Financial institutions of all types and sizes are all told to “improve written policies and procedures” by every auditor, compliance officer, regulator and critic at any chance they get. This is especially true when talking about loan and compliance policies. But when is it too much? When are policies/procedures too long and covering too many topics? How can we independently assess our auditor’s advice to increase the size of our policies/procedures?
In my opinion, the single biggest problem with loan and compliance policies/procedures is that institutions allow policies and procedures to blend together. A policy should be a high-level statement on what the organization expects employees to do. A procedure is a more detailed description of how employees will accomplish policy goals. Procedures can be less formal and are more easily changed. Too many policies are crippled by the inclusion of too many procedural elements that impossibly lengthen and complicate the key policy statements. Directors are not book editors – or even always subject matter experts – how can they be expected to review changes to a 250-page loan policy? For that matter, how is an executive expected to make revisions to that policy? Any small change might have hundreds of conflicts scattered across the rest of the policy.
A good cleanup project is to read through your policies and cut out procedures. Don’t throw them away, just copy them into a separate document for procedures.
When considering a new policy, ask yourself:
Do we need to include this in a written policy or procedure at all?
If so, should it really be in a formal policy? Or could it be included instead in easier-to-modify procedures?
If we do use a formal policy, do we also need to address this in procedures?
In any situation, how lengthy should any policy or procedure be?
An important starting point is to understand that the potential number of policy topics is unlimited and you cannot possibly cover everything. There’s a law that requires us to protect whistleblowers – do we need a policy on that? Maybe. But there’s also a law against murder – is our compliance policy sub-par because we haven’t addressed homicide against customers? So how do we identify those that actually need to be included?
Similarly, any particular chosen topic could be an unlimited length. A Truth-in-Lending policy could be hundreds of pages. Obviously, it does not need to be. But is one page enough?
When we begin our analysis, I break this down into two categories: clear rules and general principles.
For the first, there are a few topics that a regulation will actually require to be included in a written policy. For example, Reg Z requires the mortgage loan officer compensation requirements to be encompassed in written policy. In some cases, the regulation will describe expectations for length and complexity. I have no advice for you here except to make sure your compliance officer is on top of these.
General Principles
This is where things get a little more interesting. For all other potential policy topics, general principles dictate whether they should be included in written policy or a procedure and, if so, how in depth such policy or procedure should be. What are these general principles?
The level of risk to customer and bank: The higher the risk, the more likely it needs to be in writing. For example, the Ability-to-Repay rule carries Truth-in-Lending penalties, is a new regulation, and applies to most residential mortgages the company will do. That’s high risk and a regulator would expect a written policy on this.
Volume (income earned): The more you earn from an activity, the greater the need for a written policy. For example, an institution without mortgage loan officers that instead relies on brokers and correspondent lenders would have a policy covering third-party origination channels. Conversely, an institution that relies solely on organic origination may not address third-party channels in its policy. In another example, a mortgage lender in Rhode Island is probably going to have more lengthy flood policies/procedures than a land-locked lender in an area with few flood zones in their assessment area.
Continuity of staff: There are Massachusetts-specific rules on record-keeping for mortgage licensing purposes. Should you include this in policy? Have key staff personnel been in place for 20 years, with no plans to retire? If so, maybe I’m not worried about including this right away.
History of compliance: Have past exams or audits identified a problem in a specific area? If so, that topic is more appropriate to include in policy than it would otherwise be. For example, a company that paid penalties related to fees charged by settlement agents may have a policy addressing how settlement agents are managed and monitored.
A good policy or procedure works “from the streets to the suites,” in that employees can depend on it for clear guidance (enabling independent action) and management can efficiently keep it up-to-date. It also must cover all the right topics. Hopefully you can use the framework from this article to assess whether yours passes this test.
Ben Giumarra is a risk management consultant with Spillane Consulting Associates Inc. He may be reached at BenGiumarra@scapartnering.com or (781) 356-2772.