BSA-AML Examiner School eBook

Bank Secrecy Act Assessment (Continued)

CUSTOMER DUE DILIGENCE / ENHANCED DUE DILIGENCE Management has not developed a CDD program for ensuring that each customer is risk rated at account opening and the customer's expected activities and sources of funds are considered. The internal CIP and New Account forms provide employees the opportunity to risk rate the customer based on the customer's expected activities and source of funds. The forms provide an additional section for the BSA Officer to perform a secondary review and concur or change the risk rating assignment. However, none of the information is being completed. Of the 32 new accounts sampled, the forms were either not completed or the CIP form was not used during the account opening process. All accounts are automatically assigned a risk rating of "low" upon entry onto the bank system, without any consideration to the customer's risk profile. The institution's customer base includes businesses and organizations with potentially higher-risk activities; however, none of these customers have any type of formal CDD documentation to support why they are not rated high risk. The Board and management should ensure that employees receive training on internal policies, processes, and procedures for assigning risk ratings and specify when the BSA Officer should be consulted. Employees opening new accounts should be required to collect appropriate information to assign risk ratings for each customer, including the customer's expected activity, types of products and services that will be used by the customer, and the source of funds. Interim BSA Officer stated that all employees with account opening capabilities will receive training on internal processes and procedures by September 2016. She further commented that she is currently performing a secondary review of all New Account forms to ensure accuracy and completeness. Management does not perform EDD for any customers as no customers are considered by management to be high risk. However, several customers with large volumes of cash activity may require enhanced monitoring. The Board and management should ensure that policies requiring EDD for higher-risk customers are being followed. Currently, policies and procedures designate the BSA Officer as the individual responsible for monitoring this process. The BSA Officer should perform a thorough review of all current customers with high volume cash transactions or higher-risk account activities to determine if they should be considered high risk, collect appropriate EDD information to support account activity, and perform periodic reviews on those customers. Interim BSA Officer stated that she will perform a thorough review of all current customers with large volumes of cash activity or other higher-risk account activity by December 2016. BSA/AML RISK ASSESSMENT The BSA/AML/OFAC Risk Assessment has not been reviewed and approved by the Board since January 2015. An effective BSA/AML compliance program controls risks associated with the bank's products, services, customers, entities, and geographic locations; therefore, an effective risk assessment should be an ongoing process, not a one time exercise. Management should update its risk assessment to identify changes in the bank's risk profile, as necessary. Management should understand the bank's BSA/AML risk exposure and develop the appropriate policies, procedures, and processes to monitor and control BSA/AML risks. The bank's monitoring systems to identify, research, and report suspicious activity should be risk-based, with particular emphasis on higher-risk customers, entities, types of transactions, and geographic locations as identified by the bank's BSA/ AML/OFAC Risk Assessment. While the institution is not located in a High Intensity Drug Trafficking Area (HIDTA), the institution's market area is located in a HIDTA. Management should consider the staffing resources and the level of training necessary to promote adherence with these policies, processes, and procedures.

49