For the first time in over three decades, the Federal Deposit Insurance Corporation (FDIC) is proposing major changes to the asset thresholds that trigger enhanced requirements under the Federal Deposit Insurance Corporation Improvement Act (FDICIA).
The intent is clear: reduce regulatory burden for smaller and mid-sized banks. But as with all compliance reforms, what’s being relaxed on paper doesn’t necessarily translate to a safer operating environment.
These adjustments may lighten the compliance load, especially for internal control assessments and audit committee independence, but the risk landscape hasn’t followed suit. If anything, mid-sized banks are operating in a more complex and volatile environment than ever before.
And that raises the key question: Just because your institution may no longer have to invest in certain risk practices, should you stop?
Absolutely not. FDICIA relief is not a reason to retreat; it’s an opportunity to modernize.
What is FDICIA, and why does it matter?
Enacted in the wake of the 1980s savings and loan crisis, the Federal Deposit Insurance Corporation Improvement Act of 1991 was designed to enhance risk management and accountability in the banking sector.
Its key provision, codified in 12 CFR Part 363, applies to insured depository institutions that exceed certain asset thresholds and includes several critical governance and reporting requirements:
- Annual financial statements audited by an independent public accountant
- Management’s annual assessment of internal controls over financial reporting (ICOFR)
- Establishment of an independent audit committee, particularly for institutions above specific asset levels
Crucially, FDICIA operates as a tiered risk governance framework: the bigger your bank, the more rigorous the expectations. It was designed not only to protect depositors and the Deposit Insurance Fund but also to promote strong internal governance in banks approaching systemic importance.
What’s changing in 2025?
In April 2025, the FDIC proposed the most significant update to FDICIA thresholds since the Act was passed. The proposed rule aims to modernize compliance obligations in line with today’s banking environment and to reduce unnecessary burdens on institutions that have grown due to inflation or consolidation rather than risk complexity.
| Requirement area | Current threshold | Proposed threshold |
| --- | --- | --- |
| Part 363 applicability | $500 million | $1 billion |
| ICOFR (internal control assessments) | $1 billion | $5 billion |
| Audit committee independence rules | $1–3 billion | $5 billion |
The proposed changes would also index thresholds for inflation moving forward, a recognition that static benchmarks no longer reflect banking realities.
While this will provide tangible relief for some institutions, especially around ICOFR compliance, it also introduces a risk: the temptation to interpret these adjustments as a green light to reduce investment in risk governance.
Less compliance doesn’t mean less risk
For banks under the new thresholds, the regulatory burden may decline. But operational, financial, and reputational risks certainly haven’t.
For smaller institutions
The upside of the proposed rule is clear: fewer mandated internal audits and reduced costs associated with control assessments. But with that relief comes responsibility.
Risks such as cyber threats, third-party exposure, climate risk, liquidity gaps, and regulatory scrutiny are still very much present, and, in many cases, intensifying. Customers, investors, and boards will continue to expect transparency, accountability, and risk oversight that goes beyond the letter of the law.
For growing institutions
If your institution is approaching the new $5 billion ICOFR threshold, now is the time to plan. Risk management programs built solely around regulatory minimums often struggle when scale hits.
You may not need a fully integrated ERM platform yet, but waiting until you do need one can mean costly rework, last-minute firefighting, and unnecessary stress. Strategic growth demands scalable governance.
Why ERM still matters even if you’re exempt
The FDIC may be loosening formal compliance thresholds, but regulators aren’t looking away, and neither are your stakeholders.
An enterprise risk management (ERM) system is about more than regulatory box-ticking. It’s the foundation for managing uncertainty, spotting vulnerabilities early, and navigating change with confidence.
Here’s why a proactive ERM approach remains essential:
- Identify and remediate risks before they escalate into costly issues
- Align governance and oversight with board expectations, especially as new threats emerge
- Support strategic planning by linking risk data to business decisions
- Manage concentration risks and emerging areas such as AI governance, vendor risks and cyber resilience
And crucially: internal controls don’t stop being important just because a filing requirement disappears. Controls are your bank’s immune system, essential for maintaining integrity and resilience.
Future-proofing your approach to risk
The best time to build a scalable risk management framework is before you’re forced to. The second-best time is today.
Protecht gives you the ability to grow your program at your own pace, starting with the fundamentals and expanding as your institution evolves.
Here’s how to get started:
- Deploy a scalable platform that grows with your institution
- Create a single source of truth by integrating risks, controls, obligations, and incidents
- Simplify and automate reporting for internal teams, board committees, and when needed, future auditors
- Streamline assurance with mapped control frameworks and automated workflows
- Build maturity incrementally, using dashboards and registers to generate quick wins and momentum
Banks that implement ERM early tend to mature faster and with fewer growing pains. It’s easier to configure and embed practices when you’re not under regulatory pressure.
Conclusions and next steps for your organization
Regulatory relief can provide breathing room, but forward-looking banks use that space to invest in what matters, not step back from it.
If your institution is under the new FDICIA thresholds, that’s a chance to right-size your risk governance. If you’re growing toward the $5 billion mark, now is the time to scale wisely.
Whichever path you follow, one truth remains constant: you can’t manage what you can’t see. With Protecht ERM, you gain full visibility over your risks, controls, and compliance landscape, so you’re ready not just to comply, but to lead.
See how you can centralize your risks, streamline your controls, and scale confidently with your bank’s growth.
References
- FDIC Proposed Rulemaking – Adjusting and Indexing Certain Part 363 Thresholds (April 2025): https://www.fdic.gov/news/press-releases/2025/pr25036.html
- CLAConnect Analysis: FDIC Proposes Major Revisions to Part 363: https://www.claconnect.com/en/resources/articles/2025/fdicia-thresholds-changes