The top signs of a "bad policy"
- NO table of contents or index - you have to read the entire document to find out where you comply
- Large print and large margins - signs of "content stuffing" and "fluffing" to make the document seem more substantial
- NO implementation - no checklists or workflows mean that there is no way to prove compliance
- Multiple regulatory citations - §, and citations like *.***.* are useful only in legal pleadings; we are mortgage lenders, not attorneys
- Lots of history and background - only necessary for training purposes (if even then). Add a slideshow if it is training material.
- Creating new workflows - e.g., creating a Customer ID Program (CIP) when you already have a PATRIOT Act Program, or creating an OFAC monitoring program when you already check OFAC from the credit bureau.
In general, a bad plan is any plan that is difficult to read and understand. We approach this review from the perspective of a mortgage industry line employee - a typical loan officer, processor, underwriter, or branch manager. We ask, “Could the employee quickly reference the required procedures and understand them?” When we see excessive verbiage (“content bulk packing” more appropriate to training) and few examples of implementation (e.g., long lists and narrative stating “we will…” do a particular task), we know that the plan, while containing the majority of the regulatorily required elements in a vacuum, does not advance the company’s compliance.
Mostly, we see this in the area of AML plans, which have been written in "policy mills" by lawyers or others who are trying to sell them. From our perspective, the problem with these is that they aren't written with our industry as the audience. We ALREADY do most of what we need to comply. It's a matter of matching those requirements with what we already do.
For example, every mortgage company has a PATRIOT Act-required customer identification program. There is a disclosure that explains this, and there is a standard form to provide a method for recording the identification reviewed and received. The company should include its PATRIOT Act ID validation. In a bad plan, you create another program called a CIP or Customer Identification Program. WHY? You are already verifying the customer's ID. DON'T implement another process.
In another example, the entire mortgage process centers on screening for fraud, misrepresentation, or even simple errors which could lead to forensic discovery. In these bad plans, fraud is featured in an extensive discussion. However, fraud, when discovered, has a specific course of action, and fraud isn't what AML/BSA is after. The AML rules focus on the “suspicious activity” element of loan processing, where there are questions about specific items which do not, in themselves, represent fraud.
As to suspicious and AML activity, it’s less valuable to have a discussion of general terms, such as placement, layering, and integration, than it is to have a rubric of loan file review exhibits that highlight those items if they appear in a loan file. A bad policy focuses on the academic discussion of placement, layering and integration.
History, too, is fascinating, but the only relevant history in a policy should be the effective dates for compliance. Bad policies have a lot of history in them.
Bad policies provide long sections giving multiple legal code citations relative to responding to requests and sharing information with agencies, so you can tell this is cribbed directly from the law. In the rule, the impetus of this code is to ensure that a SAR filing remains confidential - you may not alert the customer - and that we protect the customer’s private information to the extent that only a legal request should result in disclosure. A simple line, "We will not disclose SAR filing to anyone, except as required by law," should suffice.
Bad policies often appear printed in a very large (14-point) font with large (1.5-inch) margins. This is often done to give the impression of more expansive content. There is nothing wrong with this formatting, but it works to dissuade a reader by insinuating that there is a lot to parse. It's puffery.