Is Vacation Mandatory?
I would have to double check with the Compliance Department, but I’ll bet that at least twice a year a credit union tells us that an examiner is in their office and has told them that they must require their employees to take at least two consecutive weeks of vacation. Is the examiner right, they want to know.
My decisively equivocal answer to that question is, not exactly, but from a safety and soundness standpoint, it makes a lot of sense. First, you won’t find a statute or regulation specifying the amount of vacation time your employees must take. The most authoritative documents I’ve seen on the subject are two legal opinion letters issued by New York’s Department of Financial Services. In 1995, the Department issued a general industry letter to financial institutions in which it opined that the State considered it “prudent business practice for every bank” and branch to have vacation policies that at a minimum mandate that “those officers and employees involved or engaged in transactional business or having the ability to change the official records of” an institution take at least two consecutive weeks of vacation each year. This letter would only be binding on state-chartered credit unions and even then, only strongly encourages credit unions and banks to have mandatory vacation policies.
As for NCUA, Section 4-6 of its examination manual, which assesses a credit union’s internal controls, tells examiners to find out whether or not officers and employees in “sensitive positions” take two consecutive weeks of vacation each year, “if practical.” The manual doesn’t define what practical is, but it clearly provides a bit of wiggle room for that smaller credit union to point out that it doesn’t have enough staff to mandate vacation time policies. Chapter 18 of the Guide lists an employee’s unwillingness to take vacation as a money laundering red flag.
The reason for these policies is obvious enough. Two weeks should give you more than enough time to figure out if an employee is engaging in illegal activity at the credit union. (And here you thought your employer just wanted you to be well rested). Still, it is clear that on both the state and federal level, credit unions that ignore the role that vacation policies play in protecting them from being used for illegal activity may raise legitimate safety and soundness concerns.
This idea seems simple enough, but this is another example of how your IT and compliance activities have to be coordinated. For example, in 2005, a Type-A bank employee asked the DFS if its vacation policy recommendation meant that she couldn’t access e-mail while on vacation. Let’s face it, some of us are more addicted to email than Donald Trump is to his own ego. The DFS explained that while employees can access email while on vacation, financial institutions should ensure that this discretion does not allow employees to blur the lines between routine email communications and communications effecting transactions.
The distinction the Department was trying to make is all the more difficult in 2015 when many employees are allowed to bring their own smartphones to work and passwords can access the most important of databases. So what conclusions should you draw from all this? First, although examiner concerns have traditionally been geared toward employees who can execute transactions, it seems to me that in this day and age, virtually all your employees have that power. As a result, while there is no statute or regulation mandating your employees take a significant, consecutive amount of time off each year, such a policy makes sense. Besides, it’s a good mechanism to ensure that your credit union isn’t dependent on one employee to perform a core function.
Second, for these vacation policies to be most effective from a safety and soundness standpoint, your IT Department should know who has access to what credit union resources at any given time. Even if you don’t rigorously enforce a vacation policy, one of the most basic steps you can take from a cybersecurity standpoint is to limit access to employees who actually need it.
Finally, don’t assume that your employees would never embezzle from your credit union. The sad reality is that good people do bad things all the time. Your typical embezzler is not a 26-year-old kid who’s been working at the credit union for a year, but the trusted middle-aged executive with bills to pay.
Come to think of it, I better put in for vacation time between Christmas and New Year’s. See you on Monday and Happy Fourth of July!