Thread Options
#2266102 - 02/09/22 11:30 PM BSA Account Review
Paul Offline
Junior Member
Joined: Jan 2019
Posts: 34
Like most banks, we divide our accounts BSA Risk into Low, Moderate and High. Our High Risk Accounts are reviewed annually and Moderate Risk every 2 years. Our Low Risk Accounts can go 3-4 years without a full review (except for automated alerts).

My question is for those accounts that are not on an annual review schedule, how far back do you go in your review. Currently we go back to the prior review (2-4 years); however, a new analyst recently joined and indicted that in his prior bank they only went back 6 months and their regulator did not object. Not having to go back 4 years on some customers, would greatly improve our efficiency, but I am not sure how the regulators would look on this practice. We are an OCC bank.

I would appreciate any input in how far back you go for accounts on non-annual reviews,

Thank you all in advance,


Return to Top
#2266108 - 02/10/22 12:10 PM Re: BSA Account Review Paul
rlcarey Online
10K Club
Joined: Jul 2001
Posts: 78,967
Galveston, TX
Unless your automated system is so weak that you would not know that an account has transitioned between a low-risk rating to a high-risk rating without performing some manual periodic review every 3-4 years, I have no idea why you would even contemplate doing a specific review. You must be a very small bank, as if you were BofA, can you imagine the manpower necessary to manually review the millions of the low-risk customers they have? You are basically wasting your time and that time should be spend on fixing your risk rating system.
The opinions expressed here should not be construed to be those of my employer:

Return to Top
#2266116 - 02/10/22 02:00 PM Re: BSA Account Review Paul
ACBbank Offline
Power Poster
Joined: Jul 2006
Posts: 4,159
New York City
I am not sure that I understand the ask, but I will say just because a regulator is okay with a process at Bank A does not ensure they will be okay with the same process at Bank B. There are many different variables which could lead to vastly different regulatory opinions.
"100 victories in 100 battles isnt the most skillful. Subduing the other's military w/o battle is the most skillful." Sun-Tzu

Return to Top
#2266117 - 02/10/22 02:13 PM Re: BSA Account Review Paul
edAudit Offline
Power Poster
Joined: Jul 2008
Posts: 4,766
You are here
FWIW: A while back after reviewing a "Low Risk" client I found that in my opinion (and most if I could go into details) was rated as low as it was "only a holding company". That just happened to own an extremely high-risk company which it was comingling funds,
Opinions can be considered as coming from anywhere but my employer.


Return to Top
#2266123 - 02/10/22 03:23 PM Re: BSA Account Review Paul
BowlingQueen Offline
Power Poster
Joined: Mar 2007
Posts: 2,920
At my previous institution ($570M), all new customers were risk-rated at account opening. If the customer was deemed (and verified) to be low-risk, there was no further ongoing due diligence reviews, unless activity behavior warranted the risk-rating being elevated. We only performed ongoing due diligence for medium and high-risk customers on a staggered schedule to keep the reviews manageable. These include POATMs, MSBs/Check Cashers, Hemp, Phase II exempts, etc.

Our procedure was to do a 3-month look-back for most customers, unless the business is seasonal, which we would review the period with highest activity within the previous 12-months. I used to pull statements, deposit/check images, manually review the documents and complete a formal internal review form/memo to provide evidence of the reviews. As time wore on, that process became very cumbersome, primarily due to the fact that I was also regularly reviewing most of those same customers in the process of clearing alerts through our automated system.

While you should have some kind of evidence of your enhance due diligence reviews, make sure it is reasonable and manageable, especially if you have an automated system that can do most of that work for you. Also, ensure that your policy/procedures matches what you're actually doing.
Nothing changes, if nothing changes. (from a good friend of mine) smile

Return to Top
#2266128 - 02/10/22 04:08 PM Re: BSA Account Review Paul
ColoradoAML Offline
Gold Star
Joined: Mar 2018
Posts: 277
I can't imagine having the ability to conduct manual reviews on all low-risk customers. I agree with ed that there are plenty of cases when a low risk account is rated incorrectly, but BSA is risk-based and reviewing potentially hundreds of thousands or millions of accounts just to be sure everyone is risk rated correctly sounds impossible. Also to ed's point though, the fact that you reviewed that account at all suggests to me that something triggered the review despite the low-risk rating.

There must be ongoing due diligence, so there must be a mechanism to determine if a customer's risk has changed. That doesn't have to be an EDD review of every account.

All of that aside, I'm also interested in Paul's initial question about how other banks determine review periods.

Return to Top
#2266136 - 02/10/22 04:37 PM Re: BSA Account Review Paul
Paul Offline
Junior Member
Joined: Jan 2019
Posts: 34
Thank you all for your comments so far; I would be interested in more feedback from others.

I did not review low risk accounts early in my career (as a BSA Officer); I started when I heard of a multi-billion dollar bank (FDIC regulated) that received an exam comment for not reviewing their low risk accounts.

Luckily we are a small bank and we do not have many low risk accounts, so it is manageable. This being said, it does not make sense to me to report activity from 4 years ago that should have been identified by our automated system and is not reoccurring, that is why I asked the question.

Return to Top
#2266141 - 02/10/22 05:18 PM Re: BSA Account Review Paul
SmallBankBSA Offline
100 Club
Joined: May 2018
Posts: 147
I too thought of reviewing medium and low risk accounts at one time as well when I got to my new
institution and realized they had no review process for those...however as my boss who is the CEO told me, they (examiners, auditors) haven't asked for it, don't give yourself more work. If they ask for it then we'll do it.

I'm at a small institution as well but if I had to review low risk accounts that's all I would do, that is the majority of our customer base.

I agree with your thinking, your AML Software should have picked up any suspicious activity in the past four years. If you're going to review low risk maybe 6 months to a year? do your regulators ask for reviews of low risk accounts?

Return to Top
#2266213 - 02/11/22 06:05 PM Re: BSA Account Review Paul
JennKK2 Offline
Gold Star
Joined: Nov 2006
Posts: 250
we are a small institution >$500M, but have a total of four locations. I serve as the BSAO. i had presented the idea of creating a medium risk category, the answer was no, so we risk rate at account opening Low or High. We do not use a numeric system nor do we use an automated AML system. Low risk customers are not reviewed unless something brings attention to their account, a simple but basic trigger could be they suddenly are in OD status or they show up on the Kiting report or unexpected large cash or check deposit activity. i review those on the high risk category quarterly. given we have so few, i don't see the need to do it otherwise. we have implemented a process for adding and removing those identified as high risk. one area of weakness in this process is how to better train those at the other locations to review the initial risk rating, question it, and then communicate it back to the account opener and or the BSAO should the need arise.
plan your Work and Work your Plan

Return to Top

Moderator:  Andy_Z