By: BRENDAN M. WHALEN, CPA
Principal, Audit and Assurance | S.R. Snodgrass, P.C
On November 25, 2025, the Federal Deposit Insurance Corporation (FDIC) officially adopted a final rule amending several regulatory thresholds under Part 363—the rules that govern internal control and reporting requirements for insured depository institutions.
The changes reflect the highly anticipated modernization of a regulatory framework that had remained largely unchanged for decades—despite inflation, consolidation, and material growth across the banking sector.
Importantly, the rule adds an indexing mechanism so that many of the thresholds will be automatically adjusted every two years based on inflation (as measured by the non-seasonally adjusted Consumer Price Index for Urban Wage Earners and Clerical Workers—CPI-W).
Key Threshold Changes Under Part 363
As a result of the updated guidance, many smaller and midsize community banks that previously fell under Part 363’s requirements will now be exempt.
The final rule updates the applicability asset threshold in Part 363 from $500 million to $1 billion and the internal control over financial reporting (ICFR) asset threshold from $1 billion to $5 billion. Additionally, the final rule increases the threshold related to minimum Audit Committee requirements for banks from the range of $500 million to less than $1 billion in total assets to the range of $1 billion to less than $5 billion in total assets, as well as the threshold of $1 billion or more in total assets to $5 billion or more. The final rule also increases the threshold related to additional Audit Committee requirements from $3 billion to $5 billion. Additionally, the final rule updates the compensation threshold in Part 363 related to the determination of whether a director is considered “independent of management” from $100,000 to $120,000.
A summary of the pertinent increased asset thresholds is outlined below.
| Citation | Requirement | Threshold as of January 1, 2025 | Updated Threshold |
| 363.1(a) | Scope and applicability | $500 million | $1 billion |
| 363.2(b)(3) & 363.3(b) | Internal controls over financial reporting (ICFR) | $1 billion | $5 billion |
| 363.5(a)(1) | Audit Committee composition – outside directors independent of management | $1 billion | $5 billion |
| 363.5(a)(2) | Establish an Audit Committee from Board of Directors | $500 million | $1 billion |
| 363.5(b) | Audit Committee composition – two members with “financial expertise,” have access to its own outside counsel, and not include any large customers of the institution | $1 billion | $5 billion |
| Guideline 28(b)(4) | Director independence – compensation considerations | $100 thousand | $120 thousand |
Key Threshold Changes Under Part 363 (Continued)
Irrespective of the changes to Part 363 thresholds, institutions may still be subject to these requirements by their respective states if the institution is state-chartered.
Additionally, the amendments to Part 363 do not relieve public companies or subsidiaries of public companies of their obligation to comply with the internal control assessment requirements imposed by Section 404 of the Sarbanes-Oxley Act in accordance with the effective dates for compliance set forth in the Securities and Exchange Commission’s rules and regulations.
Restoring the Original Purpose of Part 363
Part 363 was originally designed so that only institutions representing meaningful risk to the deposit- insurance fund would be subject to comprehensive audit, governance, and internal-control requirements. Over decades, inflation and overall growth caused many relatively small or mid-size banks to drift into coverage even though their underlying risk profiles may not have changed.
The FDIC estimates that 727 banks have between $500 million and $1 billion in assets, while another 778 have between $1 billion and $5 billion in assets. In addition, the proposed increase in the applicability threshold would result in approximately the same number of institutions being subject to Part 363 (approximately 1,000 institutions) in 2025 as were subject to the regulation in 1993 (at its inception) and in 2005 (when the threshold for the ICFR requirements was amended). Similarly, the proposed increase in the ICFR threshold from $1 billion to $5 billion would be generally consistent with the historical application of such requirements (to approximately 75 percent of institutions) at the time of initial implementation.
Raising the ICFR threshold from $1 billion to $5 billion will further reduce compliance costs and governance burdens on many mid-size banks—especially those between $1 billion and $5 billion in total assets.
By raising the thresholds and indexing them, the FDIC aims to preserve the original calibration of the regulation: small, community-type banks face lighter regulatory burden, while larger and more complex institutions remain subject to stricter oversight.
Indexing for the Future—Avoiding Outdated Dollar Limits
A core innovation in the final rule is automatic indexing of many thresholds to inflation. Under the new framework:
- Thresholds will be adjusted every two years.
- Adjustments will be based on CPI-W, allowing thresholds to maintain their real (inflation- adjusted) value over time.
- The final rule provides that such adjustments will take effect on October 1 for future thresholds.
- The final rule expressly permits an institution’s appropriate federal banking agency to exercise discretionary exemption if the institution likely will no longer be subject to a Part 363 requirement as a result of a threshold adjustment that is scheduled to occur during the institution’s current fiscal year.
The indexing methodology included in the final rule enhances transparency and certainty by providing institutions with a predetermined schedule for future threshold changes. Further, these automatic adjustments will help preserve thresholds’ intended scope of application and their alignment with intended policy objectives over time. Accordingly, the indexing methodology contributes to a more durable regulatory framework while avoiding the undesirable and unintended outcome where the scope of applicability for a regulatory requirement changes over time due solely to inflation.
Significance and Broader Context
This overhaul of Part 363 is likely the most significant regulatory relief for community and mid-size banks from the FDIC in decades. It reflects a broader recognition that regulatory thresholds established in the early 1990s no longer reflect the realities of a vastly larger banking sector, higher inflation, and changes in the structure and concentration of banking assets.
By design, the changes preserve oversight where it matters most—for larger and potentially higher-risk institutions—while reducing unnecessary burden on those less likely to threaten the deposit-insurance fund.
At the same time, indexing ensures the rule remains relevant over time, rather than becoming obsolete again as the economy grows.
Effective Date
The final rule is effective January 1, 2026. An insured depository institution need not comply with the applicable Federal Deposit Insurance Corporation Improvement Act (FDICIA) requirements in effect as of December 31, 2025, if the institution won’t be subject to Part 363 requirements under the updated thresholds in effect as of January 1, 2026.
Looking Ahead—What Banks Should Do Now
The updated thresholds set forth in the proposed rule would achieve meaningful burden reduction for the smallest institutions. While the final rule amends certain compliance requirements, the approval does not lessen the need for strong financial reporting discipline. Prudent risk management practices remain essential to preventing errors, unauthorized activity, and fraud—risks that do not disappear with regulatory relief.
We recommend management and those charged with governance take several steps to prepare for updated requirement thresholds:
- Institutions should assess their current asset level to determine the impact of the amendments to Part 363.
- Boards and Audit Committees should understand the updated composition and governance requirements under Part 363 and what they mean for their institution.
- Boards and Audit Committees should understand and assess the impact of changes to the independence requirements.
- Management teams should coordinate with external auditors and internal audit functions to align expectations.
- Compliance teams should begin planning for next year’s audit and reporting cycle accordingly, and consider whether to revise, rotate, or consolidate internal control testing. We recommend integrating the ICFR into your risk-based internal audit plan.
- Other areas of impact on institutions should be assessed. For example, the definition of large and supervised lenders with respect to Department of Housing and Urban Development (HUD) and Federal Housing Administration (FHA) compliance audits is tied to the Part 363 threshold.
At Snodgrass, we are committed to community banks. Our firm’s size and volume of work enable us to provide you with industry specialists. Our team of professionals can help you assess the impact of these changes and develop strategies for the future.
About the Author:
BRENDAN M. WHALEN, CPA
Principal, Audit and Assurance | S.R. Snodgrass, P.C.
Brendan is responsible for all aspects of audit engagements, from planning and performing fieldwork to analyzing high-risk areas. With comprehensive experience in all elements of accounting and business management, Brendan has valuable insight into the industries he serves, with a primary focus on financial institutions, employee benefit plans, and nonprofits. He has extensive SEC experience with public reporting companies, which includes assisting clients with filings under the 1933 and 1934 Acts, reporting requirements for Sarbanes-Oxley, and COSO Internal Control – Integrated Framework (2013) compliance. Brendan has become proficient in preparing and coordinating the financial statement audit, as well as working with clients to help them thoroughly understand and work through various difficult accounting issues. He remains informed of the ever-changing rules and regulations affecting the banking industry and employee benefit plan industry to assist his clients in dealing with accounting and financial matters that impact their business
About S. R. Snodgrass
Founded in 1946, S.R. Snodgrass is a privately held, multi-faceted public accounting and consulting firm, known for innovative tax, assurance, technology, and financial advisory services for financial institutions, nonprofits, and businesses of all kinds. The firm has worked with more than 175 financial institutions in 16 states and employs more than 90 professionals. The firm is ranked among the country’s top 300 public accounting firms according to Inside Public Accounting’s 2025 list. It maintains offices in suburban Pittsburgh and Philadelphia, along with Wheeling, West Virginia, and Steubenville, Ohio.
