The FDIC Improvement Act of 1991 requires that at an institution with more than $150 million of assets, management must publicly report its responsibility for compliance with certain safety and soundness laws and regulations.
The report must include an assessment of the institution's compliance as of the end of its most recent fiscal year. What must management say and do to meet this superficially straightforward requirement?
It seems simple enough: Management says something to the effect that it is responsible for compliance with the listed laws and regulations, state and federal, and that as of yearend the institution was in compliance with such laws and regulations.
Such a statement is easy to write, but are you prepared to sign it? Is it everything that the Federal Deposit Insurance Corp. wants?
Note that the FDIC, in its proposed regulations to implement the law, recently said that the assessment should cover the entire year - not just the last day of the year, as some have read the law.
Also, the FDIC proposed that management's statement of responsibility address, in addition to compliance itself, the creation and maintenance of a system of internal controls designed to ensure compliance. The statement should also address that system's effectiveness, the agency said.
The FDIC has proposed designating five areas of safety and soundness law and regulation for management reporting:
* Loans to insiders.
* Transactions with affiliates.
* Loans to one borrower.
* Dividend restrictions.
* Call report accuracy.
And while federal banking regulators have identified specific federal laws and regulations for each area to assist management's reporting, state-chartered institutions must research applicable state laws and rules in those areas.
For management, the easy part will be identifying relevant laws and regulations and writing the report. The tough and expensive part will be to maintain, monitor, and test compliance.
The 1991 law also requires that an independent public accountant apply procedures agreed upon by the FDIC to determine objectively the extent of an institution's compliance with designated laws and regulations.
But the independent accountant's report, instead of being the basis for management's report, is supposed to give management and regulators information about management's already reported assessment of compliance.
The FDIC has determined that the independent accountant should perform certain procedures related to management's assertions and report findings to management itself, for transmittal to applicable regulators.
Several bills now in the congressional hopper would eliminate the accountant's compliance report - but not the requirement for management's public report. In any case, management will need its own solid basis for assessing compliance.
Compliance cannot be established in the morning and reported on in the afternoon. And laws, rules, and employees all change, making periodic training essential.
The role of internal auditors in this section of the 1991 law has received some attention but may not yet be settled.
The FDIC rejected the idea of letting them substitute for independent accountants in the testing of holding company subsidiaries. As the proposed rules stand, internal auditors can do tests and provide support for management's report but cannot pinch-hit in tasks reserved for independent accountants, not even on their behalf or under their supervision.
No Consolidated Reporting
The proposed rules would not allow subsidiaries of holding companies to avoid separate reports on compliance by having the independent accountant test and report on a consolidated basis.
The law had appeared to provide for consolidated reporting and testing if comparable "services and functions" were provided at the holding company level. This provision of the law was found to be inoperative, however, because each subsidiary bank must comply on its own with lending limits, dividend restrictions, etc.
The FDIC board voted Sept. 1 to issue for public comment regulations to enforce section 112 of the 1991 law. The rules must be finalized by Dec. 19, and they become effective for fiscal years that begin after Dec. 31.
But regardless of what managements must report and independent auditors test, compliance is the law. Regulators are taking very seriously indeed any violation of laws and rules in the five areas discussed here.
You will want to be able to report confidently on your bank's compliance when you sign that public report.
Mr. Baskin, national technical director for depository institutions at Arthur Andersen & Co., is a co-author of "Understanding FIRREA: A Practical Guide to Planning and Compliance," published by Prentice Hall.