We are in the process of trying to risk rate our accounts for CIP/AML. I am curious how others have done this or are doing this. We are leaning towards using the CIF (jack henry useres) vs the account level. Something simple say numeric 1 through 5 (or what JH allows us to do, that we have to find out yet), defining each high, medium, low and other, then incorporate this into our policy. I guess we will try to isolate accounts opened after 10/1/2003, and code them for now. Does this sound reasonable or adequate as compared to what others may be doing? Thanks

I must have missed something here, are you talking about risk weighting deposit accounts? I know of no regulation that required that action - could you point me to a specific regulation and section covering this issue - we just went through a CIP/AML exam (FDIC) and they didn't mention this issue, at all.

I do know that loan are risk rated, but that's due to overall credit risk, not privacy or any other issue.

It’s not a regulation, but I worked at an FDIC regulated bank awhile back and they all but demanded we do it. It’s not a bad idea. It gives you an idea about which accounts to monitor more closely and the regulators seem to like it.
I thought the system, which they recommended, was stupid so I wont bother you with it.
It comes down to know your customer. If you have a good understanding of their business and are comfortable with the transactions, it would be low risk. We actually pulled three months worth of statement & checked activity. Obviously you have to come up with a systematic way of judging that.

For CIP, the amount of id verification required is to be "risk based". Risk can be because of a product type (international, Private Banking, etc.), method of account opening: in person, internet, etc., and type of primary id presented. The lower the risk the less additional verification you need. Regulators like to see your method layed out in a chart.

For BSA/AML, it is similar. Type of customer, type of product, amount of funds, type of transactions all affect risk. You should group customers together into classes of risk and establish monitoring levels/what you w8ill be monitoring/how you will be monitoring/frequency of monitoring for those classes.

We risk-rate accounts because the FED demanded that we do so. We use the BSA guidelines - Anything that flies, floats or has wheels (i.e., airplane, boat or auto dealers), check cashers, real estate brokers, investment brokers, CPAs, lawyers, doctors, dentists, etc. We use the NAICS codes and pull a report daily on the activity in these accounts. We investigate any unusual activity.
BC

If you are an OCC bank, most of the requirements to establish risk ratings on deposit accounts for suspicious activity monitoring originated with Advisory Letter 2000-3

When you thnk about it, tiering accounts by risk for any purpose is more efficient. It makes it easy to decide what gets the most attention, etc. Otherwise, you would be grappling with a giant list of accounts trying to review them all! An impossible task.

If you are an OCC bank, most of the requirements to establish risk ratings on deposit accounts for suspicious activity monitoring originated with Advisory Letter 2000-3

---

Actually, that advisory does not say that you need to 'establish risk ratings on deposit accounts' is states that you need to 'target high risk accounts and services.' Therefore, if a bank does not provide services in the high risk categories, such as those mentioned (money services businesses, offshore private investment companies, non-discretionary private banking and international correspondent banking customers) strict account opening policies, effective tracking for CTR reporting, etc. should be sufficient in this area. Of course, each institution determines how far they need to go in this area, based on a risk assessment.

Here is a link to the OCC Compliance Handbook, which is referenced in the AL mentioned above.

OCC BSA Handbook

You should find that you are expected to have control procedures established to not only monitor accounts opened under services which are considered high risk in nature, (as mentioned in the AL) but also for accounts opened under traditional services that for various other reasons pose a greater level of risk.

How you identify, evaluate, flag and routinely monitor these accounts is up to each bank. But, control procedures to ensure it is done are expected.

Thanks for the response - perhaps I'm missing something in that I'm not looking for an additional reference as my statement appears to already include the elements - is that not correct?

Once again, the whole issue depends on your risk profile with coding of all deposit account not normally required - only tracking of high-risk accounts is required.

I do agree Paragon that coding of the accounts is not required. But I am finding that many banks are employing such a procedure to flag accounts they have classified as high risk at the CIF level for ease in monitoring. Whether it is a report internally generated specifically for periodically monitoring transactions or for reference when such an account does show up on the large transaction report, wire activity reports, etc.. It seems to be the most effective way to communicate that the level of risk has previously been evaluated and of keeping these accounts within the banks scope of review.

I was also pointing out that there are factors other than whether or not the bank provides any of the services mentioned in the AL that could result in the bank having an account that requires routine monitoring. The list of business considered high risk in nature is fairly extensive and far reaching. The list is specified in the OCC handbook that is referenced in the AL.

I do agree that routine procedures such as CTR monitoring and suspect kite review should be a part of your AML program. And that employees should be aware that they are not only looking for reportable activity but for unusual activity as well - on any and all accounts. But, having a code at the CIF or account level provides an indication to any employee performing routine review of these reports that the account calls for closer scrutiny as it has been deemed to potentially pose a greater threat for money laundering.

The coding of accounts is a way to streamline the process and allow the bank to pull reports, etc. rather than a manual paper-driven process.

If you have NAICS codes in your system for deposit accounts you can use that, but those won't work for individuals and you can have high risk individuals.

I'm just not wanting the risk coding of deposit accounts to to given myth status not unlike a lot of other tasks in banking. It's not required by regulation and in many cases not necessary as a lot of relatively small institutions know their customers and have effective CTR elements and other logs in place. Of course, the bigger you get the more likely you may need deposit account risk coding.

Agreed!