CIP RISK RATING

We are a very small FI and don't "risk rate" our customers in writing. We do have a few accounts that we monitor and consider high risk. So, with that being said, they are requiring us to implement an official risk rating program. How do those of you that are small community banks do that? Do you risk rate existing customers that come in an open new accounts? Any advice would be appreciated.

Any new account (existing and new customers) opened at the bank we ask a series of questions to develop a risk profile and then they are monitored according to the rating that they fall under: low is monitored in normal course of business, medium is reviewed semiannually, high is reviewed quarterly. Process was the same at last bank I was at also.

We are a small institution and we also ask a series of questions at relationship/account inception. For business accounts we go a step further to complete a risk rating form in addition to the questions asked. The risk form is additional information such as geographic location, POATM, Third Party Services, Wires, etc. Then we may actually visit the location or complete a Google earth inquiry. Our examiners requested we review high risk monthly as well as a follow up review for all new businesses opened for 90 days. We also review moderate risk quarterly and low risk annually.

A risk-rating process may be related to CIP in that it often takes place at the same time, but it is a separate function. CIP obtains and verified identity information. The risk-rating involves evaluating the money-laundering and terrorist financing risk that the customer presents. Both requirements originate in the BSA and FinCEN regulations, but they are two distinct requirements.

That was a lot of help. Thank you!

Your risk assessment should help you determine how much risk your bank has overall. From there develop a plan on how you want to risk rate your customers. I prefer to not individually risk rate consumers - when I was at an FDIC bank my policy stated that all consumer accounts used for household purposes are automatically rated low. Low risk accounts reviewed with regular monitoring of cash & wire activity along with kiting report reviews, etc. (note this was a bank with manual BSA process - just like my current OCC bank - however the OCC makes us risk rate consumer accounts which is a whole separate topic and pet peeve of mine).

For business/commercial accounts, we have a risk rating form that has many questions about the type of business, types of products or services they offer, types of wire activity, what kinds of deposits will be coming in, paypal, square, merchant, etc., so that we know what to expect. Enhanced due diligence is done on anyone that comes out high risk from that sheet or is automatically higher risk because they're an MSB, own an ATM, etc.

Really, you're program for risk rating (customer due diligence) should be based on the exam manual - look at page 56:



I sent you a PM on your other post - I'd be happy to talk to you about this too.

Currently we ask a series of questions of our business clients to determine risk. If they answer yes to some-additional questions and possible approval prior to opening. The answers & method of opening determine their risk rate. It has been recommended by auditors and examiners that we use a scoring system that more clear cut-basically assigns a score. Our overall risk is low, we are a small institution, BSA is monitored manually and the majority of our customers also have loans so I have been hesitant to do go further.

Note the transition in acronyms; i.e. from CIP to CDD. You cannot do a risk assessment based on CIP information. You need more; i.e. you need to know what the activity in the customer's account is going to look like.

The new due diligence regulation requires all banks to develop projections for all new customers, not just legal entities. You will garner a generic description for U.S. consumer customers, a more specific description for non U.S. consumer customers. For non consumer customers you will get increasingly detailed profiles based on the nature of the customer's business.