Too often, we are under pressure to develop a quick policy, and
we find ourselves creating a complex document that, at the very least creates
additional burden, impractical and impossible tasks and a monitoring nightmare.
I found the below comments to be very useful which are excerpts from "Lucy
and Nancy's Common Sense Compliance" ABA Banking Journal contributing
editors on compliance. It is to the point, simple with practical common sense ideas.
Policies—we have to have them. But what, exactly is a policy?
What should it do and what should it look like?
The challenge for banks is that examiners seem to have an idea in their heads about what a policy should look like-but this isn't necessarily what banks think a policy should be. When examination ratings are based on the content and structure of policies, rather than actual compliance performance, it is time to take a hard look at what is going on.
Defining the Term, As we Used to Think of "policies"
Let's start with a definition. The American Heritage Dictionary of the English Language, third edition, defines policy as: "a plan or course of action ... intended to influence and determine decisions, action and other matters." The secondary definition is "a course of action, guiding principle, or procedure considered expedient, prudent or advantageous."
So basically, a policy is a statement of what the business is about and how the business will go about doing business.
Sound simple? Don't get too excited.
It used to be simple. A policy was a one-paragraph to one-page document that described the bank's business philosophy. This could constitute a statement of principles about fair lending or about providing timely and accurate disclosures. This type of document was easy to write.
But far more important than being relatively easy to write, it was easy to read and understand.
Because these old-style policies were short and to-the-point, they actually communicated a business philosophy to the staff of the business. And best of all, directors actually could read and understand them before adopting them.
Using a Different Dictionary
Examiners, however, take a different approach. Examiners are charged with making certain that the bank has a policy on a specific topic so they want to see the connection. A broad statement about timely disclosures or fair lending isn't enough. They aren't certain what to check off on their checklist.
Examiners are driven by regulations, and checklists derived from those regulations. Since that is how they work, they expect everyone to do the same.
How does this play out? They want to see your policy on Regulation B.
But a general statement about the business policy of fair lending is not enough.
Examiners expect you to show them where the policy addresses signatures, and adverse action notices, and providing appraisals, and keeping records, and collecting monitoring information without collecting prohibited information. And your policy had better address protected income! And it also must specifically identify what types of discrimination are prohibited and against whom. Phew!
When the examiners are finished with it, the policy is no longer a clear and easily understood "plan or course of action." It is no longer merely a guiding principle. It even goes far beyond being a course of action.
By the time examiners are finished with it, a policy is a detailed discussion of the regulation.
In fact, you practically have to restate the regulation word-for-word to satisfy the examiner. When they see this, then they know what boxes to check on their checklist.
How to Approach Policy Writing
When developing or reviewing policies, there are two key questions.
1. Will the examiners like it? If your policy has all the definitions and requirements of the regulation, the examiners should love it. Your policy should get good grades.
2. What is the impact and effectiveness of the policy? This question is more difficult- and more important.
Now we have an entirely different question. To answer this one, we are not looking at the details of the regulation. This question turns on whether or not bank staff gets, understands, and heeds the message.
There is a significant difference between a policy that states, simply and directly, what the goals and standards of the business are to be, and a policy that uses the regulation as a skeleton.
The first type sets the standard for product design and delivery, as well as for customer service. Such a clear and direct document communicates. And everyone knows that the Board has looked at and considered the issue.
Yes, banking has lots of details. Details are addressed in procedures. The policy states the basic philosophy and goal of fair lending or customer service. The procedures carry that out.
The second type of policy, the policy that is designed around the specific requirements of a regulation, is more of an agreement to comply than a policy for the business.
It constitutes some bizarre form of proof that at least someone has read the regulation and identified all the requirements. But does it work? Who besides the compliance and audit staff is actually going to read the thing? Can you imagine branch staff reading and discussing such a document on their breaks?
For all practical purposes, such a policy is the regulation, just restated.
Can these Attitudes be Reconciled?
How should these two very different approaches be made compatible?
It can work if you have an introduction to the policy that, as a practical matter, does what the old-fashioned policy did.
It simply states the philosophy and the goal. After this-perhaps even in smaller print-come the definitions and details to keep the examiners happy.
When presenting the package to the Board and to staff, call their attention to the spirit part of the policy and briefly state that the additional details contain or refer to specific regulatory requirements. This serves the basic policy goal of establishing the business approach and philosophy while it also satisfies the examiners by walking them through their checklist.
Finished? Not quite.
Next, you take the detail portion of the policy and copy it into a new document. This gets you part way to completing procedures. This is where you really want to deal with specific regulatory requirements. Since you have already laid them out in the policy, you have given yourself a head start!
Director of Internal Audit
Philip Gonzalez, Director, has over 40 years of experience in the financial services industry, holding a wide variety of executive and senior management experience at community banks and financial institutions.