Answer:
Documenting a good-faith risk assessment is your first step. Without it, you are defenseless against criticisms regarding the adequacy of your reviews.
From what I have seen so far, examiners absolutely do take into account the institution's size and EDP capabilities in evaluating the frequency and depth of account monitoring. I don't have any specific information regarding your institution, its clientele or its location, so I can't make any responsible comment about what might be adequate.
"Bare bones" would look like:
- you have or can produce on demand a list of high risk customers.
- you have a transaction profile for each high risk customer.
- you update your profiles annually based on a review of 30-60 days of activity.
- you monitor activity daily and can demonstrate that unusual transactions are noticed. What's "usual" for high risk customers falls within a band established in their profile. What's unusual for other customers is less clearly defined, but it still gets noticed.
First published on BankersOnline.com 6/06/05