As a trusted advisor of financial institutions across the nation, we hear first-hand from community banks regarding the challenges of managing regulatory change and uncertainty. In an ever-changing regulatory environment, bankers want to know what needs to be done as an industry to operate in a safe and sound manner, to remain in compliance with federal and state laws, and to survive an exam with minimal issues. While many of the regulatory changes made by the prudential regulators and the Consumer Financial Protection Bureau (CFPB) are intended to reduce regulatory burden, lingering uncertainty has led to uneasiness within the management of some banks.
On July 15, 2025, the FDIC issued a proposal to adjust and modernize Part 363 of its regulations, which includes the rules that govern audit and reporting requirements for insured depository institutions. The proposed changes aim to increase a wide range of asset-based thresholds that have remained static for decades, despite inflation and shifts in the banking landscape over the years. The proposal not only increases these thresholds but would tie them to an index that would continue to adjust over time with changes in the rate of inflation as measured by the consumer price index.1
What’s happening
While the proposal would adjust all of the thresholds in Part 363, the most impactful adjustment from this proposed rule relates to changes in the audit requirements for institutions within the following asset sizes:
Table 1
| Previous Asset Threshold | New Asset Threshold | Requirements Impacted |
|---|---|---|
| $500 million or more | $1 billion or more | Independent external financial statement audit |
| $1 billion or more | $5 billion or more | Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) controls and testing by management and independent public accountant |
Note: See Table 2 for a more detailed summary of the threshold changes proposed for part 363.
While this is a proposed rule, it is very likely to be finalized as proposed, with little likelihood that the thresholds would revert back in later rulemakings. As noted in the FDIC’s proposal, consideration of these threshold changes started in 2024 as a result of comments received from the periodic review of regulations required by the Economic Growth and Regulatory Paperwork Reduction Act of 1996 (EGRPRA).
The initial scope of application for Part 363 was intended to help promote sound financial management of those institutions posing the greatest potential risk to the Deposit Insurance Fund (DIF). However, given the growth of the banking system as well as the overall economy, over time the scope of application of Part 363 began to capture institutions that did not pose elevated risks to the DIF. Even with adjusting the threshold from $1 billion to $5 billion in assets for FDICIA controls and testing, the FDIC noted that the new requirements would cover the group of banks that hold 89 percent of the industry assets, which is more than at the inception of Part 363 where approximately 75% of industry assets were covered. In its proposal, the FDIC estimated that the increase of the $500 million threshold to $1 billion could provide burden relief to approximately 774 banks, and the increase of the $1 billion threshold to $5 billion could provide burden relief to as many as 752 additional banks.
The FDIC stated in the proposal: “The thresholds set forth in the proposal also would achieve meaningful burden reduction for the smallest institutions, which would be removed from the scope of applicability for reporting requirements and internal control assessments. Furthermore, experience has demonstrated that smaller community institutions, particularly those in rural areas, have had difficulty complying with the audit committee composition requirements. Specifically, these institutions frequently report that it is increasingly difficult to attract and retain individuals who are willing and capable of serving as a member of an audit committee, thereby making compliance with the audit committee composition requirements of part 363 challenging.”
Next steps
With the proposal in place, the next question is: what do we do now? Do we celebrate and stop everything? Do we keep going as is?
These are all great questions that deserve to be asked. Forvis Mazars, as a resource to the community banks we serve, sees this proposal as a positive step forward to help relieve burden for community banks. However, we believe banks need to review their institution’s profile to determine which aspects of the current control framework can be removed due to overlap, while maintaining the controls and testing that remain beneficial for limiting and controlling risk. After all, these requirements were put into place to help manage the risk of bank failure and problems within the banking system.
A robust internal control environment is still essential for maintaining the safety and soundness of a financial institution. This proposed rule does not eliminate the need for all internal controls, especially those over financial reporting. However, the burden of documentation and compliance with reporting requirements could be lessened for many institutions. There is an opportunity to thoughtfully reevaluate institution-wide risk and the corresponding internal controls ultimately tested by management. If you are within the $1 billion to $5 billion asset range, here are the questions you should be asking:
- What controls are beneficial and help control our risk profile (operational, financial reporting, and IT)?
- What corporate governance responsibilities will we continue to have for maintaining and documenting our compliance with an effective internal control environment? How will this impact our existing risk assessment processes, business process and control documentation, and testing by our internal audit function?
- Does a change in rules allow for reevaluation of our audit committee structure and recruitment of new talent?
- What areas should we continue to focus upon as we eliminate lower risk or areas with overlap?
- What is our strategic plan for the next 3 to 5 years? If we are looking to grow or acquire, should we change anything if the plan moves us beyond the $5 billion threshold?
Risk assessing these areas and identifying the controls that are beneficial to the bank will be essential before this rule is finalized.
At Forvis Mazars, we are dedicated to providing you with strategic insights. Rather than halting progress, we suggest tailoring these processes to efficiently identify, monitor, measure, and manage risks. For more information on how we can help evaluate and enhance your program, please contact us.
Table 2
Part 363 Proposed Threshold Updates2
| Regulation | Citation | Citation Detail (Current Threshold) | Proposed Threshold |
|---|---|---|---|
| 12 CFR Part 363: Annual Independent Audits and Reporting Requirements3 | 363.1(a) | 363.1(a): This part applies to any insured depository institution with respect to any fiscal year in which its consolidated total assets as of the beginning of such fiscal year are $500 million or more. | $1 billion |
| | 363.2(b)(3) | 363.2(b)(3): For an insured depository institution with consolidated total assets of $1 billion or more as of the beginning of such fiscal year, an assessment by management of the effectiveness of such internal control structure and procedures | $5 billion |
| | 363.3(b) | 363.3(b): For each insured depository institution with total assets of $1 billion or more at the beginning of the institution’s fiscal year, the independent public accountant who audits the institution’s financial statements shall examine, attest to, and report separately on the assertion of management concerning the effectiveness of the institution’s internal control structure and procedures for financial reporting. | $5 billion |
| | 363.4(a)(2) | 363.4(a)(2): Subject to the criteria specified in § 363.1(b), each insured depository institution with consolidated total assets of less than $1 billion as of the beginning of its fiscal year that is required to file, or whose parent holding company is required to file, management’s assessment of the effectiveness of internal control over financial reporting with the SEC or the appropriate Federal banking agency in accordance with section 404 of SOX must submit a copy of such assessment to the FDIC, the appropriate Federal banking agency, and any appropriate State bank supervisor with its Part 363 Annual Report as additional information. This assessment will not be considered part of the institution’s Part 363 Annual Report. | $5 billion |
| | 363.4(c)(3) | 363.4(c)(3): For institutions with total assets of less than $1 billion as of the beginning of their fiscal year that are public companies or subsidiaries of public companies that meet the criterion specified in § 363.1(b)(1), any independent public accountant’s report on the audit of internal control over financial reporting required by section 404 of SOX and the PCAOB’s auditing standards; and | $5 billion |
| | 363.5(a)(1) | 363.5(a)(1): Each insured depository institution with total assets of $1 billion or more as of the beginning of its fiscal year shall establish an independent audit committee of its board of directors, the members of which shall be outside directors who are independent of management of the institution. | $5 billion |
| | 363.5(a)(2) | 363.5(a)(2): Each insured depository institution with total assets of $500 million or more but less than $1 billion as of the beginning of its fiscal year shall establish an audit committee of its board of directors, the members of which shall be outside directors, the majority of whom shall be independent of management of the institution. | $1 billion |
| | 363.5(a)(2) | 363.5(a)(2): >=$1 billion | $5 billion |
| | 363.5(b) | 363.5(b): Committees of large institutions. The audit committee of any insured depository institution with total assets of more than $3 billion as of the beginning of its fiscal year shall include members with banking or related financial management expertise, have access to its own outside counsel, and not include any large customers of the institution. If a large institution is a subsidiary of a holding company and relies on the audit committee of the holding company to comply with this rule, the holding company’s audit committee shall not include any members who are large customers of the subsidiary institution. | $5 billion |
| | Guideline 8A | Appendix A to Part 363—Guidelines and Interpretation – 8A: Management’s Reports on Internal Control over Financial Reporting under Part 363 and Section 404 of SOX. An institution with $1 billion or more in total assets as of the beginning of its fiscal year that is subject to both part 363 and the SEC’s rules implementing section 404 of SOX (as well as a public holding company permitted under the holding company exception in § 363.1(b)(2) to file an internal control report on behalf of one or more subsidiary institutions with $1 billion or more in total assets)… | $5 billion |
| | Guideline 10 | Appendix A to Part 363—Guidelines and Interpretation – 10: Standards for Internal Control. The management of each insured depository institution with $1 billion or more in total assets as of the beginning of its fiscal year should base its assessment of the effectiveness of the institution’s internal control over financial reporting on a suitable, recognized control framework … | $5 billion |
| | Guideline 18A | Appendix A to Part 363—Guidelines and Interpretation – 18A: Internal Control Attestation Standards for Independent Auditors. … the independent public accountant’s attestation and report on management’s assertion concerning the effectiveness of an institution’s internal control structure and procedures for financial reporting shall be made in accordance with generally accepted standards for attestation engagements or the PCAOB’s auditing standards, … for institutions with $1 billion or more in total assets | $5 billion |
| | Guideline 27 | Appendix A to Part 363—Guidelines and Interpretation – 10: Audit Committees Composition. … at least annually, the board of an institution with $1 billion or more in total assets as of the beginning of its fiscal year should determine whether all existing and potential audit committee members are “independent of management of the institution” and the board of an institution with total assets of $500 million or more but less than $1 billion as of the beginning of its fiscal year should determine whether the majority of all existing and potential audit committee members are “independent of management of the institution.” | $5 billion; $1 billion |
| | Guideline 28(b)(4) | Appendix A to Part 363—Guidelines and Interpretation – 28(b)(4): The director has received, or has an immediate family member who has received, during any twelve-month period within the last three years, more than $100,000 in direct and indirect compensation from the institution, its subsidiaries, and its affiliates… | $120 thousand |
| | Guideline 30(b) | Appendix A to Part 363—Guidelines and Interpretation – 30(b): When an insured depository institution subsidiary with total assets of $1 billion or more as of the beginning of its fiscal year does not meet the requirements for the holding company exception … | $5 billion |
| | Guideline 30(c) | Appendix A to Part 363—Guidelines and Interpretation – 30(c): Holding Company Audit Committees. When an insured depository institution with total assets of $500 million or more but less than $1 billion as of the beginning of its fiscal year does not meet the requirements for the holding company exception… | $1 billion |
| | Guideline 35(a) | Appendix A to Part 363—Guidelines and Interpretation – 35(a): When an insured depository institution’s total assets as of the beginning of its fiscal year are $500 million or more for the first time and it thereby becomes subject to part 363, no regulatory action will be taken if the institution… | $1 billion |
| | Guideline 35(b) | Appendix A to Part 363—Guidelines and Interpretation – 35(b): When an insured depository institution’s total assets as of the beginning of its fiscal year are $1 billion or more for the first time, no regulatory action will be taken if the institution forms or restructures its audit committee to comply with § 363.5(a)(1) by the end of that fiscal year, provided … | $5 billion |
| | Guideline 35(c) | Appendix A to Part 363—Guidelines and Interpretation – 35(c): When an insured depository institution’s total assets as of the beginning of its fiscal year are $3 billion or more for the first time, no regulatory action will be taken if the institution forms or restructures its audit committee to comply with § 363.5(b) by the end of that fiscal year, provided … | $5 billion |
| | Appendix B item 7.2(b) | Appendix B to Part 363—Illustrative Management Reports – 7.2(b): For an institution with total assets of $1 billion or more as of the beginning of its fiscal year, the assessment by management of the effectiveness of internal control over financial reporting and the independent public accountant’s attestation on management’s assertion as to the effectiveness of internal control over financial reporting, if applicable, must both be performed at the same level, i.e., either at the insured depository institution level or at the holding company level. | $5 billion |
- 1 Specifically, the FDIC proposes to update the thresholds using the non-seasonally adjusted Consumer Price Index for Urban Wage Earners and Clerical Workers (CPI-W) as published by the U.S. Bureau of Labor Statistics.
- 2 adjusting-and-indexing-certain-regulatory-thresholds-federal-register-notice.pdf
- 3 eCFR :: 12 CFR Part 363 -- Annual Independent Audits and Reporting Requirements