We currently have a High Risk List that was deemed too cumbersome, in summary we kept adding to it and never taking off, I had to detail audit the list and am writing procedures for removal and review processes for all the different segments. Any thoughts on how to deal with customers that we have received some sort of subpoena on? They have done nothing suspicous within our bank. A year and removal? or because of the not knowing nature of the subpoenas, leave them on indefinetely? Would love to hear some feedback or thoughts.

How do you risk rate customers that have received subpoenas within yours? Do you?

I will assume that you are referring to a Grand Jury subpoena and not a civil subpoena. A Grand Jury subpoena would result in an account review to see if we might have missed anything suspicious. If nothing is found we document and also add an account tag (we use BAM) about the subpoena since that will give extra points in BAM's risk-rating. It it brings the risk to high we will briefly look at the activity along with all other high-risk accounts, but if not high-risk we would use the normal alerts, etc and nothing more than that.

-Thanks devfan, we are reevaluating the High Risk process and I think your point is hugely vaild. That we review accounts as subpoenas come in, and add points to their rating, that would determine if they are deemed high risk. Thanks.

New to post and always nice for others input

Your institution's policy and procedure should define the customers you consider high risk in all circumstances, the customer types you consider potentially high risk, and the triggers which would initiate a customer risk assessment. Any heightened risk customer should undergo a review process at some point, where they are analyzed and a decision is made based upon a combination of a well-developed methodology and some common sense analysis.

In my experience, some Banks consider customers identified in a GJS as automatically high risk, but more handle it like devsfan indicated. That determination should be made upon your interpretation of their risk level and the appetite your institution has for that risk.

Whatever you decide, I'd caution against setting an "expiration date" for their risk level AND setting them high risk for eternity (if that's what you were suggesting). What should happen are periodic reviews of the customer where your staff will re-assess their risk level. And all decisions to remove a customer from the high risk list should be based upon such reviews and approved by the BSA Officer or other designated BSA/AML managers (under dual control).