What is Risk Identification?
Under many regulations, institutions are charged with determining risk and designing a compliance program to respond to that risk. The Customer Identification Program is one more exercise in this risk assessment. Now that CIP has been in place for a few weeks, it is a good time to take another look at your risk assessment.
In the context of anticipating and planning to survive compliance examinations, we often measure risk by the chances of getting caught. This is a very real risk with very real consequences. However, this approach focuses on the symptoms rather than the cause.
The cause of problems and violations that will get cited is what you should be looking at in your CIP risk assessment. There are two basic causes of risk. The first is your employees and systems. How well they work, and what their shortcomings are, are key elements in whether things go wrong or right. That's why compliance programs give so much attention to training, systems and transaction testing, and more training.
There is always the risk that someone will hire the bad egg. There is always a risk that someone will have a bad day. And there is always the risk that some fluke in the system will cause a problem to go unchecked.
When it comes to looking at the full scope of risk, looking inward at the institution and nowhere else has its own risk. After all, when it comes to a terrorist or a drug dealer laundering money, it isn't your employee that you should be worried about - not very often, anyway. What you need to worry about is that someone with criminal intentions will come to your institution and attempt to use the institution for illegal purposes. Your real risk is therefore measured by how often you expect this could happen and how effective your people and systems will be at catching it. The higher the risk, the tighter your systems and training should be.
To identify this type of risk you need to look outside - to your market. Who are or could be your customers? Under what circumstances will they come into your institution? What types of products are they likely to want? Here are some things to consider.
- What does my market look like? Do I have high or low mobility? High mobility can help to conceal or shelter terrorists. Low mobility means you are more likely to really know your customers and what they are up to.
- Who are the primary employers in my market? Does the employment base support stability or mobility of customers? For example, a university provides apparent reasons for mobility and may camouflage those whose reason for being here is terrorism.
- Who is in my market? Do I have a homogeneous community or a great deal of diversity? Diversity helps people from other countries - some of whom may wish us ill - to blend in. If diversity is high, how will we distinguish the good customers from the ones we should report?
- What products do we offer? Are we offering products that are of interest to money launderers? An active wire service and low-cost checking could be attractive to terrorists who want flexibility without giving away any of their funds.
- How do we deliver products and services? Can customers be anonymous in accessing their funds or must they deal with staff? Can a customer use ATMs for all transactions after opening an account? How accessible is our ATM system?
- What is our competition doing? Are we working harder to compete with other institutions than to identify and provide services to our customers?
- Have we filed to share information under Section 314(b) or are we working in isolation without the information of other institutions?
Copyright © 2003 Compliance Action. Originally appeared in Compliance Action, Vol. 8, No. 12, 11/03
First published on 11/01/2003