In 1991, Congress passed the Federal Deposit Insurance Corporation Improvement Act, also known as FDICIA, to strengthen banking practices after a string of problems in the 1980s. Lawmakers included tough new supervisory standards, raised bank capital requirements, and gave examiners new powers to resuscitate troubled institutions. Section 36 of the FDICIA calls for tests, documentation, and management attestation of financial controls.

RELATED ARTICLE

Bankers Group Asks SEC To Address Auditing Overlap

Sound a lot like Section 404 of Sarbanes-Oxley? Well, it is; in fact, the Section 36 served as the model for the internal control provisions of SOX.

As a result, one might assume that deposit institutions subject to FDICIA are finding Sarbanes-Oxley compliance testing to be a piece of cake; however, that's not the case.

Brown

“It’s been interesting to see the progress of institutions that had to comply with FDICIA that now have to comply with PCAOB Standard 2 and SOX 404,” says James Brown, audit and accounting quality control partner at BKD in Springfield, Mo. “They have an easier time than someone starting from scratch, but it’s not inconsequential for them.”

That sentiment was echoed by several audit executives with whom Compliance Week spoke about the issue.

“SOX 404's testing and documentation requirements were more extensive than FDICIA," says Jeffrey Harjo, chief auditor at BOK Financial in Tulsa, Okla. And while Harjo says that the challenges were expected, he agrees that the SOX requirements were tough even for FDICIA regulated companies. “I can't really say [SOX 404] was any harder than expected, but it certainly wasn't easier.”

Changing Standards

Zimiles

One key difference is the wider scope of Sarbanes-Oxley. “FDICIA only applied to the bank part of financial institutions,” says Ellen Zimiles of the National Financial Services Practice of KPMG. Experts note that SOX 404 has relevance to a far more vast matrix of operational issues.

Control documentation at banks, for example, was lighter under FDICIA than SOX 404. According to Zimiles, many of her clients had to create new documentation to comply with the internal control provisions of Sarbanes-Oxley. The process entailed extensive interviews by independent auditors, conducted with employees throughout the company to find out how certain reports were run, and how certain inputs were created. “It’s an enormously labor intensive process," she says, "but once you’ve done it, you have it.”

According to Harjo at BOK Financial, rapidly evolving standards was another reason why banks—like other companies—have had trouble with Sarbanes-Oxley. “The tests themselves were not that much different for SOX 404 as compared to FDICIA," he says. "However, the PCAOB standard changed the testing requirements for our external auditors, so we changed our testing approach accordingly.”

The frequency with which banks have had to test—and re-test—controls under SOX 404 has also proven different than FDICIA. “The major differences were in the timing of testing, responsibility for testing, the amount of documentation required and the amount of re-testing required," says Harjo. "Essentially, we now test early and test often.”

And finally, some observers note that banks' challenges in meeting SOX 404 standards may be partially due to the fact that bank examiners didn't always perform the control systems tests called for under FDICIA. As a result, banks became some what lax in their oversight of certain controls, instead paying more attention to those areas on which examiners focused.

Standard, Market Consolidation

Koonjy

America’s Community Bankers, a trade association representing smaller deposit institutions, recently sent an advocacy letter to Jonathan Katz at the Securities and Exchange Commission requesting that FDICIA and not PCAOB Standard 2 be the compliance standard for banks. One problem is that many auditors are applying PCAOB Standard 2 for all regulated banks, even private ones, says Diane Koonjy, senior regulatory counsel at America’s Community Bankers. “The auditors have control, and they set the standard,” she says.

And some say that higher standard is driving a new round of industry consolidation.

For historical reasons, many small banks are publicly traded, but with thinly floated stock. The America’s Community Bankers NASDAQ index includes 518 banks with an average market capitalization of less than $350 million; the smallest bank in the index, University Bancorp of Ann Arbor, Mich., has a market capitalization of only $8 million.

When FDICIA was passed, it caused a large number of smaller community institutions to merge with larger banks, forming some of the huge national bank systems like Bank of America and Bank One. Now that Sarbanes-Oxley has been added to the compliance equation, “there’s a lot of merger and acquisition activity,” says Zimiles at KPMG.

Koonjy says that America’s Community Bankers fully expects to see consolidation among its members. “It’s not just 404," she says, "but all the other regulatory requirements that they have to meet, but it’s a shame that these banks are losing access to public markets.”

And if those banks stay independent? “Hopefully the extension will allow non-accelerated filers a more orderly process,” says BKD’s James Brown.

Topics