponding rule in the other independence standards, the independent public accountant must comply with the more restrictive rule.
(g) Peer reviews and inspection reports. (1) Prior to commencing any services for an insured depository institution under this part, the independent public accountant must have received a peer review, or be enrolled in a peer review program, that meets acceptable guidelines. Acceptable peer reviews include peer reviews performed in accordance with the AICPA’s Peer Review Standards and inspections conducted by the PCAOB.
(2) Within 15 days of receiving notification that a peer review has been accepted or a PCAOB inspection report has been issued, or before commencing any audit under this part, whichever is earlier, the independent public accountant must file two copies of the most recent peer review report and the public portion of the most recent PCAOB inspection report, if any, accompanied by any letters of comments, response, and acceptance, with the FDIC, Accounting and Securities Disclosure Section, 550 17th Street, NW., Washington, DC 20429, if the report has not already been filed. The peer review reports and the public portions of the PCAOB inspection reports will be made available for public inspection by the FDIC.
(3) Within 15 days of the PCAOB making public a previously nonpublic portion of an inspection report, the independent public accountant must file two copies of the previously nonpublic portion of the inspection report with the FDIC, Accounting and Securities Disclosure Section, 550 17th Street, NW., Washington, DC 20429. Such previously nonpublic portion of the PCAOB inspection report will be made available for public inspection by the FDIC.
§ 363.4 — Filing and notice requirements.
(a) Part 363 Annual Report. (1) Each insured depository institution shall file with each of the FDIC, the appropriate Federal banking agency, and any appropriate State bank supervisor, two copies of its Part 363 Annual Report. A Part 363 Annual Report must contain audited comparative annual financial statements, the independent public accountant’s report thereon, a management report, and, if applicable, the independent public accountant’s attestation report on management’s assessment concerning the institution’s internal control structure and procedures for financial reporting as required by §§ 363.2(a), 363.3(a), 363.2(b), and 363.3(b), respectively.
(2) Subject to the criteria specified in § 363.1(b), each insured depository institution with consolidated total assets of less than $5 billion, as adjusted from time to time in accordance with 12 CFR 314.1, as of the beginning of its fiscal year that is required to file, or whose parent holding company is required to file, management’s assessment of the effectiveness of internal control over financial reporting with the SEC or the appropriate Federal banking agency in accordance with section 404 of SOX must submit a copy of such assessment to the FDIC, the appropriate Federal banking agency, and any appropriate State bank supervisor with its Part 363 Annual Report as additional information. This assessment will not be considered part of the institution’s Part 363 Annual Report.
(3)(i) Each insured depository institution that is neither a public company nor a subsidiary of a public company that meets the criterion specified in § 363.1(b)(1) shall file its Part 363 Annual Report within 120 days after the end of its fiscal year.
(ii) Each insured depository institution that is a public company or a subsidiary of public company that meets the criterion specified in § 363.1(b)(1) shall file its Part 363 Annual Report within 90 days after the end of its fiscal year.
(b) Public availability. Except for the annual report in paragraph (a)(1) of this section and the peer reviews and inspection reports in § 363.3(g), which shall be available for public inspection, the FDIC has determined that all other reports and notifications required by this part are exempt from public disclosure by the FDIC.
(c) Independent public accountant’s letters and reports. Except for the independent public accountant’s reports that are included in its Part 363 Annual Report, each insured depository institution shall file with the FDIC, the appropriate Federal banking agency, and any appropriate State bank supervisor, a copy of any management letter or other report issued by its independent public accountant with respect to such institution and the services provided by such accountant pursuant to this part within 15 days after receipt. Such reports include, but are not limited to:
(1) Any written communication regarding matters that are required to be communicated to the audit committee (for example, critical accounting policies, alternative accounting treatments discussed with management, and any schedule of unadjusted differences),
(2) Any written communication of significant deficiencies and material weaknesses in internal control required by the AICPA’s or the PCAOB’s auditing standards;
(3) For institutions with total assets of less than $5 billion, as adjusted from time to time in accordance with 12 CFR 314.1, as of the beginning of their fiscal year that are public companies or subsidiaries of public companies that meet the criterion specified in § 363.1(b)(1), any independent public accountant’s report on the audit of internal control over financial reporting required by section 404 of SOX and the PCAOB’s auditing standards; and
(4) For all institutions that are public companies or subsidiaries of public companies that meet the criterion specified in § 363.1(b)(1), any independent public accountant’s written communication of all deficiencies in internal control over financial reporting that are of a lesser magnitude than significant deficiencies required by the PCAOB’s auditing standards.
(d) Notice of engagement or change of accountants. Each insured depository institution shall provide, within 15 days after the occurrence of any such event, written notice to the FDIC, the appropriate Federal banking agency, and any appropriate State bank supervisor of the engagement of an independent public accountant, or the resignation or dismissal of the independent public accountant previously engaged. The notice shall include a statement of the reasons for any such resignation or dismissal in reasonable detail.
(e) Notification of late filing. No extensions of time for filing reports required by § 363.4 shall be granted. An insured depository institution that is unable to timely file all or any portion of its Part 363 Annual Report or any other report or notice required by § 363.4 shall submit a written notice of late filing to the FDIC, the appropriate Federal banking agency, and any appropriate State bank supervisor. The notice shall disclose the institution’s inability to timely file all or specified portions of its Part 363 Annual Report or any other report or notice and the reasons therefore in reasonable detail. The late filing notice shall also state the date by which the report or notice will be filed. The written notice shall be filed on or before the deadline for filing the Part 363 Annual Report or any other report or notice, as appropriate.
(f) Place for filing. The Part 363 Annual Report, any written notification of late filing, and any other report or notice required by § 363.4 should be filed as follows:
(1) FDIC: Appropriate FDIC Regional or Area Office (Division of Supervision and Consumer Protection), i.e., the FDIC regional or area office in the FDIC region or area that is responsible for monitoring the institution or, in the case of a subsidiary institution of a holding company, the consolidated company. A filing made on behalf of several covered institutions owned by the same parent holding company should be accompanied by a transmittal letter identifying all of the institutions covered.
(2) Office of the Comptroller of the Currency (OCC): Appropriate OCC Supervisory Office.
(3) Federal Reserve: Appropriate Federal Reserve Bank.
(4) Office of Thrift Supervision (OTS): Appropriate OTS District Office.
(5) State bank supervisor: The filing office of the appropriate State bank supervisor.
§ 363.5 — Audit committees.
(a) Composition and duties. Each insured depository institution shall establish an audit committee of its board of directors, the composition of which complies with paragraphs (a)(1), (2), and (3) of this section. The duties of the audit committee shall include the appointment, compensation, and oversight of the independent public accountant who performs services required under this part, and reviewing with management and the independent public accountant the basis for the reports issued under this part.
(1) Each insured depository institution with total assets of $5 billion, as adjusted from time to time in accordance with 12 CFR 314.1, or more as of the beginning of its fiscal year shall establish an independent audit committee of its board of directors, the members of which shall be outside directors who are independent of management of the institution.
(2) Each insured depository institution with total assets of $1 billion, as adjusted from time to time in accordance with 12 CFR 314.1, or more but less than $5 billion, as adjusted from time to time in accordance with 12 CFR 314.1, as of the beginning of its fiscal year shall establish an audit committee of its board of directors, the members of which shall be outside directors, the majority of whom shall be independent of management of the institution. The appropriate Federal banking agency may, by order or regulation, permit the audit committee of such an insured depository institution to be made up of less than a majority of outside directors who are independent of management, if the agency determines that the institution has encountered hardships in retaining and recruiting a sufficient number of competent outside directors to serve on the audit committee of the institution.
(3) An outside director is a director who is not, and within the preceding fiscal year has not been, an officer or employee of the institution or any affiliate of the institution.
(b) Committees of large institutions. The audit committee of any insured depository institution with total assets of more than $5 billion, as adjusted from time to time in accordance with 12 CFR 314.1, as of the beginning of its fiscal year shall include members with banking or related financial management expertise, have access to its own outside counsel, and not include any large customers of the institution. If a large institution is a subsidiary of a holding company and relies on the audit committee of the holding company to comply with this rule, the holding company’s audit committee shall not include any members who are large customers of the subsidiary institution.
(c) Independent public accountant engagement letters. (1) In performing its duties with respect to the appointment of the institution’s independent public accountant, the audit committee shall ensure that engagement letters and any related agreements with the independent public accountant for services to be performed under this part do not contain any limitation of liability provisions that:
(i) Indemnify the independent public accountant against claims made by third parties;
(ii) Hold harmless or release the independent public accountant from liability for claims or potential claims that might be asserted by the client insured depository institution, other than claims for punitive damages; or
(iii) Limit the remedies available to the client insured depository institution.
(2) Alternative dispute resolution agreements and jury trial waiver provisions are not precluded from engagement letters provided that they do not incorporate any limitation of liability provisions set forth in paragraph (c)(1) of this section.
§ 363.6 — Discretion to exempt certain insured depository institutions from this part.
If an insured depository institution likely will no longer be subject to a requirement of this part as a result of the application of a threshold adjusted in accordance with § 314.1 of this chapter that is scheduled to occur during the insured depository institution’s current fiscal year, the appropriate Federal banking agency with respect to the insured depository institution may exercise discretion to not require compliance from the insured depository institution with respect to such requirement as of the beginning of the insured depository institution’s current fiscal year. If the insured depository institution’s total assets exceed such a threshold subsequent to the threshold adjustment occurring, the insured depository institution would be required to comply with the relevant requirement notwithstanding this section, unless the appropriate Federal banking agency again drew the same conclusion with respect to a future threshold adjustment.