Thread Options
#2116359 - 01/31/17 09:09 PM CIP RISK RATING
Skbanker Offline
Joined: Nov 2008
Posts: 56
We are a very small FI and don't "risk rate" our customers in writing. We do have a few accounts that we monitor and consider high risk. So, with that being said, they are requiring us to implement an official risk rating program. How do those of you that are small community banks do that? Do you risk rate existing customers that come in an open new accounts? Any advice would be appreciated.

Return to Top
#2116375 - 01/31/17 09:47 PM Re: CIP RISK RATING Skbanker
bcompliance Offline
Diamond Poster
Joined: Sep 2014
Posts: 1,233
Any new account (existing and new customers) opened at the bank we ask a series of questions to develop a risk profile and then they are monitored according to the rating that they fall under: low is monitored in normal course of business, medium is reviewed semiannually, high is reviewed quarterly. Process was the same at last bank I was at also.

Return to Top
#2116424 - 02/01/17 02:25 PM Re: CIP RISK RATING Skbanker
Tabbetha, CRCM Offline
Junior Member
Joined: Feb 2009
Posts: 44
We are a small institution and we also ask a series of questions at relationship/account inception. For business accounts we go a step further to complete a risk rating form in addition to the questions asked. The risk form is additional information such as geographic location, POATM, Third Party Services, Wires, etc. Then we may actually visit the location or complete a Google earth inquiry. Our examiners requested we review high risk monthly as well as a follow up review for all new businesses opened for 90 days. We also review moderate risk quarterly and low risk annually.

Return to Top
#2116432 - 02/01/17 03:09 PM Re: CIP RISK RATING Skbanker
John Burnett Offline
10K Club
John Burnett
Joined: Oct 2000
Posts: 39,544
Cape Cod
A risk-rating process may be related to CIP in that it often takes place at the same time, but it is a separate function. CIP obtains and verified identity information. The risk-rating involves evaluating the money-laundering and terrorist financing risk that the customer presents. Both requirements originate in the BSA and FinCEN regulations, but they are two distinct requirements.
John S. Burnett
Fighting for Compliance since 1976
Bankers' Threads User #8

Return to Top
#2116448 - 02/01/17 03:44 PM Re: CIP RISK RATING Skbanker
Skbanker Offline
Joined: Nov 2008
Posts: 56
That was a lot of help. Thank you!

Return to Top
#2116543 - 02/01/17 07:00 PM Re: CIP RISK RATING Skbanker
ItNeverEnds CRCM Offline
Platinum Poster
Joined: Oct 2006
Posts: 992
Looking for my sanity
Your risk assessment should help you determine how much risk your bank has overall. From there develop a plan on how you want to risk rate your customers. I prefer to not individually risk rate consumers - when I was at an FDIC bank my policy stated that all consumer accounts used for household purposes are automatically rated low. Low risk accounts reviewed with regular monitoring of cash & wire activity along with kiting report reviews, etc. (note this was a bank with manual BSA process - just like my current OCC bank - however the OCC makes us risk rate consumer accounts which is a whole separate topic and pet peeve of mine).

For business/commercial accounts, we have a risk rating form that has many questions about the type of business, types of products or services they offer, types of wire activity, what kinds of deposits will be coming in, paypal, square, merchant, etc., so that we know what to expect. Enhanced due diligence is done on anyone that comes out high risk from that sheet or is automatically higher risk because they're an MSB, own an ATM, etc.

Really, you're program for risk rating (customer due diligence) should be based on the exam manual - look at page 56:

The cornerstone of a strong BSA/AML compliance program is the adoption and implementation of comprehensive CDD policies, procedures, and processes for all customers, particularly those that present a higher risk for money laundering and terrorist financing. The objective of CDD should be to enable the bank to predict with relative certainty the types of transactions in which a customer is likely to engage. These processes assist the bank in determining when transactions are potentially suspicious. The concept of CDD begins with verifying the customer’s identity and assessing the risks associated with that customer. Processes should also include enhanced CDD for higher-risk customers and ongoing due diligence of the customer base.

Effective CDD policies, procedures, and processes provide the critical framework that enables the bank to comply with regulatory requirements and to report suspicious activity. An illustration of this concept is provided in Appendix K (“Customer Risk versus Due Diligence and Suspicious Activity Monitoring”).

I sent you a PM on your other post - I'd be happy to talk to you about this too.
"The reason I talk to myself is because I'm the only one whose answers I accept."
- George Carlin

Return to Top
#2116909 - 02/03/17 03:34 PM Re: CIP RISK RATING Skbanker
WIBanker91 Offline
100 Club
Joined: Nov 2011
Posts: 179
Currently we ask a series of questions of our business clients to determine risk. If they answer yes to some-additional questions and possible approval prior to opening. The answers & method of opening determine their risk rate. It has been recommended by auditors and examiners that we use a scoring system that more clear cut-basically assigns a score. Our overall risk is low, we are a small institution, BSA is monitored manually and the majority of our customers also have loans so I have been hesitant to do go further.

Return to Top
#2116921 - 02/03/17 04:21 PM Re: CIP RISK RATING WIBanker91
Elwood P. Dowd Offline
10K Club
Elwood P. Dowd
Joined: Aug 2001
Posts: 21,939
Next to Harvey
Note the transition in acronyms; i.e. from CIP to CDD. You cannot do a risk assessment based on CIP information. You need more; i.e. you need to know what the activity in the customer's account is going to look like.

The new due diligence regulation requires all banks to develop projections for all new customers, not just legal entities. You will garner a generic description for U.S. consumer customers, a more specific description for non U.S. consumer customers. For non consumer customers you will get increasingly detailed profiles based on the nature of the customer's business.
In this world you must be oh so smart or oh so pleasant. Well, for years I was smart. I recommend pleasant.

Return to Top

Moderator:  Andy_Z