#2245860 - 11/24/20 11:07 PM Reading and Acknowledging Policies
aBSAlife4me Offline
Junior Member
Joined: Apr 2015
Posts: 31
I feel really dumb posting this question, that's why I'm doing it here. But this is to settle an argument. I'm sure there will be more questions than answers to this.... Here goes....

Are there certain Bank Policies that need to be read and acknowledged with a signature on an annual basis? I'm not talking about annual training that covers everything under the sun that we complete each year. I'm talking about reading a specific policy?

Acceptable Network Use Policy is one example, Cybersecurity Policy is another. Each year, even though we have ABA training courses covering these topics, our Bank requires us to read and acknowledge these policies. Is this common?

#2245861 - 11/24/20 11:34 PM Re: Reading and Acknowledging Policies aBSAlife4me
BrianC Offline
Power Poster
Joined: Nov 2004
Posts: 6,724
Illinois
You won't find anything in a regulation that says how a bank is required to document training. General knowledge of requirements is nice via web-based training, but examiners expect that banks document how employees are trained on job-specific and bank-specific policies and procedures.

Signing an acknowledgement for certain policies for which even a single violation could be serious enough to result in an employee's termination is one way that a bank may demonstrate to staff that they really need to read this one carefully.

Bottom line, not a regulatory requirement.
_________________________
Sola Gratia, Sola Fides, Sola Scriptura, Solus Christus, Soli Deo Gloria!
www.tcaregs.com

#2245868 - 11/25/20 02:24 PM Re: Reading and Acknowledging Policies aBSAlife4me
COMPL101TX Offline
100 Club
Joined: Apr 2018
Posts: 108
The acceptable use policy acknowledgment should be part of your information security training. Note they use "should collect," but they really mean "must collect." At least that's how examiners and auditors seem to interpret it. It has become an expectation.

Training materials for most users focus on issues such as end-point security, log-in requirements, and password administration guidelines. Training programs should include scenarios capturing areas of significant and growing concern, such as phishing and social engineering attempts, loss of data through e-mail or removable media, or unintentional posting of confidential or proprietary information on social media. As the risk environment changes, so should the training. The institution should collect signed acknowledgments of the employee acceptable use policy as part of the annual training program.

https://ithandbook.ffiec.gov/it-booklets/information-security/ii-information-security-program-management/iic-risk-mitigation/iic7-user-security-controls/iic7(e)-training.aspx

#2245891 - 11/25/20 05:05 PM Re: Reading and Acknowledging Policies BrianC
aBSAlife4me Offline
Junior Member
Joined: Apr 2015
Posts: 31
Thank you both! Happy Thanksgiving.

#2245906 - 11/25/20 09:33 PM Re: Reading and Acknowledging Policies aBSAlife4me
TMatt87 Offline
Diamond Poster
Joined: May 2011
Posts: 1,987
Idaho
In addition to our acceptable use policy, we have to acknowledge and sign our business ethics policy annually.
_________________________
All opinions are my own, not my employer's

#2245945 - 11/30/20 04:57 PM Re: Reading and Acknowledging Policies aBSAlife4me
P*Q Offline

Power Poster
Joined: May 2001
Posts: 8,458
Somewhere
Many of our policies require acknowledgment and it is handled through ADP, our payroll system so it can be done electronically.

#2245998 - 12/01/20 03:47 PM Re: Reading and Acknowledging Policies aBSAlife4me
ACBbank Offline
Power Poster
Joined: Jul 2006
Posts: 4,349
New York City
Some past experience on this. After multiple issues with BSA exams a very large internal fraud was discovered (It was in the news and people were arrested) and when everyone went into deflection mode people said "I didn't know that I should have reported this." I'm dead serious and for the most part, this excuse worked internally. The regulators obviously brought the hammer down on us.

Moving forward the BSA Policy and a number of other policies must be read and acknowledged through a service provider (All done online). Your performance evaluation is impacted by this.
_________________________
"100 victories in 100 battles isnt the most skillful. Subduing the other's military w/o battle is the most skillful." Sun-Tzu

Moderator:  MagicCity, P*Q, Truffle Royale