Skip to content
 

CIP Policy vs. Procedures

Answered by: 
Ken Golliher
Andy Zavoina

Question: 
There have been numerous threads regarding CIP policy versus procedures. Some threads state that the CIP procedures need to have Board approval whereas others say a general overview of procedures is needed. My question is 1)do the procedures really need to go to the Board for approval and 2) how in depth do these procedures need to be? Could we keep the policy separate from the procedures or do they really need to be a single document?
Answer: 

Answer by Andy Zavoina:

Both the policy and procedures need board approval.

103.121(b)(1) says the board must approve your CIP and it must conform to these requirements in (b)(1) through (b)(5). (b)(2) is a requirement for procedures.

As I see it you have two choices. Put together the well defined documents and have them approved or have a document complying with the minimum requirements approved by the board and the finer document approved by senior management. This provides the "turn on a dime" ability you can get from senior management so that you can make changes as needed without board approval, but the board has approved a policy and procedures that meets the minimum qualifications.

Answer: 

Answer Ken Golliher:

At several points, the final regulation uses the phrase "...the CIP must include procedures..."

If the CIP must include procedures and the board must approve the CIP, it follows that the Board must approve the procedures.

Bankers' objections to allowing the board to approve specific procedures are based on common sense and longstanding industry practices which distinguish between policies and procedures. The supplementary information clearly indicates that some of those commenting on the proposed regulation advocated the common sense approach: "These commenters urged Treasury and the Agencies to adopt a regulation that states that the role of bank's board of directors need only be to approve broacd policy rather than the specific methods or actual procedures that will be a part of a bank's CIP."

The draftsmen did not choose to make such a plain statement, instead saying: Therefore, a bank’s board of directors must be responsible for approving a CIP described in detail sufficient for the board to determine that (1) the bank’s CIP contains the minimum requirements of this final rule; and (2) the bank’s identity verification procedures are designed to enable the bank to form a reasonable belief that it knows the true identity of the customer.

Relying on this language, who could guess what part of CIP the board does not have to approve? More to the point, can you predict whether your examiner would agree with you?

Hopefully, additional guidance expected from the agencies will address this issue. As it stands now, including the procedures in what the board approves is the only course assured to achieve compliance.

First published on BankersOnline.com 9/8/03

First published on 09/08/2003

Filed under: 
Compliance
Filed under compliance as: 
Board of Directors
CIP
Directors
IT
Management
Policies

Report a problem with this page

Search Topics