I was having a philosophical discussion with a colleague today.

When conducting your BSA/AML risk assessment, what would be your thresholds for "few", "moderate", and "high" when considering the number of customers with high risk business types, or who may be inherently high risk (MSBs, PEPs, third party payment processors, etc.).

Would you consider a percentage? Say, for example, if more than 10% of the customer base can be categorized as being in a higher risk industry, would that meet the "high" threshold? Would 5%?

Obviously there would be no one-size fits all answer, and much would depend on the size of the FI, resources available for monitoring, etc., but just curious about what some general responses might be.

Also, I should point out this would be a separate analysis from the # of customers ACTUALLY considered to be high risk based on activity.

Thanks!

We break it out by branch, so a branch with a concentration of high risk accounts may be considered HR. We don't use a percentage. We state the risks, which would include the number of high risk accounts, then state the mitigating factors and then determine the overall risk for the branch.

You can't do the quantitative analysis you're describing without any comparison data. Maybe you'd be lucky enough to get OCC MLR metadata with an OCC FOIA request. Otherwise, it may be useful research for the private sector.

While I applaud your efforts, it won't add much to the end game of assessing your risk and installing the right controls.