As to board approval, my policies go in for an annual re-adoption. This was recommended by my examiners some years ago. The idea is that the board is providing direction and they should periodically review these to determine if that is still the direction they want.

If they approve a policy, it is my opinion that only they can change that policy. Otherwise, their approval has little validity and authority. But, it is noted in my policies that management can change the procedures. So the policy is a high-level document denoting our spirit and intent. The procedures tell how we'll get there.

CP-101 Branch Closing Policy and Procedures
CP-102 Community Reinvestment Act Program
CP-103 Compliance Program
CP-104 Compliance Policy & Procedures
CP-105 BSA-Currency & Foreign Transactions Reporting Act
CP-106 Customer Complaints and Inquiries
CP-107 Electronic Fund Transfer Act
CP-108 Real Estate Settlement Procedures Act
CP-109 Reg. "O" Policy and Proced. (with Code of Ethics/Conflicts of Interest)
CP-110 Truth in Lending
CP-111 Truth in Savings
CP-112 Flood Disaster Protection Act
CP-113 Security
CP-114 Expedited Funds Availability Act
CP-115 Fair Credit Reporting Act
CP-116 Internet Acceptable Use and Personal Computer Security Policy
CP-117 Money Market Deposit Account Monitoring
CP-118 Privacy

------------------
Andy Zavoina
Opinions stated are not necessarily that of my employer.

The board must adopt and monitor those policies and procedures applicable to the bank's activities.

1. Lending policy
2. Funds management policy
3. Fiduciary policies and procedures for banks with trust powers
4. Capital policy
5. Internal and external audit policies
6. Insider policies, information in investment decisions or recommendations
7. Compliance policies, including, if applicable:
a. A compliance program covering consumer, fair lending, and community laws and regulations, approved by the board and management, that includes (see the Compliance Handbook):
· Delegation of compliance responsibilities to specific bank personnel.
· Written guidance for, and training of, employees covering applicable laws and regulations.
· A mechanism to report deficiencies and ensure corrective action.
b. Branch closing policy (applicable to national banks with branches), including:
· Procedures for determining objectively which branch or branches to close and which customers to notify.
· Procedures and methods for providing the notices required by 12 USC 1831r-1.
c. A BSA program to fulfill the requirements of 12 CFR 21.21. The board of directors for each national bank must approve written procedures designed to monitor the bank's compliance with the requirements of the Bank Secrecy Act regulations, 31 CFR 103. The compliance program must provide for a system of internal controls to ensure ongoing compliance; provide independent testing for compliance; designate a person responsible for coordinating and monitoring day-to-day compliance; and provide training for appropriate personnel. The BSA compliance program must be approved by the board of directors.
d. [If applicable] Development and implementation of policies and procedures for the administration of the rules governing securities transactions for broker-dealer activities
e. Development and implementation of procedures for the preparation, review for accuracy, and submission of required regulatory reports.
8. Board supervision policy consistent with the "Duties and Responsibilities" booklet of the Comptroller's Handbook and The Directors Book
9.Disaster recovery plan.

[This message has been edited by Ken Holmes (edited 07-27-2001).]

I believe in documenting proceedure and process as principals as it is easy otherwise to find that you are either technically breaching in minor admistrative ways or that someone lets a huge breach through because the rule did not specifically preclued it.

Matthew Read
Compliance Officers Association, Privacy Officers Association, AACFE,MICM,SHRM.

--Asset Liability
--Bank Secrecy
--Compliance
--Customer Complaints
--Disaster Recovery
--Information Technology
--Investments
--Liquidity
--Loans (ours includes CRA/Fair Lending)
--NonDeposit Investment Products
--Privacy & Security Policies & Guidelines (Customer Information Security)
--Security

The EIC suggested that the Trust Department policy also be added to this list.

Our plan is maybe to send one policy per month to the Board and set up an annual schedule so there is adequate lead time to prepare any revisions for review by senior management prior to Board approval. One suggestion would be to put changes in bold or italic type face to pinpoint the differences from the prior policy. Also, we maintain a more detailed list of bank procedures and their last revision date. This is a useful tool and holds department managers accountable for day to day operational procedures which the board does not need to be involved with (i.e. number of digits in passwords, key & lock combinations to vaults, etc.) Good Luck hope this helps

Angela,

I think that the answer lies in the size and complexity of your organisation, Steve Rileys list looks good for a smaller institution but if you have different divisions or affiliates I think this approach would best be served on a case at a time basis.

My personal belief, as I have said before, is in a principals based approach, so I tend to get the process owners together, discuss the rules, try and get agreement as to what they are intended to achieve, and then look at existing process. The look at existing process is best done, in my experiance, with one process owner and one compliance person or at least a party who niether owns nor operates the process. My reasoning is that someone familiar with the process can walk it much faster than one with no knowledge, but the knowledge itself may lead to ommitions which will be recognised by the other party simply because they don't see how you get from A to B or H-J and then the ommitions, be they steps or simple pieces of process, can be written in.

Again as I have said before by all means refer to rules in the process but write broadly identifying the aims of the process and the intent, mistranslation of a rule will give you far less trouble if you can show good intent. All compliance is really a broad and ethics based practise, the rules are broad and therefore the documentation of compliance needs to be broad.

Process in itself is of course usless unless it is practical and you log regulular tests to ensure continued compliance. The written process is nothing like aas important in the real world as is what actually happens on a day to day basis.

Have fun, just pretend you are being paid like a management consultant - it make you feel much better!

Matthew Read
Compliance Officers Association, Privacy Officers Association, AACFE,MICM,SHRM.