Risk Assessment for Red Flags involves both creativity and math!
Question: What should we do to comply with Red Flags risk assessment requirements?
Answer: There are two categories of risk that should be assessed: account risk and institution risk.
- Account risk assessment should include the same kinds of criteria that are considered for customer risk and products and services risks under the AML/Customer Identification Program (CIP). You do not need to consider location risk for Red Flags, like you do for AML.
- Institutional risk assessment is much less defined for Red Flags. In general you are to consider risks related to: account opening; account access; and prior experiences with identity theft. You already have institutional risk definitions provided for AML, however these to not map particularly well to the Red Flags requirements. We recommend using the same institutional risk assessment process for both requirements, but would add several categories for better definition. For example, you should consider categories like: opening screening; customer information management; account monitoring; etc.
One of the aspects of risk assessment that you should consider is scoring. Many banks opt for simple measures like Low, Medium and High. While this approach simplifies things, it does not permit consideration of combined scores. For instance, how should institutional risks and account risks be combined? Account risk and institutional risk are NOT independent of one another. Therefore it is important to consider that certain account risks may be amplified by certain institutional risks. In order to accurately assess actual risk, you will need a number score and a way to mathematically combine the effects of the scores on one another.
In addition to accuracy, number scores are much more flexible. If you learn that a certain aspect of your institutional risk has been significantly reduced by a new system, policy or process, you can easily adjust that score and recalculate the resulting combined risk for all accounts. Thus your overall risk management process can evolve as your risks change.
As you develop your risk assessment program, you should also consider how the resulting risk knowledge should be used. If you know that a particular account has a high level of risk, you should definitely have a way to ensure that this knowledge is used to produce extra scrutiny within your daily account transaction monitoring process. This is essentially the same concept that is used to comply with your requirements for AML Enhanced Due Diligence.
A good risk assessment program can be a great benefit to bank management. The knowledge you collect can be used to aid in product development, security investment, training and other important benefits to risk management in general.
BANKDetect has been a major provider of fraud prevention and risk compliance solutions to the financial industry since 1996. The company offers the widest selection of integrated solutions available for addressing BSA/AML, ID Theft Red Flags and traditional fraud requirements. The company offers integrated solutions for:: account opening identity screening, CIP compliance analysis, risk assessment, case management, account activity analysis (for fraud, Red Flags, and AML), OFAC/OSFI screening, electronic SAR/CTR reporting, address discrepancy management, and more. BANKDetect also offers consulting and risk analysis support to its clients. Contact BANKDetect at www.bankdetect.com | 410 867 8217.
First published on BankersOnline.com 8/04/08
First published on 08/04/2008