# MCA funder annual policy review

> The annual policy review covers underwriting, pricing, compliance, risk, and operations policies. It is typically led by the CRO with Board approval and refreshed for regulatory changes, market shifts, and performance data.

An MCA funder's annual policy review is the formal yearly process of evaluating and updating all written policies governing the funder's operations. Annual policy reviews are required by bank lenders and mandated by state regulators in licensed states, and they serve as a critical risk-management control. Updated 2026-06-29.

**Policy 1: Underwriting policy.**
- Eligibility criteria (revenue, tenure, industry, state).
- Bank-statement analysis methodology.
- Credit-bureau usage and thresholds.
- Approval authority matrix.
- Override and exception procedures.
- Documentation requirements.
- Fraud-detection procedures.
- Anti-stacking controls.

**Policy 2: Pricing policy.**
- Factor-rate matrix by paper grade.
- Term limits by paper grade.
- Holdback percentages by industry.
- Tenure-discount tiers.
- ISO commission schedules.
- Pricing exception authority.
- Competitive-match procedures.

**Policy 3: Risk policy.**
- Concentration limits (merchant, industry, state, ISO).
- Single-deal maximums.
- Aggregate exposure limits.
- Reserve methodology.
- Default classification.
- Charge-off triggers.
- Recovery procedures.

**Policy 4: Compliance policy.**
- State licensing schedule.
- APR disclosure procedures (CA, NY, UT, VA, GA).
- Anti-money laundering procedures.
- Office of Foreign Assets Control (OFAC) screening.
- Fair lending compliance.
- Servicemembers Civil Relief Act (SCRA) compliance.
- Consumer complaint procedures.
- Records retention.

**Policy 5: Servicing policy.**
- ACH processing procedures.
- Reconciliation procedures.
- NSF handling.
- Customer service standards.
- Merchant communication standards.
- Collections procedures.
- Workout and modification procedures.

**Policy 6: Information security policy.**
- Data classification.
- Access controls.
- Encryption requirements.
- Incident response.
- Vendor management.
- Cyber insurance.
- Business continuity / disaster recovery.

**Policy 7: Vendor management policy.**
- Vendor due-diligence requirements.
- Critical vendor classification.
- Vendor monitoring frequency.
- Vendor exit procedures.
- Vendor risk-assessment methodology.

**Policy 8: Human resources policy.**
- Employee onboarding (background checks, references).
- Compensation philosophy.
- Performance management.
- Training requirements (compliance, security, fraud).
- Termination procedures.

**Review process.**
1. **Q4 prior year:** Policy owners identify required changes.
2. **Q1:** Drafts circulated to executive team.
3. **Q1:** Legal and compliance review.
4. **Q1:** Risk Committee review.
5. **Q2:** Board approval.
6. **Q2:** Communication and training rollout.
7. **Q3-Q4:** Monitoring of policy compliance.

**Inputs to annual review.**
- Regulatory changes (federal and state).
- Litigation outcomes.
- Examination findings.
- Audit findings.
- Performance data (defaults, NIM, retention).
- Competitive intelligence.
- Industry-association guidance.
- Bank lender feedback.
- ABS investor feedback.

**Policy approval authority.**
- **Board approval required:** Underwriting policy, pricing policy, risk policy, compliance policy, information security policy.
- **Executive approval required:** Servicing policy, vendor management policy, HR policy.
- **Department-head approval:** Procedural updates within approved policies.

**Common policy changes in 2026 reviews.**
- CFPB §1071 data collection procedures.
- State licensing additions (Illinois, Missouri likely to add MCA licensing 2026-2027).
- APR disclosure procedure refinement (CA, NY, UT, VA, GA).
- Stacking detection enhancements.
- AI / ML governance (NYDFS, SEC guidance).
- Cyber risk procedures (post-2024 ransomware wave).
- Climate-related disclosures (SEC, state requirements).

**Documentation requirements.**
Each policy must include:
- Policy statement.
- Scope.
- Definitions.
- Roles and responsibilities.
- Procedures.
- Exceptions and approvals.
- Monitoring and reporting.
- Training requirements.
- Effective date and review date.
- Approval signatures.
- Version history.

**Training rollout.**
Following Board approval:
- All-staff communication of major changes.
- Department-specific training sessions.
- Role-specific training (e.g., underwriters, compliance staff).
- Compliance acknowledgment tracking.
- Refresher training cadence.

**Audit alignment.**
Internal audit programs are structured around the annual policy framework. Audits test compliance with each policy and recommend updates.

**External auditor alignment.**
External auditors (typically Big 4 or top 10) review policies as part of audit scope:
- Internal control over financial reporting.
- Compliance with applicable regulations.
- Adequacy of policies for stated business model.

**Bank lender alignment.**
Bank facility agreements typically require:
- Annual policy review.
- Policy delivery to lenders.
- Lender consent for material policy changes.
- Annual compliance certificate.

**Trend 2026.**
Three trends are reshaping annual policy reviews:
1. **Regulatory complexity.** State licensing expansion, federal CFPB §1071, and APR disclosure requirements are driving longer, more detailed policies.
2. **AI governance.** ML-based underwriting and decisioning are creating new policy domains (model governance, fair-lending testing, explainability).
3. **Continuous review.** Some funders are moving from annual to continuous policy review, with quarterly Board approval of incremental updates.

**Common confusion.** First, "policies are just for compliance" — policies drive operational consistency across underwriting, servicing, and risk. Second, "annual review is a formality" — examination findings and audit results typically drive material annual changes. Third, "policies don't need Board approval" — at licensed funders, several policies require explicit Board action.

## Related terms

- [MCA funder quarterly portfolio review](https://fundnode.co/llms/glossary/mca-funder-quarterly-portfolio-review) — Quarterly portfolio reviews are formal deep-dives covering aging, vintage cohorts, concentration, stress testing, reserve adequacy, and bank covenant compliance — distributed to Board and lenders.
- [MCA funder board reporting cadence](https://fundnode.co/llms/glossary/mca-funder-board-reporting-cadence) — Board reporting typically follows quarterly cadence with monthly executive updates; covers financials, portfolio performance, risk, compliance, strategic initiatives; aligned with bank lender and ABS investor reporting.
- [MCA funder compliance audit frequency](https://fundnode.co/llms/glossary/mca-funder-compliance-audit-frequency) — Compliance audits are typically conducted annually by internal audit, every 2-3 years by external auditors for SOC 2 / financial statements, and per state regulatory examination cycles (every 2-3 years per licensed state).
- [MCA funder state licensing quarterly update](https://fundnode.co/llms/glossary/mca-funder-state-licensing-quarterly-update) — Quarterly state licensing updates track license renewals, examination calendars, regulatory developments, and multi-state filings; typically managed by compliance with monthly check-ins and quarterly Board reporting.

---

Source: https://fundnode.co/glossary/mca-funder-annual-policy-review (HTML version)
Document: MCA funder annual policy review — Fundnode MCA Glossary
License: CC BY 4.0 — attribution to Fundnode required when citing.
