RSK.IQ Question of the Week 2/2/15

Can a Bank Change the BSA Risk Rating of a Customer in a High Risk Business?

ISSUE/QUESTION

Can a bank ever lower the BSA risk rating of a customer? Or is the rule “once high risk, always high risk”? Certain business types are viewed as high risk simply by NAICS code. For example, a jewelry store that buys or sells gold will be viewed as a non-bank financial institution.

If that jewelry store has its operating account at another institution, has come out clean in every BSA high risk review the bank has conducted, has had no history of suspicious activity, and if the account has very few transactions and carries low balances of less than $500, would the bank be permitted to lower its risk rating? Would it be all right to have something in the bank’s BSA policy that says after “X” number of review cycles or “X” number of years, if there is no unusual activity noted or if the account has less than “X” number average balances or fewer than “X” number of transactions, the bank can then lower the risk rating?

RESPONSE SUMMARY

The nature of a customer’s business would be one of the factors considered in determining the risk rating to assign to the customer. The continuing customer due diligence performed by the financial institution may reveal circumstances warranting a downgrade in the risk rating, such as the banking history of the customer and its principals. Any reduction in the risk rating should be handled in stages, as from high to medium and then medium to low. All factors leading to the BSA/AML risk rating or any changes made to it should be thoroughly documented.

RESPONSE DETAIL

Introduction

A BSA/AML risk rating is not required by the Bank Secrecy Act, but may be an aspect of a financial institution’s BSA/AML compliance program, in that it allows an evaluation to be made of an aspect of risk posed to the financial institution. In determining the risk rating to assign to a customer, the nature of the customer’s business would be one of a number of factors that would be considered. Given that continuing Customer Due Diligence is required, the risk rating of a customer may be affected by changed circumstances, including the banking history of the customer and its principals.

BSA/AML Compliance and the Risk Rating

In making a risk assessment of a financial institution, the FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual considers whether a financial institution has adequately identified the risk within its banking operations, such as products, services, customers, entities, and geographic locations, and incorporated this identified risk into its BSA/AML compliance program.

As part of the BSA/AML risk assessment, many financial institutions evaluate and apply a BSA/AML risk rating to their customers. Under this approach, the financial institution obtains information at account opening sufficient to develop a “customer transaction profile” that incorporates an understanding of normal and expected activity for the customer's occupation or business operations. While this practice may not be appropriate for all institutions, the management of every institution should have a thorough understanding of the money laundering and terrorist financing risks of its customer base and should develop and implement the means to adequately mitigate those risks.

Certain customers and entities, such as money services businesses, professional service providers, cash-intensive businesses, non-bank financial institutions, and politically exposed persons, are considered to have an inherently high risk for money laundering, simply by the nature of their business. Jewel, gem, and precious metal dealers are also considered to be high risk.

This is only a starting point, however.

The type of business engaged in by the customer is an important factor to be considered, but it is only one variable in assessing risk. It is essential that a financial institution exercise judgment and neither define nor treat all members of a specific customer category as posing the same level of risk. The final determination must be made based on other factors unique to the specific customer, such as its location, ownership, the type of banking services to be used, and the anticipated transaction volume.

These factors must be documented and should be quantified.

The financial institution is then expected to perform continuing customer due diligence commensurate with its risk profile, and to periodically reassess the BSA/AML risk that a customer poses. This reassessment would consider additional factors, such as the type of banking services actually used, the deposit and debit volume, and the banking history of the customer and its principals, including the length of the banking relationship. If reasonably established in policy, a number of review cycles with or without unusual activity noted, a continuing history of low account balances, or an unanticipated increase in account balances may each be a basis for raising or lowering the risk rating.

Whatever method the financial institution decides to use in downgrading risk should be conducted in such a way that the risk is stepped down, from high to medium and then medium to low. While there may be data supporting a move directly from high risk to low risk, using a step down method will demonstrate to regulators an appropriate systematic approach for such changes. No matter how long a customer has been in the system, regulators tend to look on moves from high risk straight to low risk as reflecting either some sort of weakness in the initial rating process or a weakness in the ongoing mitigation process.

Conclusion

The financial institution’s BSA/AML compliance policy should, therefore, establish criteria for determining risk, and provide for an initial risk assessment at the opening of the account relationship, and then for continuing due diligence, also based upon risk. It should account for changes in the customer’s behavior from what was anticipated, including those which indicate that the risk is less than had been anticipated. All factors leading to the BSA/AML risk rating or any changes made to it should be thoroughly documented.

References: FDIC, Risk Management Manual of Examination Policies, Bank Secrecy Act, Anti-Money Laundering, and Office of Foreign Asset Control, section 8.1; FFIEC, Bank Secrecy Act/Anti-Money Laundering Examination Manual, 2014, BSA Risk Assessment Overview, Appendices J and K; Federal Reserve Bank of Philadelphia, SRC Insights, Third Quarter, 2007 “Is Your Institution’s BSA/AML Risk Assessment Adequate?”.

This entry was posted on Thursday, January 29th, 2015 at 9:46 pm.
