With all the different laws/regulations in banking, has anyone seen or developed a listing of the banking laws/regs that require Board approved policies be established?

Outside of a board approved policy for BSA (can't think of anything else off the top of my head), policy generation is usually based on risks presented and not mandated by regulation.

What about FCRA?

If you can give me a citation, I will add it to my list.

So kbaird, just getting around to posting on BOL. Welcome aboard.

You will need to look beyond the regulatory requirement for a policy and discern the regulatory EXPECTATION. Flood, Fair Lending, CRA, Business Continuity, Complaint, UDAP/UDAAP, SCRA, ACH (just to name a few) are all receiving higher scrutiny and pressure to have board approved policies. Flood is now rising to the same process that BSA went through. First it was just a policy but now it is a robust program. Buckle your seatbelt.

Remember there is a difference between "required" and "required by reg" as the former depends on your products and services and examiner expectations.

Required for a de novo by the OCC:

– Lending
– Funds Management, Investment Securities, And Interest Rate Risk
– Fiduciary (Trust banks)
– Capital
– Internal/External audits
– Insider Activities,
– Compliance Program
– Branch Closing
– BSA (AML/EDD/CIP)
– Securities Transactions for Broker-Dealers
– Board Supervision
– Disaster Recovery
– Privacy and Security
(Ones I added when doing materials prep for a school)
– a SAFE policy 1007.104
- FCRA 1022.42(a)-(c) and App E integrity of info
- 1022.82(c) address discrepancies
- RESPA 1024.38(a) requires reasonable policies and procedures

This list is from a most excellent compliance management school - oh, that was mine, But it doesn't include all the cites. I will say when I first prepared that list, I called each agency and one of them actually laughed at me and said there was no such list because what was required and expected were not the same. SCRA is an example. You're typically expected to have one, but it isn't required. So who wants to challenge an examiner and say based on the purpose of a policy that the "expected" list won't be met?

Speak of the devil. As I go thru email that stacked up on me today, FDIC FIL-14-2016:

The FDIC is clarifying supervisory expectations in existing guidance for institutions' risk-management practices for decisions to discontinue foreclosure proceedings after initiating such actions, which are commonly referred to as abandoned foreclosures. Institutions should have appropriate policies and practices pertaining to decisions to discontinue foreclosure actions.

I believe it is 1022.42 appendix E

Thanks for all the input...and the list, AndyZ! It was all very helpful.

One of the questions I was wanting to get answered was whether the expectations are that a separate Board approved policy be developed for each specific reg. For example, if our loan policies (commercial, consumer non-RE and consumer RE) all reference that all loans will be made in compliance with all applicable federal and state regulations, is it then necessary to have a separate RESPA, TILA, etc. policy to take to the Board?

No. That doesn't mean that some examiner will not tell you otherwise, but it's your job to explain why it's ridiculous and unnecessary.

Policies tell WHAT

Procedures tell WHO, WHEN WHERE & WHY.

Policies should be short, so they do not change all the time.
Procedures should be a bit more detailed because they change with personnel, systems, etc.