BSA-AML Examiner School Case Study eBook

Internal Use Only

Does the CIP include procedures for providing bank customers with adequate notice that the bank is requesting information to verify their identities (lobby notice, website notice, oral or written)?

Does the CIP include procedures regarding the use of third parties (such as a car dealer or mortgage broker) to verify the identity of its customer and maintain records (if applicable)?

Yes

Yes

Moderate

Assign Inherent Risk → Assign Controls Rating → Assign Residual Risk → Assign Overall Trend →

3 2 2

Satisfactory

Limited

Summary of Risk Ratings:

Stable

The new CCO conducted an assessment of the CIP / Risk Rating process, and enhancements have been made that will be implemented in December 2023. The Bank does not have a high number of "high" risk clients, maintains a process for oversight of large dollar amount transactions, and reviews risky profiles on a regular basis.

CUSTOMER DUE DILIGENCE

Yes/No or N/A; Comments and description of mitigating controls

Does the bank conduct ongoing due diligence including but not limited to:

- Obtaining and analyzing sufficient customer information to understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile?
- Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information, including information regarding the beneficial owner(s) of legal entity customers?

Yes

Procedures and process updated as of October 2023.

Does the bank have risk-based CDD procedures that:

- Enable it to understand the nature and purpose of the customer relationship in order to develop a customer risk profile?
- Enable it to conduct ongoing monitoring for the purpose of identifying and reporting suspicious transactions and, on a risk basis, to maintain and update customer information, including information regarding the beneficial owner(s) of legal entity customers?

Yes

The bank's risk-based CDD policies, procedures and processes should:

- Be commensurate with its BSA/AML risk profile, with increased focus on higher risk customers?
- Contain a clear statement of management’s and staff’s responsibilities, including procedures, authority, and responsibility for reviewing and approving changes to a customer’s risk profile, as applicable?
- Provide standards for conducting and documenting analysis associated with the due diligence process, including guidance for resolving issues when insufficient or inaccurate information is obtained?

Yes

Does the bank have effective processes to develop customer risk profiles as part of the overall CDD program (including products/services, customers and entities, and geographic locations)?

Yes

Does the bank use the customer information and customer risk profile in its suspicious activity monitoring process to understand the types of transactions a particular customer would normally be expected to engage in as a baseline against which suspicious transactions are identified and to satisfy other regulatory requirements?

Yes

Do the bank's due diligence policies, procedures, and processes define both when and what additional customer information will be collected based on the customer risk profile and the specific risks posed (as related to higher risk profile customers)?

Yes

Does the bank have policies and procedures for determining whether and/or when, on the basis of risk, obtaining and reviewing additional customer information, for example through negative media search programs, would be appropriate (as related to higher risk profile customers)?

Yes

Does the CDD program include risk-based procedures for performing ongoing monitoring of the customer relationship, on a risk basis, to maintain and update customer information, including beneficial ownership information of legal entity customers?

Yes

Does the CDD program establish criteria for when and by whom customer relationships will be reviewed, including updating customer information and reassessing the customer’s risk profile?

Yes

Moderate Satisfactory

Assign Inherent Risk → Assign Controls Rating → Assign Residual Risk → Assign Overall Trend →

3 2 2

Limited

Summary of Risk Ratings:

Stable

The new CCO conducted an assessment of the CIP / Risk Rating process, and enhancements have been made that will be implemented in December 2023. The Bank does not have a high number of "high" risk clients, maintains a process for oversight of large dollar amount transactions, and reviews risky profiles on a regular basis.
