Summer is coming to an end, and my high school freshman has spent much of his summer on his iPad. How things have changed. I remember spending my summers taking long bike rides, swimming in the lake, and playing badminton over the fence in my parent’s backyard. As a parent, I worry about the time spent on the iPad and the dangers the Internet brings. The auditor in me wants to dig into the activity history on the iPad to see what he is viewing and the messages he is sending so I can keep him safe. But are we invading our children’s privacy?
I have always thought the practice of monitoring employee account activity was also keeping the financial institution safe, but I could see employees’ differing point of view that it is a violation of their privacy. The monitoring of employees’ account activity is briefly discussed in Section 3000.1 of the Federal Reserve Bank’s Commercial Bank Examination Manual, which states financial institutions’ policy should establish standards that segregate or specially encode employee accounts and encourage periodic internal supervisory review. The OCC and FDIC do not require employee account monitoring but do include questions in their standard questionnaires asking whether the financial institution has procedures for establishing employee accounts and reviewing accounts. Also, as part of Bank Secrecy Act and Anti-Money Laundering (BSA/AML) compliance, there are requirements for monitoring and reporting of suspicious activity. Although employee account monitoring is not specifically required, suspicious activity monitoring should include all transaction accounts, and there is a requirement to report suspicious activity of any amount involving an insider on a suspicious activity report.
So, to keep the financial institution safe and to meet regulatory expectations, employee account activity should be monitored. This monitoring can detect employee fraud and identify employees who are not following established procedures. It can also be a deterrent to committing fraud if the financial institution has disclosed the monitoring and requires employees to acknowledge receipt of the employee manual, which should include a policy on the financial institution’s right to review employee account activity.
Invading privacy is sometimes part of a control to keep us safe, and knowing that someone is watching will deter activity that could lead to unsafe situations or financial losses. If your financial institution needs assistance with developing employee account monitoring procedures or establishing controls, please let us know. We can help to keep your financial institution safe.