At an IBA Compliance Conference, an IDFPR representative recommended that bank employees be required to take two-week vacations, without access to bank systems. Is that a legal requirement, or does one week suffice? Should the employee also be blocked from the bank email system (which is accessible offsite with a phone)?

No, there are no laws or regulations requiring two consecutive weeks of vacation time, but this practice is strongly recommended by your primary federal regulator, the FRB. The FRB recommends that bank employees and officers in “sensitive key positions, such as trading or wire transfer,” take two consecutive weeks of vacation per year in order to provide enough time to detect internal fraud, embezzlement, or other threats to your institution. However, “this practice could be implemented through a requirement that affected employees take vacation or leave, the rotation of assignments in lieu of required vacation, or a combination of both so the prescribed level of absence is attained.” However, we believe that many institutions are not following this recommendation (e.g., they are requiring only one uninterrupted week of vacation per year and not rotating assignments).

Depending on a sensitive employee’s job duties, we recommend restricting access to email during any required absences, although this requirement is not found in any law or regulation. The FRB guidance states that employees in sensitive key positions should not be able to “transact or otherwise carry out, either physically or through electronic access, their assigned duties” for a two-week period. The FRB guidance also focuses on blocking the employee from obtaining “indirect access” to bank systems by giving instructions to other employees during the absence. If an employee’s job duties are performed using email, or could be performed by emailing instructions to other employees, then we recommend blocking that employee’s access to email during the two-week period (or one-week period, if that is your institution’s policy).
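One way an institution can verify that the control described above is actually working is to reconcile leave records against authentication logs: each employee in a sensitive position should have at least one absence of the required length, and no VPN, webmail or core-system logins during that window. The script below is an added example, not part of the original answer or any FRB material; the employee names, leave dates and log lines are constructed, and the log format (timestamp, user, system, action) is an assumption. It checks only direct electronic access; indirect access through instructions to colleagues still has to be controlled procedurally, as the guidance notes.

```python
from collections import defaultdict
from datetime import date, datetime

# Minimum consecutive days of absence, per the FRB guidance quoted on this page.
REQUIRED_DAYS = 14

# Constructed sample leave records: employee -> list of (first day, last day) off.
LEAVE_RECORDS = {
    "wire_clerk_a": [(date(2024, 3, 4), date(2024, 3, 17))],   # 14 consecutive days
    "trader_b":     [(date(2024, 5, 6), date(2024, 5, 12)),    # two separate one-week breaks
                     (date(2024, 9, 2), date(2024, 9, 8))],
    "wire_clerk_c": [(date(2024, 7, 1), date(2024, 7, 14))],   # 14 consecutive days
}

# Constructed sample access log (assumed format: "<ISO timestamp> <user> <system> <action>").
ACCESS_LOG = [
    "2024-03-01T09:12:00 wire_clerk_a core-banking login",
    "2024-03-09T20:31:00 wire_clerk_a webmail login",     # webmail login during required absence
    "2024-07-20T08:00:00 wire_clerk_c vpn login",         # after the absence window, fine
]


def parse_log(lines):
    """Group access events by user as (timestamp, system) pairs."""
    events = defaultdict(list)
    for line in lines:
        ts, user, system, _action = line.split(maxsplit=3)
        events[user].append((datetime.fromisoformat(ts), system))
    return events


def check_absences(leave_records, log_lines, required_days=REQUIRED_DAYS):
    """Return a finding per employee: "ok", a note that no qualifying absence
    exists, or the list of access events that fell inside a qualifying absence."""
    events = parse_log(log_lines)
    findings = {}
    for user, periods in leave_records.items():
        # Only absences meeting the consecutive-day minimum count toward the policy.
        qualifying = [(s, e) for s, e in periods if (e - s).days + 1 >= required_days]
        if not qualifying:
            findings[user] = "no absence of %d consecutive days" % required_days
            continue
        violations = []
        for start, end in qualifying:
            for ts, system in events.get(user, []):
                if start <= ts.date() <= end:
                    violations.append((ts.isoformat(), system))
        findings[user] = violations if violations else "ok"
    return findings


if __name__ == "__main__":
    for user, finding in check_absences(LEAVE_RECORDS, ACCESS_LOG).items():
        print(user, "->", finding)
```

Run against real data, the leave records would come from HR and the log lines from the VPN concentrator, mail server and core-banking audit trail; any employee whose finding is not "ok" is either missing the required absence or had electronic access during it, and both cases merit follow-up by the compliance or internal audit function.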

For citations related to our guidance, please see:

  • FRB Commercial Bank Examination Manual, Section 5017.1, page 21 of the PDF file (“One of the many basic tenets of internal control is that a bank needs to ensure that its employees in sensitive positions are absent from their duties for a minimum of two consecutive weeks. . . . For the policy to be effective, individuals having electronic access to systems and records from remote locations must be denied this access during their absence. Similarly, indirect access can be controlled by not allowing others to take and carry out instructions from the absent employee.”)
  • FRB Supervisory Guidance on Required Absences from Sensitive Positions, SR 96-37 (December 20, 1996) (“In brief, the guidance is intended to ensure that each banking organization conducts an assessment of significant risk areas. After conducting this assessment, the organization should, with few exceptions, require that employees in sensitive key positions, such as trading and wire transfer, not be allowed to transact or otherwise carry out, either physically or through electronic access, their assigned duties for a minimum of two consecutive weeks.”)