November 15, 2022

To:  Chief Executive Officers or Equivalents of New York State-Chartered Banks, Savings Banks, Savings and Loans, and Credit Unions, and New York State-Licensed Branches and Agencies of Foreign Banks (“Regulated Banking Organizations”)

Subject:  Absence from the Office as an Internal Control Safeguard

The New York State Department of Financial Services (the “Department”) is issuing this guidance letter (“Revised Guidance”) to update and replace the August 22, 1996 guidance letter on “Vacation Policy as an Internal Control Safeguard” (the “Original Guidance”) issued by the Department’s predecessor, the New York State Banking Department.  Since the publication of the Original Guidance in 1996, advances in technology, evolutions in business practices, and improvements in risk management methodologies have changed how institutions consider and, in many instances, manage, the key vulnerabilities associated with employees in sensitive positions.

The Department recognizes that the practices outlined in the Original Guidance may in some cases be overly burdensome—particularly for smaller and more leanly staffed institutions, such as a number of community banks, community development financial institutions (“CDFIs”) and minority depository institutions (“MDIs”)—and not sufficiently tailored to reflect the prevailing business and operational models of institutions, as well as currently available technologies.

A required absence from the office policy remains a critical component of a Regulated Banking Organization’s internal controls to identify and mitigate the risks of defalcations and other misconduct.  Based on engagement with Regulated Banking Organizations, however, and taking into account the practical realities of current business practices and the possibilities presented by new and improved technology, the Department believes that the objectives of the required absence from the office policy can be achieved through a more risk-based and tailored approach.  This approach includes a focus on business continuity to minimize costly and inconvenient disruptions while ensuring appropriate surveillance and control over the activities of employees in sensitive positions.  This Revised Guidance serves to notify the industry of the Department’s updated requirements regarding Regulated Banking Organizations’ policies on absence from the office.

Background

Through engagements with Regulated Banking Organizations, the Department has come to understand how burdensome and disruptive the operational challenges presented by compliance with the Original Guidance may be, particularly for certain community banks, CDFIs, and MDIs.

For smaller institutions that operate with limited staff, employees often perform multiple functions, which could mean that the prolonged absence of a single individual may require substitute or temporary support across multiple departments.  Further, smaller institutions often grant decision-making authority to a small number of employees.  In some institutions, there may be very few (or even no) other employees with the same level of experience, qualification, or knowledge as an absent employee, and delegating that employee’s responsibilities for a full two weeks may consequently increase operational and related risk.

In light of these considerations, and in order to strike an appropriate balance between risk-mitigation and prudent business continuity, on January 4, 2022, the Department issued a Request for Information (“RFI”) to Regulated Banking Organizations, seeking comments with respect to the Original Guidance.  The Department initiated this RFI to consider whether additional flexibility was needed to accommodate Regulated Banking Organizations—particularly smaller community banks, CDFIs, and MDIs—that may have operational challenges in complying with the two-week consecutive absence requirement, while also ensuring that a comprehensive system of internal controls is in place to safeguard an organization’s assets and capital, and to avoid operational, reputational, legal, or regulatory risks.

The Department received 72 comments in response to the RFI.  While some commenters indicated that they have been complying with the two-week absence without undue difficulty, others suggested that a one-size-fits-all approach may not be the best way to meet the internal control objectives of the policy, and that for smaller Regulated Banking Organizations with limited staff, a two-week complete absence from the office is impracticable and strains their processes, operations, and resources, potentially creating additional risks for those institutions.  Commenters noted that while larger Regulated Banking Organizations may have the resources to comply with a two-week absence requirement efficiently, smaller Regulated Banking Organizations may experience associated administrative and operational challenges without necessarily furthering their safety and soundness objectives.

Several responses also highlighted the fact that, as noted above, since the promulgation of the Original Guidance in 1996, advancements in technology and risk-management methodologies have improved the ability to monitor employee communications and apply necessary controls.

Commenters also requested clarifications on issues such as what positions are considered as “sensitive,” who should make a determination as to the sensitivity of positions, and what constitutes “absence” from the office.

Below is the Department’s Revised Guidance, which supersedes the previously issued Original Guidance and takes account of the comments and questions received in response to the RFI, as appropriate.

Revised Guidance

Rather than continuing to require a mandatory two-week absence policy for all Regulated Banking Organizations in all circumstances, the Department now requires that each Regulated Banking Organization adopt a written “absence from office” policy (“Policy”) applicable to employees in sensitive positions, tailored to that organization’s operational considerations and risk controls framework.

The Department expects a Regulated Banking Organization to take a risk-based approach in developing its Policy (a) to determine which positions should be considered “sensitive,” (b) to define “absence” with respect to the organization’s particular operational framework, taking into account both physical absence and electronic or virtual absence, (c) to determine the appropriate length of time employees in sensitive positions should be required to be absent from the office annually depending on the sensitivity of the position, and (d) to establish and maintain a strong internal framework of compensating controls and risk mitigants to safeguard against potential fraud and misconduct by employees who may no longer be subject to the full two-week consecutive absence from the office, as further described below.

The Department anticipates that, after undertaking an analysis to determine the appropriate risk-based approach, many Regulated Banking Organizations may conclude that their existing two-week absence policy continues to work best for their organization.  Generally speaking, a Regulated Banking Organization’s ongoing compliance with the terms of the Original Guidance will be sufficient to evidence compliance with the Revised Guidance, provided that the organization has evaluated its internal controls and found them consistent with those contained in the Original Guidance and documented such evaluation.

(a)  Defining “sensitive” positions

Each Regulated Banking Organization should develop a methodology for determining the organization’s level and type of risk exposure to potential employee fraud or other misconduct and to determine the sensitivity of the position accordingly.  The Department recommends that, at a minimum, sensitive positions should include positions of those officers and employees:

  1. having the ability to change the official books and records or transactions of the organization, and those who can influence others to change such books and records or transactions;
  2. with privileged access to information systems, including the authority to alter systems, such as an IT manager; and
  3. engaged in certain specialized products that pose a higher risk to the Regulated Banking Organization.

The Policy, among other things, should define as “sensitive” all other employees who are capable of influencing or causing these activities to occur, even if not engaged in the activity directly, and state the methodology for identifying sensitive positions, including direct and indirect performance of the above-described activities along with any other criteria, as determined by the organization.

The Department recommends that the ultimate responsibility for determining the sensitivity of positions should rest with the board of directors or an equivalent function, or an appropriate committee of the board of directors or an equivalent function, in consultation with the senior management and representatives from the human resources and compliance functions of the Regulated Banking Organization.

(b)  Defining “absence from the office”

The Department views “absence from the office” for purposes of this Revised Guidance as a Regulated Banking Organization denying an employee access to the company’s premises, both physically and electronically.  Physical absence includes restricting employees from entering their usual office location at the institution, or other designated office locations or meeting spaces, along with temporary deactivation of any devices used for accessing the premises.  Electronic absence includes denying employees access to the organization's application systems virtually, including prohibiting them from effecting any transactions or other business from off-site such as through an off-site computer link, sending electronic communications to or through an organization’s systems or networks, whether using a personal or an organization-provided device or other means of communication (including from a personal or an organization-provided email address), or otherwise accessing the organization's intranet or telecommunication system.

A Regulated Banking Organization is expected to define both physical absence and electronic absence in its Policy, taking into account the organization’s size, business model and complexity, operations, and locations, as well as its systems and networks, as applicable.

(c)  Determining length and means of mandatory absence for sensitive positions

Depending on the level and types of risks assigned to each sensitive position, and in light of their internal control framework, Regulated Banking Organizations should determine the required manner and length of absence from the office for employees in sensitive positions, including (i) the length and means of denying access to the physical premises and sites of the Organization, and (ii) the length and means of denying access to the organization’s networks, intranet, or telecommunication and application systems.  Regulated Banking Organizations may consider a flexible, tiered approach to their absence from the office requirements, based on the risk and the sensitivity of each position, such as permitting access to email and instant messaging while restricting access to financial, ledger, transactional, accounting, and similar systems.

(d)  System of Internal Controls

A comprehensive system of internal controls is essential in assessing, detecting, and managing risks from potential fraudulent or other misconduct by employees to safeguard Regulated Banking Organizations’ assets and capital and to avoid undue operational, reputational, legal, or regulatory risks. 

Generally, a Regulated Banking Organization’s internal controls should ensure that no individual employee could become a single point of failure, with higher-risk activities subject to stricter oversight.  Regulated Banking Organizations should already have in place various oversight/supervisory controls as a routine matter, not just with respect to a required absence policy, and such controls may be leveraged as part of the mandatory office absence policies and procedures.  For example, high-risk functions should be performed by multiple employees on a team who have been cross-trained, with segregation of duties and be subject to stricter oversight.  Compensating controls and risk mitigants already implemented by Regulated Banking Organizations may be incorporated into the Policy and any implementing procedure(s) addressing this Revised Guidance.

A Regulated Banking Organization’s Policy and any implementing procedure(s) regarding mandatory office absence should be approved by its board of directors or an equivalent function, or an appropriate committee of the board of directors or an equivalent function, and include the following items, at a minimum:

  • Designation of specific sensitive positions subject to the Policy;
  • Appropriate length of annual absence from the office for each such sensitive position;
  • When compensating controls, such as an employee rotating duties in lieu of required absence, are to be utilized;
  • Acknowledgement, whether in electronic or paper form, by each employee in a designated sensitive position that they are subject to, and are required to abide by, the Policy;
  • Specific guidelines for when waivers from the requirements may be granted, with a prohibition on granting multiple consecutive waivers for an employee;
  • Maintenance of a compliance log, whether in electronic or paper form, to track deviations and exceptions from compliance with such Policy and procedure(s);
  • Validation of the effectiveness of the Policy on a periodic basis, which should at least be annually, by Internal Audit or a qualified, approved third-party service provider;
  • A periodic review of the Policy, which should at least be annually, by the Regulated Banking Organization’s board of directors or an equivalent function, or an appropriate committee of the board of directors or an equivalent function, to determine if any changes or modifications are necessary and/or to approve significant proposed changes.

The Department recommends that Regulated Banking Organizations conduct targeted compliance and internal audit reviews of any office-related activities, either conducted internally or by a qualified, approved third-party service provider, including electronic communications, of employees while they are on mandatory absence from the office.  The Department further recommends that Regulated Banking Organizations regularly review and monitor the activities of those employees who have not been absent from the office in accordance with the Regulated Banking Organizations’ policies and procedures, whether because of waiver or otherwise.

Conclusion

The Department will continue to review Regulated Banking Organizations’ written policies and procedures on mandatory absence from office, and the related compliance logs, during regular safety and soundness examinations.

Very truly yours,

 

Shirin Emami
Executive Deputy Superintendent – Banks
New York State Department of Financial Services