12 CFR 917.6 - Internal control system.
(a) Establishment and maintenance. (1) Each Bank shall establish and maintain an effective internal control system that addresses:
(i) The efficiency and effectiveness of Bank activities;
(ii) The safeguarding of Bank assets;
(iii) The reliability, completeness and timely reporting of financial and management information and transparency of such information to the Bank's board of directors and to the Finance Board; and
(iv) Compliance with applicable laws, regulations, policies, supervisory determinations and directives of the Bank's board of directors and senior management.
(2) Ongoing internal control activities necessary to maintain the internal control system required under paragraph (a)(1) of this section shall include, but are not limited to:
(i) Top level reviews by the Bank's board of directors and senior management, including review of financial presentations and performance reports;
(ii) Activity controls, including review of standard performance and exception reports by department-level management on an appropriate periodic basis;
(iii) Physical and procedural controls to safeguard, and prevent the unauthorized use of, assets;
(iv) Monitoring for compliance with the risk tolerance limits set forth in the Bank's risk management policy;
(v) Any required approvals and authorizations for specific activities; and
(vi) Any required verifications and reconciliations for specific activities.
(b) Internal control responsibilities of Banks' boards of directors. Each Bank's board of directors shall ensure that the internal control system required under paragraph (a)(1) of this section is established and maintained, and shall oversee senior management's implementation of such a system on an ongoing basis, by:
(1) Conducting periodic discussions with senior management regarding the effectiveness of the internal control system;
(2) Ensuring that an internal audit of the internal control system is performed annually and that such annual audit is reasonably designed to be effective and comprehensive;
(3) Requiring that internal control deficiencies be reported to the Bank's board of directors in a timely manner and that such deficiencies are addressed promptly;
(4) Conducting a timely review of evaluations of the effectiveness of the internal control system made by internal auditors, external auditors and Finance Board examiners;
(5) Directing senior management to address promptly and effectively recommendations and concerns expressed by internal auditors, external auditors and Finance Board examiners regarding weaknesses in the internal control system;
(6) Reporting any internal control deficiencies found, and the corrective action taken, to the Finance Board in a timely manner;
(7) Establishing, documenting and communicating an organizational structure that clearly shows lines of authority within the Bank, provides for effective communication throughout the Bank, and ensures that there are no gaps in the lines of authority;
(8) Reviewing all delegations of authority to specific personnel or committees and requiring that such delegations state the extent of the authority and responsibilities delegated; and
(9) Establishing reporting requirements, including specifying the nature and frequency of reports it receives.
(c) Internal control responsibilities of Banks' senior management. Each Bank's senior management shall be responsible for carrying out the directives of the Bank's board of directors, including the establishment, implementation and maintenance of the internal control system required under paragraph (a)(1) of this section, by:
(1) Establishing, implementing and effectively communicating to Bank personnel policies and procedures that are adequate to ensure that internal control activities necessary to maintain an effective internal control system, including the activities enumerated in paragraph (a)(2) of this section, are an integral part of the daily functions of all Bank personnel;
(2) Ensuring that all Bank personnel fully understand and comply with all policies, procedures and legal requirements applicable to their positions and responsibilities;
(3) Ensuring that there is appropriate segregation of duties among Bank personnel and that personnel are not assigned conflicting responsibilities;
(4) Establishing effective paths of communication upward, downward and across the organization in order to ensure that Bank personnel receive necessary and appropriate information, including:
(i) Information relating to the operational policies and procedures of the Bank;
(ii) Information relating to the actual operational performance of the Bank;
(iii) Adequate and comprehensive internal financial, operational and compliance data; and
(iv) External market information about events and conditions that are relevant to decision making;
(5) Developing and implementing procedures that translate the major business strategies and policies established by the Bank's board of directors into operating standards;
(6) Ensuring adherence to the lines of authority and responsibility established by the Bank's board of directors;
(7) Overseeing the implementation and maintenance of management information and other systems;
(8) Establishing and implementing an effective system to track internal control weaknesses and the actions taken to correct them; and
(9) Monitoring and reporting to the Bank's board of directors the effectiveness of the internal control system on an ongoing basis.