Separating Policy from Procedures for CIP

Our bank is considering separating our CIP Policy from our CIP Procedures. Currently the policy and procedures are one document. However, it would be much easier to make changes to the procedures if they were not part of the policy (due to Board approval).

Has anyone else taken this approach? If so, have examiners been critical?

Thanks!

We've always had our policy separated from our procedures with no criticism. The policy says what we do; the procedures say how we do it.

My current bank and my last bank separated policy from procedures and examiners have never had any issues.

While I think it is essential to separate procedures from policy, individual examiners have differing opinions. You can hedge your bets by indicating the procedures are an exhibit or appendix to the policy, making it clear the board does not vote on modifications.

I have always been a little confused about exhibits to policies.

So, exhibits are not approved, only the policy is approved? We could then change or add exhibits and not need board approval?

Make no mistake, making procedures an exhibit to a policy is simply pandering to field examiners who:
1)have a personal opinion they want to see reflected in the bank's actions or
2) do not think the BSA/AML policy by itself meets an appropriate length or weight requirement.

As for those who allow themselved to be forced on to this path, they can do it any way they wish; e.g. approve the policy with the "current" procedures attached.

As stated, my personal opinion, very strongly held is that policies and procedures are two different things. The policy should mandate written procedures in key areas and say who should be responsible for developing them, not dabble in reciting them.

I agree with Ken and have separated policies and procedures for many years, including while running the policy and procedure area of a very large bank. I did come up against an examiner a few years ago who actually told me she had never ever seen separate policies and procedures and it was totally wrong.

Agreed. Policies should be short and sweet and state WHAT needs to be done, while procedures can be as long or short as necessary to state HOW things should be done to comply with policy. For example, our SAFE policy is literally a one-pager, stating the fact that management will comply with the appropriate regulation/law (cited) and then recaping the nine items that management needs to address. The procedures will then expand on the processes that will enforce that policy (e.g., who are MLOs in our organization and why, what vendor do we use for fingerprints and how do we submit them, etc.).

Yes, but I don't think that is really going to cut it for CIP. The Board cannot pass a CIP policy just saying that the bank will comply with the regulation and delegate the details to management.

The BSA/AML/OFAC and CIP/CDD policies are, not surprisingly, the biggest ones. A little too much detail, in my opinion, but I agree that on these 'more is more'.

I agree with rlcarey and cite the following:

http://files.ots.treas.gov/25175.pdf (OTS CEO Letter # 175 issued 5/9/2003 and attached 68 Fed. Reg. 25090 which includes regulatory staff guidance)

"The board of director’s responsibility to oversee bank compliance with section 326 of the Act is a part of a board’s conventional supervisory BSA compliance responsibilities that cannot be delegated to bank management. Therefore, a bank’s board of directors must be responsible for approving a CIP described in detail sufficient for the board to determine that (1) the bank’s CIP contains the minimum requirements of this final rule; and (2) the bank’s identity verification procedures are designed to enable the bank to form a reasonable belief that it knows the true identity of the customer. Nevertheless, responsibility for the development, implementation, and day-to-day administration of the CIP may be delegated to bank management."

In my opinion the words "in detail sufficient for the board" are key. However, is stating in the policy that you perform "documentary verification obtaining two forms of approved (meaning acceptable as listed in procedures developed by the bank's BSA officer) unexpired identification documents, one of which must be a government issued ID with photo" sufficient, or does the board need to see and approve the list of types of ID deemed acceptable by the bank?

Any insight would be much appreciated. Thanks.