We are not aware of any law or regulation requiring bank employees or officers to take vacation, but the federal banking agencies continue to recommend that bank employees take at least two consecutive weeks of vacation each year — along with several alternative recommendations, from rotating duties to having your board of directors review and approve your vacation policy.
The FDIC (your primary regulator) recommends that banks require their officers and employees “to be absent from their duties for an uninterrupted period of not less than two consecutive weeks . . . in the form of vacation, rotation of duties, or a combination of both activities.” However, the FDIC also recognizes that exceptions to a two-week policy can occur and, in such cases, recommends establishing “adequate compensating controls — such as an effective rotation of personnel — that are strictly enforced,” as well as having your vacation policy annually reviewed and approved by your board of directors.
We also asked the FDIC to confirm that the agency is standing by these recommendations. An FDIC representative confirmed that to safeguard a bank’s assets, banks should have policies in place requiring vacation and/or a rotation of duties to ensure that employees are absent from their normal duties for a two-week period each year.
Regarding access to your bank’s system, the FDIC suggests that “management should consider suspending or restricting an individual’s normal IT access rights during periods of prolonged absence, especially for employees with remote or high-level access rights,” or, at a minimum, monitoring and reporting remote access during prolonged absences.
Additionally, we note that the OCC and Federal Reserve have published similar guidance, and the Federal Reserve has stated that for a required absence policy to be effective “individuals having electronic access to systems and records from remote locations must be denied this access during their absence.”
For resources related to our guidance, please see:
- FDIC, Risk Management Manual of Examination Policies, Section 4.2 – Internal Routine and Controls, page 4 (“Banks should have a policy that requires all officers and employees to be absent from their duties for an uninterrupted period of not less than two consecutive weeks. Absence can be in the form of vacation, rotation of duties, or a combination of both activities. Such policies are highly effective in preventing embezzlements, which usually require a perpetrator’s ongoing presence to manipulate records, respond to inquiries, and otherwise prevent detection. The benefits of such policies are substantially, if not totally, eroded if the duties normally performed by an individual are not assumed by someone else. . . . In cases where a two-week absent-from-duty policy is not in place, the institution should establish appropriate compensating controls that are strictly enforced.”)
- FDIC, Risk Management Manual of Examination Policies, Section 4.2 – Internal Routine and Controls, page 4 (“Where a bank’s policies do not conform to the two-week recommended absence, examiners should discuss the benefits of this control with senior management and the board of directors and encourage them to annually review and approve the bank’s actual policy and any exceptions. In cases where a two-week absent-from-duty policy is not in place, the institution should establish appropriate compensating controls that are strictly enforced. Any significant deficiencies in an institution's vacation policy or compensating controls should be discussed in the ROE and reflected in the Management component of the Uniform Financial Institutions Rating System (UFIRS).”)
- FDIC FIL-52-1995, FDIC’s Position on the Role of Vacation Policy as an Important Internal Safeguard (August 3, 1995) (“The FDIC endorses the concept of a vacation policy that allows active officers and employees to be absent from their duties for an uninterrupted period of no less than two weeks . . . . The FDIC recognizes, however, that exceptions to a two-week policy can occur. In those situations, it is important for the institution to have adequate compensating controls — such as an effective rotation of personnel — that are strictly enforced. When the vacation policy does not conform to the recommended two-week absence, the institution’s board of directors should review and approve the policy actually followed and the exceptions allowed.”)
- FDIC, Risk Management Manual of Examination Policies, Section 4.2 – Internal Routine and Controls, page 4 (“Note: Management should consider suspending or restricting an individual’s normal IT access rights during periods of prolonged absence, especially for employees with remote or high-level access rights. At a minimum, management should consider monitoring and reporting remote access during periods of prolonged absence.”)
- OCC Comptroller’s Handbook, Internal Control, page 4 (January 2021) (“Determine whether processes exist to ensure that . . . Employees in sensitive positions or risk-taking activities do not have absolute control over areas. For example . . . Is there periodic unannounced rotation of duties for employees or vacation requirements that ensure their absence for at least a two-week period?”)
- FRB, SR 96-37 (SUP) — Supervisory Guidance on Required Absences from Sensitive Positions (December 20, 1996) (“One of the many basic tenets of internal control is that a banking organization ensure that employees in sensitive positions be absent from their duties for a minimum of two consecutive weeks. . . . In brief, the guidance is intended to ensure that each banking organization conducts an assessment of significant risk areas. After conducting this assessment, the organization should, with few exceptions, require that employees in sensitive key positions, such as trading and wire transfer, not be allowed to transact or otherwise carry out, either physically or through electronic access, their assigned duties for a minimum of two consecutive weeks. The prescribed period of absence should, under all circumstances, be of sufficient duration to allow all pending transactions to clear. It should also require that an individual's daily work be processed by another employee during the employee's absence.”)
- FRB Commercial Bank Examination Manual, Management Activities and Internal Controls, Section 4520.1 — Required Absences from Sensitive Positions, printed pages 273–274 (“One of the many basic tenets of internal control is that a bank needs to ensure that its employees in sensitive positions are absent from their duties for a minimum of two consecutive weeks. . . . For the policy to be effective, individuals having electronic access to systems and records from remote locations must be denied this access during their absence. Similarly, indirect access can be controlled by not allowing others to take and carry out instructions from the absent employee.”)