How to Write a Policy Manual
In the last several seminars we have conducted, as well as clients we have visited, a consistent constant question has arisen, How to write an effective policy manual?
Well the first thing is to be honest with ourselves; companies steal (make effective use of existing copy) to compose the first version of the AML manual as well as several sections of the manuals of other companies. Yep – you took what existed and began to adapt prior copies for your use, and that is OK.
The second is to cut from the manual those things you are not going to do. If the manual says you are going to scan outgoing wire transfers for XYandZ and you are not going to and or your firm is not a bank – cut that part of the manual. Seems simple, but if this were not a real problem – we would not have mentioned it.
Cut ALL adjectives and adverbs – if you need to color a situation – explain the color with out use of adjectives or adverbs.
Cut all words, nouns, verbs, etc…. that can be interpreted in different ways. If you are required to use nouns and verbs that are vague, immediately footnote the word and explain how you are using this word in context. I watched a large bank and the regulators got to battle over the meaning of the word “fiduciary”. Honestly – there was not a wise mind in the room during that battle – geesh.
Avoid exclusionary words such as always and never. Never says that you will always do KYC research so you never get a bad client. Nuff said.
If you describe an action you will take – do it. If you are not going to do – do not say you are going to do it. If you say you will scrub the list of client against the OFAC list every 30 days – do it. Do not scrub the list on the 31st day, for you will have already violated you procedures set forth in you AML manual. Do not offer to do something every month. Scrubbing your list of clients against OFAC on January 31 and than again on Feb 1 – is not effective and it looks like every two months based upon days.
AML policies are living documents, they change and are amended as the laws change as your business changes, as technology changes, etc… For example, Molly drafted your AML policy and it was accepted by FINRA, FDIC, OCC and you insurance company. Molly has done well and was promoted, and her spot in compliance was filled by Carl – call began to automate some of the work and thus changed the AML policy to reflect the automation. Carl was hired away by an executive recruiting firm and Lars was hired to replace Carl. This is a common story for many very diligent people in compliance. Lars was on the job for 30 days when an event occurred and the regulators have come to see if you followed your policy. They will have read the policy you on file with them and will be surprised to find that you have not followed your policy. This is the beginning of a feeding frenzy for the inspectors for they live to find fault with anyone they investigative (I admit that is a dramatic overreach – well, kind of), but it is true that this is how many of the regulators think.
How does one avoid this – simple, but your diligence is still required. Track all updates changes and why the policy was updated or changed. Send copies of the update AML Manuel to the appropriate regulatory authorities as well as your insurance company. Thus all are informed and cannot say they were not informed of the changes.
This level of diligence is also impressive to both regulators as well as insurance carriers and should help in addressing any questions these stakeholders in your compliance might have, and demonstrate not just your honesty but also your authentic attention to detail and compliance.
Companies get into trouble when they don’t have any processes, or when they have a process – but they don’t follow the process.