• Applicability Of The Provisions Of The Sarbanes-Oxley Act Of 2002 To Insured Depository Institutions
  • October 23, 2003
  • Law Firm: Blank Rome LLP - Philadelphia Office
  • On March 5, 2003, the Federal Deposit Insurance Corporation ("FDIC") issued a financial institution letter providing guidance to insured institutions concerning selected provisions of the Sarbanes-Oxley Act of 2002 (the "Act"), so as to ensure that financial institutions follow sound corporate governance policies. The FDIC's letter covers the applicability of the auditor independence provisions of the Act and the Securities and Exchange Commission's ("SEC"), implementing regulations to institutions with $500 million or more in total assets and non-public financial institutions with less than $500 million in assets.

    The provisions of the Act are primarily directed towards those companies, including insured depository institutions, that have their securities registered with the SEC or the appropriate federal banking agency under Section 12 of the Securities Exchange Act of 1934 (the "1934 Act") ("Public Companies").

    All of the federal banking agencies have basically adopted the same position as the FDIC on the Act. These agencies include, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency and the Office of Thrift Supervision.

    FDIC-Supervised Banks as a Public Company or Subsidiaries of Public Companies.

    FDIC-supervised banks that have their securities registered with the FDIC or supervised banks that are subsidiaries of bank holding companies, which are public companies, must comply along with their independent public accountants with the Act including the provisions governing auditor independence, corporate responsibility, and enhanced financial disclosures. For banks whose securities are registered with the FDIC, the regulations currently incorporate applicable SEC regulations by reference.

    Non-Public FDIC Supervised Banks with Less Than $500 Million in Total Assets.

    For FDIC banks that have less than $500 million in total assets as of the beginning of the fiscal year, they are not subject to the annual audit and reporting requirements of the Federal Deposit Insurance Act (the "FDIC Act"). Generally these banks, which are not public companies or subsidiaries of public companies, are not covered within the scope of the Act and the SEC's implementing regulations. However, the FDIC has made it clear that its existing policy guidance relating to corporate governance and that of other banking agencies to a large extent closely follow or represent sound corporate governance policies and therefore should be followed by these institutions. While these guidelines are not mandatory for smaller non-public institutions, the FDIC recommends that each institution consider implementing them to the extent feasible given the institution's size, complexity, and risk profile. To point out the obvious, the FDIC would like these institutions to follow these otherwise non-mandatory policies and procedures.

    Insured Depository Institutions with $500 Million or More in Total Assets.

    Institutions with $500 million or more in total assets at the beginning of their fiscal year are subject to annual audit and reporting requirements under FDIC regulations. Some of these institutions are public companies or subsidiaries of public companies or currently satisfy the requirements of these regulations on a holding company basis. These institutions are generally subject to the provisions of the Act.

    Applicability Of The Sarbanes-Oxley Act Of 2002 To Banks With $500 Million Or More In Total Assets.

    Auditor Independence.

    Pursuant to Section 36 of the FDIC Act, the qualifications of an independent public accountant engaged by an insured institution are required to be in compliance with the AICPA's Code of Professional Conduct and meet the independence requirements and interpretations of the SEC and its staff. As a result, for each covered institution, whether or not it is a public company, its external auditor must comply with the SEC's auditor independence requirements. This requirement may be satisfied if the covered institution satisfies the annual independent audit requirements by relying upon its audit of its parent holding company so long as these auditors comply with the SEC's independence requirements.

    The SEC's rules on auditor independence, which implement the provisions of Sections 201, 202, 203 and 206 of Title II of the Act provide as follows:

    1. That non-audit services, if provided to an audit client, which would impair an accounting firm's independence, must be discontinued.
    2. Require that the public company's audit committee pre-approve all audit and non-audit services provided by the auditor of its financial statements.
    3. Provide that certain partners on an audit engagement team are limited to providing audit services for no more than five or seven consecutive years, depending upon the partner's involvement with the audit. A small accounting firm with less than five public company audit clients and less than ten audit partners may be exempted from this requirement.
    4. Prohibit an accounting firm from auditing a public company's financial statements if certain members of the management of the public company had been members of the audit firm's accounting engagement team within one year preceding the commencement of audit procedures.
    5. Provided that an audit partners receipt of compensation based on the sale of engagements of an audit client for services, other than audit, review and attest services, would impair the accountant's independence.

    Management's Responsibility for Financial Reporting and Controls.

    Section 302 of the Act requires a certification by the principal executive officer and the principal financial officer in each quarterly and annual report that a public company files under the 1934 Act. The SEC's rule provides specific wording for the required certification, which must be filed as an exhibit to the applicable report.

    Section 36 of the FDIC's regulations require that each covered institution include a management report in the annual report it files with the FDIC or its primary regulator or appropriate state supervisor. The institution's chief executive officer and chief financial officer must sign this report. It must contain a statement of management's responsibility for (1) preparing the institution's annual financial statements; (2) establishing and maintaining adequate internal control structure and procedures for financial reporting; and (3) complying with designated safety and soundness regulations.

    The management report must also include an assessment by management of the effectiveness of the internal control structure and procedures for financial reporting as of the end of the fiscal year and the institution's compliance with the designated safety and soundness regulations during the fiscal year.

    The certification required by Section 302 of the Act is different from the contents of the management report required by Section 36 of the FDIC Act. For example, an institution that is a public company or a subsidiary of a public company may not submit a Section 302 certification in place of a required management report unless it is duly modified to cover all of the reviews required by Section 36 of the FDIC Act.

    Management's Assessment of Internal Controls and Accountant's Attestation on This Assessment.

    In addition to the management report requirements discussed above, Section 36 of the FDIC Act requires a covered institution's independent public accountant to examine, attest to, and report separately on management's assertion concerning internal control. This attestation report must be included in the report the covered institution files with the FDIC, its primary regulator and any appropriate state supervisor. The language required in Section 404 of the Act is substantially similar to the language in Section 36 of the FDIC Act.

    What does the FDIC expect?

    The FDIC encourages non-public companies to implement to the extent feasible these provisions. It is expected that non-public companies will be hearing from examiners on these issues if these suggestions are not followed.

    Applicability Of Selected Provisions Of The Sarbanes-Oxley Act Of 2002 To FDIC-Supervised Banks With Less Than $500 Million In Total Assets That Are Not Public Companies

    Public Company Accounting Oversight Board Registration.

    An accounting firm must register with the Public Company Accounting Oversight Board to audit the financial statements of a public company. It then becomes a "registered public accounting firm." Banks are not limited to "registered public accounting firms."

    Auditor Independence.

    To be considered independent, a registered public accounting firm that audits a public company's financial statements is not permitted to provide, contemporaneously with the audit, any of the non-audit services prohibited by Section 201 of the Act, or any other service the Public Company Accounting Oversight Board determines by regulation to be impermissible. Prohibited services include:

    • Bookkeeping or other services related to the accounting records or financial statements of the audit client;
    • Financial information systems design and implementation;
    • Appraisal or valuation services, fairness opinions, or contribution-in-kind reports;
    • Actuarial services;
    • Internal audit outsourcing services;
    • Management functions or human resources;
    • Broker or dealer, investment adviser, or investment banking services; and
    • Legal services and expert services unrelated to the audit.

    A registered independent public accountant can provide non-audit services that are not otherwise prohibited, including tax services, to a public company audit client only if the activity is approved in advance by the company's audit committee. The audit committee must pre-approve all audit and permissible non-audit services. The FDIC encourages banks to follow the internal audit outsourcing prohibition in Section 201.

    Many banks have determined that the benefits of having a full-time internal auditor do not exceed the costs of such an arrangement. The audit committee should document that it has pre-approved the internal audit outsourcing to its external auditor and has considered the independence issues associated with this arrangement.

    The audit committee should also consider how the bank will oversee the external auditor's performance under the internal audit outsourcing contract. This oversight should be provided by a competent employee who ideally has no managerial responsibility for the areas being audited under the outsourcing contract and who reports directly to the audit committee concerning internal audit issues.

    Audit Partner Rotation.

    A registered public accounting firm would not be considered independent of a public company audit client if the lead audit partner having primary responsibility for the audit, or the concurring audit partner responsible for reviewing the audit, has performed in this capacity for the audit client for five consecutive years. The SEC imposes a seven-year rotation requirement on certain other audit partners on the audit client's engagement team followed by a two-year "time out" period. These partner rotation rules are intended to strike a balance between the need to bring a fresh look to the audit engagement and the need to maintain continuity and audit quality. The SEC's final rules also contain an exemption from the rotation requirements for small accounting firms.

    Auditor Reports to Audit Committees.

    Each registered public accounting firm that audits a public company's financial statements should report on a timely basis to the company's audit committee:

    • All critical accounting policies used by the company;
    • Alternative accounting treatments that the accounting firm has discussed with the company's management along with the potential ramifications of using those alternatives, and the treatment preferred by the accounting firm; and
    • Other written communications the accounting firm has provided to the company's management, such as a management letter or a schedule of unadjusted differences.

    These reporting requirements are intended to strengthen the relationship between the audit committee and the auditor. The FDIC encourages each bank to institute these auditor reporting practices by incorporating them into its engagement letter with the auditor.

    Conflicts of Interest.

    A registered public accounting firm would not be considered independent of a public company audit client if the client's chief executive officer, controller, chief financial officer, chief accounting officer or equivalent officer was employed by the accounting firm and participated in the audit of the client during the one-year period before the beginning of the current audit. The FDIC encourages each bank and its external auditing firm to comply with this conflicts of interest requirement.

    Corporate Responsibility.

    Public Company Audit Committees.

    The audit committee of each public company listed on a securities exchange or Nasdaq are responsible for the appointment, compensation, and oversight of the work of a registered public accounting firm related to issuing audit reports. Each member of an audit committee must be a member of the board of directors and shall otherwise be independent. In addition, an audit committee member cannot accept any consulting, advisory, or compensatory fee from the public company, other than fees for serving as a board or committee member, or be affiliated with the company or a subsidiary of the company. The audit committee must establish procedures for processing complaints and processing confidential, anonymous submissions by employees regarding accounting, internal control, and auditing matters. Banks are encouraged to follow these rules.

    Corporate Responsibility for Financial Reports.

    A public company's principal executive officer and principal financial officer must include a certification in each quarterly and annual report filed under the 1934 Act. The SEC's rule implementing Section 302 requires these officers to certify that:

    • He or she has reviewed the quarterly or annual report;
    • Based on his or her knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact; and
    • Based on his or her knowledge, the financial statements and other financial information included in the report fairly present in all material respects the public company's financial condition, results of operations, and cash flows.

    The officers' certifications also must address matters pertaining to disclosure controls and procedures and internal control.

    When a bank files its Reports of Condition and Income (Call Report), an authorized officer of the bank must sign a declaration that the reports are true to the best of the officer's knowledge and belief. In addition, two bank directors must declare that they have examined the report and attest to its correctness. Banks that issue audited financial statements to their shareholders or others may also want to consider including with the financial statements a certification by the bank's principal executive officer and principal financial officer. The certification would state that the officers have reviewed the financial statements and, based on their knowledge, the statements are true and fairly present in all material respects the bank's financial condition, results of operations, and cash flows.

    Improper Influence on Conduct of Audits.

    No officer or director of a public company or anyone acting under their direction can mislead, coerce, manipulate, or fraudulently influence a registered independent public accounting firm preparing an audit report for the purpose of rendering it materially misleading. The FDIC strongly encourages banks to follow this rule.

    Enhanced Financial Disclosures.

    Disclosures in Periodic Reports.

    Financial reports filed with the SEC must reflect material correcting adjustments identified by a registered public accounting firm. The reports shall disclose all material off-balance sheet transactions, arrangements, obligations, and relationships that may have a material current or future effect on the company. The FDIC strongly encourages banks to follow this rule.

    Enhanced Conflict of Interest Provisions.

    Public companies would be prohibited from extending credit in the form of a loan to any director or executive officer. Certain consumer loans are permitted if made in the ordinary course of the consumer credit business of the company, are generally available to the public, and made on market terms. This provision does not apply to any loan made by an insured depository institution if the loan is subject to the insider lending restrictions under Section 22(h) of the Federal Reserve Act and Federal Reserve Regulation O. All banks must continue to comply with Regulation O in their lending to directors and executive officers.

    Management Assessment of Internal Controls.

    In their annual reports, public companies must include an internal control report that states that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting. The report also must contain an assessment, as of the end of the most recent fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting. The company's registered public accounting firm must attest to and report on management's assessment. The FDIC encourages banks to consider the benefits and costs of supplementing the audit with an internal control assessment by management and an attestation of this assessment by the bank's independent public accountant.

    Code of Ethics for Senior Financial Officers.

    Each public company must disclose in financial reports filed under the 1934 Act whether the company has adopted a code of ethics that applies to its principal executive officer, principal financial officer, principal accounting officer, and controller. If not, the company must disclose the reasons why a code of ethics was not adopted. Disclosure on a current basis is also required of amendments to and waivers from the company's ethics code for senior financial officers. The SEC has defined the term "code of ethics" to mean written standards that are reasonably designed to deter wrongdoing and to promote:

    • Honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships;
    • Full, fair, accurate, timely, and understandable disclosure in reports and documents the public company files under the federal securities laws and in other public communications the company makes;
    • Compliance with applicable rules and regulations;
    • Prompt internal reporting to an appropriate person of violations of the code; and
    • Accountability for adherence to the code.

    The FDIC encourages each bank to adopt a code of ethics for senior financial officers. If the bank decides not to do so, the FDIC encourages it to explain, perhaps in the minutes of the board of directors, the reasons why. The FDIC also encourages periodic disclosure of the existence of a code of ethics, or lack thereof, to shareholders.

    Disclosure of Audit Committee Financial Expert.

    Each public company must disclose whether the audit committee is comprised of at least one member who is an "audit committee financial expert." If not, the company must disclose the reasons why. The SEC has defined the term "audit committee financial expert" as a person who:

    • Understands generally accepted accounting principles (GAAP) and financial statements;
    • Is able to assess the general application of GAAP in connection with the accounting for estimates, accruals, and reserves;
    • Has experience in preparing, auditing, analyzing, or evaluating financial statements of a breadth and complexity comparable to that of the public company's financial statements, or has experience actively supervising one or more persons engaged in such activities;
    • Understands internal controls and procedures for financial accounting; and
    • Understands audit committee functions.

    A person can acquire such attributes through one or more means, including education and experience as, or experience actively supervising, a public accountant, auditor, controller, principal accounting officer, or principal financial officer. Although the FDIC does not expect a bank to disclose whether or not it has a financial expert on its audit committee, banks are encouraged to do so.


    Although the requirements of the Sarbanes-Oxley Act of 2002 are designed for SEC registered public companies, the FDIC clearly makes the point that non-public companies must adhere to these rules if they have more than $500 million in assets and should follow these rules, to the extent possible, if they are non-public and have less than $500 million in assets, unless there is a good and documented reason as to why this is not possible.