Relief With Responsibility

Navigating FDIC Part 363 Changes

Lori W. Charlebois, JP Shelly, Stacia Vernon
12/16/2025

The FDIC’s new thresholds create regulatory relief, but they also require strategic recalibration for an IDI’s environment.

On Nov. 25, 2025, the Federal Deposit Insurance Corp. (FDIC) finalized significant amendments to 12 Code of Federal Regulations (CFR) Part 363 including, among other things, raising key thresholds for internal control over financial reporting (ICFR) audits in accordance with the FDIC Improvement Act (FDICIA). These changes, effective Jan. 1, 2026, but currently available for affected institutions, are intended to ease compliance burdens, particularly for community insured depository institutions (IDIs), by recognizing the inflation-driven asset growth that pushed many institutions past outdated thresholds.

Effective Jan. 1, 2026:

| Citation | Requirement | Current threshold | Threshold as finalized |
|---|---|---|---|
| 363.2(b)(3) and 363.3(b) | Audit of ICFR by external accountant | $1 billion | $5 billion |

The final rule not only increases the threshold for a required audit of ICFR but also indexes this threshold to the Consumer Price Index for Urban Wage Earners and Clerical Workers, assessed generally every two years.


The new reality for IDIs: Relief with responsibility 

This amendment will have different implications for stakeholders throughout the banking industry.

Boards and audit committees: The recent changes to Part 363 shift the landscape from prescriptive mandates on audit requirements to strategic decision-making. Although the internal control attestation requirements in Part 363 are narrowly focused on ICFR, these requirements are a foundational component of the overall governance framework for many institutions. Now, with certain assurance requirements lifted, boards and audit committees must proactively determine the level of oversight and assurance appropriate for their institution. This determination means weighing the benefits of reduced compliance costs against the potential for increased risk, level-setting expectations of investors and key stakeholders, and establishing clear expectations for risk tolerance and governance. Said differently, how, if at all, should the amendments to Part 363 affect an institution’s control culture?

Crowe observation: All IDIs that must comply with the provisions of Part 363 must provide certain statements to their primary federal regulator. In a statement of management’s responsibilities, management must assert to, among other things, “establishing and maintaining an adequate internal control structure and procedures for financial reporting, including controls over the preparation of regulatory financial statements.”


The introduction of inflation-based indexing of the thresholds for compliance with Part 363 adds a new layer of complexity, as regulatory thresholds are now dynamic rather than static. Management must establish processes to monitor these evolving benchmarks, anticipate when expanded requirements might apply again, and confirm the control environment remains aligned with both current needs and future growth. A forward-looking, strategic approach will be essential for maintaining compliance readiness and optimizing resource allocation.

Management: For IDIs between $1 billion and $5 billion in total assets, maintaining ICFR audit-level rigor is no longer a requirement; however, management remains responsible for its own reporting and disclosures on internal controls. Leadership of affected institutions must evaluate the risk appetite and strategic focus to determine whether to adopt a more streamlined approach to maintaining an adequate internal control structure and procedures for financial reporting or continue with a comprehensive control testing system. This evaluation also should consider how changes in internal control practices might be perceived by external stakeholders. Management must consider future growth plans and how reduced compliance costs might affect near-term forecasted results as well as the potential additional costs to re-implement a control framework in the future.

Regulatory expectations: The absence of a regulatory requirement must not equate to the absence of oversight. Regulators continue to expect robust controls over financial reporting and might challenge a reduction in control rigor, particularly if it is not supported by a well-documented, risk-based rationale. Institutions should be prepared to defend their approach to maintaining an adequate internal control structure and procedures, especially if weaknesses emerge in financial reporting or operational processes.

Crowe observation: Despite reduced compliance requirements regarding internal control attestation, we believe certain significant controls should continue to be evaluated annually, specifically information technology (IT) controls. In fact, we anticipate increased rigor as IT environments grow more complex in today’s digital landscape.


Strategic options for considering changes to the control environment in the post-requirement era

To guide strategic decision-making, institutions can begin by answering the following questions.

Questions for management

  • How should the changes to Part 363 influence the risk assessment processes, business process narratives, control documentation, and the scope and cadence of internal audit testing?
  • Should the institution use the changes to Part 363 to rationalize or modernize the control framework to streamline processes, level-set controls, and eliminate redundancies while remaining responsive to emerging risk areas, such as cybersecurity, data quality, model risk, and third-party oversight?
  • Are there any additional internal stakeholders that need to be aware of the change in requirement and any changes in management approach, for example, executives or control owners?
  • In which areas should management prioritize continued testing? Specifically, what areas in the organization carry higher inherent risk or require specialized oversight?
  • Is the institution prepared for future regulatory reviews or potential shifts in expectations, even if certain requirements are reduced today? What measures will prevent gradual erosion of governance or control maturity?
  • How will the institution monitor the newly indexed, inflation-adjusted thresholds over time? Who takes responsibility, and how will the board receive visibility?

Questions for the board and audit committee

  • How will management demonstrate its basis for comfort over internal control requirements in the statement of management’s responsibilities required to be submitted to regulatory agencies in accordance with Part 363? What objective evidence or monitoring activities will support this statement?
  • What is the institution’s strategic growth plan over the next three to five years? If growth initiatives or M&A activity could push the IDI back above the $5 billion threshold or require the institution to comply with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX), what elements of the existing control environment should the IDI retain to maintain readiness?
  • Is maintaining a FDICIA control testing program important to a potential acquirer?
  • How will the board and audit committee confirm the institution has adequate internal controls over financial reporting and emerging risks? Do the current reporting cadence and depth meet the board’s expectations?

Based upon preliminary discussions with our clients, the following are three paths IDIs are considering in subsequent reporting periods.

Path 1: Reset to baseline

Certain IDIs have indicated their plan to discontinue their current FDICIA practices and reset the approach to ICFR deployed before they were subject to a required ICFR audit under Part 363. These IDIs cite organizational size, available resources, and the anticipated cost benefits as reasons for this decision. In these cases, management expects to rely primarily on existing internal audit coverage and strong internal communication to maintain visibility into key risks and control performance.

Crowe observation: This approach might be suitable for institutions that have recently crossed the $1 billion threshold and have not yet developed a mature FDICIA framework. It is also suitable for IDIs that do not anticipate reaching $5 billion in the near term, operate with less complex processes, or have streamlined financial reporting. In addition, institutions facing margin compression or resource constraints might find this model aligns well with their current strategic imperatives.

  • Pro: Lowest cost and reduced administrative burden
  • Con: Highest risk of undetected issues; control degradation might create major challenges if the institution later crosses the $5 billion threshold or goes public and must rapidly rebuild a mature ICFR environment designed for external attestation

Path 2: Risk-based targeted testing (hybrid approach)

Other IDIs have indicated they plan to redesign their internal control monitoring programs to be more agile and less rigid under the new regulation, with a focus on streamlining internal control testing and reducing the annual compliance burden. Many institutions are reassessing their current control inventories, challenging testing frequency and timing, such as adopting rotational cycles, and evaluating whether management can obtain sufficient confidence on the adequacy of ICFR through alternative approaches, including greater reliance on the internal audit plan, second-line testing, or even self-assessments by process or control owners.

Crowe observation: This path might be appropriate for IDIs that have well-established control environments and want to maintain strong discipline but do not expect to approach $5 billion in the near future or have growth strategies that would trigger additional compliance requirements under different laws or regulations. These institutions are seeking some cost relief without sacrificing essential oversight.

  • Pros: Greater flexibility and efficiency; focuses management’s attention on the areas of highest risk and impact; enables continued governance confidence with reduced burden
  • Con: Potential for missing infrequent or emerging control testing exceptions; might lower management’s overall level of confidence on the adequacy of ICFR as compared to the current program

Path 3: Maintain full ICFR-like program (voluntary FDICIA discipline)

Several IDIs intend to continue their current FDICIA framework and testing approach. They acknowledge both the efforts taken to implement the process and the significant value that an increased control culture and governance confidence provide to senior leadership and the board. Certain institutions are considering voluntarily engaging their external auditors to perform an integrated financial statement and ICFR audit on an ongoing basis.

Crowe observation: This approach might be appropriate for institutions that are nearing, or have strategic plans that will bring them over, the $5 billion threshold and for IDIs that want additional comfort when filing the statement of management’s responsibilities. Institutions with prior control concerns or risk-sensitive boards and audit committees also might prefer minimal changes to the current regime. Institutions considering an initial public offering or other event that would require compliance with provisions of SOX also might want to adopt this approach, as management of issuer institutions must provide reasonable assurance over the institution’s ICFR, filed with the Securities and Exchange Commission in Form 10-K regardless of size, unless the issuer is an emerging growth company.

  • Pros: Higher degree of confidence in the effectiveness of ICFR; preserves a mature, scalable control framework; minimizes disruption and facilitates seamless reentry into ICFR compliance if required; reduces the risk of financial statement misstatements
  • Cons: Audit and compliance costs remain largely unchanged and require continued management time and documentation

Looking ahead

The FDIC’s final rule marks a shift from prescriptive compliance to risk-based discretion. For institutions between $1 billion and $5 billion, this rule is an opportunity for cost reduction and strategic realignment.

Rather than defaulting to a minimalist posture, IDIs can proactively and responsibly design control assertion and testing approaches that match their complexity, growth ambitions, and stakeholder expectations.

Contact us


Crowe can help you navigate changes in the Part 363 environment, including ways to balance regulatory expectations, risk management considerations, and your institution’s strategic objectives.
JP Shelly
Partner, Audit & Assurance
Stacia Vernon
Senior Manager, Consulting