Remember there is a difference between "required" and "required by reg" as the former depends on your products and services and examiner expectations.
Required for a de novo by the OCC:
– Lending
– Funds Management, Investment Securities, And Interest Rate Risk
– Fiduciary (Trust banks)
– Capital
– Internal/External audits
– Insider Activities
– Compliance Program
– Branch Closing
– BSA (AML/EDD/CIP)
– Securities Transactions for Broker-Dealers
– Board Supervision
– Disaster Recovery
– Privacy and Security
(Ones I added when doing materials prep for a school)
– SAFE policy 1007.104
– FCRA 1022.42(a)-(c) and App E integrity of info
– 1022.82(c) address discrepancies
– RESPA 1024.38(a) requires reasonable policies and procedures
This list is from a most excellent compliance management school - oh, that was mine - but it doesn't include all the cites. I will say that when I first prepared that list, I called each agency, and one of them actually laughed at me and said there was no such list because what was required and what was expected were not the same. SCRA is an example. You're typically expected to have one, but it isn't required. So who wants to challenge an examiner and say, based on the purpose of a policy, that the "expected" list won't be met?