A Higher Standard for Bank HR Departments (Part 6)
With an overlay of state and federal regulation, employment law issues at financial institutions take on an additional level of complexity. Whether it is the new regulations affecting permissible compensation practices for mortgage loan originators, state and federal licensing requirements or complex rules applicable to insider transactions, human resource professionals who work in financial services need to be attuned to the special rules that apply to employees and executives at their institutions.
This article is the last installment in a six-part series on banking regulations that impact your financial institution’s Human Resources Department. These materials originally were presented to attendees of the 26th Annual Baird Holm Labor Law Forum.
Part 6: Specific Training Requirements for Bank Employees
While training is expected in connection with many of the regulations applicable to financial institutions, a number of bank regulations expressly impose specific training obligations, including:
1. Expedited Funds Availability (Reg. CC)
Financial institutions are required to establish procedures to ensure that they comply with the requirements of the Expedited Funds Availability Act and its implementing regulations (Regulation CC). A copy of these procedures must be provided to all employees who perform duties affected by the rules. For example, employees who issue hold notices should be instructed on when to hold funds and how to notify customers that funds are being held.
Employees should also be instructed about providing availability disclosures. Such disclosures must be provided to customers before they open a new account. If the availability terms on an existing account are to be changed, a new disclosure should be provided to consumer customers 30 days before the change is implemented or, if the change will improve the availability of funds to the customer, no later than 30 days after the change becomes effective.
2. Bank Protection Act
The Bank Protection Act (BPA) is intended to discourage robberies, burglaries and larcenies committed against financial institutions. It requires financial institutions to:
- Establish procedures for opening and closing for business and for the safekeeping of all currency, negotiable securities, and similar valuables at all times;
- Establish procedures that will assist in identifying persons committing crimes against the institution and that will preserve evidence that may aid in their identification and prosecution;
- Provide for initial and periodic training of officers and employees in their responsibilities under the security program and in proper employee conduct during and after a burglary, robbery, or larceny; and
- Provide for selecting, testing, operating, and maintaining appropriate security devices.
3. Anti-Money Laundering (AML) and Customer Identification Program (CIP)
The Bank Secrecy Act (BSA), initially adopted in 1970, establishes the basic framework for AML obligations imposed on financial institutions. Among other things, it authorizes the Secretary of the Treasury to issue regulations requiring financial institutions to keep records and file reports on financial transactions that may be useful in investigating and prosecuting money laundering and other financial crimes.
In addition, Section 326 of the USA PATRIOT Act amended the BSA to require financial institutions to establish written customer identification programs (CIP). Treasury’s implementing rule requires an institution’s CIP to include, at a minimum, procedures for: (1) obtaining customer identifying information from each customer prior to account opening; (2) verifying the identity of each customer, to the extent reasonable and practicable, within a reasonable time before or after account opening; (3) making and maintaining a record of information obtained relating to identity verification; (4) determining within a reasonable time after account opening or earlier whether a customer appears on any list of known or suspected terrorist organizations designated by Treasury; and (5) providing each customer with adequate notice, prior to opening an account, that information is being requested to verify the customer’s identity.
Financial institutions are required to adopt and implement a compliance program to comply with AML and CIP obligations. The compliance program must: (1) Provide for a system of internal controls to assure ongoing compliance; (2) Provide for independent testing for compliance to be conducted by bank personnel or by an outside party; (3) Designate an individual or individuals responsible for coordinating and monitoring day-to-day compliance; and (4) Provide training for appropriate personnel.
4. Information Security Standards (Regs. P and V)
The Interagency Guidelines Establishing Information Security Standards (Security Guidelines) implement section 501(b) of the Gramm-Leach-Bliley Act (GLB Act) and section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The Security Guidelines establish standards relating to administrative, technical, and physical safeguards to ensure the security, confidentiality, integrity and the proper disposal of customer information.
The Security Guidelines require a financial institution to train staff to prepare and implement its information security program. The institution should consider providing specialized training to ensure that personnel sufficiently protect customer information in accordance with its information security program. For example, an institution should:
- Train staff to recognize and respond to schemes to commit fraud or identity theft, such as guarding against pretext calling;
- Provide staff members responsible for building or maintaining computer systems and local and wide-area networks with adequate training, including instruction about computer security; and
- Train staff to properly dispose of customer information.
5. Red Flag ID Theft Rules (Reg. V)
Sections 114 and 315 of the Fair and Accurate Credit Transactions Act require banking regulators to implement rules regarding Identity Theft Red Flags and Address Discrepancies (the “Red Flags Rules”). These rules seek to ensure that financial institutions and creditors are alert for signs or indicators that an identity thief is actively misusing another individual’s sensitive data, typically to obtain products or services from the institution or creditor. The Red Flags Rules require financial institutions and creditors that offer or maintain “covered accounts” to have policies and procedures to identify patterns, practices, or activities that indicate the possible existence of identity theft, to detect whether identity theft may be occurring in connection with the opening of a covered account or an existing covered account, and to respond appropriately.
To comply with the Red Flags Rule, institutions must offer annual awareness training to all appropriate employees and staff as part of their overall Red Flags Rule compliance program.