The FFIEC IT Examination Handbook note that User Access Programs should have "timely notification from HR to security administrators to adjust user access based on job changes, including terminations."

How should "timely" be defined? Is "timely" different for a part time teller versus a bank's CFO? If so, what about consistency?

Your thoughts are appreciated!

Timely, would be a total system lockout no more than 5 minutes after you told someone they were terminated. Not sure why it would be any different for different positions in the case of a termination. Job changes - well that is a different story as they might have to train replacements, etc. and may need to keep old accesses for a transitional period of time.