To the Chief Executive Officers of All State Member Banks, Bank Holding Companies, and Foreign Banking Organizations, in the Second Federal Reserve District:
One of the many basic tenets of internal control is that a banking organization ensure that employees in sensitive positions be absent from their duties for a minimum of two consecutive weeks. Such a requirement enhances the viability of a sound internal control environment because most frauds or embezzlements require the continual presence of the wrongdoer.
In light of recent events involving significant trading losses caused by illegal activities, we are reemphasizing the need for sound internal controls and offering supervisory guidance to financial institutions regarding required absences from sensitive positions.
This guidance is intended to ensure that each banking organization conducts an assessment of significant risk areas. After conducting this assessment, the organization should, with few exceptions, require that employees in sensitive key positions, such as trading and wire transfer, not be allowed to transact or otherwise carry out, either physically or through electronic access, their assigned duties for a minimum of two consecutive weeks. The prescribed period of absence should be of sufficient duration to allow pending transactions to clear. It should also require that an individual's daily work be processed by another employee during the individual's absence.
The text of this supervisory guidance is available below. Should you have any questions, please contact your portfolio manager or Joseph E. Buckley Jr., Supervising Examiner, of the Advisory and Technical Services Function at the Federal Reserve Bank of New York.
Supervisory Guidance On Required Absences From Sensitive Positions
A comprehensive system of internal controls is essential for a financial institution to safeguard its assets and capital, and avoid undue reputational and legal risk. It is the responsibility of senior management to establish an appropriate system of internal controls and to monitor compliance with that system. Although no single control element should be relied upon to prevent fraud and abuse, these acts are more easily perpetrated when proper segregation and rotation of duties do not exist. These practices are designed to enhance the viability of a sound internal control environment in that most internal frauds or embezzlements necessitate the constant presence of the offender to prevent the detection of illegal activities.
When developing comprehensive internal control procedures, each institution should first make a critical assessment of significant areas and sensitive positions. This assessment should consider all employees, but should focus on those with authority to execute transactions, signing authority and access to the books and records of the banking organization, as well as those employees who can influence or cause such activities to occur. Particular attention should be paid to areas engaged in trading and wire transfer operations, including personnel who may also have reconciliation or other back office responsibilities.
After producing a profile a high risk areas and activities, it would be expected that a minimum of two consecutive weeks absence be required of employees in sensitive positive. The prescribed period of absence should be of sufficient duration to allow all pending transactions to clear, and to provide for an independent monitoring of the transactions that the absent employee is responsible for initiating or processing. This practice could be implemented through either a requirement that affected employees take vacation or leave, the rotation of assignments in lieu of required vacation, or a combination of both so the prescribed level of absence is attained. Some institutions, particularly smaller ones, might consider compensating controls such as continuous rotation of assignments in lieu of required absences, so as not to place an undue burden on the institution or its employees.
Individuals having electronic access to systems and records from remote locations, must be denied such access during their absence for the policy to be effective. Similarly, indirect access can be controlled by not allowing others to take and carry out instructions from the absent employee. Of primary importance is the requirement that an individual's daily work be processed by another employee during his or her absence. This process is essential to bring to the forefront any unusual activity of the absent employee.
Exceptions to this policy may be necessary from time to time. However, management should exercise the appropriate discretion and properly document any waivers that are granted. Internal auditing should be made aware of these individuals and the circumstances necessitating the exceptions.
If an institution's internal control procedures do not now include the above practice, they should be promptly amended. After these procedures have been enhanced, they should be disseminated to all employees, and the documentation regarding receipt and acknowledgment maintained. Additionally, adherence to the procedure should be included in the appropriate audit schedules, and audit should be cognizant of potential electronic access or other circumventing opportunities.
The development and implementation of procedures on required absences from sensitive positions is just one element of an adequate control environment. Each banking organization should take all measures to establish appropriate policies, limits and verification procedures for an effective overall risk management system.
