The Sarbanes-Oxley Act of 2002: Impact on and Considerations for Financial Institutions

Transcription

1 LAST UPDATED SEPTEMBER 20, 2003 : Impact on and Considerations for Financial Institutions Gibson, Dunn & Crutcher LLP Gibson, Dunn & Crutcher lawyers are available to assist clients in addressing any questions they may have regarding the issues discussed in these materials. For additional information, please contact: Cantwell F. Muckenfuss, III (202) cmuckenfuss@gibsondunn.com Robert C. Eager (202) reager@gibsondunn.com Christopher J. Bellini (202) cbellini@gibsondunn.com Amy L. Goodman (202) agoodman@gibsondunn.com 2003 Gibson, Dunn & Crutcher LLP

2 Abbreviations Act Sarbanes-Oxley Act of 2002 Exchange Act Securities Exchange Act of 1934 FDIA FDIC NASDAQ NYSE OCC OTS PCAOB SEC Federal Deposit Insurance Act Federal Deposit Insurance Corporation The Nasdaq Stock Market, Inc. New York Stock Exchange Office of the Comptroller of the Currency Office of Thrift Supervision Public Company Accounting Oversight Board Securities and Exchange Commission Securities Act Securities Act of 1933 Note on scope of the Act and its application to financial institutions: Because the Act is largely an investor protection statute, many of its provisions apply to "issuers." An "issuer" is defined in Section 2(a)(7) of the Act to include any issuer with debt or equity securities registered under Section 12 of the Exchange Act or required to file reports under Section 15(d) of the Exchange Act, as well as any issuer that files or has filed a registration statement that has not yet become effective under the Securities Act and that it has not withdrawn. On May 5, 2003, the OTS, the Federal Reserve, and the OCC issued a joint statement declaring that they did not expect to take steps to apply the board composition, director independence, audit committee, auditor independence and other corporate governance requirements of the Act and of proposed NYSE and NASDAQ listing standards to non-public banking organizations that are not otherwise subject to those requirements. Nonetheless, the agencies encouraged all non-public banking organizations to review periodically their policies and procedures relating to corporate governance and auditing, and ensure that such policies and procedures are consistent with applicable law, regulations and supervisory guidance and remain appropriate given the organization's size, operations and resources. See CEO Letter 174, "Statement by the Federal Reserve Board, the Comptroller of the Currency, and the Office of Thrift Supervision on Application of Recent Corporate Governance Initiatives to Non-Public Bank Organizations" (May 5, 2003), available at

3 In addition, Section 3(b)(4) of the Act amends Section 12(i) of the Exchange Act to provide that federal banking agencies have the authority to administer and enforce certain provisions of the Act against issuers, including the certification provisions in Section 302, and the provisions of the Act regarding: (a) improper influence on the conduct of audits (Section 303); (b) disgorgement of bonuses and equity-based compensation in the event of material non-compliance with financial reporting requirements as a result of misconduct (Section 304); (c) prohibitions on trading of company equity securities during pension fund blackout periods (Section 306(a)); (d) use of non-gaap financial measures (Section 401(b)); (e) management internal control reports (Section 404); (f) disclosure regarding codes of ethics for senior financial officers (Section 406); and (g) disclosure regarding audit committee financial expert (Section 407)). Under Section 12(i) of the Exchange Act, the powers, functions and duties vested in the SEC to administer and enforce particular provisions of the securities laws (including those provisions of the Act identified in this paragraph) are vested in federal banking regulators with respect to securities issued by banks and savings associations with deposits insured under the FDIA. Section 12(i) requires federal banking regulators to issue substantially similar regulations to those issued by the SEC unless they find that implementation of substantially similar regulations is not necessary or appropriate in the public interest or for the protection of investors. Such regulations must be published in the Federal Register within 60 days of any changes made by the SEC in its relevant regulations or rules. In the absence of express authorization under Section 3(b)(4) of the Act, it is unclear whether Congress intended federal banking regulators to have the authority to administer and enforce various provisions of the Act to the extent that these provisions apply to financial institutions. In this regard, the OCC has taken the position that it has "broad authority to regulate the conduct of national banks except where the authority to issue such regulations has been 'expressly and exclusively' given to another federal regulatory agency," including the authority to "enforc[e] compliance with any applicable federal or state laws" concerning activities authorized or permitted pursuant to federal banking law. AL (Nov. 25, 2002), available at On March 5, 2003 the FDIC issued guidance to financial institutions about selected provisions of the Act. FIL (March 5, 2003), available at Specifically, the FDIC discussed the application of the Act to: 1. FDIC-supervised institutions that are public companies. FDIC-supervised banks that are public companies because they have registered their securities pursuant to Part 335 of the FDIC s regulations, or because they are subsidiaries of bank holding companies that are public companies, must comply with the Act and the SEC s implementing regulations. In its March 5 guidance, the FDIC indicated that, for banks that are registered with the FDIC, Part 335 incorporates applicable SEC regulations by reference, but that the FDIC anticipated that certain amendments to Part 335 would be necessary. 2. Insured depository institutions with $500 million or more in total assets. Insured depository institutions with $500 million or more in total assets are subject to the annual audit and reporting requirements of Section 36 of the FDIA, as implemented by Part 363. The guidance issued by the FDIC on March 5 discusses the relationship between these requirements and the provisions of the Act relating to auditor independence and internal controls. Attachment II to FIL (March 5, 2003), available at The FDIC also indicated that it was considering 2

4 amending Part 363 of its regulations to extend certain provisions of the Act to all insured institutions with $500 million or more in total assets, regardless of whether they are public companies. Unless and until it adopts amendments to Part 363 in response to other provisions of the Act and the SEC s implementing regulations, the FDIC recommended that these institutions review the FDIC guidance on corporate governance practices for smaller institutions not subject to the Act (see 3 below). 3. Insured depository institutions with less than $500 million in total assets. Insured depository institutions with less than $500 million in total assets that are not public companies generally do not fall within the scope of the Act. However, the FDIC noted in its March 5 guidance that certain provisions of the Act mirror existing policy guidance related to corporate governance practices issued by the FDIC and other banking agencies, and that other provisions of the Act represent "sound corporate governance practices." Accordingly, the FDIC prepared a summary of selected provisions of the Act that it believes are relevant to insured depository institutions with less than $500 million in total assets that are not public companies. Attachment I to FIL (March 5, 2003), available at The FDIC recommended that institutions consider implementing these practices to the extent feasible given their size, complexity and risk profile even though these practices are not mandatory. On April 5, FDIC and OCC regulators indicated their concern with the cost and compliance challenges that the Act poses for community banks. Furthermore, an OCC representative indicated that the OCC was working on a set of guidelines similar to the FDIC's March 5, 2003 letter. See Christian R. Bruce, "Agencies Pledge Help for Small Banks Worried About Sarbanes-Oxley Burdens," BNA's Banking Report, April 14, 2003, at

5 Significant Provisions Already in Effect Loans to executive officers and directors 402 The Act prohibits issuers from extending loans to or arranging loans for executive officers and directors except for: loans that existed on July 30, 2002, provided they are not materially modified or renewed; home improvement and manufactured home loans (as defined in Section 5 of the Home Owners' Loan Act (12 U.S.C. 1464)), consumer credit (as defined in Section 103 of the Truth in Lending Act (15 U.S.C. 1602), credit extended under open end credit plans or credit cards (as defined in Sections 103 and 127(c)(4)(e), respectively, of the Truth in Lending Act (15 U.S.C & 1637(c)(4)(e) respectively)), or any extension of credit by a registered broker or dealer to an employee to buy, trade or carry securities that is permitted by Federal Reserve rules or regulations (other than an extension of credit that would be used to purchase stock of that issuer,) provided in each case that such loans are: (1) made in the ordinary course of the issuer's consumer credit business; (2) of a type generally made available by the issuer to the public; and (3) made on market terms or terms no more favorable than those offered to the general public; and loans made by insured depository institutions, if the loans are subject to the insider lending restrictions of Section 22(h) of the Federal Reserve Act. Effective July 30, Applies to any "issuer," which is defined to include any issuer with debt or equity securities registered under Section 12 of the Exchange Act or required to file reports under Section 15(d) of the Exchange Act. It also includes an issuer that files or has filed a registration statement that has not yet become effective under the Securities Act and that it has not withdrawn. Synopsis: Although the Act generally prohibits loans to officers and directors, loans subject to Regulation O are exempt from this prohibition. Application of the Act to insured depository institutions with less than $500 million in assets that are not public companies. The FDIC has indicated that all non-public insured depository institutions with less than $500 million in assets should continue to comply with Regulation O in their lending to directors and executive officers. (FIL , Attachment I (Mar. 5, 2003)). Laws and regulations applicable to financial institutions. Loans permitted under Regulation O are exempt from the prohibition in Section 402. Regulation O prohibits member banks from extending credit to their insiders (executive officers, directors, principal shareholders, and their "related interests," which include controlled companies and political or campaign committees that they control or benefit from), with certain exceptions. Among other things, Regulation O permits extensions of credit that are: (1) made on substantially the same terms (including interest rates and collateral) as those prevailing at the time for comparable transactions by the bank with persons who are not executive officers, directors, principal shareholders or employees; 4

6 (2) do not involve more than the normal risk of repayment or present other unfavorable features; and (3) made following credit underwriting procedures that are not less stringent than those applicable to comparable transactions by the bank with persons who are not executive officers, directors, principal shareholders or employees. (12 U.S.C. 375b(1)-(2); 12 C.F.R. Part 215). Savings associations. Savings associations, and their subsidiaries and insiders are subject to the restrictions of 12 C.F.R. Part 215, subparts A and B, of Regulation O, with the exception of the civil penalties provided for in 12 C.F.R , to the same extent as if they were member banks of the Federal Reserve System, except that such provisions are administered and enforced by the OTS. (12 C.F.R ). Insider transactions in company securities 403 Requires executive officers, directors and greater than 10% shareholders to file Section 16 transaction reports before the end of the second business day following execution of the transaction. Electronic filing and posting on the issuer's website are required by June 30, Reporting requirements effective August 29, The SEC adopted final rules regarding electronic filing and website posting on May 7, 2003, which Applies to equity securities (other than exempted securities) registered pursuant to Section 12 of the Exchange Act. The FDIC, OCC and the Federal Reserve have adopted a new electronic filing system, "FDICconnect" to permit banks to file Section 16 reports electronically within two business days of a transaction. This system became operational on July 30, 2003, and electronic filing will be voluntary until the agencies issue guidance making the use of this system mandatory. This guidance is expected during the first quarter of (FIL (July 27, 2003), available at financial/2003/fil0360.html). 5

7 must be complied with for reports filed on or after June 30, CEO/ CFO certifications 302, 906 The Act contains two separate certification requirements. The Section 906 certification was enacted under the criminal mail fraud statute and the SEC has declined to interpret or engage in rulemaking regarding this provision but is in discussions with the Department of Justice regarding its application. The Section 302 certification requires that the SEC promulgate implementing rules, which were issued in late August, 2002, and amended in June, The certification provision in Section 906 requires periodic reports (10-Ks and 10-Qs) to be accompanied by a certification from the CEO and CFO stating that the report fully complies with Exchange Act reporting requirements, and that the information in the report fairly presents, in all material respects, the issuer's financial condition and results of operations. Section 906 imposes criminal penalties if the CEO or CFO makes the certification "knowing" that the periodic report does not comply with the requirements set forth in the certification, and imposes greater penalties if the conduct is also "willful." The certification in Section 302, as implemented by the SEC, requires that the CEO and CFO certify, Section 906 took effect on July 30, Certifications as to accuracy and completeness of reports (items (2) and (3)) began with the Form 10-Q for the quarter ended June 30, 2002; certifications as to disclosure controls and procedures and internal controls began with the Form 10-Q for the quarter ended September 30, The SEC issued amendments to its rules on internal control Section 906 applies to "issuers," as defined in the Act, filing periodic reports with the SEC pursuant to Section 13(a) or 15(d) of the Exchange Act. Section 302 applies to companies filing Synopsis: Under current banking regulations, each Call Report and Thrift Financial Report must be signed by an officer and (depending on the type of institution) two or three directors, all of whom must attest to the accuracy of the report. Section 3(b)(4) of the Act amends the Exchange Act to provide that federal banking agencies have the authority to administer and enforce Section 302 of the Act with respect to securities issued by banks and savings associations with deposits insured under the FDIA. The FDIC has indicated that, as a matter of sound corporate governance practices, insured depository institutions with less than $500 million in assets that are not public companies may wish to consider including a certification by the CEO and CFO with their financial statements. Application of the Act to insured depository institutions with $500 million or more in assets. The FDIC has indicated that, because of the differences between the content of the certification required under Section 302 of the Act and the management internal control reports required by FDIC regulations (discussed below under "Management internal control report"), insured institutions that are public companies or subsidiaries of public companies may not submit a Section 302 certification to the 6

8 with respect to each quarterly and annual report, that: (1) they have reviewed the report; (2) to their knowledge, the report does not contain any untrue statement of material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading; (3) to their knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition, results of operations and cash flows of the issuer as of, and for, the periods presented in the report; (4) they are responsible for establishing and maintaining "disclosure controls and procedures," and "internal control over financial reporting" and have: (a) designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under their supervision, to ensure that material information about the company, including its consolidated subsidiaries, is made known to them by others within those entities, particularly during the period in which the report is being prepared; over financial reporting, and the related provisions of the Section 302 certification, in June, 2003 in connection with the adoption of its rules under Section 404 of the Act (discussed below). These amendments took effect August 14, 2003, with the exception of the italicized language in the introductory paragraph of Section 4 and in Section 4(b) of the certification, which must be provided beginning with the first annual report that includes the management periodic reports with the SEC under Section 13(a) or 15(d) of the Exchange Act. This includes issuers that are filing or submitting reports exclusively under Section 15(d) of the Exchange Act on a "voluntary" basis, such as pursuant to a covenant in an indenture or similar document. FDIC in place of the internal control report. (FIL , Attachment II (Mar. 5, 2003)). Application of the Act to insured depository institutions with less than $500 million in assets that are not public companies. As a matter of sound corporate governance practices, the FDIC has indicated that non-public insured depository institutions with less than $500 million in assets that issue audited financial statements to their stockholders may want to consider including with the financial statements a certification by the CEO and CFO. This certification would state that the officers have reviewed the financial statements and, based on their knowledge, the statements are true and fairly present in all material respects the institution's financial condition, results of operations, and cash flows. (FIL , Attachment I (Mar. 5, 2003)). Laws and regulations applicable to financial institutions. Call Reports and Thrift Financial Reports must be signed by: (1) an authorized officer, who must attest that the report is true to the best of the officer's knowledge and belief; and (2) not less than two directors (for State nonmember banks) and three directors (for State member and National banks), each of whom must attest that the report is true and correct to the best of their knowledge. (12 U.S.C. 324, 1817(a)(3) & 161(a); 12 C.F.R )). Filing a false or misleading Call Report or Thrift 7

9 (b) designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under their supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP; (c) evaluated the effectiveness of the disclosure controls and procedures and presented in the report their conclusions about their effectiveness as of the end of the period covered by the report based on the evaluation; (d) disclosed in the report any change in the internal control over financial reporting that occurred during the most recent fiscal quarter that has materially affected, or is reasonably likely to materially affect, internal control over financial reporting; and (5) they have disclosed to the outside auditor and the audit committee all significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting that are reasonably likely to adversely affect the issuer's ability to record, process, summarize and report financial information, and any fraud involving employees with a internal control report required under Section 404. Financial Report can subject entities to civil and criminal penalties. (12 U.S.C. 1817(a), 12 C.F.R (c); 12 U.S.C. 1464(v)(4)-(6); 12 U.S.C. 1467a(r)(1)-(3); 18 U.S.C. 1005). 8

10 significant role in internal control over financial reporting. The SEC has defined the term "internal control over financial reporting" as a process designed by, or under the supervision of, the CEO and CFO and effected by the board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP and includes those policies and procedures that: (1) pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with GAAP, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements. Disclosure controls and internal controls 302 and SEC rules The SEC rules implementing the certification requirements in Section 302 also require that issuers maintain disclosure controls and procedures, evaluate their effectiveness on at least a quarterly basis, and include in their periodic reports (10-Ks and 10-Qs) disclosures about the conclusions reached by the CEO and CFO following their Certifications as to disclosure controls and procedures began with the Form 10-Q for the quarter ended See discussion under "CEO/CFO certifications" above. Synopsis: Insured depository institutions are currently subject to safety and soundness guidelines that include guidelines on maintaining internal controls. Section 3(b)(4) of the Act amends the Exchange Act to provide that federal banking agencies have the authority to administer and enforce Section 302 of the Act with respect to securities issued by banks and savings 9

11 evaluation of the disclosure controls and procedures. September 30, The SEC adopted minor amendments to its rules on disclosure controls and procedures (and the related disclosure and certification requirements), which took August 14, associations with deposits insured under the FDIA. Laws and regulations general. Section 39 of the FDIA requires federal banking agencies to establish certain safety and soundness regulations for all insured depository institutions, including operational and managerial standards relating to internal controls, information systems and internal audit systems. (12 U.S.C. 1831p-1). Under the Interagency Guidelines Establishing Standards for Safety and Soundness, an institution should have internal controls and information systems that are appropriate to its size, and the nature, scope and risk of its activities and that provide for: (1) an organizational structure that establishes clear lines of authority and responsibility for monitoring adherence to established policies; (2) effective risk assessment; (3) timely and accurate financial, operational and regulatory reports; (4) adequate procedures to safeguard and manage assets; and (5) compliance with applicable laws and regulations. (12 C.F.R. Part 30, App. A (OCC); 12 C.F.R. Part 208, App. D-1 (Federal Reserve System); 12 C.F.R. Part 364, App. A (FDIC); 12 C.F.R. Part 570, App. A (OTS)). Laws and regulations applicable to insured depository institutions with $500 million or more in assets. The management report on internal controls (discussed in next row, below), required of insured depository institutions with $500 million or more in 10

12 assets, necessitates that management evaluate the effectiveness of internal controls as of the end of the institution's most recent fiscal year. (12 U.S.C. 1831m(a) & (b)(2)(b); 12 C.F.R (b)). Each institution should determine its own standards for establishing, maintaining and assessing the effectiveness of its internal controls. (12 C.F.R. Part 363, App. A (Guidelines and Interpretations), para. 10). Management internal control report 404 Section 404 of the Act, as implemented by the SEC, requires annual reports filed with the SEC to contain an internal control report of management that includes: a statement that management is responsible for establishing and maintaining adequate internal control over financial reporting for the issuer; a statement identifying the framework used by management to evaluate the effectiveness of the issuer's internal control over financial reporting (which must be a suitable, recognized control framework established by a body that has followed due process procedures, including the distribution of the framework for public Domestic listed companies that meet the SEC's accelerated filer requirements 1 must provide management's internal control report beginning with annual report filed for first fiscal year ending on or after June 15, All other Applies to annual reports required by Section 13(a) or 15(d) of the Exchange Act. Synopsis: Insured depository institutions with $500 million or more in assets must prepare management internal control reports similar to those required by the Act. The FDIC has indicated that it will review the final SEC rules under Section 404 to determine whether insured institutions that are public companies, or subsidiaries of public companies, can use the Section 404 internal control report and accountant's attestation to satisfy analogous FDIC requirements. Application of the Act general. Section 3(b)(4) of the Act amends Section 12(i) of the Exchange Act to provide that federal banking agencies have the authority to administer and enforce Section 404 of the Act. 1 An accelerated filer has an aggregate market value of common equity held by non-affiliates of $75 million or more, has been subject to Exchange Act reporting requirements for at least 12 months, has filed at least one annual report pursuant to those requirements, and is not a small business filer. 11

13 comment, such as the Committee of Sponsoring Organization of the Treadway Commission's Internal Control Integrated Framework); management's assessment of the effectiveness of the issuer's internal control over financial reporting as of the end of the most recent fiscal year, including a statement as to whether or not internal control over financial reporting is effective (management may not conclude that it is effective if there are one or more material weaknesses in the issuer's internal control over financial reporting); and a statement that the outside auditor has issued an attestation report on management's assessment of internal control over financial reporting. In addition, under the SEC rules implementing Section 404: (1) issuers must maintain internal control over financial reporting; (2) management must evaluate, with the participation of the CEO and CFO, the effectiveness of internal control over financial reporting as of the end of each fiscal year; (3) management must evaluate, with the participation of the CEO and CFO, on a quarterly basis, any changes in internal control over financial reporting that have materially affected, or are reasonably likely to materially affect, internal control over financial reporting; and (4) issuers must include in their periodic reports disclosures about the conclusions reached by the CEO and CFO following their evaluation. companies must provide the report beginning with their first fiscal year ending on or after April 15, Disclosure about significant changes to internal control over financial reporting (and the related certification under Section 302 and the SEC's rules), are required after August 14, 2003, although the substantive requirement to conduct a quarterly evaluation of significant changes to internal control over financial reporting is not In the release adopting its rules under Section 404, the SEC indicated that bank and thrift holding companies required to file reports under Section 13(a) or 15(d) of the Exchange Act would be subject to the SEC's internal control reporting require ments, and acknowledged that, although its rules under Section 404 are similar to the FDIC's internal control report requirements, they also differ in a few respects. For example, the SEC's rules do not require a statement of compliance with applicable laws and regulations, which is required under FDIC rules (see below). In order to give additional flexibility to depository institutions required to file internal control reports under both Section 404 and the FDIC rules (and bank holding companies permitted to file internal control reports on behalf of their insured depository institution subsidiaries), the SEC has provided two options for satisfying the Section 404 requirements. Institutions can prepare: two internal control reports to satisfy SEC and FDIC requirements separately; or a single internal control report that satisfies both SEC and FDIC requirements. If an institution prepares a single internal control report, SEC rules require that the report contain: a statement of management's responsibility for preparing the annual financial statements, for establishing and maintaining adequate internal control over financial reporting, and for the 12

14 effective until first quarterly report due after first annual report that includes management's internal control report. institution's compliance with laws and regulations relating to safety and soundness designated by the FDIC and the appropriate federal banking agencies; a statement identifying the framework used by management to evaluate the effectiveness of internal control over financial reporting; management's assessment of the effectiveness of internal control over financial reporting as of the end of the most recent fiscal year, including a statement as to whether or not management has concluded that internal control over financial reporting is effective, and of the institution's compliance with the designated safety and soundness laws and regulations during the fiscal year, which must include disclosure of any material weakness in internal control over financial reporting identified by management; and a statement that the registered public accounting firm that audited the financial statements has issued an attestation report on management's assessment of internal control over financial reporting. The registered public accounting firm's attestation report must be included in the institution's annual report filed under the Exchange Act. Application of the Act to insured depository institutions with $500 million or more in assets. The FDIC has noted that the language in Section

15 of the Act requiring internal control reports and accountants' attestations is substantially similar to the language of Section 36 of the FDIA. The FDIC has indicated that it will review the final SEC rules under Section 404 to determine whether institutions that are public companies, or subsidiaries of public companies, can use the Section 404 internal control report and accountant's attestation to satisfy analogous FDIC requirements (discussed below) under Section 36 of the FDIA and Part 363 of FDIC regulations. In the meantime, institutions must comply with applicable FDIC requirements. With respect to the internal control report required by the FDIC, the FDIC has indicated that many institutions are not fully complying with the requirements governing the content of these reports. Specifically, the FDIC has noted that management are frequently omitting one or more of the following items: the required statement of management s responsibility for preparing the financial statements; the required statement of management's responsibilities for complying with the designated safety and soundness laws and regulations; and management s required assessment of the institution s compliance with the designated safety and soundness laws and regulations during the most recent fiscal year. (FIL , Attachment II (Mar. 5, 2003)). 14

16 The FDIC has indicated that, because of the differences between the content of the certification required under Section 302 of the Act and the management internal control report required by the FDIC, insured institutions that are public companies or subsidiaries of public companies may not submit a Section 302 certification to the FDIC in place of the internal control report. (FIL , Attachment II (Mar. 5, 2003)). Application of the Act to insured depository institutions with less than $500 million in assets that are not public companies. As a matter of sound corporate governance practices, the FDIC recommends that even when a non-public insured depository institution with less than $500 million in assets chooses to have a financial statement audit as its external auditing program (which is the preferred type of program under the Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations, discussed below), the institution consider the benefits and costs of supplementing external audits with an internal control assessment by management and an attestation of this assessment by the institution's independent public accountant. (FIL , Attachment I (Mar. 5, 2003)). 15

17 Laws and regulations applicable to insured depository institutions with $500 million or more in assets. For insured depository institutions with $500 million or more in assets: The CEO and chief accounting officer or CFO must sign an annual report containing: (1) a statement of management's responsibilities for preparing the institution's annual financial statements, establishing and maintaining an adequate internal control structure and procedures for financial reporting, and complying with laws and regulations relating to safety and soundness (i.e., restrictions on loans to insiders, and federal and state laws and regulations on dividend restrictions); and (2) an assessment by management, as of the end of the institution's most recent fiscal year, of the effectiveness of the internal control structure and procedures and the institution's compliance with laws and regulations relating to safety and soundness. (12 U.S.C. 1831m(a) & (b)(1); 12 C.F.R (b); 12 C.F.R. Part 363, App. A (Guidelines and Interpretations), paras. 8-12). The institution's independent public accountant must examine, attest to, and report separately on, the assertions by management concerning the internal control structure and procedures for financial reporting. (12 U.S.C. 1831m(a) & (c); 12 C.F.R (b)). The accountant should meet with the institution's audit committee and management to review the basis for the attestation and internal control 16

18 report, respectively, and it may also be appropriate for the accountant to review its findings with the institution's board of directors and management. (12 C.F.R. Part 363, App. A (Guidelines and Interpretations), paras. 19 & 31). The internal control report and assessment, and the attestation, can be satisfied at the holding company level if services and functions comparable to those required of the insured depositary institution under 12 C.F.R. Part 363 (annual independent audits and reporting requirements) are performed at the holding company level and the subsidiary depository institution has either: (1) total assets of less than $5 billion; or (2) total assets of $5 billion or more and a composite CAMEL rating of 1 or 2, although the appropriate federal banking regulator may revoke the ability to meet the requirements at the holding company level for an institution with total assets in excess of $9 billion. (12 U.S.C. 1831m(i); 12 C.F.R (b)(2)-(3)). Laws and regulations applicable to insured depository institutions with less than $500 million in assets. The federal banking agencies have issued guidance to institutions with less than $500 million in total assets and institutions that are not otherwise subject to audit requirements by order, agreement, statute or regulations. This guidance indicates that when an institution's external auditing program includes an examination of internal controls, it is the 17

19 responsibility of the board or its audit committee to obtain an opinion from the independent public accountant stating whether the financial reporting process is subject to any material weaknesses. In such a case, the management assessment and the attestation are considered an acceptable alternative external auditing program for an institution that chooses not to have an audit of its financial statements, although a financial statement audit is the preferred type of external auditing program. For a smaller institution with less complex operations, an examination of internal controls should specifically provide recommendations for improving those controls, including suggestions for compensating controls to mitigate risks arising out of staffing and resource limitations. (Federal Financial Institutions Examination Council, Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations (Sept. 22, 1999)). Corporate governance Audit Committees Independence 301 Each member of the audit committee must be independent, which means that committee members may receive no consulting, advisory or other fees from the company, other than fees for service as a director, and may not be an affiliated person of the company or any of its subsidiaries. The SEC's rules implementing Section 301 prohibit audit committee members from receiving direct and The SEC has adopted rules ordering the NYSE and NASDAQ to adopt listing standards prohibiting the listing of Applies to companies listed on an exchange or traded on NASDAQ. Synopsis: Under current banking regulations, insured depository institutions with $500 million or more in assets must have an independent audit committee, and the audit committees of institutions with total assets of more than $3 billion also may not include any large customers of the institution. In addressing the applicability of the Act to financial institutions, the FDIC has indicated that it continues to encourage institutions that are not otherwise required to do so to 18

20 indirect payments of consulting and other advisory fees other than compensation for board or committee service. Indirect payments include payments to: (1) a spouse, minor child or stepchild of, or a child or stepchild sharing a home with, an audit committee member; and (2) an entity in which the audit committee member is (i) a partner or a member, (ii) an officer occupying a position comparable to a partner or member (such as a managing director); (iii) an executive officer or (iv) in a position similar to any of the foregoing (excluding limited partners, non-managing members and others who have no active role in providing services to the entity) and that provides accounting, consulting, legal, investment banking or financial advisory services to the company. The SEC clarified in the release adopting its final rules that the rules only apply to current relationships with audit committee members, but indicated that it expects the exchanges to include "look back" periods in their listing standards adopted under Section 301. The definition of "affiliated person" in the SEC's final rules under Section 301 is consistent with current SEC definitions, under which an "affiliate" of an issuer is "a person that directly, or indirectly through one or more intermediaries, controls, or is controlled by, or is under common control with, [the] issuer." The definition of "affiliated person" includes a safe harbor under which a person who is not an executive officer or greater than 10% securities of any company that does not comply with the audit committee requirements in Section 301. The SEC is expected to approve the listing standards by early October, 2003, and companies will be required to comply with them by the earlier of their first annual meeting after January 15, 2004, or October 31, establish an audit committee consisting entirely of outside directors. Application of the Act to insured depository institutions with less than $500 million in assets that are not public companies. In guidance issued prior to passage of the Act to institutions with less than $500 million in total assets and institutions that are not otherwise subject to audit requirements by order, agreement, statute or regulations, the federal banking agencies encouraged the board of directors of each institution that is not otherwise required to do so to establish an audit committee consisting entirely of outside directors. If this is impracticable, the board should organize the audit committee so that outside directors constitute a majority of the membership. (Federal Financial Institutions Examination Council, Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations (Sept. 22, 1999)). The FDIC continues to encourage insured depository institutions that are not otherwise required to do so to establish an audit committee consisting entirely of outside directors. (FIL , Attachment I (Mar. 5, 2003)). Laws and regulations applicable to insured depository institutions with total assets of more than $3 billion. The audit committee of any insured depository institution with total assets of more than $3 billion, 19

21 stockholder is not deemed to control the issuer. The final rules also provide that the safe harbor does not create a presumption that a person exceeding the 10% threshold controls or is otherwise an affiliate of another person. measured as of the beginning of each fiscal year, must not include any large customers of the institution. If the institution is a subsidiary of a holding company and relies on the holding company's audit committee to comply with this provision, the holding company audit committee must not include any members who are large customers of the subsidiary institution. (12 U.S.C. 1831m(g)(1)(C)(iii); 12 C.F.R (b)). Any individual or entity (including a controlling person of the entity) that, in the determination of the board of directors, has such significant direct or indirect credit or other relationships with the institution, the termination of which likely would materially and adversely affect the institution's financial condition or results of operations, should be considered a "large customer." (12 C.F.R. Part 363, App. A (Guidelines and Interpretations), para. 33). Laws and regulations applicable to insured depository institutions with $500 million or more in assets. Each insured depository institution with $500 million or more in assets must establish an independent audit committee, the members of which shall be outside directors who are independent of management of the institution. (12 U.S.C. 1831m(g)(1)(A); 12 C.F.R (a)). The board should determine at least annually whether all existing and potential committee members are "independent of management and the institution." The board should consider all relevant information, 20

22 including whether the director: (1) is or has been an officer or employee of the institution or its affiliates; (2) serves or served as a consultant, advisor, promoter, underwriter, legal counsel, or trustee of or to the institution or its affiliates; (3) is a relative of an officer or other employee of the institution or its affiliates; (4) holds or controls, or has held or controlled, a direct or indirect financial interest in the institution or its affiliates; and (5) has outstanding extensions of credit from the institution or its affiliates. An outside director should not be considered independent of management if the director is, or has been within the preceding year, an officer or employee of the institution or any affiliate, or owns or controls, or has owned or controlled within the preceding year, assets representing 10% or more of any outstanding class of the institution's voting securities. (12 C.F.R. Part 363, App. A (Guidelines and Interpretations), paras ). The requirement of an independent audit committee can be satisfied at the holding company level if services and functions comparable to those required of the insured depositary institution under 12 C.F.R. Part 363 (annual independent audits and reporting requirements) are performed at the holding company 21

23 level and the subsidiary depository institution has either: (1) total assets of less than $5 billion; or (2) total assets of $5 billion or more and a composite CAMEL rating of 1 or 2, although the appropriate federal banking regulator may revoke the ability to meet the requirements at the holding company level for an institution with total assets in excess of $9 billion. (12 U.S.C. 1831m(i); 12 C.F.R (b)(2)-(3)). When the subsidiary institution meets the holding company exception, members of the holding company audit committee should meet all membership requirements applicable to the largest subsidiary depository institution and may perform all duties of the subsidiary's audit committee, even though the holding company directors are not directors of the institution. When the subsidiary institution fails to meet the holding company exception or maintains its own separate audit committee to satisfy the requirements of 12 C.F.R. Part 363, members of the holding company's audit committee may serve as the audit committee of the subsidiary if they are otherwise independent of the subsidiary's management and, if applicable, meet any other requirements for a large subsidiary institution covered by 12 C.F.R. Part 363. This does not, however permit officers or employees of a holding company to serve on the audit committee of its subsidiary institutions. 22

24 Disclosure of "audit committee financial expert" 407 Companies must disclose whether at least one member of their audit committee is a "financial expert," as defined by the SEC. In defining this term, the SEC must consider whether, through: (1) education and experience as a public accountant or auditor; (2) as a company's principal financial officer, comptroller or principal accounting officer; or (3) from a position involving the performance of similar functions, a person has an understanding of GAAP and financial statements; experience in preparing or auditing the financial statements of generally comparable companies and in applying GAAP in connection with accounting for estimates, accruals and reserves; experience with internal accounting controls; and an understanding of audit committee functions. Under the SEC's implementing rules, an issuer must disclose in its Form 10-K whether or not (and if not, why not) it has at least one "audit committee financial expert" serving on the audit committee, and if so, the name of the expert and whether the expert is independent of management. The determination of whether an individual qualifies as an "audit committee financial expert" must be made by the full board of directors. Independence is defined by reference to current NYSE Rules (B)(2)(a) (definition of "independent" for directors) and (B)(3) (independence requirements for audit committee members) and NASDAQ Rule 4200(a)(14) (definition of "independent director"). Disclosures about the audit committee financial expert must be provided for fiscal years ending on or after July 15, Applies to "issuers," as defined in the Act. Synopsis: Under current banking regulations, the audit committees of insured depository institutions with total assets of more than $3 billion must have at least two members who have banking or related financial management expertise, as determined by the board. Section 407 of the Act is a disclosure, rather than an audit committee membership, requirement. Section 3(b)(4) of the Act amends the Exchange Act to provide that federal banking agencies have the authority to administer and enforce Section 407. The FDIC has indicated that, as a matter of sound corporate governance practices, an insured depository institution with less than $500 million in assets that is not a public company may wish to disclose voluntarily whether or not it has an audit committee financial expert. Application of the Act to insured depository institutions with less than $500 million in assets that are not public companies. The FDIC has indicated that, although it does not expect non-public insured depository institutions with less than $500 million in assets to disclose whether or not they have a financial expert on the audit committee, as a matter of sound corporate governance practices, an institution may choose to make such disclosure on its own. (FIL , Attachment I (Mar. 5, 2003)). Laws and regulations applicable to insured depository institutions with total assets of more than $3 billion. The audit committee of any insured depository 23