FDICIA requirements: How banks approaching $1 billion should prepare for FDICIA compliance
As your bank approaches $1 billion in total assets, the Federal Deposit Insurance Corporation Improvement Act (FDICIA) introduces a new level of rigor around financial reporting, audit oversight and governance structure. These requirements are designed to enhance transparency and accountability, but they also require advance planning to implement effectively.
What does FDICIA compliance require, and how should your institution prepare as you approach the $1 billion and $5 billion thresholds? Keep reading to find out.
Why FDICIA compliance matters
FDICIA establishes enhanced audit, reporting and governance requirements for insured depository institutions. These requirements begin at the $1 billion asset threshold and expand significantly at $5 billion, particularly regarding internal control over financial reporting (ICFR). While FDICIA requirements are mandatory under 12 CFR Part 363, they also serve as a critical framework for strengthening financial reporting discipline, governance oversight and overall risk management.
A common misstep is delaying preparation until a threshold is imminent. In practice, achieving FDICIA readiness at $1 billion — including establishing audit capabilities, governance structures and sustainable reporting processes — requires advance planning and disciplined execution. Institutions approaching $5 billion must take a further step, developing a mature and well-documented ICFR framework, supported by formal risk assessment, control testing and remediation processes.
Institutions approaching either threshold should plan proactively to avoid compressed timelines, operational strain and heightened supervisory scrutiny at the point of applicability.
Key FDICIA requirements
FDICIA Part 363 establishes graduated reporting, audit and governance requirements for institutions based on asset size. These requirements take effect at two key thresholds: $1 billion in assets and $5 billion.
- Institutions with $1 billion or more in assets are generally subject to annual audited comparative financial statements, Part 363 management reporting and board-level audit committee requirements.
- Institutions with $5 billion or more in assets are also subject to management assessment and independent auditor attestation requirements related to ICFR audits. At $5 billion, additional internal control and audit committee expectations also kick in.
FDICIA reporting requirements
Banks with at least $1 billion in assets must provide independently audited comparative financial statements annually. These audited financial statements provide regulators, directors and other stakeholders with independent assurance regarding the accuracy of the institution’s financial reporting.
FDICIA audit requirements
The audit of your financial statements must be completed by an independent auditor who complies with SEC/PCAOB independence standards. This means your auditor cannot perform non-attest services that could impair their independence with respect to financial reporting oversight, including:
- Preparing financial statements
- Performing appraisal, valuation or internal audit services
- Providing tax services
FDICIA internal control expectations
Management — principally, your CEO and CFO — is responsible for the preparation and fair presentation of your institution’s financial statements and for establishing and maintaining an effective system of ICFR. For banks that reach $5 billion in total assets, Part 363 requires management to perform a formal assessment of ICFR and to support an independent auditor’s attestation on the effectiveness of those controls. This entails conducting a comprehensive risk assessment, implementing and documenting key controls at the process level and maintaining sufficient evidence to support both management’s conclusions and the auditor’s opinion on ICFR.
Governance and audit committee responsibilities
Banks with $1 billion or more in assets must maintain a board-level audit committee composed entirely of outside directors, with a majority independent of management. At $5 billion and above, all members must be independent of management and meet enhanced governance expectations.
- Your audit committee is responsible for the appointment, compensation and oversight of your independent auditor, including evaluating the auditor’s independence and performance. It also provides oversight of your bank’s financial reporting process, ICFR and compliance with Part 363 requirements.
- In performing these duties, your committee reviews audited financial statements, monitors significant control issues and remediation efforts and ensures appropriate coordination among management, internal audit and your external auditor.
FDICIA threshold changes explained
Effective January 1, 2026, the FDIC revised 12 CFR Part 363 (FDICIA) to adjust key asset thresholds for inflation, materially reducing the scope of institutions subject to audit and internal control requirements. The applicability threshold for annual independent audits and reporting increased from $500 million to $1 billion, while the threshold for management’s assessment and auditor attestation of ICFR increased from $1 billion to $5 billion, along with corresponding increases to audit committee governance requirements.
These changes shift FDICIA toward a more risk-based framework, providing immediate compliance relief for many community and mid-sized banks, but still requiring institutions approaching $1 billion to proactively establish audit, governance and control structures ahead of becoming subject to Part 363.
In other words, don’t overlook FDICIA compliance if you haven’t yet reached $1 billion. You’ll need time to prepare, and your bank still faces other regulatory compliance and risk management challenges that remain in place regardless of the FDICIA threshold change.
How to prepare for FDICIA compliance
Bringing your bank into FDICIA compliance requires phased preparation aligned to the $1 billion and $5 billion thresholds, as expectations increase significantly at each level. Banks approaching $1 billion in assets should focus on foundational readiness, including establishing an appropriately independent audit committee, engaging a qualified external auditor and enhancing financial reporting processes; many institutions already perform an independent financial statement audit.
In contrast, institutions approaching $5 billion should shift to a more robust control environment by formalizing ICFR, performing a comprehensive risk assessment, strengthening control documentation and testing processes and preparing for management’s ICFR assessment and external auditor attestation. At both stages, a structured readiness assessment and clear alignment of responsibilities across management, internal audit and the board are critical to ensuring timely and effective compliance.
Here are specific keys to success as you approach an FDICIA threshold:
Start planning early
As you approach $750 million in assets, you should start getting serious about FDICIA compliance. Establishing a board audit committee, finding an independent auditor (if you do not already have one) and establishing an effective internal control environment will take time.
On the off chance you’re not already doing so, it’s a good idea to conduct an independent audit of your financial statements the year before you expect to reach $1 billion, as this will help you prepare for the FDICIA-required audit process once you reach $1 billion.
Conduct an FDICIA readiness assessment
Assess your overall level of FDICIA readiness. Unless your internal team has significant experience in FDICIA compliance, you’ll typically benefit from working with a third-party advisory firm to do this.
This firm can help you identify gaps in your existing controls, processes and compliance structures and help ensure you are properly in compliance by the time you reach $1 billion.
Define responsibilities across management, internal audit and the board
Your CEO and CFO, independent auditor and board audit committee each have specific responsibilities under FDICIA. Ensure each stakeholder understands their specific areas of responsibility and also has sufficient resources to implement FDICIA requirements within that area.
Strengthen internal controls and documentation
Management — particularly your CEO and CFO — is responsible for establishing and maintaining an effective system of ICFR, including identifying key controls, evaluating design and operating effectiveness and maintaining sufficient documentation to support those conclusions. If your bank is approaching $1 billion, your focus should be on establishing a well-documented control framework and consistent testing discipline.
For institutions approaching $5 billion, expectations expand significantly to include a more formalized ICFR structure, anchored by a comprehensive risk assessment, enhanced control documentation at the process level, and systematic testing and remediation of control deficiencies. These institutions must be prepared to support management’s ICFR assessment and the external auditor’s attestation, requiring a higher degree of rigor, consistency, and evidentiary support across the control environment.
Common FDICIA compliance challenges
Top FDICIA compliance challenges include:
Underestimating time and resource needs
FDICIA compliance requires significant coordination across management, finance, internal audit, your board and external auditors. This often takes longer to implement than anticipated. Institutions approaching $1 billion should begin preparation 12 to 24 months in advance, as establishing an audit committee structure, completing a first-time external audit (if applicable) and implementing consistent reporting processes can be time-intensive.
For institutions approaching $5 billion, the effort increases substantially due to the need to formalize ICFR, testing and documentation, often requiring dedicated resources, tooling, and enhanced internal audit capabilities. In both cases, balance sheet growth — particularly through acquisitions — can accelerate applicability timelines and compress readiness efforts.
Incomplete documentation and control testing
A common challenge is failing to establish sufficient documentation and evidence to support control design and operating effectiveness. While this is important for institutions approaching $1 billion, expectations become significantly more rigorous at $5 billion, where management must support a formal ICFR assessment and external auditor attestation. Inadequate documentation, inconsistent control execution or insufficient testing discipline can result in control deficiencies, delayed reporting or adverse audit outcomes, in addition to heightened regulatory scrutiny.
Preparing too late for threshold requirements
Banks that delay FDICIA readiness may reach the $1 billion threshold without the necessary audit, governance and reporting infrastructure in place, increasing the risk of supervisory criticism and operational strain. This risk becomes more pronounced as institutions approach $5 billion, where the transition to a fully supportable ICFR framework requires well-established processes, documentation standards and remediation protocols.
Early, phased preparation aligned to both thresholds is critical to avoiding compressed implementation timelines and ensuring a controlled transition into Part 363 compliance.
FDICIA compliance FAQs
Here are some common FAQs about FDICIA compliance:
How long does it take to prepare for FDICIA compliance?
Banks should generally plan for a 12- to 24-month FDICIA preparation period as they approach the $1 billion threshold, depending on complexity and existing governance structures. This preparation typically begins with a readiness assessment to evaluate financial reporting processes as well as governance and audit requirements, and should allow sufficient time to establish an independent audit committee.
Institutions approaching $5 billion should allow for additional lead time to design, implement and validate a fully supportable ICFR framework in advance of management assessment and auditor attestation requirements. We recommend an 18-month lead time for preparation.
Who is responsible for FDICIA compliance within a bank?
Responsibility for FDICIA compliance rests with management, led by your CEO and CFO, who are accountable for the accuracy of financial reporting and the effectiveness of internal controls. These responsibilities are executed in coordination with finance, internal audit and compliance functions, with oversight provided by your board of directors and audit committee.
Your independent external auditor also plays a critical role in providing assurance on financial statements — and for institutions above $5 billion, on the effectiveness of ICFR.
What happens if a bank is not prepared for FDICIA requirements?
Institutions that are not adequately prepared for FDICIA compliance may face heightened supervisory scrutiny, including potential enforcement actions, reporting delays or adverse audit outcomes. Beyond regulatory risk, insufficient readiness can strain internal resources, disrupt financial reporting processes and negatively impact board confidence, investor perception and overall governance effectiveness.
How Wipfli can help
We provide independent audit and FDICIA advisory services to help your bank comply with FDICIA requirements as you cross the $1 billion or $5 billion thresholds. If you’re growing or planning for growth, let’s talk about how we can help you meet this major milestone with confidence.