FDICIA Final Rule 2025: What Banks Need to Know

November 25, 2025

Contributors: Alicia Prichard, CPA

On Nov. 25, 2025,��the Federal Deposit Insurance Corporation (FDIC)��officially adopted amendments��to 12 CFR Part 363, which is the regulation to implement Section 112 of the Federal Deposit Insurance Corporation Improvement Act of 1991 (known as��FDICIA).��The amendments, effective Jan. 1, 2026,��update��certain��regulatory thresholds that govern audit and reporting requirements.

An��insured depository institution��will not need��to��comply with��the��applicable��Part 363��requirements��in��effect��as of��Dec.��31, 2025,��if��the institution��will not be subject��to��the��requirements��under the new thresholds effective Jan.��1, 2026.��

This modernization offers relief, particularly for smaller and mid-sized institutions that have invested��significant time��and resources in FDICIA compliance.��As��a��trusted advisor��to many��of these institutions,��è��Ƶ��has��a��front-line��perspective��on��the challenges��brought by��recent regulatory uncertainty��and��is��helping clients��identify��clear, actionable next steps��with this final rule.��

What’s��Changed��Under the��Final��FDICIA Rule?��

The most��significant��change��relates to the��asset size thresholds for certain audit requirements, summarized as follows:��

Important: These thresholds will be evaluated and adjusted every two years based on changes in the non-seasonally adjusted Consumer Price Index for Urban Wage Earners and Clerical Workers (CPI-W). They will be adjusted sooner if CPI-W exceeds 8%. The first future adjustment is planned to be effective Oct. 1, 2027.

Additional��changes��include:��

increases��in��asset size thresholds��for��certain��audit committee composition��requirements��
an increase in��the��director independence��compensation threshold��

Implications for Regional and Community Banks’ Internal Control Environment��

While these updates offer relief,��we acknowledge that��maintaining��strong internal controls��remains��essential; not out of obligation, but because��it’s��foundational to��the safety and soundness of any financial institution.��

The Association of Certified Fraud Examiners’��recent global study��of��occupational fraud,��A Report to the Nations,��finds that��more than half of��occupational frauds occur due to the lack of internal controls or override of existing controls.��Institutions��with��effective��control environments��will remain��well-positioned to use them strategically for growth and resilience.��

The��appropriate��response��to these regulatory changes will��naturally��vary based on��each institution’s��size and structure.��However,��a��common theme��should be��embracing��this��opportunity to thoughtfully��reevaluate��and��reassert��direction��of��the��institution’s��overall risk and internal controls framework.��

How Should Banks with Assets Between $1 Billion and $5 Billion Respond?��

In responding to these changes, it��is important to keep in mind that management of institutions��with��over��$1 billion��in��current or projected��assets will still be��required��to attest to the effectiveness of internal controls��under the new rule.��Making and monitoring that attestation��should have a reasonable basis��that is��supported by��an��internal control monitoring function.��

Even so,��management��will be��more empowered to��drive and define the scope of internal controls, which��might be refreshed to focus on��what’s��most important.��Some��examples of��this may include:��

Controls most critical to the bank’s operations and risk profile��
Areas important to management and those charged with governance��
Controls critical for��identifying��errors in financial reporting��
Information technology��(IT)��controls��
Controls that help��to��mitigate fraud risks��

For certain controls��deemed��important to the overall control structure but lower risk,��management might consider formally testing them on a rotational basis (e.g., every two��years instead of annually) to��help��navigate competing priorities effectively.��

We expect most institutions��of this asset size��to��benefit��from��time and cost savings associated with certain��documentation and��compliance requirements and the increased flexibility to internally manage the timing and scope of monitoring activities.��

Other��Considerations��for Banks Navigating the FDICIA Final Rule��

Impact on External Audits

A point of discussion for institutions that have their financial statements audited��externally��should be whether there may be any scope changes if their auditors can no longer take a “control reliance” approach, meaning that they will have to increase testing performed on the��financial��statements if internal controls aren’t in place and tested.��

Strategic Planning & Growth

It is also important to consider��each institution’s��overall��strategy��and whether��it��plans to grow, make acquisitions, or get��acquired��as this could��impact��regulatory requirements.��Prior investments made to��establish��strong internal control��and governance��structures ought not to be viewed as a sunk cost, but as a��foundation for institutional resilience, regulatory confidence, and long-term strategic agility.��

Next Steps: Questions for Leadership Teams����

If your institution��is navigating how best to respond to these recent changes,��consider��the following questions:��

What��compliance and��documentation��responsibilities will��management��and those charged with governance��continue to have in��maintaining��an effective internal control environment?��
What controls are beneficial to��my��institution or determined critical��regarding��financial reporting, IT��systems, fraud, and other bank-specific operational risks? How can we capitalize on this moment to right-size��our overall risk and control structure?��
How��will��this��impact��our institution’s annual risk assessment process��and��internal audit function?��
How will we involve key stakeholders��in these decisions and communicate with them in a way which��demonstrates��a continued commitment to sound governance?��
Is our��planned approach��in harmony��with��our��overall��strategic��plan?��

Empower��your institution’s leaders to��take this��as an��opportunity��to rethink��the status quo.��To learn more about��best practices for��maintaining��modernized��and��effective��internal��control��and��governance structures��in an ever-changing regulatory landscape, contact your ��è��Ƶ advisor��or click��here.��

Frequently Asked Questions About the FDICIA Final Rule��

Q: Do banks under $1 billion still need external audits?
A:��Banks under��$1 billion��in assets��are no longer required to��have independent external financial statement audits under the new FDICIA rule, though many may��still��choose to do so for��strategic,��governance��or other��reasons.��

Q: What happens if a bank’s assets fluctuate around the��$1 billion��or��$5 billion��thresholds?
A:��Institutions should��monitor��their asset size closely and plan accordingly. The thresholds will be evaluated every two years based on CPI-W��changes, so long-term strategic planning is essential.��

Q: Can banks��eliminate��all internal control testing under the new rule?
A:��No. Banks between��$1 billion��and��$5 billion��must still attest to the effectiveness of internal controls, which requires a reasonable basis supported by internal monitoring. Strong controls��remain��foundational��to��safety and soundness.��

Q: How can ��è��Ƶ help my institution respond to the FDICIA final rule?
A:����è��Ƶ provides strategic advisory services to help banks assess their internal control environments, right-size compliance efforts, and align governance structures with long-term growth��objectives.��