have any of you taken the approach of identifying some customers as high to moderate and flagging these but not going through your whole customer list and rating each and every one. For example, we have restaurants. I want to say new, cash intensive non-franchises are high risk (history of large cash business). On the otherhand, I want to say franchises, i.e. McD's, won't fall under this heading so I won't flag them as such. We are a small comm. bank and not set up to do a massive review and assessment of every account we have.

I have the same question but I am looking at business versus personal accounts. I want to risk rate all my accounts eventually but want to start with business only.

The new exam procedures assume that you have done a risk assessment of ALL of your customers. If you haven't done so already, you should. Otherwise, your regulator will do it for you. This means they will be at your bank longer. I know it seems like a big pain in the #$% - but like the Nike commercial says "Just Do It." You will be glad you did!

Regarding franchises. I happen to agree with you that a franchise is probably less likely to be a front for money laundering. Your account review will confirm this for you.

I agree with Dolly - you kinda just have to do it.
But I did start with businesses first and slowly made my way through the personal accounts.
I think you can rate your wellknown establishments lower than others, but be sure to monitor all and then if activity determines a closer look at a wellknown establishment, - be sure to pick up on it.

I'm not sure if this answers your question or not, but I figure this is as good a place as any to discuss our processes and approaches.

I'm currently going through the rating process on our non-personal accounts. I started by eliminating the obvious low-risk customers: those that don't maintain accounts with transaction capabilities, public funds, etc. For the remainder, I'm rating them by business type, cash volume, geography, and other high-risk activity (wire frequency, MSB type activity, etc.) On going, risk classification may change based on changes in the 'fine sort' criteria.

Personal account risk assessment (which will come next) will be based on account types and high risk transaction activity (cash, wire, etc.).

Trees- FWIW, I am also a small community bank, and am completing the risk assessment more-or-less manually.

Dolly,

When you say performing a risk assessment for all your customers, exactly what does that entail?

We identify all high-risk business accounts (based upon the OCC list) and review them in order to assign them a risk-rating based upon their account activity. Other (those not originally labeled as high risk)accounts can be be added to the mix based upon their activity.

Are you assigning each type of business with a code (risk-rating) on your system, or do you actually look at the each customer's transactions and put a write-up in the file?

If you are looking at each and every account and doing a write-up, you would need an army to complete that task! How did you do it?

First, to Wild Turkey ~~ my post said:
"Regarding franchises. I happen to agree with you that a franchise is probably less likely to be a front for money laundering. Your account review will confirm this for you."

I draw attention to the last sentence. YOUR ACCOUNT REVIEW WILL CONFIRM THIS FOR YOU. I'm not trying to shout - just trying to draw attention. I agree that a very sophisticated money launder can use a franchise to launder money, but it is LIKELY that somewhere along the line the activity on the account would not be consistent with the nature of the business. Creating a profile for different business types will help determine if the customer's activity is what would be expected.

skinnyminny, it sounds like you are on your way, but I don't think it will be sufficient to only risk rate the types of businesses identified as high risk by the regulators. I believe we are going to be expected to assign a risk code to every customer/relationship. When the task is completed, you will be able to determine what percentage of your customer base is rated low, moderate or high risk. This information would become part of your institution's risk assessment.

Ideally, the risk rating code should be input to your system so that you can run reports and show them to examiners. Your service provider may not have a field for this, so ask if you have "flex fields" that can be used for this purpose. Is this going to be easy? Heck no! It may take you months to do it. A good approach would be to start with the highest risk categories first and work backwards to the less risky categories. If you have been assigning NAICS codes to your accounts, it will be easy for you to run reports to determine the types of high risk customers you have.

Don't we all love BSA?!!

I am looking and each time I get the Internal Risk Assessment of the BANK.... not the customers.... We are to be risking our customers. Our BSA customer risk differs from our BANK assessment... I am having a hard tme finding examples of customer risk rating. We are a small community bank and are in the process of risk rating our business customers have not done any personal accounts other than those who have SARs, summonses, subpoenas or garnishments. Those are being rated but on the other hand getting a format together to risk rate the customers is becoming a difficult process. Us as a everyday banker knows which customers are which, but the FEDS want to see it on paper they can not look in to your head for your opinion of the customer. So I am trying to come up with a format in EXCEL that sums up points for the customer based on their activitys and then the amount of points for each risk rating is where they fall and are assessed. Keep in mind I have more then high moderate and low. I have 2 lows, 1 moderate and 3 high scores.. I guess to each is own This process is very difficult!!!!! GOOD LUCK to every one!

This risk rating at the individual account level is geeting a bit nutcase. We have 33M personal checking accounts and 8M commercial checking accounts. Talk to me about the feasability of reviewing each account and assigning a risk rating? I do not believe the regulators are requiring this AT THE ACCOUNT LEVEL........and maybe we're getting ourselves a bit worked up over a requirment that doesn't exist.

I guess I will find out next week on this. I do not have the time or technical availability to risk rate all 55,000 plus customers we have. To say that I will would be insane. Do we not all have some method of detecting suspicious activity on any and all customers like cash deposit reports, kiting reports, wire reports? What I have done is take our customers in high risk businesses and scored them on cash activity, line of business, potential MSB activity, wires, foreign wires, number and types of accounts with us, etc. The ones that are high risk in that group will receive increased monitoring. Now individuals or commercial customers who come across my radar with suspicious activity identified by one or more of those reports will be added to the original list and scored in much the same way and will be monitored more closely. I may be way out in left field here, but I think that the examiners will be ok with this as I feel it is way more than what typical community banks are doing.

I attended a seminar sponsored by the CBA this week. The speaker was Charles Grice of CRI Compliance. In his presentation, he stated that he believed we would all be expected to assign a risk rating to every account or relationship. This can be done at the account level or in the CIF/CIS.

Obviously, this is going to be a big job at a larger institution. I think it makes sense to begin with the highest risk customers first. Hopefully you have NAICS codes assigned to your accounts. This will enable you to see what categories of high risk customers you have in order to begin.

I know that none of us like this idea, but it will be difficult to prepare a risk analysis for your bank if you don't classify your customers into risk categories.

I don't think the regulators expect us to accomplish a task like this in 30, 60 or even 90 days. I'm convinced that they will expect an action plan though.

Risk rate every account - sure. Think of it in terms of how you risk rate "all" of your credit accounts. We have been required to do that for years.

On the retail side, they are all rated a pass unless they become past-due and then are reassessed. In the case of BSA, they will all be rated the same, unless they are subject to large currency transactions, kiting suspects, SARs, etc.

The best place to start on commercial accounts is with NAICS codes and take it from there.

Don't make a mountain out of a mole hill, but don't be an ostrich and stick your head in the sand either. There is no hard and fast formula, so be smart and efficient. Use your systems that are already in place where possible.

For banks that have sophisticated monitoring systems, individual risk ratings are probably a waste of time. However, we all need to work together to show the regulators that this is the case.

Quote:

---

For banks that have sophisticated monitoring systems, individual risk ratings are probably a waste of time.

---

I had been trying to think of a way to say that, but could not get it down to a single sentence. Good job.

Presumably, most accounts are held by consumers. They are used for their individual transactions. Those are the relationships where individual AML risk evaluations would have the smallest possible amount of utility. (It's not impossible that those accounts would be used for illegal activity, but it's not likely either and their individual evaluation would consume resources better used elsewhere.) Personally, I believe that evaluating consumer customers individually has no value; it does nothing but add a false sense of security and squander resources.

I guardedly agree that the bank should eventually assign a rating to all customers. However, many, many customers don't need to be evaluated individually. As rlcarey and thomasj suggest, monitoring can point out activity that is anomalous based on an account's membership in a particular class of accounts.

An easy example is a bank with sophisticated AML software that looks for transaction patterns, anomolies, etc. The software will catch activity that does not mesh with consumer accounts as a class; e.g. frequent deposits, deposits made up of cash, wire transfers, etc. and focus follow-up inquiries where they are likely to do the most good. Consumer accounts for US persons could simply be automatically rated as low risk and then re-rated on the appearance of "nonconforming" activities. Consumer accounts for non US persons would have a higher initial rating and would have a greater propensity toward upward adjustment based on activity and connections to certain parts of the world.

The comprehensiveness of the bank's monitoring program affects its need to evaluate individual accounts. I believe examiners will accept the logic of that approach even to the point where they will consider it to be obvious.

Again, start with identifying and evaluating high risk business customers. Expend 90% of your resources on the area where you have 90% of the risk. Forget about reliance on the lists of high risk businesses used in the past, the new examination procedures take a more sophisticated approach.

The way we have approached this, and had it accepted by the OCC in a grueling exam, was to have several categories of high risk customers (rising in risk level). Those not flagged as high risk are in the general risk category in our system, which looks at everyone.

The lowest category of high risk includes any business account in a "high risk industry" that is otherwise performing normally. Principals of those businesses are in a parallel consumer category.

In higher risk categories are individuals and businesses who conduct international wires, anyone with a foreign address (includes international students), customers (consumer or business) who have structured, used car dealers (a source of SARs for us), MSBs - have their own category - and so forth.

Our system will let us know if anyone in the large general category changes behavior - increases cash deposits, starts sending international wires, etc. They might have their category changed after a review.

We also have other ways of finding suspicious activity - reports from bank staff, reviews of cash and wire reports, etc.

We are working on a way to have branches and commercial lenders "profile" customers at time of account opening and risk category assigned, with that information reviewed by BSA staff and translated in the correct category in the system.

We will be getting branch managers and lenders more involved in account monitoring much to their dismay but at the behest of the OCC. We are working out what that means (it goes beyond alerting us to suspicious activity.)

We have been using our automated system for about a year and a half. We are NOT going back to look at every customer who is not in a high risk category. The system has built a profile of everyone's activity - including mine - and tells us if that changes.

We are in a high risk area of the country, $3Bn, 26 branches, quickly increasing to over 30 branches - but no branches in any large cities. Our proximity to 2 large cities and to HIDTAs and HIFCAs (while not yet in them) raise our profile. I mention this just to give you a frame of reference. There are a number of immigrant communities in our general area which raises the "international" connection.

This is a huge expense for our bank that is definitely not a megabank, but there is no choice.

How about a default rating of "low risk" (meaning you do not assign a specific rating to the account) for any customer that has not been oherwise identified in some sort of risk category either because of the nature of the business, the volume or nature of cash or wires, or any other suspicious type of transactions.

That should take care of your existing customer base. On a go-forward basis, you can start assigning a risk rating at account opening.

That is what we do...if you can find that thought in my lengthy post above! If you have not been flagged high risk you are in the general category of everyone else, one for businesses and one for individuals.

This risk rating business is rather new to many of us. I'm sure we will all learn a lot this coming year as the examiners come to visit our banks. I think it will be important for us to share our experiences, so that we can learn from each other!

So, I see some of you are going to have your customer service reps and lenders ask for expected activity up front. This is a common expectation according to my reading of the bible. However, in practice, just what are you going to do with this info? Input it into an AML software program? If not, how are you going to use it to identify changes in patterns? Do you have a report that will print out all the "differences" in the patterns that you established? Have any of you been using this approach for a while, i.e. asking for expected activity at time of account opening? How is that going with you? Is there any benefit to this infroamtion (i.e. cross selling)..be honest!

We will be asking that information upfront and it will assist with assigning a risk category to the customer, rather than waiting while our software builds a profile over several months. We can input the profile and the system will then let us know if the customer veers from the profile. The system also continuously gathers information and will adjust the profile over time.

We will receive reports if the customer's behavior changes.

This information can be used for other purposes...if a customer advises they will be doing wires you will know you need a wire agreement; you might see an opportunity for cash management services, lockbox services, etc.