On July 15, 2025, the Federal Deposit Insurance Corporation (FDIC) Board of Directors approved a notice of proposed rulemaking (NPR) that would adjust certain regulatory thresholds, including those in 12 CFR part 363 related to annual independent audit and reporting requirements, based on historical inflation, and establish an indexing methodology for future adjustments.
The proposal is the first part of a multi-phase initiative to reevaluate the FDIC’s regulatory thresholds, which are used to tailor the regulatory framework to the size, complexity, and risk profile of each financial institution.
The proposal would raise the general applicability threshold from $500 million to $1 billion, the internal control over financial reporting (ICFR) asset threshold from $1 billion to $5 billion, and thresholds related to audit committee composition generally from $500 million to $1 billion, and from $1 billion and $3 billion to $5 billion.
By making these adjustments, the FDIC seeks to ensure sound financial management of the institutions posing the greatest potential risk to the Deposit Insurance Fund while maintaining consistency with the historical scope of applicability and reducing potential burdens on smaller institutions.
However, it is important to note that these perceived burdens are subjective. Many institutions that embrace FDICIA requirements have seen value beyond financial reporting, including the standardization of processes, risk mitigation, and a better understanding of the organization, which can ultimately reduce costs and add value.
The proposed increase in the asset threshold under 12 CFR Part 363 from $1 billion to $5 billion may inadvertently undermine sound risk management by weakening internal control discipline in growing banks. Frameworks such as COSO 2013 and guidance from The Institute of Internal Auditors (IIA) emphasize that effective ICFR is essential regardless of size, particularly as organizations become more complex—not solely based on asset size for banks. These frameworks advocate for a scalable and principles-based approach that supports governance, risk mitigation, and financial integrity.
Raising the threshold risks encouraging smaller banks to scale back their control efforts, even though many are experiencing growth, expanding product offerings, and increasing operational risks. A $1 billion bank, while below the proposed threshold, still poses material financial reporting risk to stakeholders, including depositors, investors, and regulators. The unintended consequences of the revised ruling could, in fact:
- Create an abundance of banks that do not inspect the control environment effectively and therefore are subject to additional regulatory concerns (perhaps even consent orders), affecting the safety and soundness of these banks.
- Create blind spots in governance and financial accuracy, contrary to best practices that call for proportionate, risk-based control environments regardless of size. This can result in higher costs to banks, monetary penalties, and/or an overall downgrade in bank ratings.
However, if the proposed change takes effect, it does not necessarily mean that audits of ICFR will cease. Rather, the current FDICIA effort could shift to more standard internal audit practice rather than relieve perceived cost burdens.
Another emerging trend impacting community banks, “New insights from the Office of the Comptroller of the Currency’s 2025 Request for Information (RFI) on community bank digitalization” describes challenging obstacles for these institutions as they are predominantly ill-equipped to change internal processes and traditional thinking that is necessary to address the demands of a digital-first world or “risk obsolescence.”
The FDIC seeks comments on all aspects of the proposal, including alternative approaches to updating thresholds, alternative indices to measure inflation, other indices that could be used as a basis for adjustments (i.e., measures of economic or banking industry activity), the scope of regulations impacted, and the frequency and manner in which adjustments should be made. Comments will be accepted until Sept. 26, 2025.
In addition to our core audit and tax services, CBIZ’s Financial Services Industry Group can accommodate project demands from financial institutions that are closely monitoring their costs , providing quality service while containing costs and maximizing efficiencies. Check out an overview of our services for financial institutions, and reach out to an industry professional to learn more about how CBIZ can help you navigate change with confidence.
© Copyright CBIZ, Inc. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.
“CBIZ” is the brand name under which CBIZ CPAs P.C. and CBIZ, Inc. and its subsidiaries, including CBIZ Advisors, LLC, provide professional services. CBIZ CPAs P.C. and CBIZ, Inc. (and its subsidiaries) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations, and professional standards. CBIZ CPAs P.C. is a licensed independent CPA firm that provides attest services to its clients. CBIZ, Inc. and its subsidiary entities provide tax, advisory, and consulting services to their clients. CBIZ, Inc. and its subsidiary entities are not licensed CPA firms and, therefore, cannot provide attest services.