Article 6: Control and Mitigation

C 163/2019 STA
  1. A Bank must have a strong control environment, including but not limited to, appropriate segregation of duties and dual control. Areas of potential conflicts of interest must be identified, minimized and be subject to careful independent monitoring[3] and review.
  2. A Bank, in addition to segregation of duties and dual control, must ensure that other traditional internal controls are in place. Such controls include but are not limited to:
    a. Clearly established authorities and/or processes for approval;
    b. Close monitoring of adherence to assigned risk thresholds or limits;
    c. Safeguards for access to and use of, Bank assets and records;
    d. Appropriate staffing level and training to maintain expertise;
    e. Ongoing processes to identify business lines or products where returns appear to be out of line with reasonable expectations;
    f. Regular verification and reconciliation of transactions and accounts; and
    g. A vacation policy that requires officers and employees to take a minimum leave of absence as determined by the Bank.
  3. Risk transfer and mitigation tools such as insurance are imperfect substitutes for sound controls and risk management so Banks must utilize risk transfer tools as complementary to, rather than a replacement for, internal operational risk control.

[3] Independent monitoring may be done by the internal audit function or an external consultant, subject to the party having the appropriate skills to do so. The Central Bank will expect the Bank to explain and evidence its decision of how it chose an independent party and how their skills were assessed.