Risk Rating of Customers

I am a BSA Administrator and am discussing with the rest of the Compliance staff if we should risk rate each individual account or by customer. Is there are specific recommendation out there to do one or the other?

I don't know that I have really seen anything specific on this from the regulators except from the examination manual where it says that the risk assessment should include products, services, customers, entities and geographic locations. The Risk Assessment sections of the manual all seem to look to the evaluating the risk of the customer/entity as opposed to the account.

Seems to me that the best way to accomplish a truly meaningful and thorough risk assessment is to first look to the risk level of the customer, then you would evaluate the types of accounts, transactions, etc. of that particular customer. Once you have historical data on the high risk customer, for example, you could potentially consider particular accounts of that customer to be lower risk. But, I'd be careful there since you really want to be looking at the customers entire relationship and transactions between its various accounts when the customer is high risk.

To me, once an account shows high risk activity, it's the customer and not just the account that becomes high risk since that is who conducts the activity itself.

Due to our processor, we were only capable of risk rating accounts. From that, however, we elevated it to customer level to include the entire relationship and products we provide. The entire relationship is taken into account for annual reviews, and activity from all products is reviewed.

I agree with flamingogal, it's the customer and not just the account.

Our regulator is the OTS and they have said it's the customer not the account.

We exempt the customer. The types of accounts/services they have with the bank are factors in the risk rating process.

You should determine the risk of the *customer* based upon several factors. One of those factors includes the types of accounts he/she/it holds at your bank.

Are you truly risk rating EVERY customer? Or just customers you have flagged as a risk (i.e. gas station, consumer with many int'l wires, etc.)?

All new customers as of a certain date and existing customers that were selected through a risk-based process.

Does anyone have a questionnaire or information they use to risk-rate new customers? I'm just starting to put together our risk assessment and would like to include that for all of our bankers. Thanks!

There are several risk-rating checklists and forms on the Bankers Tools website under the AML/BSA section.

we do customers...we did all our existing and do all new going forward based on the accounts and services requested at the start of the new relationship. when i do a high risk review, i pull all the customer's deposit and loan accounts and look at the activity as a whole, not each accoutn separately.

i've shared my forms with a handful of the BOLers already, but if anyone else wants them, pm me your address. plus, my forms and processes are ok with the occ.