2023 is winding down. The 4th quarter has begun, bringing to mind not only pumpkin spice and falling leaves but also that it’s that time of year when many institutions start reviewing and updating their policies for Board approval in January. We wanted to give you a “jump start” on that process.
Policies and procedures are the core of any bank; without them, there would be no direction or consistent operation. Policies should be the Board of Directors’ (BOD) general guidance on what the bank will do as it relates to each area, such as the types of loans, deposits, and services the bank will offer and the regulations that may be affected by those offerings. The policies should be reviewed and updated to keep up with the changing regulatory terrain. Some policies, such as BSA, require BOD approval annually (or whenever updates are made).
Some of you may be asking yourselves – how do I begin – what do I need to do – what must I include? First, we suggest you review Temenos’ significant library of policies as a great starting place. A pre-established standard policy is a great place to start because we recommend policies not include any of the day-to-day procedures established to carry out the policy direction. Additionally, we would like to share some recommendations from our team regarding policy creation.
A policy is more than a “simple statement that the institution will comply with all rules and regulations.” The policy should state your institution’s course of action regarding the specific regulation or subject matter and be written in an easy-to-read and understandable manner. A policy is the BOD’s direction and guidance to management on what they would like them to carry out. The policy will only be effective if it is concise, not rambling, and has a readability factor. Officers and staff alike should be able to easily read and comprehend the policy so they can follow its guidance. Refrain from regurgitating the entire regulation; simply hit the essential points that will ensure compliance with the regulation and affect your institution’s procedures.
Most policies do not need to be extremely lengthy. However, a few regulations, such as Reg Z or BSA, may require a more robust writing, resulting in a lengthier policy. As mentioned earlier, the products and services the BOD decides to offer will affect what will be applicable for each regulation and policy.
Now, let’s take a quick look at some of those P’s and Q’s of policy writing.
Most importantly, ensure your policy states what you actually do in practice. If you are using a template policy such as the Temenos Policy Templates, customize the policy to fit your institution. Both the examiners and auditors will review to ensure you are following your policy.
Include the four items we generally look for in any policy. Those four items are:
- Oversight/Enforcement – Designate a responsible party for the specific regulation or subject matter.
- Auditing/Monitoring – Include a statement addressing the frequency of auditing or monitoring and to whom you will report those findings.
- Training – Include a statement addressing the training frequency, training responsibility, and training participants.
- Record Retention – Include a statement regarding the institution’s retention program for the applicable regulation. It could be a simple statement that the institution will comply with the required record retention provisions of the regulation. This statement will ensure that examiners and auditors can determine that you are aware of retention provisions for the regulation.
Organize the policy with proper headings and formatting so it is easy to read and search. This type of organized policy provides for a smoother audit/exam and allows the auditor or examiner to determine whether your institution has addressed the pertinent requirements of the regulation. When a regulation is complex, such as Reg Z or BSA, we recommend including subheaders for ease of reading and guidance when looking for a particular subject, such as ATR/QM or CTRs.
Don’t include procedures intertwined with the policy. This is the biggest problem we see with policies. Because policies are approved by the BOD, if you include your institution’s procedures with the Board approved policy, any time you make changes to those procedures, you will be required to take the entire document to the Board for approval. And believe me, the Board is not interested in re-approving a policy because you changed some procedural steps in the process. Procedures are the step-by-step (daily, weekly, monthly, annually) actions that will be taken to ensure the BOD’s guidance is carried out. If you choose to include procedures, we recommend you include a statement that all policy changes will be brought before the Board and that the appropriate management official will approve procedural changes.
If you include an Appendix in your policy, ensure that you remove and update any stale-dated or expired documents from the Policy’s Appendix. Often, appendixes are forms that may change or expire, and these should be updated just as you update the rest of the policy. Don’t leave expired or changed forms in the Appendix, which results in an ineffective policy review system. (For example, including a CDD form that is no longer used in the BSA Policy Appendix.)
We do not recommend you include specific names when designating responsibility within the policy; the position title is sufficient. For example – Chief Compliance Officer instead of the employee’s name. Your BSA policy could be an exception since you are required to designate a specific person as your BSA Officer. This, however, could be accomplished outside of the policy and the BSA Officer referenced in the policy.
Update the regulatory citations. Although many of the regulations were moved to the CFPB several years ago, some institutions still need to update the regulatory cites in their policies. Additionally, changes to the regulations are still made from time to time, and an updated policy will demonstrate to your auditors and regulators that you take the regulation seriously.
When providing your BOD with either an updated or annual policy review, we recommend recording the date of the last BOD approval somewhere on the policy, as this provides both management and any outside reviewer with information on how current the policy is.
To wrap up our discussion, remember that a policy guides the institution through the ever-changing regulatory climate. For those of you who subscribe to our Compliance Advisory services, we not only have a set of sample compliance policy templates to help you get started, but we will also happily review any of your regulatory-related compliance policies to ensure all required elements are present.