If your bank’s internal time-off requirements are based on calendar days rather than hours worked, we do not believe you need to impose hourly time-off requirements for employees who work less than forty hours in a five-day span. However, your bank may want to consider requiring employees to be absent from their duties for two consecutive weeks for the reasons described below.
The FDIC (your primary regulator) recommends that banks require their officers and employees “to be absent from their duties for an uninterrupted period of not less than two consecutive weeks . . . in the form of vacation, rotation of duties, or a combination of both activities.” The FDIC also recognizes that exceptions to a two-week policy can occur and, in such cases, recommends establishing “adequate compensating controls — such as an effective rotation of personnel — that are strictly enforced,” as well as having your vacation policy annually reviewed and approved by your board of directors.
Consequently, your bank may want to require employees to rotate their duties for five consecutive days before or following a five-day vacation so that they are absent from their regular duties for two consecutive weeks. The FDIC’s Risk Management Manual of Examination Policies measures this recommended absence in weeks (rather than hours) and notes that such time-off policies “are highly effective in preventing embezzlements, which usually require a perpetrator’s ongoing presence to manipulate records, respond to inquiries, and otherwise prevent detection.”
The FDIC also recommends “suspending or restricting an individual’s normal IT access rights during periods of prolonged absence, especially for employees with remote or high-level access rights” and states that “[a]t a minimum, management should consider monitoring and reporting remote access during periods of prolonged absence.”
Additionally, we note that the OCC and Federal Reserve have published similar guidance, and the Federal Reserve has stated that for a required absence policy to be effective “individuals having electronic access to systems and records from remote locations must be denied this access during their absence.”
For resources related to our guidance, please see:
- FDIC, Risk Management Manual of Examination Policies, Section 4.2 – Internal Routine and Controls, page 4 (“Banks should have a policy that requires all officers and employees to be absent from their duties for an uninterrupted period of not less than two consecutive weeks. Absence can be in the form of vacation, rotation of duties, or a combination of both activities. Such policies are highly effective in preventing embezzlements, which usually require a perpetrator’s ongoing presence to manipulate records, respond to inquiries, and otherwise prevent detection. The benefits of such policies are substantially, if not totally, eroded if the duties normally performed by an individual are not assumed by someone else.”)
- FDIC, Risk Management Manual of Examination Policies, Section 4.2 – Internal Routine and Controls, page 4 (“Where a bank’s policies do not conform to the two-week recommended absence, examiners should discuss the benefits of this control with senior management and the board of directors and encourage them to annually review and approve the bank’s actual policy and any exceptions. In cases where a two-week absent-from-duty policy is not in place, the institution should establish appropriate compensating controls that are strictly enforced. Any significant deficiencies in an institution's vacation policy or compensating controls should be discussed in the ROE and reflected in the Management component of the Uniform Financial Institutions Rating System (UFIRS).”)
- FDIC FIL-52-1995, FDIC’s Position on the Role of Vacation Policy as an Important Internal Safeguard (August 3, 1995) (“The FDIC endorses the concept of a vacation policy that allows active officers and employees to be absent from their duties for an uninterrupted period of no less than two weeks . . . . The FDIC recognizes, however, that exceptions to a two-week policy can occur. In those situations, it is important for the institution to have adequate compensating controls — such as an effective rotation of personnel — that are strictly enforced. When the vacation policy does not conform to the recommended two-week absence, the institution’s board of directors should review and approve the policy actually followed and the exceptions allowed.”)
- FDIC, Risk Management Manual of Examination Policies, Section 4.2 – Internal Routine and Controls, page 4 (“Management should consider suspending or restricting an individual’s normal IT access rights during periods of prolonged absence, especially for employees with remote or high-level access rights. At a minimum, management should consider monitoring and reporting remote access during periods of prolonged absence.”)
- OCC Comptroller’s Handbook, Internal Control, page 4 (January 2021) (“Determine whether processes exist to ensure that . . . Employees in sensitive positions or risk-taking activities do not have absolute control over areas. For example . . . Is there periodic unannounced rotation of duties for employees or vacation requirements that ensure their absence for at least a two-week period?”)
- FRB, SR 96-37 (SUP) — Supervisory Guidance on Required Absences from Sensitive Positions (December 20, 1996) (“One of the many basic tenets of internal control is that a banking organization ensure that employees in sensitive positions be absent from their duties for a minimum of two consecutive weeks. . . . In brief, the guidance is intended to ensure that each banking organization conducts an assessment of significant risk areas. After conducting this assessment, the organization should, with few exceptions, require that employees in sensitive key positions, such as trading and wire transfer, not be allowed to transact or otherwise carry out, either physically or through electronic access, their assigned duties for a minimum of two consecutive weeks. The prescribed period of absence should, under all circumstances, be of sufficient duration to allow all pending transactions to clear. It should also require that an individual's daily work be processed by another employee during the employee's absence.”)
- FRB Commercial Bank Examination Manual, Management Activities and Internal Controls, Section 4520.1 — Required Absences from Sensitive Positions, printed pages 273–274 (“One of the many basic tenets of internal control is that a bank needs to ensure that its employees in sensitive positions are absent from their duties for a minimum of two consecutive weeks. . . . For the policy to be effective, individuals having electronic access to systems and records from remote locations must be denied this access during their absence. Similarly, indirect access can be controlled by not allowing others to take and carry out instructions from the absent employee.”)