FIDICA threshold changes: Next steps you can’t overlook

The FDIC’s Part 363 changes will dramatically reduce the number of institutions subject to its audit and internal control mandates. While this sounds like welcome relief, many banks are overlooking critical realities: other regulators haven’t changed their rules, audit expectations remain, and operational risk is climbing.

From Federal Reserve and HUD requirements to state-level mandates and rising fraud exposure, the compliance landscape is still complex, and boards need clear visibility to avoid costly mistakes.

Here’s an overview of the threshold updates and how you can address compliance concerns:

Overview: FDICIA threshold changes

Effective January 1, 2026, Part 363 $500 million thresholds have been raised to $1 billion. $1 billion thresholds have been raised to $5 billion.

Insured depository institutions (IDIs) that will not be subject to Part 363 requirements under the updated FDIC regulatory thresholds do not need to comply as of December 31, 2025.

What many banks are overlooking: Other regulators still require audits

IDIs that are currently subject to FDICIA requirements but do not meet the updated thresholds get immediate relief. However, FDIC relief does not mean universal relief.

Even though the FDIC has increased thresholds, other regulatory bodies have not. That means some institutions may still be required to undergo an annual audit even if the FDIC no longer mandates it.

Specifically:

• The Federal Reserve (FRY-6 audit requirement) remains unchanged: Bank holding companies with $500 million or more in consolidated assets must still have annual audited financial statements from an independent public accountant.
• HUD requirements also remain intact: Institutions with HUD-regulated lending or servicing operations must continue to meet HUD’s annual audit requirements, which are separate from FDICIA and continue to apply regardless of FDIC threshold relief.
• State regulators may still require audits: Wipfli has already consulted with banks in states whose regulators have not adopted the federal threshold changes and still expect annual audits or specific reporting. Be sure to verify if your state has adopted the changes or if you still face audit requirements.

Internal controls are still critical

Should you continue internal control testing?

In conversations with CEOs, CFOs, controllers and boards this past week, we’ve seen that board and audit committees across the country are asking this same question. And the overwhelming trend we are seeing is yes, but in a right-sized way.

Here’s why maintaining internal control testing still matters:

Risk hasn’t decreased — it has increased.

Digital banking growth, real-time payments, API integrations and third-party reliance have created more operational complexity than ever. Reduced requirements do not reduce exposure.

Fraud risk is rising.

Industry data continues to show upticks in internal fraud, account takeovers, vendor fraud and control overrides — especially during periods of staffing strain or turnover.

Technology upgrades introduce control gaps.

Core conversions, new digital channels and automation projects often create temporary breakdowns in user access, reconciliations, data mapping and change-management controls.

Talent turnover exposes weaknesses.

When institutional knowledge walks out the door, controls often degrade quietly. Sustained testing protects against this erosion.

Regulators still expect strong governance, regardless of thresholds.

Even without ICFR attestation requirements, examiners continue to focus on:

• ITGC’s
• Third-party oversight
• Model governance
• Loan administration
• Deposit operations
• Cybersecurity

Strong internal control testing demonstrates strong governance.

The board’s fiduciary responsibility hasn’t changed.

Audit committees need continued visibility into financial reporting accuracy, operational reliability and risk management performance.

A scaled control program is often more effective than a compliance-driven one.

Freed from formal attestations, institutions can tailor testing around:

• High-risk processes
• Significant accounts
• Known pain points
• System changes
• Fraud-prone areas

This delivers sharper insights at a lower cost and strengthens governance.

Ratings matter.

Maintaining governance and internal controls helps avoid surprises.

The bottom line?

Even though the FDIC has raised thresholds, the risk environment, governance expectations and operational complexity facing financial institutions have not changed. 

A disciplined, right-sized internal control framework remains one of the most effective tools your board and leadership team have to support strategic growth. Shift from compliance-driven to risk-driven, strengthen the areas that matter most and give your board the visibility they need to steward the institution forward.

Guidance for moving forward

To avoid missteps, consider:

• Confirming all applicable regulatory frameworks (FDIC, Fed Reserve, HUD, state banking departments) before making any decisions on audit or ICFR structure.
• Re-evaluating your audit and ICFR strategy
• Documenting decisions clearly for examiners, boards and stakeholders.
• Maintaining a right-sized internal control testing program, especially as technology and third-party reliance continue to expand.

How Wipfli can help

Wipfli closely monitors regulatory changes so that we’re ready to help you navigate them effectively. When the news of regulatory updates happened, we helped clients stay informed, along with:

• Conducting regulatory impact assessments.
• Reviewing Fed, HUD and state-level requirements.
• Supporting boards and audit committees with decision frameworks.
• Designing right-sized internal control programs.
• Advising on governance, risk and operational readiness, including talent.

Contact our financial services risk advisory team to discuss your institution’s next steps.

Read more:

• FDICIA readiness for $1B banks
• FDICIA – How to prepare for the $1 Billion asset threshold
• Prepare your financial institution to meet FDICIA requirements