By: Bill Curtis, CPA
On November 25, 2025, the Federal Deposit Insurance Corporation (FDIC) finalized a significant rule change that modernizes the Annual Independent Audits and Reporting Requirements under 12 CFR Part 363 (Part 363). This is the most substantial update to these thresholds in decades, designed to reduce the regulatory burden for community and regional banks.
Effective January 1, 2026, these changes fundamentally adjust the compliance thresholds for audit and internal control reporting.
Crucial Note on Timing: The rule offers immediate relief. If your institution is not subject to the new thresholds as of January 1, 2026, you are not required to comply with the old requirements for your December 31, 2025, fiscal year-end.
We have analyzed the final rule to determine the strategic implications for your institution. Below is our guidance based on your asset size.
For Institutions with Total Assets Between $500 Million and $1 Billion
(Previously subject to mandatory Part 363 external audits)
The Headline: You are now exempt from the mandatory audit and reporting requirements of Part 363.
What Changed: Previously, crossing the $500 million mark triggered the requirement for an annual independent audit, preparing the financial statements and footnotes, and a dedicated audit committee made of outside directors. The new rule raises this threshold to $1 billion.
Our Strategic Advice:
- Review Your Obligations: While the FDIC no longer mandates an audit for Part 363, you likely still require a financial statement audit to satisfy holding company requirements, debt covenants, investor expectations, or state banking laws.
- Compliance Alert: The definition of large and supervised lenders with respect to Department of Housing and Urban Development (HUD) and Federal Housing Administration (FHA) compliance audits is tied to the Part 363 thresholds. Management should be aware of potential impacts across regulations.
- Governance Opportunities: The pressure to recruit specific “independent” directors to satisfy Part 363 is reduced. This can ease recruitment challenges, particularly in smaller markets. However, maintaining a strong, objective audit committee remains a governance best practice we strongly recommend.
For Institutions with Total Assets Between $1 Billion and $5 Billion
(Previously subject to stringent ICFR attestation requirements)
The Headline: You are exempt from the Internal Control over Financial Reporting (ICFR) attestation requirement.
What Changed: Previously, the “billion-dollar mark” was a major hurdle, triggering the requirement for management’s assessment and an external auditor’s attestation on internal controls (often called “FDICIA” compliance). The new rule raises this threshold to $5 billion.
Clarification on Management Reporting: It is important to note the distinction between responsibility and assessment.
- Management must still sign a report acknowledging its responsibility for preparing financial statements and maintaining internal controls.
- However, the formal assessment of ICFR effectiveness—and the accompanying audit (and auditor attestation)—is no longer required until you reach $5 billion.
- Audit Committee: Your committee must be composed of outside directors, with a majority being independent of management (relaxed from the previous stricter independence rules for larger banks).
Our Strategic Advice:
- Reallocate, Don’t Undo: We strongly advise against undoing your existing control framework. Risk persists regardless of asset size. If you have already invested in a robust ICFR framework, abandoning it would be a waste of that investment. Instead, take the resources previously spent on compliance “box-checking” and reallocate them toward technology, innovation, and local lending.
- Shift to “Risk-Based” Testing: You now have the freedom to move from a “compliance-based” testing model to a “risk-based” one, potentially reducing total internal audit hours while increasing the value of the insights you receive. We recommend modifying your internal audit program to:
  - Rotate testing of lower-risk controls (e.g., test every two years rather than annually).
  - Maintain annual focus on high-risk areas, specifically fraud prevention, cybersecurity, and wire transfers.
- Safety and Soundness Standards: Remember that while the specific reporting requirement is gone, the underlying safety and soundness standards remain. Regulators will still expect a functioning internal control environment. A sudden drop in control testing could raise red flags during your next safety and soundness exam.
Future-Proofing: Inflation Indexing
A final, positive detail in the new rule is that these thresholds are no longer static. The FDIC has introduced an indexing methodology that will adjust these thresholds every two years based on the Consumer Price Index. This ensures that future inflation will not arbitrarily drag community banks into regulatory tiers intended for larger institutions.
Next Steps
Regulatory compliance is a critical component of your institution’s stewardship. These changes likely impact your engagement letters and budgets for the upcoming year.
Please reach out to your Mauldin & Jenkins advisor to discuss how we can adapt your audit and internal control programs to capture these efficiencies while maintaining strong governance.
