
Here a Risk, There a Risk

Risk assessments are at the core of any effective BSA/AML Program and the corresponding examination. For an institution to have a sound program, management must perform a risk assessment of its customers or members as well as of its product and service offerings. While almost any type of account may pose a risk of money laundering or terrorist financing, certain customers or members, products and services pose specific risks. Certain activities and account types are identified in the FFIEC BSA Examination Manual (Exam Manual) as high risk. Regardless of whether an activity is identified there, you must consider the risk to your institution based on your size, complexity, location, and appetite for risk. In other words, there is no one size that fits all.

In assessing customer or member risk, an institution must exercise judgment and not define or treat all customers or members the same. For example, just because your potential customer or member is in the car dealer business, which is considered a high risk business, you still need to ask, “What risk does this auto dealer pose to my institution?” Thus, an institution’s Customer Identification Program (CIP) plays a vital role in management’s understanding of its overall customer or member risk.

How you determine the various risk factors for each of your customers or members depends upon the tone and culture of your BSA/AML Program. Management is expected to take certain factors into consideration when making the determination, including the types of customers or members that have historically been associated with money laundering or other illicit activities. However, management must make the final determination based on factors unique to the specific customer or member, such as actual transaction volumes.

Risk Rating is an integral component of knowing your customer or member. It assists a financial institution in detecting and reporting suspicious or unusual activity and transactions that could expose the institution to various risks, including financial loss, or operational or reputational risks. When rating risk, consider the institution’s appetite for risk, the internal controls and any mitigating factors. Let’s break it down piece by piece.

First, arm yourself with the tools you need. The Exam Manual issued by the FFIEC is by far the most critical resource for any BSA Officer. It provides a core overview of BSA/AML Risk Assessment and Customer Due Diligence requirements. Also, Appendix K, Customer Risk versus Due Diligence and Suspicious Activity Monitoring, presents risk rating in a visual context. (The Exam Manual is available from the FFIEC’s website.)

Next, be sure you have a solid understanding of your institution’s overall risk profile. Use your existing BSA/AML Risk Assessment and consider the risks identified with the particular product or service a customer or member is requesting. This means, yes, you must assess your entire suite of products and services. Look at everything, paying special attention to electronic services, payroll cards, private banking products, wire transfers, online banking, mobile banking, remote deposit capture, ACH initiations, credit cards, mortgage loans, consumer loans, indirect lending, letters of credit, trust services, and whether accounts are opened online or by mail. Once you understand the inherent risk associated with each product and service you offer, you can then begin your assessment and rate the risk of your customers or members and their accounts.

Finally, understand your customer or member’s activity and be able to differentiate between a higher risk customer or member and a lower risk one. Many institutions complete a questionnaire when accounts are opened. If you don’t ask the questions, you will not know the answers or the potential risk that may be posed. In order to formulate a risk rating (low, medium or high), consider: the purpose of the account; the account holder’s occupation; whether the customer or member lives and/or works in the area that you serve; whether the entity is licensed to do business in your state and is in good standing; the source(s) of funds; expected wire activity; whether it is a consumer or business account; banking references; what products and services are being requested, such as remote deposit capture, online banking, ACH initiations or mobile banking; a review of financial statements (do the numbers even add up correctly?); the expected cash flow of the account; how the account was opened (online or in person); and so on. The more detailed the information provided in the risk assessment, the better the quality of the overall result. Management should quantify risk using actual numbers. For example, include the volume of wire transfer and cash activity, and the percentages of customers or members in certain geographies and by customer or member type. And don’t forget to consider non-financial risk factors such as the entity make-up (e.g., MSB, sole proprietor, publicly traded).

Armed with this information, you should be able to risk rate the customer or member, as well as the account, as high, medium or low risk and determine what type of suspicious activity monitoring is required. Implementing periodic risk-based monitoring will help you determine whether there are any material changes from the original information collected at account opening. The higher the risk, the more frequent the monitoring of the account should be. Risk rating doesn’t just occur at account opening; it is an ongoing process as activity diverges from what was once expected.

In order to be useful, a risk assessment and corresponding rating should be manageable and not so cumbersome that you lose sight of your intent. Ensure account profiles are current and scheduled monitoring is risk-based. For example, all high risk customers or members should be reviewed at least annually, whereas moderate risk members or customers may be reviewed every 18 months. Low risk customers or members should also be reviewed, typically every 24 months. In all cases, a more frequent review may be warranted if triggers are flagged in your BSA monitoring processes (e.g., a 90-day SAR review, or activity now appearing on monitoring reports). Consider your monitoring triggers – what makes up low, medium and high. Also consider how frequently you monitor the different types of accounts held.

Risk assessing and rating your customers or members is a process that helps you and the institution successfully manage the institution’s BSA/AML risks. It is a vehicle by which you can ensure that you and management understand your customer or member base and how it relates to the institution’s overall BSA/AML risk.

The above article was provided to Andrews Hooper Pavlik PLC (AHP) courtesy of TriComply, the compliance arm of TriNovus. AHP does not guarantee accuracy of the information provided in the article and it should not be construed as professional advice. If you have any questions regarding this article, please contact Randy Morse, CPA, Partner and leader of AHP’s Financial Institution practice. AHP provides a broad range of accounting, auditing, tax, and consulting services to financial institutions throughout the state of Michigan and beyond.

TriComply’s compliance service offers banks a full compliance package that provides them with quality assistance at an affordable price. TriComply provides the TriComply knowledgebase, compliance manual, policy manual (written and reviewed), compliance newsletter (weekly), advertisement review, compliance calendar, helpful resources and an online training library of compliance webinars.

The CFPB now has control over certain consumer protection laws. As a result, TriComply has put out a product called CFPB Comparisons: What Really Changed. This product allows you to see the changes firsthand rather than going line by line on your own, saving you hours of stress, anxiety and work. Please contact Starr Largin at 205.588.4316 or Darryl Brasfield to receive information regarding TriComply or to schedule a demo.