Doctors and stethoscopes go together like french fries and ketchup. You won’t often see one without the other, especially in your annual physical exam. An integral part of every annual physical is the heart exam. Why? Because a healthy heart is a pretty strong indicator of a healthy person. The heart of a financial institution’s compliance program is its policies. Healthy policies usually indicate a healthy compliance program. That’s why, during any given examination, one of the first places a regulator will start is by looking at the institution’s policies. This is one good reason why you should keep yours in tip-top shape. So how exactly do you build that perfect policy? Sometimes the best way to figure that out is by learning what contributes to a bad policy. The following four mistakes are the most commonly made, yet the most important to avoid:
No policy at all
While rare, we do occasionally see institutions that are missing one or more key policies. Not only does this burden the auditor or examiner—who must now interview personnel to obtain information about processes and procedures—but it creates operational risks for the institution as well. In the absence of written guidance, personnel are far more likely to make mistakes (and possibly costly ones at that). How will your staff know how to handle uncommon or unusual situations without guidance from a policy?
An overly generic policy
Sometimes institutions borrow their policies from the Internet or from another financial institution, or use a generic policy provided by a vendor. While this may not be a bad place to start, a truly effective policy needs to be customized. For example, a BSA policy should contain member or customer identification policies specific to the institution. This leads to the third issue, which is….
An incomplete policy
For a given area, there are usually so many applicable federal regulations that it’s easy to forget a few in your policy. When writing a policy, consider all of the regulations that could apply to this area: E-Sign Act, Funds Availability, Electronic Funds Transfer Act, the Bank Secrecy Act, and so forth. Neglecting these areas can have significant consequences and therefore should be addressed in each applicable policy.
Additionally, sometimes an institution will have procedures instead of a policy. While this is acceptable at times when there is not a regulatory requirement to have a board-approved policy that addresses specific areas, it is always best to still include a section in your policy that references the fact that there are procedures. For instance, if you have procedures for handling section 314(a) of the USA PATRIOT Act, you should note this in your BSA or OFAC policy instead of leaving the person reviewing your policy wondering if there is any guidance provided.
Confusing the manual with the policy
Institutions often think that an agency manual or policy can pass as their policy for a given area. For instance, NACHA issues a detailed guide called NACHA Operating Rules & Guidelines. Because the NACHA manual already delineates how to handle all aspects of ACH, your policy should state which aspects your institution wants to handle. For example, you will find detailed requirements in the NACHA manual for the proper handling of third-party obligations, but it is up to your institution to include in its policy whether you want to deal with third-party obligations.
Keeping your heart healthy with a good diet and exercise goes a long way to keeping your whole body healthy. In a similar fashion, keeping your policies in good shape will help your next examination go a lot more smoothly, and will go a long way toward keeping your whole financial institution operating in tip-top condition.