January 4, 2022
To: Chief Executive Officers or Equivalents of New York Regulated Banking Organizations
SUBJECT: Request for Information Regarding “Vacation Policy as an Internal Control Safeguard”
The New York State Banking Department, predecessor to the New York State Department of Financial Services (DFS), issued a guidance letter on Vacation Policy as an Internal Control Safeguard to New York banking organizations in August 1996 (the “Guidance Letter”) to require employees in sensitive positions to take at least two (2) consecutive weeks of vacation (or other leave) on an annual basis.
The Guidance Letter specifically stated that it is a prudent business practice for the regulated institutions to promulgate and maintain a written vacation policy, which, at a minimum, would cover those officers and employees involved or engaged in transactional business or having the ability to change the official records of the institution, as well as all other staffers who are capable of influencing or causing such activities to occur.
Implementation of such a vacation policy continues to be an important internal control safeguard and is in accord with safe and sound banking practices as perpetration of most fraudulent or other illegal, or irregular activities requires the continued presence of the wrongdoer. For example, if an employee has engaged in an unauthorized trading activity and is concealing it, the activity will likely be exposed in the institution’s trade reconciliation process as the employee is not able to continue the concealment while away from the institution and its systems.
The Guidance Letter allows for exceptions to the vacation policy subject to documentation and approval by the senior management on a case-by-case basis, but recommends against granting continual exceptions to the same individuals.
Through engagements with regulated institutions, it has come to the attention of DFS that compliance with the two-week absence requirement, as laid out in the Guidance Letter, may not be feasible as it could cause operational challenges, particularly for smaller institutions. For example, smaller institutions frequently manage their workflow with limited staff, generally with their team members wearing multiple hats. This is especially so for decision-making positions, where the final decision-making power lies with an even smaller group. When a decision-making employee is absent due to the two-week absence requirement, their duties must be transferred to someone else without the benefit of the absent employee’s experience, qualification, or knowledge, which can be problematic. DFS understands the need for flexibility with respect to these smaller institutions.
Request for Information:
In light of the foregoing, DFS is seeking responses to the following questions, in order to consider possible levels of flexibility for those banking organizations that may have operational challenges in complying with the two-week absence requirement, while ensuring that a comprehensive system of internal controls is in place for the organization to safeguard its assets and capital and to avoid reputational, legal or regulatory risks:
- What type of banking organizations should qualify for a more flexible approach, particularly in terms of size, business model, safety and soundness considerations or other factors? What is the reasoning therefor?
- Should vacation policies cover all employees or only those in “sensitive positions”?
- What types of positions should be considered “sensitive,” and which authority or authorities within the banking organization should determine the sensitivity of positions?
- How should institutions assess significant areas and sensitive positions?& For example, should the assessment focus on employees with authority to execute transactions, signing authority, and the ability to modify the books and records of the banking organization, or also include those employees who could influence or cause such activities to occur? Should particular emphasis be put on areas engaged in trading and trade operations, wire transfer operations and reconciliation or other back-office responsibilities?& Any others?
- How should absence be defined and what should it encompass, whether directly or indirectly?
- Is a two-week complete absence, both physically and electronically, sufficient to detect significant errors and potential fraud, illegality, or other irregularity perpetrated by a wrongdoer?
- How should the mandatory absence be implemented? By the employee’s taking vacation or leave, or by a rotation of assignment, or by a combination thereof, so that the requisite level of absence is achieved?
- If the requisite level of absence, through vacation, leave, rotation of assignment, or a combination thereof, is not feasible, what compensatory controls should be in place to ensure that the banking organization has a comprehensive system of controls in place to detect significant errors, potential frauds, illegalities and other irregularities, which may result from non-compliance with the two week absence requirement, while avoiding interruption to their daily operations and reducing undue burden on the organization and its employees.
- What exceptions to the vacation policy should be allowed and by whom and how often to the same individual? How often should exception reports be disseminated and to whom?
- What controls should be in place to ensure continued enforcement of a banking organization’s vacation policy?
- Are there any other recommendations or suggestions to facilitate the timely detection of significant errors or potential fraudulent, illegal or irregular activities, and which would minimize operational challenges that may result, particularly for smaller banking organizations, from compliance with the two-week absence requirement?
DFS encourages organizations to be as specific as possible in submitting their responses. Responses should be submitted by February 4, 2022, to [email protected]. Please use “Request for Information Regarding Vacation Policy” in the subject line. Responses may be subject to public inspection and should not include any sensitive or confidential information.
If you have any questions about the above, please contact Kathleen A. Scott, Deputy Superintendent of Banking, New York State Department of Financial Services, at [email protected].