On November 25, 2025, the Federal Deposit Insurance Corporation (FDIC) issued a final rule that adjusts and indexes several regulatory thresholds across its regulations, including 12 CFR Part 363 (Part 363), which governs annual independent audit and reporting requirements for insured depository institutions (IDIs).
Effective January 1, 2026, the rule recalibrates thresholds to reflect inflation and establishes a systemic indexing methodology to ensure they remain aligned with economic conditions over time. However, the final rule provides immediate burden relief for IDIs that will not be subject to part 363 requirements under the updated thresholds in effect as of January 1, 2026, which means these IDIs do not have to comply with the applicable part 363 requirements in effect as of December 31, 2025. By tying thresholds to inflation, institutions are not subject to heightened requirements simply because of price-level changes, but rather based on real changes to growth, complexity, and risk profile.
The final rule was largely unchanged from the proposed Notice of Proposed Rulemaking (NPR), dated July 15, 2025. For more information, see our FORsights™, FDIC Considers New Policy for Updated Regulatory Thresholds, and FDIC Proposal on Part 363 Audit & Reporting Requirements for Community Banks. The final rule does, however, include important modifications or clarifications in the following areas:
| Topic/Regulation | Proposed Provision(s) | Final Rule(s) |
|---|---|---|
| Indexing Methodology for Future Threshold Adjustments | “Under the proposal, the FDIC generally would announce threshold adjustments pursuant to the indexing methodology by publishing a final rule in the Federal Register…The adjusted thresholds would be effective on April 1 of the year during which the adjustment occurs.” | The final rule provides that such adjustments will take effect on October 1. |
| Part 363 Applicability | N/A | If an IDI likely will no longer be subject to a part 363 requirement as a result of a threshold adjustment that is scheduled to occur during the IDI’s current fiscal year, the final rule permits the IDI’s appropriate Federal banking agency to exercise discretion to provide exemptive relief to the IDI. |
Part 363 has long been a focal point for compliance leaders as it sets the standards for Federal Deposit Insurance Corporation Improvement Act (FDICIA) annual audit and reporting requirements, and audit committee composition and compensation. Under the final rule, the threshold for requiring an annual independent audit has been raised from $500 million in total assets to $1 billion, providing significant relief for FDICIA annual audit requirements for smaller institutions. Similarly, the total asset threshold for requiring management reports on internal controls has increased from $1 billion to $5 billion. Finally, thresholds for audit committee independence requirements were increased from $3 billion in total assets to $5 billion, with the compensation threshold for independent committee members increased from $100,000 to $120,000. The implications of these changes are significant. For smaller community banks, relief from audit and reporting requirements allows them to free up resources that can be reallocated into technology and innovation updates, ongoing controls testing, or local lending. Institutions that had crossed prior thresholds due to inflation-driven asset growth will now find themselves relieved of certain obligations. In addition, the introduction of an indexing methodology enhances predictability and transparency as thresholds will be automatically adjusted every two years, or sooner if cumulative inflation exceeds eight percent. Together, these revisions provide institutions with a clear schedule for compliance planning and balance sheet management, reducing uncertainty about future obligations and allowing for more strategic growth decisions.
It is important to note that, at present, the Federal Reserve Board has not modified the reporting requirements for the Y-6. While the Federal Reserve Board has indicated a willingness to consider changes to asset thresholds, there are currently no proposals to do so. We are monitoring future developments.
Next Steps
Forvis Mazars, as a resource to the community banks we serve, sees this proposal as a positive step forward to help relieve burden for community banks. However, we remain of the mindset that management should review their organization’s risk profile with consideration to maintaining a robust internal control environment. While the final rule eliminates certain audit and reporting requirements for qualifying institutions, it does not eliminate the need to maintain effective internal controls, especially those over financial reporting.
As the effective date approaches, bank executives and compliance leaders should take several steps to prepare:
- Institutions should assess their current asset level to determine whether they will remain subject to Part 363 or related requirements under the new thresholds.
- While part 363 is the focal point, this change may have ancillary impacts across the regulatory landscape. For example, the definition of large and supervised lenders with respect to Department of Housing and Urban Development (HUD) and Federal Housing Administration (FHA) compliance audits is tied to the FDICIA threshold. Management should be aware of potential impacts across regulations.
- Governance structures, particularly audit committee composition, should be reviewed to ensure alignment with the updated requirements.
- Compliance teams should incorporate the biennial indexing schedule into planning models, anticipating future adjustments and integrating them into strategic growth strategies.
At Forvis Mazars, we are dedicated to providing you with strategic insights. Rather than halting progress, we suggest tailoring these processes to help efficiently identify, monitor, measure, and manage risks. For more information on how we can help evaluate and enhance your program, please contact us.
Part 363 Threshold Updates
| Regulation | Citation | Citation Detail (Current Threshold) | Proposed Threshold |
|---|---|---|---|
| 12 CFR Part 363: Annual Independent Audits and Reporting Requirements | 363.1(a) | 363.1(a): This part applies to any insured depository institution with respect to any fiscal year in which its consolidated total assets as of the beginning of such fiscal year are $500 million or more. | $1 billion |
| 363.2(b)(3) | 363.2(b)(3): For an insured depository institution with consolidated total assets of $1 billion or more as of the beginning of such fiscal year, an assessment by management of the effectiveness of such internal control structure and procedures | $5 billion | |
| 363.3(b) | 363.3(b): For each insured depository institution with total assets of $1 billion or more at the beginning of the institution’s fiscal year, the independent public accountant who audits the institution’s financial statements shall examine, attest to, and report separately on the assertion of management concerning the effectiveness of the institution’s internal control structure and procedures for financial reporting. | $5 billion | |
| 363.4(a)(2) | 363.4(a)(2): Subject to the criteria specified in § 363.1(b), each insured depository institution with consolidated total assets of less than $1 billion as of the beginning of its fiscal year that is required to file, or whose parent holding company is required to file, management’s assessment of the effectiveness of internal control over financial reporting with the SEC or the appropriate Federal banking agency in accordance with section 404 of SOX must submit a copy of such assessment to the FDIC, the appropriate Federal banking agency, and any appropriate State bank supervisor with its Part 363 Annual Report as additional information. This assessment will not be considered part of the institution’s Part 363 Annual Report. | $5 billion | |
| 363.4(c)(3) | 363.4(c)(3): For institutions with total assets of less than $1 billion as of the beginning of their fiscal year that are public companies or subsidiaries of public companies that meet the criterion specified in § 363.1(b)(1), any independent public accountant’s report on the audit of internal control over financial reporting required by section 404 of SOX and the PCAOB’s auditing standards; and | $5 billion | |
| 363.5(a)(1) | 363.5(a)(1): Each insured depository institution with total assets of $1 billion or more as of the beginning of its fiscal year shall establish an independent audit committee of its board of directors, the members of which shall be outside directors who are independent of management of the institution. | $5 billion | |
| 363.5(a)(2) | 363.5(a)(2): Each insured depository institution with total assets of $500 million or more but less than $1 billion as of the beginning of its fiscal year shall establish an audit committee of its board of directors, the members of which shall be outside directors, the majority of whom shall be independent of management of the institution. | $1 billion | |
| 363.5(a)(2) | 363.5(a)(2): >=$1 billion | $5 billion | |
| 363.5(b) | 363.5(b): Committees of large institutions. The audit committee of any insured depository institution with total assets of more than $3 billion as of the beginning of its fiscal year shall include members with banking or related financial management expertise, have access to its own outside counsel, and not include any large customers of the institution. If a large institution is a subsidiary of a holding company and relies on the audit committee of the holding company to comply with this rule, the holding company’s audit committee shall not include any members who are large customers of the subsidiary institution. | $5 billion | |
| Guideline 8A | Appendix A to Part 363—Guidelines and Interpretation – 8A:Management’s Reports on Internal Control over Financial Reporting under Part 363 and Section 404 of SOX. An institution with $1 billion or more in total assets as of the beginning of its fiscal year that is subject to both part 363 and the SEC’s rules implementing section 404 of SOX (as well as a public holding company permitted under the holding company exception in § 363.1(b)(2) to file an internal control report on behalf of one or more subsidiary institutions with $1 billion or more in total assets)… | $5 billion | |
| Guideline 10 | Appendix A to Part 363—Guidelines and Interpretation – 10: Standards for Internal Control. The management of each insured depository institution with $1 billion or more in total assets as of the beginning of its fiscal year should base its assessment of the effectiveness of the institution’s internal control over financial reporting on a suitable, recognized control framework … | $5 billion | |
| Guideline 18A | Appendix A to Part 363—Guidelines and Interpretation – 18A: Internal Control Attestation Standards for Independent Auditors. … the independent public accountant’s attestation and report on management’s assertion concerning the effectiveness of an institution’s internal control structure and procedures for financial reporting shall be made in accordance with generally accepted standards for attestation engagements or the PCAOB’s auditing standards, … for institutions with $1 billion or more in total assets | $5 billion | |
| Guideline 27 | Appendix A to Part 363—Guidelines and Interpretation – 10: Audit Committees Composition. … at least annually, the board of an institution with $1 billion or more in total assets as of the beginning of its fiscal year should determine whether all existing and potential audit committee members are “independent of management of the institution” and the board of an institution with total assets of $500 million or more but less than $1 billion as of the beginning of its fiscal year should determine whether the majority of all existing and potential audit committee members are “independent of management of the institution.” |
| |
| Guideline 28(b)(4) | Appendix A to Part 363—Guidelines and Interpretation – 28(b)(4): The director has received, or has an immediate family member who has received, during any twelve-month period within the last three years, more than $100,000 in direct and indirect compensation from the institution, its subsidiaries, and its affiliates… | $120 thousand | |
| Guideline 30(b) | Appendix A to Part 363—Guidelines and Interpretation – 30(b): When an insured depository institution subsidiary with total assets of $1 billion or more as of the beginning of its fiscal year does not meet the requirements for the holding company exception … | $5 billion | |
| Guideline 30(c) | Appendix A to Part 363—Guidelines and Interpretation – 30(c): Holding Company Audit Committees.When an insured depository institution with total assets of $500 million or more but less than $1 billion as of the beginning of its fiscal year does not meet the requirements for the holding company exception… | $1 billion | |
| Guideline 35(a) | Appendix A to Part 363—Guidelines and Interpretation – 35(a): When an insured depository institution’s total asset as of the beginning of its fiscal year are $500 million or more for the first time and it thereby becomes subject to part 363, no regulatory action will be taken if the institution… | $1 billion | |
| Guideline 35(b) | Appendix A to Part 363—Guidelines and Interpretation – 35(b)): When an insured depository institution’s total assets as of the beginning of its fiscal year are $1 billion or more for the first time, no regulatory action will be taken if the institution forms or restructures its audit committee to comply with § 363.5(a)(1) by the end of that fiscal year, provided … | $5 billion | |
| Guideline 35(c) | Appendix A to Part 363—Guidelines and Interpretation – 35(c): When an insured depository institution’s total asset as of the beginning of its fiscal year are $3 billion or more for the first time, no regulatory action will be taken if the institution forms or restructures its audit committee to comply with § 363.5(b) by the end of that fiscal year, provided … | $5 billion | |
| Appendix B item 7.2(b) | Appendix B to Part 363—Illustrative Management Reports – 7.2(b): For an institution with total assets of $1 billion or more as of the beginning of its fiscal year, the assessment by management of the effectiveness of internal control over financial reporting and the independent public accountant’s attestation on management’s assertion as to the effectiveness of internal control over financial reporting, if applicable, must both be performed at the same level, i.e., either at the insured depository institution level or at the holding company level. | $5 billion |