Banks previously not subject to the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) may soon find themselves with new reporting requirements. A culmination of factors, including COVID-19 relief efforts and stimulus programs, as well as historically low federal interest rates have dramatically increased the volume of assets held by banks. These assets may push banks over the $1 billion threshold for internal control testing requirements under FDICIA.
How We Got Here
Prior to COVID-19, the U.S. economy showed signs of growth and stability. Federal interest rates were low, which prompted more mortgages, auto loans and commercial lending from bank customers, which appear as assets on a bank’s balance sheet.
COVID-19, while disruptive, also ended up increasing asset size for banks because the government loans provided under the Paycheck Protection Program (PPP) and now the second iteration of the program, PPP2, among other federal lending initiatives also counted as bank assets for financial reporting purposes (because banks serve as the intermediary between the government and the SBA loan applicant). The combination of low interest rates, a strong economy and the COVID-19 relief loans may be propelling many banks toward FDICIA requirements for the first time. For banks already over the $1 billion threshold, it’s worth noting that FDICIA has additional requirements at $3 billion or more in total assets.
A FDICIA Refresher
FDICIA compliance for banks means that a bank must have a financial controls environment that adheres to a recognized control framework, such as COSO 2013. Generally, when evaluating these controls, one could refer to the concept of internal controls over financial reporting (ICFR), which is a common term/phrase in the financial statement audit space. The additional scrutiny on controls for banks under FDICIA is the equivalent of Sarbanes-Oxley (SOX) for public companies. Just as public companies are required to do for SOX, banks are asked to undergo a specific type of internal audit for FDICIA compliance to ensure that the financial reporting process and controls are in place and operating as intended.
Generally speaking, banks must demonstrate compliance with FDICIA in the year after they’ve reached the $1 billion asset threshold. So, if on Dec. 31, 2020 a bank has $1 billion or more in assets, then it must demonstrate FDICIA compliance by Dec. 31, 2021.
Because of the disruption experienced in 2020, banks newly eligible for FDICIA will have a longer than normal grace period to undergo their FDICIA internal audit. The Federal Deposit Insurance Corporation is permitting banks that had $1 billion in consolidated total assets during its fiscal year ending in 2020 to elect to use the lesser of the consolidated total assets they had in place on Dec. 31, 2019 or consolidated assets as of Jan. 1, 2021 to determine applicability of FDICIA requirements for fiscal years ending in 2021. Essentially, the election would give banks that reached the $1 billion threshold during their 2020 fiscal year end an additional year to undergo the FDICIA internal control implementation and testing requirement.
What Banks Should Do If They’re On the Brink
Banks between $850 million and $1 billion should be actively planning for their approach to FDICIA internal control compliance. A reasonable time to begin the compliance process is 12-18 months out from when the compliance would be due.
To prepare for FDICIA compliance, banks will need to identify and design a system for ICFR and be able to demonstrate this control environment was operating effectively over the fiscal year. Evaluating the current internal audit committee or creating an audit committee will also be vital. All audit committee members must be independent of management teams. As best practice, and required for banks over $3 billion in assets, the audit committee should include members with banking or related financial management expertise, have access to their own outside counsel and not include any large customers of the institution as defined in FDICIA regulations.
Bank management must also assess risk and document control activities. A third-party internal controls expert can assist in the control environment review process prior to the FDICIA internal controls tests beginning.
It is important to plan thoroughly leading up to the testing, particularly given the time sensitivity of the new control obligations. A clear timeline can be established between you and the third-party controls expert who performs the FDICIA control design and tests of operating effectiveness. Quality assurances can also be tested at regular intervals prior to the FDICIA requirement period beginning. Through this process, banks can address any control deficiencies and evaluate the effectiveness of current systems.
While the compliance process can be complex and require extensive documentation, it provides a focused training opportunity for those in your organization who need to understand and refresh documentation strategies.
For more information on achieving FDICIA compliance, download your FDICIA Timeline and Checklistor contact a member of our team.