We currently have a High Risk List that was deemed too cumbersome; in summary, we kept adding to it and never taking anything off. I had to detail audit the list and am writing procedures for removal and review processes for all the different segments. Any thoughts on how to deal with customers that we have received some sort of subpoena on? They have done nothing suspicious within our bank. A year and removal? Or, because of the not-knowing nature of the subpoenas, leave them on indefinitely? Would love to hear some feedback or thoughts.
How do you risk rate customers that have received subpoenas within yours? Do you?
Your institution's policy and procedure should define the customers you consider high risk in all circumstances, the customer types you consider potentially high risk, and the triggers which would initiate a customer risk assessment. Any heightened risk customer should undergo a review process at some point, where they are analyzed and a decision is made based upon a combination of a well-developed methodology and some common sense analysis.
In my experience, some Banks consider customers identified in a GJS as automatically high risk, but more handle it like devsfan indicated. That determination should be made upon your interpretation of their risk level and the appetite your institution has for that risk.
Whatever you decide, I'd caution against setting an "expiration date" for their risk level AND setting them high risk for eternity (if that's what you were suggesting). What should happen are periodic reviews of the customer where your staff will re-assess their risk level. And all decisions to remove a customer from the high risk list should be based upon such reviews and approved by the BSA Officer or other designated BSA/AML managers (under dual control).