BAI Policy Template Library

BAI provides compliance professionals with industry-specific actionable content that helps them make informed decisions during the policy management process. The policy templates listed below are only available as part of the BAI Policy Manager. Each policy template includes standard language that is updated to the latest regulatory changes, and within the BAI Policy Manager can easily be customized to meet the needs of your financial services organization.

BAI Policy Template Description
802.11 Wireless Network Security Standard The standard is to establish controls for 802.11 wireless networks in order to minimize risks to the confidentiality, integrity and availability of information and to support secure access to resources and services over wireless networks.
Acceptable Use of Information Technology Resources Establishes the appropriate organizational use of information and information technology (IT) resources. Effective security of those resources requires the participation and support of the organization’s workforce (users). It applies to the users of any system, information, or physical infrastructure. Users must comprehend the responsibilities and activities described in the document, and adhere to them.
Acceptable Use Policy The purpose of this policy is to supplement and expand upon an organization’s Information Systems Security Policy by outlining the policies, procedures and processes that make up the organization’s Acceptable Use Policy (AUP). The guidelines are in place to mitigate cybersecurity risks, events and the legal and compliance issues that arise from them.
Access Control To ensure that access controls are implemented and in compliance with IT security policies, standards, and procedures.
Account Management/Access Control Standard The purpose of this standard is to establish the rules and processes for creating, maintaining and controlling the access of a digital identity to an entity’s applications and resources, in order to protect the entity’s systems and information.
Accounting (CECL) The purpose of this Current Expected Credit Loss (CECL) policy is to maintain an adequate methodology for establishing, estimating and maintaining allowances for credit losses to properly reflect an accurate financial position of the organization while also ensuring that the institution complies with guidance outlined by regulatory agencies and the Financial Accounting Standards Board (FASB). The guidance is established as Accounting Standards Codification (ASC 326), which creates a measurement model to establish a proper allowance for loan losses based on current expected credit losses rather than incurred losses.
Accounts Payable and Employee Expense Policy This policy provides guidelines for the accounts payable function and the reimbursement of employee expenses incurred in connection with activities formalized by the Board of Directors of this Institution. This policy and subsequent procedures are designed to ensure legal and regulatory compliance while allowing a degree of flexibility and judgment for approving officers.
Active Shooter The purpose of this policy is to minimize the risk of personal injury to employees at work and damage to institution and personal property. To meet this goal, it is vital that all employees read, understand, and follow all elements of this policy.
Americans with Disabilities Act The policy is to ensure the organization will provide equal access to people with disabilities and to comply fully with Title III of the Americans with Disabilities Act (ADA) with respect to policies, programs, services, and activities. This policy applies to all members of the public with disabilities using or attempting to use our services (including online services), locations and facilities.
Appraisal Appraisal guidelines have been established to assist you in protecting your interests in real estate-related transactions by requiring minimum real estate appraisal standards be used. Appraisals and evaluations are required to be (1) in writing (including electronic delivery), (2) performed in accordance with established standards, and (3) performed by appraisers and evaluators whose competency has been demonstrated and whose professional conduct will be subject to effective supervision.
Bank Bribery Act To prevent any conflict-of-interest issues, INSTITUTION employees and officials are prohibited from engaging in any activities prohibited by the federal Bank Bribery Act, 18 U.S.C. § 215, and the relevant NCUA Rules and Regulations.
Change of Address A policy for applicants and members who need to update or change their address. Having an incorrect mailing address can cause the institution to be out of compliance with multiple regulations and will most likely result in any mail sent by the credit union being returned.
Charitable Donation Accounts The policy has been established to ensure that the Credit Union’s charitable and financial resources are used in a way that follows its charter and best serves its membership.
Clean Desk The policy was developed to improve the security and confidentiality of information. It ensures that all sensitive and confidential documents and information, whether on paper, a storage device, or a hardware device, are properly locked away or disposed of when a workstation is not in use. This policy will reduce the risk of unauthorized access to, loss of, and damage to information during and outside of normal business hours or when workstations are left unattended. A Clean Desk Policy is an important security and privacy control.
Cloud Computing Policy The policy provides ongoing oversight and monitoring of cloud service providers, which are important to gain assurance that cloud computing services are being managed consistent with contractual requirements, and in a safe and sound manner. In general, this oversight and monitoring includes, at a minimum, evaluating independent assurance reviews (e.g., audits, penetration tests, and vulnerability assessments), and evaluating corrective actions to confirm that any adverse findings are appropriately addressed. It is the responsibility of the organization to assess, select, engage, and oversee the cloud computing services to ensure such actions are consistent with the INSTITUTION’s strategic plans and corporate objectives.
Commercial Loan (CML) The general Commercial Credit Policy addresses the composition and control of the loan portfolio as a whole and establishes standards for individual credit decisions. Supplementing this general policy, and subordinate to it, are separate policies including this Commercial Lending Policy covering specific types or aspects of lending.
Commercial Real Estate (CRE) Loan The general Commercial Real Estate Credit Policy addresses the composition and control of the loan portfolio as a whole and establishes standards for individual credit decisions. Supplementing this general policy, and subordinate to it, are separate policies including this Real Estate Lending Policy covering specific types or aspects of lending.
Community Reinvestment Act (CRA) – Large Bank The policy purpose is to state the Community Reinvestment Act (CRA) requirements to encourage banks to reinvest in their local communities through affirmative credit programs and community involvement, specifically for banks which are defined as an intermediate or large bank.
Community Reinvestment Act (CRA) – Small Bank The policy purpose is to state the Community Reinvestment Act (CRA) requirements to encourage banks to reinvest in their local communities through affirmative credit programs and community involvement, specifically for banks which are defined as a small bank.
Community Reinvestment Act (CRA) – Strategic Plan This document is designed to assist banks with the development of a CRA strategic plan and its submission to the bank’s regulatory agency for approval. The plan will specify measurable goals for helping to meet the credit needs of each assessment area covered by the plan, particularly the needs of low- and moderate-income geographies and low- and moderate-income individuals, through lending, investment, and services, as appropriate.
Complaint The policy governs the receipt, investigation, analysis and response to general complaints regarding an institution. Complaints are defined as issues noted and communicated regarding the institution; complaints related to credit bureau reporting, some mortgage loan issues, and electronic transaction issues are covered by other regulations. These complaints are taken seriously and will be responded to in an appropriate amount of time.
Compliance Management Systems The policy was designed to govern the management of the processes, policies, procedures, and training used to comply with all consumer laws and regulations, and to manage the compliance program to ensure the lowest possible risk to our institution. It sets an expectation for all employees to comply with the specific details and the spirit of all consumer laws and regulations. This policy statement is intended to assist all affected employees in understanding and carrying out that mandate.
Computer Security Threat Response This policy defines responsibilities for responding to security threats affecting the confidentiality, integrity, and/or availability of information technology (IT) resources.
Configuration Management The policy was designed to ensure that Information Technology (IT) resources are inventoried and configured in compliance with IT security policies, standards, and procedures.
Consumer Leasing The offering of a consumer lease program at an institution should include internal controls used to comply with the Truth-in-Lending Act, Regulation M, and all other applicable consumer federal and state laws and regulations. These internal controls will also be used to mitigate the risks to the institution and to the consumers who apply for leases. This policy also covers the need to ensure that lessees of personal property receive the required disclosures, requirements to limit the amount of balloon payments in consumer lease transactions, and how to promote accurate disclosure of lease terms in the institution’s advertising.
Consumer Loan The general Consumer Credit Policy was designed to address the composition and control of the loan portfolio as a whole and establishes standards for individual credit decisions. Supplementing this general policy, and subordinate to it, are separate policies including this Consumer Lending Policy covering specific types or aspects of lending.
Contingency Planning The policy was designed to ensure that normal Information Technology (IT) resources and information systems are available during times of disruption of services.
Credit Card The policy is subordinate to and subject to the guidelines and principles stated in our general Consumer Credit Policy, including such subjects as nondiscriminatory lending, consumer protection regulations, lending structure, approval authority, credit standards and guidelines, trade area, and loan portfolio composition.
Credit Card Compliance The purpose of this policy is to establish and maintain an effective compliance management system that ensures the Institution’s adherence to applicable laws and regulations. By implementing robust compliance practices, the Institution aims to mitigate legal risks, protect sensitive information, and uphold its commitment to ethical business conduct.
Cryptocurrency Policy The policy was designed to govern the processes and risks inherent with offering its customers a Cryptocurrency Service through its Internet and mobile banking product platforms that provides the convenience of functionality such as buying and selling, withdrawing funds, and pricing.

 

Cyber Incident Response Standard This standard outlines the general steps for responding to computer security incidents. In addition to providing a standardized process flow, it (1) identifies the incident response (IR) stakeholders and establishes their roles and responsibilities; (2) describes incident triggering sources, incident types, and incident severity levels; and (3) includes requirements for annual testing, post-incident lessons-learned activities, and collection of IR metrics for use in gauging IR effectiveness.
Cybersecurity The policy states the responsibilities for Cybersecurity, especially with the Board of Directors, and the employees responsible for overseeing the Information Security Program of the institution and ensuring that management effectively implements and manages the program.
Data Privacy The purpose of this Data Privacy Policy is to provide a clear framework for managing personal data in a manner that ensures its confidentiality, integrity, and availability. By implementing this policy, the Institution aims to safeguard personal information against unauthorized access, disclosure, or misuse, while complying with relevant privacy laws and regulations such as GDPR, CCPA, and others. This policy also aims to enhance trust and transparency with customers, employees, and other stakeholders by demonstrating a strong commitment to data privacy.
Data Retention – Protection – Maintenance The purpose of this policy is to establish a comprehensive framework for managing Institution’s data, ensuring it is appropriately protected, classified, retained, and maintained. By implementing robust data management practices, the Institution aims to mitigate security risks, ensure compliance with industry standards, and support operational efficiency.
Diversity Equity & Inclusion This policy is neither a replacement nor a substitute policy for any other policy such as Equal Employment Opportunity (EEO) and/or Affirmative Action policies. It is meant to provide a starting point for and support a broader diversity initiative. The combination of required policies/plans, and Diversity, Equity & Inclusion (DE&I) initiatives create opportunities for cultural inclusion, respect for differences, acceptance, and respect for all workers.
Do-Not-Call The policy addresses the national do-not-call rules and how financial institutions must comply with them.
Elder Abuse Older adults are targets for financial exploitation due to their income and accumulated life-long savings, in addition to the possibility that they may face declining cognitive or physical abilities, isolation from family and friends, lack of familiarity or comfort with technology, and reliance on others for their physical well-being, financial management, and social interaction. The policy is designed to identify, monitor, manage and properly report instances of potential elder abuse, and comply with the rules related to the Bank Secrecy Act.
Electronic Signatures in Global and National Commerce Act (E-SIGN Act) The policy was designed to assign responsibility to ensure the rules of the E-Sign Act are adhered to by all personnel.
Eligible Obligations The policy addresses situations when a credit union can, in whole or in part, purchase, sell, and pledge a federal credit union’s loan. A credit union must establish an agreement between the two parties to identify the loans that will be transferring ownership.
Employee Incentive or Bonus Program Employee Incentive or Bonus Program
Encryption Standard This standard applies to all systems, which includes websites and web services, for which the entity has administrative responsibility, including those managed and hosted by third-parties on behalf of the entity.
Enterprise Risk Management The policy governs all inherent risks posed to financial institutions, the development and implementation of a risk management framework, and the tying of risks to the strategic initiatives of the institution to make the organization as a whole more efficient at addressing the major risks.
Environmental Risk Policy The policy was designed to recognize the importance of appropriately determining the potential adverse effect of environmental contamination on the value of real property and the potential for liability under various environmental laws in evaluating real estate transactions and making loans secured by real estate. The policy describes the importance and guidelines for establishing an Environmental Risk Program, which involves the overall credit decision making process, that provides procedures for identifying and evaluating potential environmental concerns associated with lending practices and other actions relating to real property commensurate with an institution’s lending portfolio and operations.
Exceptions The purpose of this policy is to establish a formal process for handling security exceptions, ensuring that any deviations from established security policies and standards are properly managed and do not pose undue risks to Institution’s information assets.
Fair Credit Reporting Act (FCRA) The policy describes the methods that institutions are required to follow when handling consumer credit information and how to correct inaccurate credit reporting information. The policy also describes the permissible use of information, credit standings, credit capacity, credit disputes, handling address discrepancies and more.
Fair Debt Collection Practices Act (FDCPA) The purpose of the policy is to enforce the rules related to eliminating abusive debt collection practices by debt collectors and to ensure that those debt collectors who refrain from using abusive debt collection practices are not competitively disadvantaged.
Fair Lending The policy enforces the fair lending laws and regulations, which prohibit discrimination in all aspects of any type of credit transaction on the basis of race, color, religion, national origin, sex (including sexual orientation), marital status, age, receipt of income from public assistance programs, and good faith exercise of any right under the Consumer Protection Act. The policy states the organization will only grant or deny requests for loans solely on the basis of the applicant’s creditworthiness and the established underwriting standards.
FDIC Insurance and Signage The policy governs the use of deposit and non-deposit products, the applicability of FDIC insurance signage, advertisement insurance disclosures, and how depositors conduct business within an insured bank through all channels. The policy requires the bank to identify, mitigate, and monitor risks associated with deposit-taking activities. The policy includes guidance on signage requirements for physical and digital deposit-taking locations, and the use of disclosures differentiating deposit and non-deposit products regardless of their location.
Financial Technology Company Providers Policy The policy was developed to supplement and expand on the organization’s Vendor Management Policy by identifying the risks associated with fintech engagements and mitigating those risks when performing due diligence on prospective relationships with fintech companies.
Fintech Bank Partner It is the policy of the Company to provide its product, service, system, or activity to banks, credit unions, or other types of financial institution companies (referred to as financial institutions) which are in compliance with consumer protection laws and regulations, safety and soundness guidelines, and third-party risk management practices.
Flood Disaster Protection Act (FDPA) The objectives of flood disaster protection and insurance legislation are to ensure that flood insurance is available at a reasonable cost to owners of real property located in a special flood hazard area, and to reduce the potential loss due to a flood and provide alternate relief funds where available.
Foreign Branching This policy addresses the situations in which a foreign branch may be created and the requirements credit unions need to meet in order to obtain NCUA approval of a foreign branch application request.
Fraud This fraud policy is established to assure that an institution properly responds to potential or actual fraud, through the development of internal controls that will aid in the prevention and detection of fraud against the institution.
General Lending The policy addresses a high level of controls used to mitigate the risks of offering lending products by the institution, including lending approval limits, maximum LTVs and terms, and more.
Generative AI This policy addresses the issues associated with Generative AI, helps employees understand the guidelines for its acceptable use, and provides guidelines for using AI in a way that protects Institution’s non-public, sensitive information and complies with applicable laws, regulations, ethical standards, and Institution’s company values. This Policy applies to all Personnel and the use of any third-party or publicly available Generative AI tools.
Governance (ISP) The purpose of this policy is to define and describe the governance of the information security program (ISP) for protecting the confidentiality, integrity, and availability of protected data processed, stored, or transmitted by the institution.
Human Resources Salary Administration This policy develops and enforces the organization’s Human Resources Salary Administration Program (the Program), to ensure its salary and incentive compensation arrangements are fair, equal in relation to position or experience, recognize performance, are designed to attract and retain talent, and do not encourage risk-taking behavior.
Human Resources Telecommuting (Work from Home) The policy was created to allow and govern designated employees to telecommute by working from home, on a business trip, or from a remote or satellite location while conducting their job responsibilities for all or part of their normal work schedule. The organization considers telecommuting to be a viable, flexible work option when both the employee and his or her job responsibilities are appropriately suited to such an arrangement.
Human Resources Vaccination The policy was created to provide and maintain a safe and healthy workplace in accordance with all applicable federal, state, and local laws, rules and regulations, in addition to guidance issued by the Centers for Disease Control and Prevention (CDC), the Equal Employment Opportunity Commission (EEOC), and state and local health authorities, as applicable, including during times of a pandemic, and to manage, monitor and communicate the organization’s vaccination policy.
Human Resources Whistleblower The policy was created to protect individuals of the organization, allowing them to anonymously communicate unjust or improper actions of management, the board, or the organization as a whole, and to provide remedies for alleged improper actions.
Identification and Authentication The policy was created to ensure that only properly identified and authenticated users and devices are granted access to Information Technology (IT) resources in compliance with IT security policies, standards, and procedures.
Identity Theft Prevention Program (Red Flags) The policy was created to comply with the rules, which require each financial institution or creditor to develop and implement a written Identity Theft Prevention Program (Program) to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts.
Incident Response The policy was created to ensure that Information Technology (IT) properly identifies, contains, investigates, remedies, reports, and responds to computer incidents.
Incident Response and Preparedness The policy was created to implement and maintain an effective Incident Response Program so that designated personnel (internal and external Incident Response Teams) may take appropriate action and notify consumers as required in the event an incident of unauthorized access to sensitive consumer information to minimize damage to the company and its consumers.
Indirect Dealer Loan The purpose of this policy is to generally state the conditions and the processes under which staff are to function and operate indirect dealer loan lending operations. This policy, formalized by the Board of Directors of institution, serves as a guide to provide a foundation of safe and sound credit decisions and adherence to all state and federal laws and regulations.
Information Classification Standard This standard outlines a classification process and provides procedures for classifying information in a manner that uniformly protects information entrusted to the entity. The process of classifying information is a basis for an entity to evaluate the retention and disposition schedules currently in effect for its records.
Information Security This policy benefits entities by defining a framework that will assure appropriate measures are in place to protect the confidentiality, integrity and availability of data; and assure staff and all other affiliates understand their role and responsibilities, have adequate knowledge of security policy, procedures and practices and know how to protect information.
Information Systems Security (IT Security) This policy and the sub-policies it contains are designed to provide guidance to all of your employees on the confidentiality and importance of safely maintaining customer information. Information security is every employee’s responsibility.
Interest Rate Risk (IRR) Interest rate risk is the exposure of a bank’s current or future earnings and capital to adverse changes in market rates. This policy is used to govern the risks, and assign responsibilities for implementing controls, measurements, and monitoring necessary for the organization to be sustainable, and have optimal capital and earnings.
Internet and Electronic Mail (E-Mail) The internet and email policy identifies the risks inherent in the world of the internet and corporate email environment, and establishes the parameters for the general scope and use this institution will make of electronic technology, the process for its planning and implementation, and the responsibilities and safeguards for its implementation, use, and risk management. Supplementing this general policy, and subordinate to it, are separate policies covering specific areas of technological use.
Internet Banking The policy was created to establish and implement governance and manage the risks with respect to internet banking activities.
Investment The investment securities portfolio shall be managed to maximize portfolio yield over the long term, consistent with liquidity needs, pledging requirements, asset/liability strategies, and safety/soundness concerns. The purpose of this policy statement is to outline the institution’s practices for managing the risks of investment securities and, when applicable, end-user derivatives activities. The fundamental elements of our risk management program include board and senior management oversight and a comprehensive risk management program which identifies, measures, monitors, and controls risks like market risk, credit risk, liquidity risk, operational risk and legal risk.
IT Physical and Environmental Protection The policy was created to ensure that Information Technology (IT) resources are protected by physical and environmental security measures that prevent physical tampering, damage, theft, or unauthorized physical access.
IT Resources Maintenance The policy was created to ensure that Information Technology (IT) resources are maintained in compliance with IT security policies, standards, and procedures.
Liquidity The purpose of the liquidity policy template is to manage the risk of the institution’s liquidity position and its ability to meet obligations. The institution’s liquidity can be affected by factors such as interest rate changes, economic factors, asset quality, and the stability of deposits at the organization. This policy is used to govern the risks and develop internal controls to mitigate the risk of not meeting obligations, ensuring the sustainability of the organization.
Loan Collection Program The collections department is charged with ensuring that the INSTITUTION complies with all state and federal laws, regulations, and internal guidance governing the collection of delinquent debts and loans. It is the policy of the INSTITUTION to use effective collection practices available to reduce loan loss and minimize risk by the INSTITUTION. The collections staff will make every effort to bring delinquent loans and overdrawn accounts to their current status. It is the INSTITUTION’s policy to reduce and stabilize consumer credit delinquency and sell repossessed and foreclosed collateral when necessary to maintain efficient recoveries.
Loan Participation The policy was developed to govern participation loans either originated or participated in by the institution. A participation is an arrangement in which an institution makes a loan to a borrower, then sells all or a portion of that loan to other institutions. All documentation would be drafted in the name of the institution originating and selling portions of the loan. Generally, the purchasing bank’s share of the participated loan is evidenced by a certificate that assigns an interest in the loan and any related collateral.
Loans and Lines of Credit to Members The policy governs the making of sound loans and lines of credit to members, with equal access to credit in compliance with all federal, state and local consumer and fair lending laws. The objectives of this policy are to: create policies and procedures designed for the lending products offered to members, perform adequate due diligence to address the inherent credit risks associated with offering credit products to members, define risk appetite, establish underwriting criteria associated with these types of loans and lines of credit, and provide adequate monitoring.
Loans to Credit Unions The policy was written to address situations in which a Federal Credit Union makes loans to other credit unions and corporate credit unions, while maintaining compliance with the legal borrowing limits for the institution and for a single borrower.
Marketing Plan and Program The policy was created to ensure that Information Technology (IT) resources are protected by physical and environmental security measures that prevent physical tampering, damage, theft, or unauthorized physical access.
Media Protection (IT) The policy was created to ensure that Information Technology (IT) controls access to and disposes of media resources in compliance with applicable laws and regulations, and other IT security policies, standards, and procedures.
Member Expulsion This policy provides for expulsion of members who have caused a loss, or who have engaged in behavior that is illegal, threatening, abusive, or otherwise disruptive to CREDIT UNION operations and/or any activity that causes a financial loss, is associated with fraud, and/or increases reputational or regulatory compliance risk to the CREDIT UNION. The Federal Credit Union Act (FCU Act) provides authority for the board of directors to expel members who have caused the CREDIT UNION a loss or who have engaged in actions that put the CREDIT UNION at risk of loss or liability. This policy is not enacted to restrict the rights of membership, but rather to address certain unacceptable conduct and protect the CREDIT UNION’s members, employees, and property.
Military Lending Act (MLA) The policy was developed to comply with the rules under the Military Lending Act (MLA), which include protections for a broad range of closed-end and open-end credit products to military personnel and their covered dependents.
Mobile Banking The policy was created to identify and manage the inherent risks with offering the mobile financial services (MFS) through mobile devices (also known as wireless devices, such as a smart phone, tablet, etc.) via its mobile delivery channel that provides the convenience, and access to services and information through that medium.
Mobile Device Security Standard Mobile devices often need additional protection because their nature generally places them at higher exposure to threats than other client devices that are only used within an entity’s facilities and on the entity’s networks. This standard outlines the additional protections required for the use of mobile devices.
Model Risk Management The policy was created to govern the institution’s use of quantitative analysis and models, which are routinely used in most aspects of its financial decision-making processes and for a broad range of activities. In general, models can help increase automation, transparency, and consistency in the organization’s activities.
Mortgage Servicing The policy will be used by mortgage loan servicers to understand and implement the provisions of the federal mortgage servicing rules and regulations for creditors, assignees, and small or large servicers; to maintain the service standards for consumer mortgage loans after consummation; to ensure the rights of borrowers in good standing or in default; and to provide a clear and accurate understanding of any exemptions and how they apply.
Mortgage Servicing – Large Servicer The policy covers the following topics: relevant regulatory definitions, loan servicing thresholds and entity types for large mortgage servicers, servicing transfers, force-placed insurance, ARM interest-rate adjustment disclosures, escrow statement and cancellation notice requirements, prompt crediting and no pyramiding, payoff statements, mortgage loan transfer disclosure policies and procedures, early intervention for troubled loans, continuity of contact, loss mitigation procedures, periodic statements, and record retention requirements.
Overdraft The policy was created to develop the processes necessary to manage the risks associated with offering overdraft products and services, which are unsecured extensions of credit and require approval within established credit authorities.
Patch Management Standard Security patch management (patch management) is a practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization. The standard was created to govern the application of security-related software or firmware updates (patches) to applicable IT; the expected result is less time and money spent dealing with exploits, achieved by reducing or eliminating the related vulnerabilities.
Payday Alternative Loans The policy oversees the offering of the payday lending loan program at the institution and includes internal controls used to comply with the regulatory requirements and mitigate the risks to the institution and consumers who apply for them.
Payment Systems The policy was created to manage the activities and procedures of the various payment systems utilized by the organization.
Physical Security The policy provides employees, contractors, partners, and other interested parties with clear direction. It requires them to ensure all necessary physical security measures are in place to prevent unauthorized access, malicious interference, or damage to our assets and, most importantly, to provide safety for our employees and clients.
Planning Policy The policy was created to ensure that Information Technology (IT) resources and information systems are established with effective security controls and control enhancements that reflect applicable federal and state laws, executive orders, directives, regulations, policies, standards, and guidance.
Public Notice The policy was created to comply with all related federal and state laws, rules and regulations regarding public notices.
Reconsideration of Value The policy addresses deficiencies noted by the institution or the applicant related to the appraisal or evaluation report developed for a consumer mortgage loan transaction. All complaints will be taken seriously and addressed in a timely manner. In certain situations where errors or insufficient information are found, a second appraisal may be deemed necessary.
Records Preservation Program The policy addresses the requirements for federal credit unions to maintain certain vital records in the event of a catastrophic event.
Regulation B – Equal Credit Opportunity Act (ECOA) The policy addresses the requirements within Regulation B, including appraisal standards and offering credit products equally to applicants based on objective standards such as credit history and income. The policy also includes internal controls and guidance used to comply with Section 1071 of the Dodd-Frank Act.
Regulation C/Home Mortgage Disclosure Act (HMDA) The policy was created to comply with the Home Mortgage Disclosure Act and related Regulation C with internal procedures that result in proper loan information recordation, submission, and proper disclosures to the public.
Regulation CC – Delayed The policy was created to develop internal procedures that result in proper loan information recordation, submission, and proper disclosures to the public as required by law to applicable organizations.
Regulation CC – Next Day Availability The policy was developed to make funds deposited into transaction accounts available according to specified time schedules, to disclose these funds availability policies to clients, and to establish procedures designed to speed the collection and return of unpaid checks as required under the regulation.
Regulation DD/Truth In Savings Act (TISA) The policy was created to comply with these deposit account guidelines by establishing internal procedures that result in the offering of proper deposit account terms, correct disclosure of these terms, and advertising that meets the regulation guidelines.
Regulation E/Electronic Fund Transfer Act (EFTA) The policy was created to establish internal procedures that result in proper issuance of access devices, disclosure, limitations on consumer liability, documentation of transfers, prepaid accounts, and error resolution procedures to ensure compliance with the requirements of the regulation.
Regulation E/Electronic Fund Transfer Act (EFTA) – Remittance Transfer This policy contains guidance for institutions that provide remittance transfer services and conduct more than 500 transactions per year to comply with the regulatory requirements.
Regulation K The purpose of this policy is to govern the activities of foreign banks in the United States. Since this Institution qualifies under the Edge Act, it is permitted to participate in a variety of global banking practices, including owning entire nonfinancial foreign business entities.
Regulation O This policy is designed to address the credit and legal standards that apply to insiders and affiliates. All loans to insiders and affiliates must also meet the standards set forth in the overall credit policy and subordinate credit policies covering particular types of loans (commercial, real estate, etc.).
Regulation P/Privacy of Consumer Financial Information The policy was created to ensure respect for the privacy expectations of our consumers and to enforce their privacy rights in line with ethical and regulatory expectations and requirements.
Regulation W The policy is to ensure proper adherence to the provisions and intent of Regulation W – Transactions between Member Banks and their Affiliates. Sections 23A and 23B of the Federal Reserve Act are important statutory provisions designed to protect the Bank from suffering losses in transactions with its affiliates. They also limit the ability of the Bank to transfer to its affiliates the subsidy arising from the Bank’s access to the Federal safety net.
Regulation Z Policy The policy was created to establish controls and assign responsibilities designed to protect consumers and ensure competition among financial institutions through the meaningful disclosure of credit terms, allowing consumers to compare standardized credit terms more readily and knowledgeably, in addition to providing a uniform system for disclosures as required under the regulation.
Remote Access Standard The policy was created to address the major security concerns with remote access, which include the lack of physical security controls, the use of unsecured networks, the connection of infected devices to internal networks, the availability of internal resources to external hosts, potential damage to resources, and unauthorized access to information.
Right to Financial Privacy Act (RFPA) The policy was created to govern the process of providing consumers a reasonable amount of privacy from federal government scrutiny into their financial activities, and to comply with the rights of consumers to, in certain cases, challenge government access to their financial records and, if their challenge is unsuccessful, at least be informed as to which personal records are being turned over to a government authority.
Risk Assessment The policy was created to ensure that Information Technology (IT) performs risk assessments in compliance with IT security policies, standards, and procedures.
SAFE Act The purpose of the SAFE Act Policy Template is to summarize the organizational requirements for identifying, registering, and assigning a unique identifier to all personnel who meet the definition of a Mortgage Loan Originator.
Safe Deposit Box The purpose of the policy is to comply with all safe deposit box laws and regulations and implement a sound risk management program to ensure the risks associated with offering safe deposit boxes are adequately identified and managed.
Safety Program The policy includes objectives, direction and expectations regarding an institution’s safety. It is the authority, basis and platform for the development, communication, implementation, interpretation and enforcement of appropriate and applicable operating procedures that follow in subsequent sections of this policy.
Sanitization/Secure Disposal Standard The policy was created to establish controls for the proper disposal of electronic media, in order to mitigate the risk of unauthorized disclosure of information and to ensure its confidentiality.
Secure Coding Standard The standard was created to ensure that programming code written is resilient to high-risk threats and to avoid the occurrence of the most common coding errors which create serious vulnerabilities in software. While it is impossible to write code that is completely impervious to all possible attacks, implementing these coding standards throughout information systems will significantly reduce the risk of disclosure, alteration or destruction of information due to software vulnerabilities.
Secure Configuration Standard The standard was developed to establish baseline configurations for information systems that are owned and/or operated by an entity. Effective implementation of this standard will maximize security and minimize the potential risk of unauthorized access to information and technology.
Secure System Development Life Cycle Standard Computer systems and applications are created to address business needs. To do so effectively, system requirements must be identified early and addressed as part of the SDLC. Failure to identify a requirement until late in the process can have major repercussions for the success of a project and result in project delivery delays, deployment of an inadequate system, and even the abandonment of the project. Furthermore, with each phase through which a project passes without identifying and addressing a requirement, it becomes more costly and time-consuming to fix the problems that result from the omission.
Security Assessment and Authorization The policy was developed to ensure security controls are in place in information systems and the environments in which those systems operate, as part of an ongoing system monitoring and system development life cycle.
Security Awareness and Training The policy was developed to ensure that the appropriate level of information security awareness training is provided to all Information Technology (IT) users.
Security Logging Standard This standard defines requirements for security log generation, management, storage, disposal, access, and use. Security logs are generated by many sources, including security software, such as antivirus software, firewalls, and intrusion detection and prevention systems; operating systems on servers, workstations, and networking equipment; databases and applications.
Sensitive Position Two Week Vacation Policy Sensitive positions include employees who are involved or engaged in transactional business or have the ability to change the official records of the institution, as well as all other staff who can influence or cause such activities to occur. Titles include all officers, the Chief Executive Officer, Chief Operating Officer, Chief Financial Officer, Chief Risk Officer, Chief Compliance Officer, and other applicable officer titles to be named. All exempt, full-time employees in accounting or finance are also included. The policy includes the implementation of mandatory time off for these positions as a critical initial safeguard consistent with AML best practices and fraud safeguards.
Servicemembers Civil Relief Act (SCRA) The policy is to enforce the rights and requirements under the Servicemembers Civil Relief Act (SCRA), which is intended to strengthen national defense through protections extended to servicemembers that enable them to devote their entire energy to the defense needs of the nation, by providing for the temporary suspension of judicial and administrative proceedings and transactions that may adversely affect the civil rights of servicemembers during their military service.
Small Business Administration (SBA) Loan The policy was developed to state the conditions and the processes under which staff are to function and operate Small Business Administration (SBA) loan operations. This policy serves as a guide to provide a foundation of safe and sound credit decisions and adherence to all state and federal laws, rules and regulations. The policy delineates authority and defines responsibilities and functions.
Social Media and Networking This policy is designed to provide guidance on how social media will be approached, proper methods for promoting your message and image, and the consequences of not following guidelines.
Stored Value and Prepaid Card The policy was developed to govern the processes, risks, and regulatory requirements that come with offering stored value and prepaid card products and services that comply with all related laws, rules and regulations.
Stress Testing Program The policy was created to address the requirements of stress testing, which is designed to fit the institution’s unique loan portfolio strategy, size, loan types, composition, operations, and management. This process can range from a single spreadsheet analysis to a more sophisticated model, depending on portfolio risk and the complexity of the institution, thereby enabling management to ensure that potential adverse outcomes are appropriately considered.
Student Loan Program The policy was created to address the conditions and the processes under which the staff are to function and operate a student loan program. This policy serves as a guide to provide a foundation of sound credit decisions and adherence to all applicable laws, rules and regulations.
System and Communications Protection The policy was created to establish guidelines for system and communications protection for Information Technology (IT) resources and information systems.
System and Information Integrity The policy was created to ensure that Information Technology (IT) resources and information systems are established with system integrity monitoring to include areas of concern such as malware, application and source code flaws, industry supplied alerts and remediation of detected or disclosed integrity issues.
System and Services Acquisition The policy was created to ensure that Information Technology (IT) resources and information systems are acquired with security requirements to meet the information systems mission and business objectives.
Telephone Consumer Protection Act (TCPA) The policy was developed to comply with the Telephone Consumer Protection Act and ensure the privacy of consumers when using their telephone and cell phone numbers.
Text Messaging Opt-In Form Disclosure Opt-In Form Disclosure to allow institutions to obtain permission to send text messages to customers or members.
TILA-RESPA Integrated Disclosures The Consumer Financial Protection Bureau (CFPB) developed a rule designed to create disclosure forms that combine previously separate mortgage disclosures given to consumers under the Truth in Lending Act (TILA) and the Real Estate Settlement Procedures Act of 1974 (RESPA). This policy covers the disclosure and timing requirements required to be developed and delivered to consumers for closed-end mortgage loans secured by real property.
Training for Officials The policy addresses the requirements for federal credit unions to provide training for new and incumbent board members to allow them to be equipped to comply with their fiduciary responsibilities.
UDAAP Unfair, Deceptive or Abusive Acts or Practices (UDAAP) can cause significant financial injury to consumers, erode consumer confidence and undermine the financial marketplace. The policy was created to enforce the rule that it is unlawful for any provider of consumer financial products or services, or a service provider, to engage in any unfair, deceptive or abusive act or practice. UDAAP is designed to prevent unfair, deceptive or abusive acts or practices in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service.
Vendor Management Program This policy is intended to establish a framework for the management of outsourcing or vendor risks by meeting several objectives such as effective oversight by the board, adequate risk assessment and due diligence procedures for the selection and monitoring of service providers, and contract review procedures.
Vulnerability Scanning Standard Vulnerability management is a process by which the vulnerabilities identified through scanning are tracked, evaluated, prioritized and managed until the vulnerabilities are remediated or otherwise appropriately resolved. This standard was developed to manage the vulnerabilities identified during scans and to ensure that appropriate actions are taken to reduce the potential that these vulnerabilities are exploited, thereby reducing the risk of compromise to the confidentiality, integrity and availability of information assets.
Wire Transfer The policy was developed to provide proper controls over the wire transfer function and thus manage several types of risk inherent within this area related to fraud, misuse, settlement risk, compliance risk, including AML considerations and requirements.
Workout and Non-Accrual Loan workouts are used by institutions to help borrowers in situations where they are experiencing financially difficult events or situations. This policy describes the types of workout situations available through the institution, scenarios where a loan can be placed on non-accrual status and when it can return to accrual status, and the due diligence required by the institution to understand and make available the best option for the institution and the borrower.

These policies are as of Tuesday, April 15th

For more information on these documents and the BAI Policy Manager, contact us today.