Skip to content
BOL Conferences
Thread Options
#815435 - 09/14/07 03:48 PM CIP Risk Assessment?
Cmone Offline
Member
Joined: Aug 2004
Posts: 67
Deep South
In a recent internal audit report, the following was stated: "There should be risk assessments for CIP and OFAC. Although these risk assessments may be included in the overall BSA risk assessment, there should be separate risk assessments for CIP and OFAC since these type of risks differ from each other"
Ok, I took the OFAC matrix and put it in a separate box to show it as a separate risk assessment (we had it incoporated in the total risk assessment) but I am confused on how to do that with CIP. In our risk assessment, we determined and documented our customer base and we have a matrix that lists all the types of entities and their corresponding risk. This matrix is referenced for use in our CIP procedures.
How do you do a separate risk assessment for CIP? Am I missing something here?
_________________________
"I can't think about that right now. If I do, I'll go crazy. I'll think about that tomorrow."

Return to Top
BSA/AML/CIP/OFAC Forum
#815508 - 09/14/07 04:44 PM Re: CIP Risk Assessment? Cmone
Elwood P. Dowd Offline
10K Club
Elwood P. Dowd
Joined: Aug 2001
Posts: 21,939
Next to Harvey
Quote:
(2) Identity verification procedures. The CIP must include risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable. The procedures must enable the bank to form a reasonable belief that it knows the true identity of each customer. These procedures must be based on the bank’s assessment of the relevant risks, including those presented by the various types of accounts maintained by the bank, the various methods of opening accounts provided by the bank, the various types of identifying information available, and the bank’s size, location, and customer base. At a minimum, these procedures must contain the elements described in this paragraph (b)(2).


The specific suggestion for bank or enterprise wide and OFAC risk assessments is the product of the BSA/AML examination handbook. The prefatory CIP risk assessment was actually required by regulation above. Note that it does not suggest a repetitive exercise, but repetition would be prudent.

There is no reason why you cannot conduct a single risk assessment that incorporates each element of risk; common sense would suggest it is the preferred approach. More to the point, there is a dramatic amount of overlap between appendices J and M describing the relevant matrices; some of the questions are repetitive. Just make certain you mention the relevant considerations for CIP and OFAC in the appropriate sections of your combined product.

I cannot reconcile your auditor's criticism with your description of your risk assessment; i.e. I think what you did is fine and there is absolutely no need for a separate document.
_________________________
In this world you must be oh so smart or oh so pleasant. Well, for years I was smart. I recommend pleasant.

Return to Top
#815553 - 09/14/07 05:11 PM Re: CIP Risk Assessment? Elwood P. Dowd
Cmone Offline
Member
Joined: Aug 2004
Posts: 67
Deep South
Ken, thank you for your response.
"These procedures must be based on the bank's assessment of the relevant risks, including those presented by the various types of accounts maintained by the bank, the various methods of opening accounts provided by the bank, the various types of identifying information available, and the bank's size, location, and customer base."

All of the above are incorporated in our CIP procedures and in our overall risk assessment. I, too, do not see the need to have it separate.
_________________________
"I can't think about that right now. If I do, I'll go crazy. I'll think about that tomorrow."

Return to Top

Moderator:  Andy_Z