We are updating our CDD and EDD policy and we are stuck. We understand that there may be accounts that due activity they may be deemed high risk and require further monitoring. But then what? They may have a suspicious activity, we report it, and then put it back on the shelf? Is the CDD or EDD policy supposed to also have guidance on what actions to take if certain activities continue, etc. We are not sure on how to structure and update this policy and any help will be appreciated.

It's hard to answer your question without the actual policy in front of me, but I'll give it a shot anyhow.

If you determine a customer requires further monitoring, then you should implement processes to do so, and mention them in the policy.

In terms of suspicious activity, you should have processes to ensure compliance with the 90-day timeline.

Your policy absolutely should address continuing suspicious activity, and include parameters for actions such as providing the structuring notice and closing accounts. "Three strikes and your out" seems to be pretty common, but you'll want to word it in a way that allows for flexibility.

If you're stuck, just consult the exam manual, and make sure you're addressing the key risks that apply to your institution. Also, check out some of the Banker's Tools on this site.

See page 76 of the BSA/AML examination handbook. They expect more than voyeurism if the activity is generating a string of SARs.

I've heard senior representatives from four of the five federal functional regulatory agencies say that it is not the regulator's job to tell a bank to close an account. (Field examiners oftentimes do not display such restraint.) Your policy should establish a decision making process, not dictate the decision.

In addition to the excellent advice offered by hovis and Ken, I'd like to suggest that part of your difficulty may come from conflating 2 different parts of your AML program; namely due diligence and monitoring.

For simplicity's sake, think of CDD as baseline due diligence; every customer goes through this level of review. Based on particular customer attributes (like high risk geography, high risk business type, use of high risk products or services, for example) some customers are subject to an additional level of review, that is EDD or Enhanced Due Diligence.

Both EDD is driven by customer identity attributes, not transactional ones.

Transactional monitoring may give rise to other kinds of investigation and review, but these are based on what the customer does instead of who the customer is.

If you separate the two concepts, it might be easier to develop a policy on what to do with customers that seem to attract a high number of transactional investigations.

Just a thought.