Last week Blair Rugh mentioned that policies should be reviewed and updated to keep up with the changing regulatory terrain. Some of you may be asking yourselves, how do I begin, what do I need to do, what must be included? For those of you who are struggling with the responsibility of creating or updating your current policies, I would like to share some recommendations from our team regarding policy creation.
A policy is more than a "simple statement that the institution will comply with all rules and regulations." The policy should state your institution's course of action with regard to the specific regulation or subject matter, and be written in a manner that is easy to read and understand. If it is not readable, or is too wordy and rambling, it will not be effective. You want your officers and staff to read, and comprehend, the policy so they can follow its guidance. There is no need to regurgitate the entire regulation; simply hit the important points that will ensure your compliance with the regulation, which will in turn shape your institution's procedures. While most policies do not need to be extremely lengthy, there are a few regulations, such as Reg Z or BSA, that may require more robust writing and therefore a lengthier policy. At the end of the day, the policy should also take into consideration your institution's products and services with respect to the applicable rules and regulations.
Now let's take a quick look at some of the Do's and Don'ts of policy writing.
Do include the four items we generally look for in a policy. Those four items are:
- Oversight/Enforcement: Designate a responsible party for this particular regulation or subject matter.
- Auditing/Monitoring: Include a statement addressing the frequency of auditing or monitoring and to whom you will report those findings. Auditing/Monitoring should also include determining whether the institution actually follows this policy.
- Training: Include a statement addressing the frequency of training, who will be responsible for the training, and who will participate in the training.
- Record Retention: Include a statement regarding the institution's retention program for the applicable regulation.
Don't include procedures intertwined with the policy. If you include your institution's procedures with the policy, any time you make changes to those procedures you will be required to take the entire document to the Board for approval. If you choose to include procedures, then make a statement that all policy changes will be brought before the Board and procedural changes will be approved by the appropriate management official.
Do update documents included in the Appendix of the policy. Sometimes the forms included have changed or expired. Leaving expired or changed forms in the Appendix gives the appearance of a weak policy review system. An example would be a CDD form that is no longer used but still appears in the BSA Policy Appendix.
Don't include specific names when designating responsibility within the policy; use the position title instead. For example: Chief Compliance Officer instead of Cindy L.
Do organize the policy with proper headings and formatting so it is easy to read and search. This type of organized policy provides for a smoother audit/exam and allows the auditor or examiner to determine whether your institution has addressed the pertinent requirements of the regulation.
Don't forget to update the regulatory cites. Although many of the regulations were moved to the CFPB several years ago, there are still some institutions that have not updated the regulatory cites in their policies.
Do ensure your policy states what you actually do in practice. The examiners will review to ensure you are following your policy.
At the end of the day, a policy provides guidance to lead you along the various mountains and valleys of the ever-changing regulatory terrain. For those of you who subscribe to our Compliance Advisory services, we have a set of sample compliance policy templates to help you get started.