
FDICIA Final Rule 2025: What Banks Need to Know

November 25, 2025

Contributors: Alicia Prichard, CPA

On Nov. 25, 2025, the Federal Deposit Insurance Corporation (FDIC) officially adopted amendments to 12 CFR Part 363, the regulation that implements Section 112 of the Federal Deposit Insurance Corporation Improvement Act of 1991 (known as FDICIA). The amendments, effective Jan. 1, 2026, update certain regulatory thresholds that govern audit and reporting requirements.

An insured depository institution will not need to comply with the applicable Part 363 requirements in effect as of Dec. 31, 2025, if the institution will not be subject to the requirements under the new thresholds effective Jan. 1, 2026. 

This modernization offers relief, particularly for smaller and mid-sized institutions that have invested significant time and resources in FDICIA compliance. As a trusted advisor to many of these institutions, Rehmann has a front-line perspective on the challenges brought by recent regulatory uncertainty and is helping clients identify clear, actionable next steps with this final rule. 

What’s Changed Under the Final FDICIA Rule? 

The most significant change relates to the asset size thresholds for certain audit requirements, summarized as follows: 

Important: These thresholds will be evaluated and adjusted every two years based on changes in the non-seasonally adjusted Consumer Price Index for Urban Wage Earners and Clerical Workers (CPI-W). They will be adjusted sooner if CPI-W exceeds 8%. The first future adjustment is planned to be effective Oct. 1, 2027.

Additional changes include: 

  • increases in asset size thresholds for certain audit committee composition requirements 
  • an increase in the director independence compensation threshold 

Implications for Regional and Community Banks’ Internal Control Environment 

While these updates offer relief, we acknowledge that maintaining strong internal controls remains essential, not out of obligation but because it’s foundational to the safety and soundness of any financial institution.

The Association of Certified Fraud Examiners’ recent global study of occupational fraud, A Report to the Nations, finds that more than half of occupational frauds occur due to the lack of internal controls or override of existing controls. Institutions with effective control environments will remain well-positioned to use them strategically for growth and resilience.  

The appropriate response to these regulatory changes will naturally vary based on each institution’s size and structure. However, a common theme should be embracing this opportunity to thoughtfully reevaluate and reassert the direction of the institution’s overall risk and internal controls framework.

How Should Banks with Assets Between $1 Billion and $5 Billion Respond? 

In responding to these changes, it is important to keep in mind that management of institutions with over $1 billion in current or projected assets will still be required to attest to the effectiveness of internal controls under the new rule. Making and monitoring that attestation should have a reasonable basis that is supported by an internal control monitoring function. 

Even so, management will be more empowered to drive and define the scope of internal controls, which might be refreshed to focus on what’s most important. Some examples of this may include: 

  • Controls most critical to the bank’s operations and risk profile 
  • Areas important to management and those charged with governance 
  • Controls critical for identifying errors in financial reporting 
  • Information technology (IT) controls  
  • Controls that help to mitigate fraud risks 

For certain controls deemed important to the overall control structure but lower risk, management might consider formally testing them on a rotational basis (e.g., every two years instead of annually) to help navigate competing priorities effectively.  

We expect most institutions of this asset size to benefit from time and cost savings associated with certain documentation and compliance requirements and the increased flexibility to internally manage the timing and scope of monitoring activities. 

Other Considerations for Banks Navigating the FDICIA Final Rule 

Impact on External Audits

Institutions that have their financial statements audited externally should discuss whether the audit scope may change if their auditors can no longer take a “control reliance” approach, meaning that the auditors will have to increase testing performed on the financial statements if internal controls aren’t in place and tested.

Strategic Planning & Growth

It is also important to consider each institution’s overall strategy and whether it plans to grow, make acquisitions, or get acquired, as this could impact regulatory requirements. Prior investments made to establish strong internal control and governance structures ought not to be viewed as a sunk cost, but as a foundation for institutional resilience, regulatory confidence, and long-term strategic agility.

Next Steps: Questions for Leadership Teams  

If your institution is navigating how best to respond to these recent changes, consider the following questions: 

  • What compliance and documentation responsibilities will management and those charged with governance continue to have in maintaining an effective internal control environment?  
  • What controls are beneficial to my institution or deemed critical to financial reporting, IT systems, fraud, and other bank-specific operational risks? How can we capitalize on this moment to right-size our overall risk and control structure?
  • How will this impact our institution’s annual risk assessment process and internal audit function? 
  • How will we involve key stakeholders in these decisions and communicate with them in a way that demonstrates a continued commitment to sound governance?
  • Is our planned approach in harmony with our overall strategic plan? 

Empower your institution’s leaders to take this as an opportunity to rethink the status quo. To learn more about best practices for maintaining modernized and effective internal control and governance structures in an ever-changing regulatory landscape, contact your Rehmann advisor.

Frequently Asked Questions About the FDICIA Final Rule 

Q: Do banks under $1 billion still need external audits?
A: Banks under $1 billion in assets are no longer required to have independent external financial statement audits under the new FDICIA rule, though many may still choose to do so for strategic, governance or other reasons. 

Q: What happens if a bank’s assets fluctuate around the $1 billion or $5 billion thresholds?
A: Institutions should monitor their asset size closely and plan accordingly. The thresholds will be evaluated every two years based on CPI-W changes, so long-term strategic planning is essential. 

Q: Can banks eliminate all internal control testing under the new rule?
A: No. Banks between $1 billion and $5 billion must still attest to the effectiveness of internal controls, which requires a reasonable basis supported by internal monitoring. Strong controls remain foundational to safety and soundness. 

Q: How can Rehmann help my institution respond to the FDICIA final rule?
A: Rehmann provides strategic advisory services to help banks assess their internal control environments, right-size compliance efforts, and align governance structures with long-term growth objectives.