Navigating Banking Requirements Beyond the Billion-Dollar Asset Threshold

Written by: Michaela E. Herrholz , CPA ,

Adding extra zeros to the asset line and surpassing the coveted billion-dollar mark opens doors to new opportunities for a financial institution, but it also presents a host of new challenges under Part 363 of the Federal Deposit Insurance Act (FDICIA). This article explores the reporting and accounting requirements that kick in at this new asset threshold, and how to prepare for reaching $1 billion in assets.

Measuring Consolidated Total Assets

Total consolidated assets are measured as of the beginning of the fiscal year. To determine to what level an insured depository institution (IDI) must comply with the requirements of FDICIA Part 363, the institution should use the total assets as reported on its most recent Call Report at the beginning of the fiscal year. For example, if an institution’s total assets were $1 billion as of December 31, 2023, the institution would have to comply with the additional requirements of FDICIA for 2024. If total assets exceeded $1 billion during 2023, but were less than $1 billion as of December 31, 2023, additional FDICIA requirements would not apply for the following period as the measurement date is the most recent Call Report at the beginning of the fiscal year.

Annual Reporting Requirements

All IDIs subject to FDICIA Part 363 must file two copies of their Annual Report with their regulators, as follows:

• Non-public IDI: 120 days after the end of its fiscal year
• Public IDI: 90 days after the end of its fiscal year

The Annual Report must include:

1. Audited comparative annual financial statements including the independent public accountant’s report (i.e. the audit opinion contained in the financial statements). Note that management is required to prepare the financial statements, including disclosures and tax accrual.
2. A management report. The management report contains 3 main components:
   1. A statement of management’s responsibilities for preparing the annual financial statements, establishing and maintaining an adequate internal control structure and procedures for financial reporting, and complying with laws and regulations relating to safety and soundness that are designated by the FDIC and the appropriate federal banking agency.
   2. For those IDIs with greater than $1 billion in total consolidated assets, an assessment by management on the effectiveness of the institution’s internal control structure over financial reporting as of the end of the fiscal year.
   3. An assessment by management of the IDI’s compliance with such laws and regulations during the fiscal year. Illustrative management reports can be found in Appendix B of FDICIA Part 363.
3. For those IDIS with greater than $1 billion in total consolidated assets, the independent public accountant’s audit report (opinion) regarding the effectiveness of the institution’s internal control over financial reporting.

All reports the independent public accountant sends to the institution must be filed with the regulators within 15 days of receipt, including management letters issued by the independent public accountant if applicable. The date of receipt may not necessarily align with the audit report date. For example, if the audit report concerning the institution’s internal control over financial reporting dated February 2, 2024, is received by a calendar year-end institution on February 10, 2024, the institution must file it with the regulators no later than February 25, 2024.

Note that there is a caveat to this as IDIs must still file the annual report and other required documents within 90 days of the end of the fiscal year for public companies and 120 days for non-public companies, at the latest. Therefore, as an example for a non-public company, if the audit report is received by the institution on April 21, 2024, the institution must file it with the regulators no later than April 30, 2024.

There are practical expedient options for satisfying the reporting requirements at the holding company level if preferred. Please refer to FDICIA Part 363 for holding company considerations. See the ICFR section below, which applies to IDIs with $1 billion or more in total assets.

Internal Control Over Financial Reporting (ICFR) Requirements

Thorough readiness for the mandated FDICIA reporting is crucial, given the substantial time and effort needed to guarantee the financial institution is prepared for FDICIA compliance. This preparatory phase, typically initiated at least a year prior to reaching the $1 billion threshold, should encompass:

• A risk assessment to identify and document key ICFR controls, and a controls assessment against the Committee for Sponsoring Organization’s 2013 control framework (COSO). ICFR controls are internal controls that prevent or detect errors in financial reporting.
• Documentation that controls are designed effectively and that management has assessed controls for operating effectiveness.
• Control gap identification, and instituting new controls, as needed.

The above-noted readiness items should be completed annually and IFCR testing should be done throughout the entire fiscal year to ensure controls are operating as expected for the entire period under audit. Consider using an internal auditor to perform risk assessment, documentation of controls, and testing of controls. The internal audit group should work to complete a risk assessment and then develop an audit plan and program for each of the key areas identified. Internal audit should coordinate or perform all testing and report findings to management, the board, and the audit committee.

Audit Committee

Institutions that hit the greater than $1 billion in assets threshold must evaluate the composition of their audit committee. The audit committee members are required to consist of external directors who are all independent of the institution’s management, as opposed to just an independent majority. When an institution reaches total assets of $3 billion or more, the audit committee shall meet the requirements for covered institutions with $1 billion or more in total assets noted above, and also include members with banking or financial management expertise, have access to outside counsel, and not include any large customers of the institution.

Independence

All institutions subject to FDICIA and the independent public accountant are required to follow SEC independence standards including principal rotation every five years, pre-approval of non-audit services before the services can begin, and restrictions on the institution hiring a member of the audit engagement team.

Additional Considerations

Apart from the FDICIA Part 363 stipulations, additional complexities may surface when an institution surpasses the $1 billion threshold. These may encompass, among other things:

• Enterprise Risk Management: Regulatory expectations often include the establishment of a formalized function soon after surpassing the $1 billion threshold.
• Information Technology (IT) & Systems: Evaluating the adequacy of the current IT infrastructure is important for an institution as it navigates growth beyond the $1 billion mark. Ensuring current systems have the capacity for sustained expansion, improved reporting, and enhanced decision-making capabilities is essential for the institution to operate efficiently.
• Model Validation Considerations: The OCC, Federal Reserve, and FDIC developed the Supervisory Guidance on Model Risk Management which outlines sound practices for model risk management programs, including expectations for model validation. The guidance highlights that model validation is important to help prevent adverse consequences (including financial loss) of decisions based on models that are incorrect or misused. This guidance is primarily targeted to institutions with greater than $1 billion in total assets.
• Organizational Structure: Increased expectations and scrutiny may arise regarding the operational aspects of the institution, including reporting structures and staffing. If the institution continues to operate in the same manner as it did at $500 million, regulators may intensify their focus on specific areas of the institution to ensure that the institution is appropriately addressing risks as it grows.

The FDIC Summary of Filing Requirements is a valuable reference for additional details, as is the electronic version of the Code of Federal Regulations Part 363 – Summary of Filing Requirements. For additional questions and assistance with your filings, reach out to our team at Wolf & Company today!