On November 15, 2022, the New York Department of Financial Services (“NYDFS”) issued updated guidance (“Revised Guidance”) on the requirements regarding absence from the office policies.[1] The Revised Guidance updates and replaces a 1996 guidance letter (the “Original Guidance”) that required employees in sensitive positions to take at least two consecutive weeks of vacation, or other leave, on an annual basis.[2]
The Revised Guidance applies to New York state-chartered banks, savings banks, savings and loans, and credit unions and New York state-licensed branches and agencies of foreign banks (“Regulated Banking Organizations”). The issuance of the Revised Guidance will grant Regulated Banking Organizations discretion to draft an absence from office policy that is more risk-based and tailored to their specific needs.
In this Legal Update, we provide background on the Original Guidance, discuss some key changes reflected in the Revised Guidance, and highlight the implications for Regulated Banking Organizations. While the Revised Guidance is effective immediately, as discussed below, it should not impose significant new compliance obligations on Regulated Banking Organizations.
Internal controls are the rules, processes, and procedures put in place to safeguard the integrity of financial and accounting information, enhance accountability, and thwart fraud. These controls are essential for financial institutions looking to protect assets and capital, mitigate reputational damage, and minimize exposure to legal risk.
The execution of fraud or illegal schemes may require the continual presence of the perpetrator to avert detection. With this understanding, and in light of significant trading losses caused by illegal activities, NYDFS and the Board of Governors of the Federal Reserve System (“Fed”) in 1996 provided supervisory expectations to financial institutions regarding required absences from sensitive positions.[3]
In 1996, NYDFS and the Fed issued supervisory guidance to financial institutions requiring employees in sensitive positions to take at least two consecutive weeks of vacation, or other leave, on an annual basis. Although the NYDFS guidance allowed any institution to make exceptions to the policy, it was recommended that the same individual not be permitted continual exceptions.
Decades after its inception, a required absence from the office policy remains an essential component of a Regulated Banking Organization’s internal controls to identify and quell misconduct. However, NYDFS recognized that the practices in the Original Guidance may be unduly onerous and not adequately tailored to reflect the prevailing business and operational models of institutions as well as the current technologies available.
In an effort to strike a balance between risk mitigation and present-day business practices, NYDFS issued a Request for Information (“RFI”) earlier in 2022 for feedback on the Original Guidance, including the effect that compliance with the two-week consecutive absence requirement had on smaller community banks, community development financial institutions and minority depository institutions that may have encountered operational challenges as a result of such rigid guidelines.[4]
Commentators highlighted the fact that smaller Regulated Banking Organizations with limited staff experience operational challenges that make it impractical to comply with a consecutive two-week absence from the office policy. Additionally, several responses highlighted the advancement in technologies that make it easier to monitor employees. Requests for clarifications on issues such as what positions were considered “sensitive” and what constituted “absence” were also submitted by stakeholders.
The Revised Guidance requires each Regulated Banking Organization to adopt a written “absence from office” policy (“Policy”) that applies to employees in sensitive positions. The Policy should be tailored to the operational considerations and risk controls of each respective organization.
Regulated Banking Organizations are expected to develop a Policy that delineates which positions are to be considered “sensitive,” defines “absence,” determines the appropriate period of time employees are to be absent from the office, and establishes an appropriate framework to mitigate risk and safeguard against potential fraud carried out by employees who are no longer subject to the full two-week consecutive absence policy.
Importantly, Regulated Banking Organizations that continue to comply with the terms of the Original Guidance will be deemed to be in compliance with the Revised Guidance so long as the organization has conducted and documented an evaluation of its internal controls and found those controls to be in line with those found in the Original Guidance.
In order to determine the sensitivity of a position, Regulated Banking Organizations are expected to establish a methodology to determine an organization’s level and type of risk exposure to potential employee fraud or other misconduct. The Revised Guidance recommends that, at a minimum, sensitive positions include those held by officers and employees:
- having the ability to change the official books and records or transactions of the organization and who can influence others to change these books and records or transactions;
- with privileged access to information systems, including the authority to alter systems, such as an IT manager; and
- engaged in certain specialized products that pose a higher risk to the Regulated Banking Organization.
Positions also are sensitive if they are capable of influencing or causing one of the listed activities to occur, even if the person is not directly engaged in the activity. The Revised Guidance recommends that the ultimate determination of the sensitivity of positions should be made by the board of directors or an appropriate committee of the board of directors or an equivalent function, in consultation with senior management, human resources and compliance.
The Revised Guidance defines “absence from the office” as physically and electronically denying the employee access to the organization’s premises. Physical absence is characterized as the denial of entry to an employee’s usual office space and the deactivation of devices used to gain entry to the premises. Electronic absence is defined as the denial of virtual access to the organization’s applications. Regulated Banking Organizations are asked to further tailor their definition of absence from the office in their Policies, using the Revised Guidance as a framework.
Each Regulated Banking Organization is instructed to outline the scope of both the physical and electronic absence from the office for sensitive employees. Based on the risk and sensitivity of each position, organizations have the flexibility to implement a tiered approach in their absence policies, such as allowing limited access to applications such as email and instant messaging while restricting access to accounting systems.
The Revised Guidance highlights that Regulated Banking Organizations should already have internal controls in place for higher-risk activities to ensure that no individual employee becomes a single point of failure. Nevertheless, an organization’s board of directors, or equivalent body, is further asked to approve any implementing procedures regarding mandatory office absence, including specific guidelines for waivers to requirements and validation of the effectiveness of the Policy on a periodic basis.
The Revised Guidance is not intended to create new requirements but rather to update an absence policy that remains a critical component of a Regulated Banking Organization’s internal controls to identify and mitigate risk and other misconduct. In fact, smaller organizations that struggle to staff essential positions during two-week absences will likely welcome the Revised Guidance. A risk-based and tailored approach also may help organizations better focus on business continuity and avoid inconvenient disruptions while simultaneously maintaining proper oversight over the activities of sensitive employees.
However, the Revised Guidance does not change the Fed’s 1996 supervisory guidance. While supervisory guidance is not legally binding, it is often used by examiners when applying requirements such as the binding guidelines on safety and soundness.[5] Therefore, Regulated Banking Organizations that are regulated by the Fed should consider consulting with their supervisory point of contact before adopting an absence policy that diverges from the Fed’s 1996 guidance.
[1] NYDFS, Absence from the Office as an Internal Control Safeguard (Nov. 15, 2022), https://www.dfs.ny.gov/industry_guidance/industry_letters/il20221115_absence.
[2] NYDFS, Vacation Policy as an Internal Control Safeguard (Aug. 22, 1996), https://www.dfs.ny.gov/legal/industry/il960822.htm.
[3] Federal Reserve, SR 96-37 (Dec. 20, 1996), https://www.federalreserve.gov/boarddocs/srletters/1996/sr9637.htm.
[4] NYDFS, Request for Information Regarding “Vacation Policy as an Internal Control Safeguard” (Jan. 4, 2022), https://www.dfs.ny.gov/industry_guidance/industry_letters/il20220104_vacation_policy_internal_controls. NYDFS received 72 comments in response to the RFI.