I'd start with the Interagency Policy Statement on Non-deposit Investment Products. It's a must-read before starting a program. It discusses Board responsibilities and other compliance responsibilities and the need to have a program.
I'd also look at your regulator's exam procedures. Whether they are S&S or compliance, they discuss what you need to be concerned with.
The opinions are mine and do not necessarily reflect those of my employer.