Tuesday, October 4, 2022

July 2021 OBA Legal Briefs

  • Vacations — Required or recommended

Vacations – Required or recommended

By Andy Zavoina

We last wrote about vacation time in the September 2019 Legal Briefs. That was a short article on the recommended necessity of taking consecutive days off. After a year of COVID-19 and everyone being couped up, summer 2021 stands to be a record as people can finally get back out and take much needed vacation time. But rather than say, “here is a cite from the FDIC and Human Resources needs to enforce a policy…” I want to explore why a “vacation” policy should be required, where it is required as well as where it is not, and how to meet the spirit and intent. I put quotes around the key term, vacation, but that is misleading. I also want to explore not just being absent but also being disconnected, and why this is important. It is important to point out to both management and staff that such a policy is a safety and soundness issue, not a way to inconvenience staff or force them to group together the few days of vacation they have.

We will talk about a few real-life cases which reinforce why this policy needs to exist, and under what circumstances exceptions are allowed. By the time you are done, you will be able to ensure management has all the facts and the reasons for requiring many staff members are in fact absent from their duties, and how this is beneficial to both the bank and the employee. In short, it will help you understand why a policy is needed and how to craft it or tweak, if needed, what you already have in place, to best meet the spirit and intent of the rule.

Three cases of interest

Indirect vehicle financing. Fortunately, this was not my bank, but it was a bank about a block away from our main branch and we all knew many of the staff there. Many in my bank knew the woman in question. She had worked for the bank for over 20 years. She rarely took a vacation or sick day. She was seen as dedicated. She was seen as experienced. She was trusted.

It turned out what she was, was a thief, an embezzler. She worked in the indirect dealer area and handled drafts. With many larger floorplans there was a lot of money coming in and going out and that meant large suspense accounts. Those accounts had to be reconciled and checked. But when you have an employee of this caliber and with this experience, you ask her “why?” She will explain it and on you go, because these audits are such a pain to do and explain anyway.

But when she was on a very rare vacation, the employee filling in had questions. Nobody liked the answers because it was well over $100,000 that could not be reconciled and that is a shock for a small bank. She had been taking money and as the phrase goes, cooking the books. When she was not available to answer certain questions, the facts came pouring out because numbers do not lie.

First Community Bank, Cave City, AR. Two years ago, there was an incident in Cave City, Arkansas. This is “Home of the world’s sweetest watermelons.” In the 2010 census this was a town of less than 2,000 people, so a small town to say the least.

Today the bank involved has 28 locations in Arkansas and Missouri and the Cave City branch shows to have deposits of $22 million. For 18 years Carrie Porter worked at First Community Bank. She was a teller. For about 12 of those years Carrie would periodically take a stack of $100 bills. The first time she walked out of the bank with $10,000 in her purse that was not hers, it was not hard. She continued this every three or four months.

By the time she was caught the sum of her theft was calculated to be $285,125. She was very apologetic and confessed what she had done. She was cashing in her retirement and her family was harvesting trees from their property and selling land. She hoped to repay 80 percent of what she had stolen before she reported to prison for 18 months. She swore she would repay all of it. She said the money “was just gone” and really had nothing to show for it.

Carrie Porter will be about 51 years old when she is released and most certainly her family will be paying the price with her. Thefts such as this impact the bank, the employee, and the families of all involved.

Bank fraud, wire fraud, and money laundering (Oh, my!). In April of this year in New York, Gangadai Rampersaud Azim was arrested and charged with wire fraud, bank fraud, bank theft, money laundering, and conspiracy, for her role in a scheme to defraud the bank she worked at, of $1.7 million. These charges are pending, so the crime is alleged at this point.

Azim allegedly stole more than $1.7 million and concealed the crime until an absence from work led to its discovery. Yes, she had an illness that forced her to take leave. She was not there to cover her tracks.
In January 2021, the bank set off a customer’s deposit for a delinquent loan. The customer claimed the loan had been paid off in 2019, and the unravelling began. In 2019 the money was taken for the loan and the customer believed the loan was paid off. Azim kept that payoff and unbeknownst to the borrower, started a renewal of the loan for them. There is both a debit and credit, but Azim’s theft created an additional debit that had to be concealed in the future.

The investigation revealed Azim repeatedly made false entries in the bank’s systems, misappropriating funds paid to the bank by many borrowers who thought their loans were paid off. In fact, Azim was extending the maturity dates, so the bank believed it had assets, while the borrowers thought they had no debts. As loans came due, they were covered by new loans faked by Azim to replace them.

The criminal complaint says, “Between August 2008 and January 2021, Azim, a long-time employee of a New York, New York-based bank (“Bank-1”) stole approximately $1.7 million from her employer. Over the course of approximately 12 years, Azim executed hundreds of wire transfers of Bank-1 funds to co-conspirators and related companies, who then sent portions of the ill-gotten funds to Azim’s personal bank account.

“In furtherance of her scheme to defraud Bank-1, Axim repeatedly made false entries in Bank-1’s systems, misappropriating funds paid to Bank-1 by its clients to satisfy outstanding loan obligations and then extending the maturity dates of those loan obligations, making it appear as though the loan obligations had not yet been paid. When even the fraudulently extended maturity dates came due, Azim originated new, fraudulent loans. Azim utilized the proceeds of those fraudulent loans to satisfy the loans for which she had previously stolen the client payments. In doing so, Azim abused her position at Bank-1 and enriched herself at the expense of her employer.”

In all it appears there were 14 fraudulent loans without promissory notes for $1 million that were used to pay the fictitious debts Azim created, and five others for more than $700,000 with extended maturity dates where the borrower thought the loans had been satisfied. Over approximately 12 years, between 2008 and 2020, Azim made approximately 200 wire transfers of bank funds, each for an amount under $10,000, sent to third party accounts. Transfers were made to co-conspirators and related companies, which then returned portions of those funds to Azim.

We never would have thought …

The bank’s Security Officer will advise the bank to diligently have the internal control and other periodic audits completed because the bank must be diligent against theft. Banks and other companies often say when an embezzlement is found that that was the last employee they would have ever thought would steal from them. Unfortunately, many of the traits of a dedicated employee are also those of someone covering up a theft. Additionally, there are signs to look for in employees such as those living beyond their means, having financial difficulties, having unusually close relationships with vendors, and having excessive control issues such as over the account relationships they oversee.

Security programs will point out common warning signs seen when employee thefts have occurred. These are not definitive points, but rather are intended to raise awareness.

• The employee never wants to take vacation.

• The employee works a lot of overtime and enjoys the peace of quiet of being the only one there.

• The employee takes work home.

• There are signs of excessive personal spending, cars, vacations, collectibles, etc. Some of these may be converted to cash through sale, laundering if you will, and some may be for personal enjoyment.

• Frequent casino trips.

• Unusually close relationship with customers or vendors.

• Unverified expense reports for supplies or travel.

Disconnecting

Human Resource managers and health experts all agree that there is a reason for weekends and vacations regardless of the energy and dedication an employee has. Disconnecting from the job is needed for mental health. Therefore, your bank offers vacation time.

There are many reasons big vacations are not taken. Not every employee wants to travel or has the means to do so. There may be additional restrictions due to an employee’s health or that of someone they care for. Family schedules can be hard to sync and there can be many other reasons. But that does not prevent a person from using time off and disconnecting from the job.

There is the occasional employee who wants control. The work they do may be intricate and detailed and having a day-to-day knowledge of what has transpired assists them in keeping up to date and resolving problems quickly and accurately. “If I leave for a few days, I’ll just come back to a mess that will take weeks to clean up.” This may be a valid concern, but sometimes it is a sign of a controlling person who has falsified records and accounts and is concerned that anyone stepping into their job may find a discrepancy and that could lead to discovery. It is like a juggler with many balls in the air. If you miss one, many others may come down as well. They must be there, in control, to keep those balls in the air.

There are pros and cons of a mandatory vacation requirement. These should be recognized by management, HR, and the bank’s employees. Taking a short block of days, such as one week, gives the employee a chance to recharge their batteries. It can be a needed break.

This employee’s time off is also an opportunity for the bank to review the employee’s area. Have there been complaints from customers or staff that a supervisor was overstepping their authority? This is a chance for issues to come to the top so they can be resolved. It is also a time when workloads can be reviewed and balanced for the benefit of everyone. It also encourages cross training staff. No one person is irreplaceable and if they are, the bank needs to rectify that. People come and go but the business tasks continue as do deadlines. This gives the junior employee a chance to work at a higher level and to understand a job they may inherit or may not be suited for. In that case, it is better to know sooner rather than later. If that junior employee is in a rut, this may be an opportunity to help them as well. And if that seasoned employee were to decide to leave suddenly, the bank wants to know who can fill the position and what information may be needed to do so. A few vacation days may reveal that more cross training is required to be efficient, or that the written procedures are not adequate for the position in today’s environment.

After a year of so many telecommuting on a full or part time basis, this need is even more pressing today. It is rare that an employee will come back from a vacation more tired than when they left, even if they filled every day with activities. They either enjoyed the time off or looked forward to getting back to their routine. Either way, it is a positive position for the bank. That leads to happier employees, and makes future recruiting easier as well. It also makes planning easier for the bank and the employees because certain dates can be blacked out well in advance for the benefit of both the bank and staff.

Something that can be a short term “con” and a long term “pro” is that this advance planning reveals staffing concerns. Certain positions can be harder to fill and may stretch key employees very thin. Knowing this in advance assists in resolving the issue before it happens at a less controlled time.

Preplanned vacations may contribute to scheduling challenges as well. When several employees want the week off around given holidays like July 4th or Christmas, it can be taxing on those left to complete all the work. This may also draw down management’s time as increased supervision over a department or certain jobs becomes required. For this reason, adding planned maternity leaves into the calendar aids in the overall planning. A vacation will be easier to adjust than a parental leave.

Another challenge in having a mandatory vacation requirement is enforcing it. HR needs to be able to warn employees well in advance so there is not a concentration of employees who all need the last week of the year off. If planned events must be adjusted for whatever reason, they should be rescheduled immediately to avoid a bottleneck.

If an employee does not use their annual vacation time, either it accumulates which could cause the bank actual cash if it pays the employee for that time, or the employee could lose those days which could be seen in the long term as “theft of time” by the employee. That is, if their opinion of the bank sours, this will be one more thing they dislike about it and blame the bank. It also serves to support a bad employee as it adds justification to anything they are doing wrong.

How should the bank manage these situations? The bank controls the risks. The risk is the employee could be embezzling, but that is certainly not the norm and we do not assume it is, but we do recognize it as a red flag. It is a risk that is mitigated in part by ensuring employees use vacation time. You may hear arguments, “I don’t have enough vacation time to take an entire week off,” or “I’m a one-person department. If I’m not here to do my job, it will not get done.” This brings us back to risk mitigation. The bank truly needs someone else to understand that job and to be able to do it. In addition to the proverbial bus taking that employee out of their job, that employee limits their upward mobility in the bank, and if they ever choose to leave the bank there would be nobody cross-trained to fill in or take over. Again, risk mitigation is good for the bank and the employee in this case. Fortunately, this risk mitigation is also an audit control feature.

Audit Controls

The bank’s HR area should have a record of which employees have how many days of vacation. Proper procedures tell us the vacation days should be tracked. The bank needs to be aware of who uses, stockpiles, or loses vacation time. Proactively monitoring who has how many vacation days is a positive step for the bank in planning its calendar. When the bank has large projects coming up such as systems conversions, a new branch opening, or a major exam, certain employees may not be able to take vacation days. These need to blacked out and the employee needs to know this in advance.

Likewise, the employee should be able to identify at least one block of time they do want vacation, and this should be communicated to the bank. As an example, a bank with a mandatory five-day block of vacation needs to know when certain employees will be out. Additional vacation days may be broken up as some people enjoy short breaks and pairing one or two days with a holiday weekend provides interim breaks. But that five-day break helps detect possible ongoing fraud. Five days is often enough for one or more of those balls in the air to drop.

There may be a set period of days the bank identifies as “mandatory vacation.” If the bank determines that for a variety of reasons a five or even ten-day block of time is required, employees and the bank need to plan when this will be, so it meets the needs of both the staff and the bank. Employees may be restricted from having overlapping days with another key employee, so it may be necessary to create a hierarchy of who gets preference, the senior employee by position or time at the bank, the first one to request those days or some other methodology that works for your bank.

OK Administrative Code 85:10-5-3

To save you from looking this up, here is what the Administrative Code requires of your internal controls program as to being absent. The actual text is in italics, and I’ve injected my own comments after each paragraph, as needed, to reinforce certain points:

All internal control programs adopted by banks shall contain as a minimum the following:

(1) A requirement that each officer and employee, when eligible for vacation, be absent from the institution at least five consecutive banking days each calendar year, unless otherwise approved in writing by the bank’s bonding company for bank officers and employees generally and then each officer and employee who may be excepted from this requirement must be specifically approved by the bank’s board of directors and it shall be recorded in the board of director’s minutes, that the officer or the employee may be absent less than the five consecutive banking days. During the absence of an officer or employee, the duties of the absent officer or employee must be performed by other bank officers and employees.

This section says a lot. Some banks have expressed a policy of providing immediate vacation availability to meet this perceived five days off requirement. Note the text says, “when eligible for vacation.” If the bank’s vacation policy requires accrual and prohibits taking vacation in the first three or six months, then the requirement to take days off is based on eligibility and no time is available during that probation or accrual period. The bank may consider a policy such as “the employee will accrue 0.83 days of vacation per month yielding 10 days after one year. The employee will be eligible for vacation after 6 months, when five days have accrued. As vacations are planned, a five-day continuous block must be scheduled by the employee. Additional days may be taken at the convenience of the bank in one day increments, but at least one block of five days must be planned.” A policy such as this means that an employee hired after June will not have time to accrue the minimum five days required, July to December is six months, 6 x0.83=4.98 days, rounded up to the five needed, but the calendar year ends with the last accrual. In this case the accrued days could be taken in that year with the caveat that the 5-day block will be taken the following calendar year as there are more days accrued. Employees hired in May could feel resentment as a strict reading says they are eligible for five days of vacation in December and would have to take those days then to achieve the “each calendar year” requirement. The bank would then have to consider that is what is required, or an exception be granted or that vacations are simply not allowed in the first calendar year except by special permission.

Note next that the actual requirement is not that an employee take vacation days, but that they be absent for at least five consecutive days. In that this is an internal fraud control procedure the five days are business days – days in which problematic transactions such as those noted in the actual cases above could be detected. This means we do not count non-banking days such as weekends, holidays, or days when the bank is otherwise closed. This brings up an exception to consider. Say an employee is on a five-day vacation break and a winter storm closes your bank for two days. If there is no item processing, the intent of this break may not be met. The bank needs to consider extending that employees time off to accomplish the five-day break. Since the bank was closed those shouldn’t be vacation days anyway, but the employee may not have enough vacation days remaining for a five-day absence. If the vacation is not extended at that time, consider noting it as an unintended and unavoidable exception caused by an act of God.

Let’s consider another exception. Say an employee has a severe illness and has used their personal and vacation days. Some policies allow other employees to donate their days off to that sick employee. That may exhaust the donating employees vacation days and not allow the five-day absence requirement to be met. Such a policy should allow all but five days to be donated, unless the absence requirement has or will otherwise be met, so keep reading.

The real point here is that the issue is a five-day absence. Let’s assume the bank’s CFO is travelling out of town on Monday for a conference to be held Tuesday through Thursday. She then will travel home on Friday. All 5 of those days were business days. The 5 days of absence can be met with her not performing any of her duties in the bank – that is, if she was absent.

Now let’s consider what “absence” means. Remember that one motivating factor here is fraud detection. This means that employee is not conducting any of their functions or advising on issues while away. They should not be calling, texting, or emailing anyone about their job. Any message such as “Do not worry if it does not balance. Leave it as out and I will fix it/figure it out when I get back. No one will know” would completely defeat the purpose of the rule from an internal control perspective. Similarly, the bank should consider suspending the logon credentials of the absent employee. This protects the bank and the employee as the employee will without question not be able to go into the bank’s systems and make any changes, and any other employee using those credentials will be locked out. The bank’s IT department would be able to track attempted logons and determine if these credentials were compromised. That would be a separate issue, but an important internal control, nonetheless.

Exceptions can be allowed. These may require the approval of the bank’s bonding company, and the board of directors. The latter should be noted in the board meeting minutes. I was a common exception in my bank. It was a smaller bank, and I was the Compliance Department. This is a field requiring precise knowledge of laws and regulations and I was not easily replaceable. There were subject matter experts in various departments of the bank who could answer questions about their areas, but I tied it all together. I never worked on any general ledgers, debits or credits or handled cash or checks for processing. I did not grant or close loans. This put my position at a very low risk of conducting internal fraud and especially any fraud that would be detected because of my absence.

In a very small bank, another potential solution is cross-training. Two employees may switch positions, but it is imperative that they not conduct or advise each other about their duties as this could defeat the purpose of being absent. This is not ideal but may be permissible under certain circumstances.

Other Rules

The FDIC addressed this issue in FIL-52-95. Yes, that is from 1995 and it is still valid. In part it says, “The FDIC endorses the concept of a vacation policy that allows active officers and employees to be absent from their duties for an uninterrupted period of no less than two weeks.” Some larger banks do hold to a ten-day period but because of staffing issues, five days is often considered adequate to detect wrongdoing. The FIL is guidance, not a requirement. It states that if a bank is not following this guide, examiners should encourage the board of directors to annually review and approve the policy followed and the exceptions allowed. The March 2015 Internal Routine and Controls exam manual includes a section recommending a bank have a policy requiring employees (which includes officers) be absent for a two consecutive week period. I understand examiners will inquire about this, but that little else is done when risk management practices and strong internal controls exist. The exam manual calls for only a discussion with management when such a policy does not exist. It also states, “Any significant deficiencies in an institution’s vacation policy or compensating controls should be discussed in the ROE and reflected in the Management component of the Uniform Financial Institutions Rating System (UFIRS).” The exam manual also refers to the rotation of staff as an effective internal control and a valuable part of an employee’s training.

The Federal Reserve issued SR 96-37 in December 1996 discussing required absences. This was a guidance document. The FRB later issued Circular 10923 on February 10, 1997, where it provided guidance and recommended a ten-day absence. It is specific to sensitive positions and allows for well document exceptions.

I was in a national bank for over 20 years, and it was not an event during any of our exams. I have read that as national banks get bigger, the examiners do pay more attention and do point it out as a strong internal control. So, like the FDIC and FRB, they encourage a policy requiring absence, but it is not a requirement. It is mentioned in the OCC’s Internal Controls Manual. This references sensitive positions or risk-taking activities and asks, “Is there periodic unannounced rotation of duties for employees or vacation requirements that ensure their absence for at least a two-week period?” This is a question, but not a stated requirement.

The bank may opt to prioritize which positions would require a consecutive five- or ten-day absence from their positions and those handling cash and checks, approving and processing loans and similar “at-risk” tasks and positions may be the only ones required, or they may require a higher bar to request and have approved any exception. Risk rating the employee’s positions will not please all of them, but some may be happier than others. Changes to a position’s duties could influence this risk status, so remember to add that to a checklist, if applicable.