BOARD OF GOVERNORS
OF THE
FEDERAL RESERVE SYSTEM
WASHINGTON, D. C. 20551 DIVISION OF BANKING
SUPERVISION AND REGULATION
SR 96-37 (SUP)
December 20, 1996
TO THE OFFICER IN CHARGE OF SUPERVISION
AT EACH FEDERAL RESERVE BANK
SUBJECT: Supervisory Guidance on Required Absences from Sensitive Positions
One of the many basic tenets of internal control is that a banking organization ensure that employees in sensitive positions be absent from their duties for a minimum of two consecutive weeks. Such a requirement enhances the viability of a sound internal control environment because most frauds or embezzlements require the continual presence of the wrongdoer.
In light of recent events involving significant trading losses caused by illegal activities, we believe that it is necessary to reemphasize the importance of this internal control procedure. To this end, we request that you send the attached guidance to each domestic and foreign banking organization supervised by the Federal Reserve in your district. A copy of a suggested transmittal letter is also attached.
In the attachments, we emphasize that each banking organization should assess its significant risk areas before developing a policy regarding this matter. After making this assessment, the organization should require that employees in sensitive key positions, such as trading and wire transfer, not be allowed to transact or otherwise carryout, either physically or through electronic access, their assigned duties for a minimum of two consecutive weeks. The prescribed period of absence should, under all circumstances, be sufficient in duration to allow all pending transactions to clear. It should also require that an individual's daily work be processed by another employee during the employee's absence.
If you have any questions regarding this guidance, please contact the appropriate Board officer responsible for domestic or foreign bank supervision.
Stephen C. Schemering
Deputy Director
ATTACHMENTS TRANSMITTED ELECTRONICALLY BELOW
Suggested Transmittal Letter
TO: Chief Executive Officers of all State Member Banks, Bank Holding Companies and Foreign Banking Organizations
SUBJECT: Supervisory Guidance on Required Absences from Sensitive Positions One of the many basic tenets of internal control is that a banking organization ensure that employees in sensitive positions be absent from their duties for a minimum of two consecutive weeks. Such a requirement enhances the viability of a sound internal control environment because most frauds or embezzlements require the continual presence of the wrongdoer.
In light of recent events involving significant trading losses caused by illegal activities, we are reemphasizing the need for sound internal controls and offering the attached supervisory guidance to financial institutions regarding required absences from sensitive positions.
In brief, the guidance is intended to ensure that each banking organization conducts an assessment of significant risk areas. After conducting this assessment, the organization should, with few exceptions, require that employees in sensitive key positions, such as trading and wire transfer, not be allowed to transact or otherwise carryout, either physically or through electronic access, their assigned duties for a minimum of two consecutive weeks. The prescribed period of absence should, under all circumstances, be of sufficient duration to allow all pending transactions to clear. It should also require that an individual's daily work be processed by another employee during the employee's absence.
Should you have any questions on the supervisory guidance for required absences from sensitive positions, please contact _______________________________ at the Federal Reserve Bank of _____________________.
Attachment
SUPERVISORY GUIDANCE ON REQUIRED ABSENCES
FROM SENSITIVE POSITIONS
A comprehensive system of internal controls is essential for a financial institution to safeguard its assets and capital, and avoid undue reputational and legal risk. It is the responsibility of senior management to establish an appropriate system of internal controls and to monitor compliance with that system. Although no single control element should be relied upon to prevent fraud and abuse, these acts are more easily perpetrated when proper segregation and rotation of duties do not exist. As a result, the Federal Reserve is reemphasizing the following prudent banking practices that should be incorporated into an institution's internal control procedures. These practices are designed to enhance the viability of a sound internal control environment in that most internal frauds or embezzlements necessitate the constant presence of the offender to prevent the detection of illegal activities.
When developing comprehensive internal control procedures, each institution should first make a critical assessment of significant areas and sensitive positions. This assessment should consider all employees, but should focus on those with authority to execute transactions, signing authority and access to the books and records of the banking organization, as well as those employees who can influence or cause such activities to occur. Particular attention should be paid to areas engaged in trading and wire transfer operations, including personnel who also may have reconciliation or other back office responsibilities.
After producing a profile of high risk areas and activities, it would be expected that a minimum of two consecutive weeks absence be required of employees in sensitive positions. The prescribed period of absence should, under all circumstances, be of sufficient duration to allow all pending transactions to clear, and to provide for an independent monitoring of the transactions that the absent employee is responsible for initiating or processing. This practice could be implemented through either a requirement that affected employees take vacation or leave, the rotation of assignments in lieu of required vacation, or a combination of both so the prescribed level of absence is attained. Some institutions, particularly smaller ones, might consider compensating controls such as continuous rotation of assignments in lieu of required absences, so as not to place an undue burden on the institution or its employees.
Individuals having electronic access to systems and records from remote locations must be denied such access during their absence for the policy to be effective. Similarly, indirect access can be controlled by not allowing others to take and carry out instructions from the absent employee. Of primary importance is the requirement that an individual's daily work be processed by another employee during his or her absence. This process is essential to bring to the forefront any unusual activity of the absent employee.
Exceptions to this policy may be necessary from time to time. However, management should exercise the appropriate discretion and properly document any waivers that are granted. Internal auditing should be made aware of these individuals and the circumstances necessitating the exceptions.
If an institution's internal control procedures do not now include the above practices, they should be promptly amended. After the procedures have been enhanced, they should be disseminated to all employees, and the documentation regarding receipt and acknowledgement maintained. Additionally, adherence to the procedures should be included in the appropriate audit schedules, and audit should be cognizant of potential electronic access or other circumventing opportunities.
The development and implementation of procedures on required absences from sensitive positions is just one element of an adequate control environment. Each banking organization should take all measures to establish appropriate policies, limits, and verification procedures for an effective overall risk management system.