Changes to FDIC 12 CFR Part 363 should mean relief for financial institutions. We share the benefits, components, and best practices to help you prepare.
In November 2025, the Federal Deposit Insurance Corporation (FDIC) approved a final rule, effectively updating its existing rules and regulations that affect all FDIC-insured depository institutions. The final rule includes permanent updates to regulatory thresholds under 12 CFR Part 363, which sets annual independent audit, internal control, and governance requirements for insured depository institutions based on asset thresholds rather than a one-size-fits-all approach.
Updates to regulatory thresholds were initially proposed in July 2025, and the permanent updates will be effective on January 1, 2026.
What are the Benefits of the Changes to 12 CFR Part 363?
Overall, the updates to 12 CFR Part 363 are focused on adjusting the regulatory thresholds to account for historical inflation while also indexing for future anticipated inflation. As a result, institutions should experience regulatory relief, reduced compliance costs, and increased flexibility. Additionally, many smaller institutions will obtain nearly immediate relief from prior FDIC audit and reporting requirements. The updates should provide a long-term and durable framework for mandatory audits and control assessments.
How Can the Changes to 12 CFR Part 363 be Summarized?
The FDIC’s final ruling regarding 12 CFR Part 363 can be summarized by changes to three primary components:
1. General Applicability
General applicability establishes thresholds regarding requirements for annual independent audit and reporting. Under previous rulings, institutions with total consolidated assets of $500 million or more were required to undergo an independent financial statement audit and to submit the auditor’s report to the FDIC and other federal and state supervisory agencies. The FDIC has officially raised the general applicability threshold from $500 million to $1 billion.
Additionally, it’s anticipated the threshold requiring independent public accountants to comply with independence standards of the SEC may mirror the new general applicability thresholds. If this threshold increases, audit firms for institutions with less than $1 billion in assets would be able to assist more directly, as a nonattest service, in the preparation of financial statements and related footnotes.
2. Internal Control over Financial Reporting (ICFR)
Under previous rulings, institutions with total consolidated assets of $1 billion or more were required to not only undergo an independent financial statement audit but to also obtain an independent auditor’s report on ICFR. The FDIC has officially raised the ICFR threshold from $1 billion to $5 billion, relieving approximately 700 institutions from ICFR audit and reporting requirements.
3. Audit Committee Composition and Director Compensation
Under previous rulings, institutions with total consolidated assets of $3 billion or more were required to not only maintain an audit committee but to also meet additional composition requirements such as having members with relevant financial expertise and access to outside counsel. The FDIC has officially raised the threshold for additional requirements for audit committee composition from $3 billion to $5 billion, simplifying the qualifications of committee members, especially in rural communities.
Additionally, under previous rulings, compensation for a director on the audit committee was limited to $100,000 in order for the director to be considered independent. The FDIC has officially raised the director compensation limitation to $120,000 for independent directors on the audit committee.
The table below summarizes the prior and updated thresholds under FDIC 12 CFR Part 363, effective January 1, 2026:
When Will the Changes to 12 CFR Part 363 Impact My Organization?
While the effective date of the recent FDIC ruling is January 1, 2026, the FDIC has clarified that institutions do not need to comply with requirements in effect as of December 31, 2025, if not subject to Part 363 under updated thresholds in effect as of January 1, 2026.
In simpler terms, if your institution falls below the new thresholds effective on January 1, 2026, it is technically relieved from the prior requirements in place concerning financial reporting as of December 31, 2025.
How are Changes to 12 CFR Part 363 Impacted by State and Other Regulations?
The FDIC’s final rule does not override audit and reporting obligations imposed by state regulations for state-chartered institutions. Additionally, public companies and their subsidiaries remain subject to the Sarbanes-Oxley Act of 2002, which requires annual audits and internal control assessments regardless of FDIC thresholds.
What are Best Practices for My Institution in Response to 12 CFR Part 363 Changes?
Despite the relief from prior FDIC audit and reporting requirements, smaller institutions must keep in mind that regulatory compliance should never be the sole driver of strong governance. Even with reduced regulatory requirements, stakeholders of institutions of all sizes will continue to have high expectations regarding financial transparency and internal controls.
To maintain confidence and mitigate risk, PYA recommends that all institutions, regardless of size, continue to follow industry best practices, such as these:
- Continue Independent Audits
Even if no longer required by regulation, an annual independent financial statement audit remains a cornerstone of sound governance and stakeholder trust. - Implement a Risk-Based Control Assessment
Regularly evaluate internal controls using a risk-based approach. This practice ensures that critical processes—such as lending, liquidity management, and cybersecurity—are monitored effectively throughout the year. - Leverage External Expertise
Engage independent advisors or third-party specialists to provide objective insights and strengthen oversight. This proactive approach can identify emerging risks and support strategic decision-making.
Your Strategic Partner in Navigating Regulatory Changes
Navigating regulatory changes doesn’t have to be overwhelming. PYA’s team of financial institution specialists is ready to help you assess the impact of these updates and design tailored risk and compliance strategies that align with your business objectives and stakeholder expectations. Partner with us to strengthen your strategic plan.
