One of the first places a regulator will start during any given examination is with a financial institution’s policies, which is one good reason you should keep yours in tip-top shape. How exactly do you build that perfect policy? Sometimes the best way to figure that out is to hear what elements contribute to a bad one. The following four mistakes are the most commonly made, yet the most important to avoid:
No policy at all
While rare, we do occasionally see institutions that are missing one or more key policies. Not only does this burden the auditor or examiner—who must now interview personnel to obtain information about processes and procedures—but it creates operational risks for the institution as well. In the absence of written guidance, personnel are far more likely to make mistakes (and possibly costly ones at that). How will your staff know how to handle uncommon or unusual situations without guidance from a policy?
An overly generic policy
Sometimes institutions borrow their policies from the Internet or from another financial institution, or use a generic policy provided by a vendor. While this may not be a bad place to start, a truly effective policy needs to be customized. For example, a BSA policy should contain member or customer identification policies specific to the institution. This leads to the third issue, which is…
An incomplete policy
For a given area, there are usually so many applicable federal regulations that it’s easy to forget a few in your policy. When writing a policy, consider all of the regulations that could apply to this area: E-Sign Act, Funds Availability, Electronic Funds Transfer Act, the Bank Secrecy Act, and so forth. Neglecting these areas can have significant consequences and therefore should be addressed in each applicable policy.
Additionally, sometimes an institution will have procedures instead of a policy. While this is acceptable at times when there is not a regulatory requirement to have a board-approved policy that addresses specific areas, it is always best to still include a section in your policy that references the fact that there are procedures. For instance, if you have procedures for handling section 314(a) of the USA PATRIOT Act, you should note this in your BSA or OFAC policy instead of leaving the person reviewing your policy wondering if there is any guidance provided.
Confusing the manual with the policy
Institutions often think that an agency manual or policy can pass as their policy for a given area. For instance, NACHA issues a detailed guide called NACHA Operating Rules & Guidelines. Because the NACHA manual already delineates how to handle all aspects of ACH, your policy should state which aspects your institution wants to handle. For example, you will find detailed requirements in the NACHA manual for the proper handling of third-party obligations, but it is up to your institution to include in its policy whether you want to deal with third-party obligations.
Keeping your policies in tip-top condition will not only help your next examination go a lot more smoothly, it will likewise help your financial institution to operate more smoothly.