Policies & Procedures

Understand all the necessary policies and procedures for a compliant program

The specific documents requested from the bank partner will generally depend on the specific bank’s requirements as well as your line of business and use case.

This document is intended to provide a general framework for the types of documents that you should be prepared to produce. This is not an exhaustive list and may vary depending on the bank partner.

General Policies

Policy Name | Deposit Products | Credit Products
Vendor Management
UDAAP
Business Continuity
Complaint Management

Vendor Management

The purpose of a vendor management policy is to identify which vendors put your organization at risk and then define controls to minimize third-party and fourth-party risk. It starts with due diligence and assessing whether a third-party vendor should have access to sensitive data.

Required for:

  • Deposit Products
  • Credit Products

Policy Questions

  • What diligence do you perform on a vendor prior to working with them?
  • How often do you review a vendor?

UDAAP

Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) Policy Manual. The Dodd-Frank Act mandates "fair, equitable and nondiscriminatory access to credit" for consumers and makes it illegal for mortgage brokers/lenders to engage in any unfair, deceptive or abusive acts or practices as it relates to the consumer.

Required for:

  • Deposit Products
  • Credit Products

Policy Questions

  • How do you ensure representations to customers are clear and not misleading?
  • To the extent representations may be misleading or deceptive, how do you mitigate the risk?

Business Continuity

A business continuity policy is the set of standards and guidelines an organization enforces to ensure resilience and proper risk management. Business continuity policies vary by organization and industry and require periodic updates as technologies evolve and business risks change.

Required for:

  • Deposit Products
  • Credit Products

Policy Questions

  • What are the risk management strategies?
  • What tests are being performed to ensure that operations are running and continue to run without interruption?

Complaint Management

The purpose of this policy is to enable customers to make complaints, enable employees to effectively handle and resolve those complaints, and provide a process to collect, collate, and retrospectively analyze complaint data to continuously improve operations.

Required for:

  • Deposit Products
  • Credit Products

Policy Questions

  • What are the guidelines for the reporting and handling of consumer, customer, or non-customer complaints?
  • What is the complaint submission process?

Accountholder Protections

BSA/AML/OFAC

The Bank Secrecy Act (BSA) requires financial institutions to conduct, or have conducted, independent testing of the institution’s BSA/Anti-Money Laundering (AML) compliance program.

Required for:

  • Deposit Products
  • Credit Products

Policy Questions

  • What is the approach to KYC, sanctions screening, and onboarding?
  • What is the approach to transaction monitoring?
  • What is the overall strategy to prevent money laundering, terrorist financing, and fraud?
  • What is the audit process to make sure transactions aren't missed/overlooked?
  • What is the documentation retention policy?

Fraud Prevention/ID Theft

To ensure compliance with all laws and regulations, providers must maintain a system to detect and prevent fraud and identity theft performed by their customers. Any fraudulent activity must be reported.

Required for:

  • Deposit Products
  • Credit Products

Policy Questions

  • How is fraud/ID theft detected, prevented, and mitigated?
  • What are the red flags?
  • What are the customer IDV (Identity Verification) procedures?
  • What are the fraud investigation procedures?

Servicemembers Civil Relief Act/Military Lending Act

The Servicemembers Civil Relief Act (SCRA) is a law created to provide extra protections for military servicemembers in the event that legal or financial transactions adversely affect their rights during military or uniformed service. These protections enable servicemembers to devote their entire energy to the defense needs of the Nation.

Required for:

  • Credit Products

Policy Questions

  • What checks are performed to ensure that new or existing customers are not active servicemembers?

Payment Policies

Policy Name | Deposit Products | Credit Products
ACH

ACH

To ensure compliance with current regulations, all ACH originators must obtain a current copy of the National Automated Clearing House Association (NACHA) Operating Rules and Guidelines, which are published annually.

Required for:

  • Deposit Products
  • Credit Products

Policy Questions

  • What is the scope of ACH Origination Services offered?
  • What is the overall strategy to prevent money laundering, terrorist financing, and fraud?
  • How are potentially unauthorized ACH entries handled?
  • What is the documentation retention policy?
  • What is the audit process to make sure ACH transactions aren't missed/overlooked?
  • What is the process for processing an approved/denied ACH origination request?
  • What is the approach to ACH transaction monitoring?

Regulation Policies

Policy Name | Deposit Products | Credit Products
Regulation B
Regulation E/Disputes: For card products only
Regulation Z

Regulation B

Regulation B prohibits creditors from requesting and collecting specific personal information about an applicant that has no bearing on the applicant's ability or willingness to repay the credit requested and could be used to discriminate against the applicant.

Required for:

  • Credit Products

Policy Questions

  • What are the criteria for credit approval?
  • How is interest calculated?
  • What is the process of data collection for credit applications?
  • What are underwriting standards?

Regulation E/Disputes

In general, Regulation E carries out the purposes of the EFTA, which establishes the basic rights, liabilities, and responsibilities of consumers who use electronic fund transfer services and of financial institutions that offer these services.

Required for:

  • Deposit Products
  • Credit Products

Policy Questions

  • What are the procedures for resolving errors?
  • What disclosures are issued to customers?

Regulation Z

Regulation Z prohibits certain practices relating to payments made to compensate mortgage brokers and other loan originators. The goal of the amendments is to protect consumers in the mortgage market from unfair practices involving compensation paid to loan originators.

Required for:

  • Credit Products

Policy Questions

  • What is the timeline for when consumer disclosures for all loans covered by TILA (Truth in Lending Act) are issued?

Security Policies

Policy Name | Deposit Products | Credit Products
Information Security

Information Security

The aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.

Required for:

  • Deposit Products
  • Credit Products

Policy Questions

  • How is confidential customer information safeguarded?
  • In the event of a data breach, what steps do you take to mitigate harm?
  • What controls exist in your systems to ensure no breaches occur?