I don't know that I have really seen anything specific on this from the regulators except from the examination manual where it says that the risk assessment should include products, services, customers, entities and geographic locations. The Risk Assessment sections of the manual all seem to look to the evaluating the risk of the customer/entity as opposed to the account.
Last edited by FlamingoGal; 10/24/06 01:38 PM.
Seems to me that the best way to accomplish a truly meaningful and thorough risk assessment is to first look to the risk level of the customer, then you would evaluate the types of accounts, transactions, etc. of that particular customer. Once you have historical data on the high risk customer, for example, you could potentially consider particular accounts of that customer to be lower risk. But, I'd be careful there since you really want to be looking at the customers entire relationship and transactions between its various accounts when the customer is high risk.
To me, once an account shows high risk activity, it's the customer and not just the account that becomes high risk since that is who conducts the activity itself.
The opinions expressed are mine and do not necessarily reflect those of my employer