Satisfy Examiners With A Risk-Based CIP
PATRIOT Act experts reveal what's on your examiner's compliance list

Sure, you know that Section 326 of the PATRIOT Act requires you to implement a risk-based Customer Identification Program to know your customers. But how you determine your own CIP's risk will go a long way in proving yourself to examiners. Here's some help from AML experts.

USE WHAT THE FEDS GIVE YOU

The feds expect your overall AML compliance program will be risk-based, and your CIP represents a big chunk of that - but it's typical of the government not to release any guidance that helps you through your risk assessment process.

Good idea: Use the OCC's CIP examination guidelines, click here, as a blueprint to form your own risk analysis, says Sue Burt, senior attorney with St. Cloud-MN Bankers Systems Inc. The OCC's guidelines will show you in at least a broad sense what the examiners are looking for, she adds. Also be sure to look at the government's High Intensity Drug Trafficking Web site for some great info on money laundering hot spots around the country.

SEPARATE RISK INTO 'QUANITY' VS 'QUALITY'

Quantifying your risk means auditing your institution. You must closely examine your entire customer base and your product line. Do you offer standard loan, deposit and credit card products or are you offering more investment services? What about private banking or electronic services? Your examiner will want to see how you evaluate each of these risks, warns Burt.

Even if you don't do business in a high-risk metropolitan area, regulators will expect you to perform a detailed analysis of the environment in which you do business. Example: If you're in an area with several universities or colleges, you likely have a large international student population with many wires going back and forth on a daily basis. That's a potential danger you need to document in your bank's risk assessment, notes Frederick E. Curry III, senior manager in the D.C. office of Deloitte & Touche and former bank examiner with a Federal Reserve bank.

"In today's environment bringing in new clients is not nearly as important as knowing who they are, and assuring that what they say is accurate," says Terrence O'Brien, an AML consultant in Raleigh, NC. The key to compliance in this area is very broad based education - letting the institution's employees at all levels know that AML compliance is job one, he tells Eli.

AUTOMATION CAN SAVE YOU MONEY LONG-TERM

Once you know what your risks to your CIP are, you can then evaluate the quality of those risks. To do that, determine how you plan to manage each of your risks, counsels Burt. This is where automation really helps, especially for such items as wire transfers and suspicious activity. Automation allows you to predetermine which risks will raise red flags in your system.

The costs for automating your systems are significant, Burt admits, but even small banks with relatively few assets have started to become automated for CIP risk. "Some of the smaller institutions are turning the corner with automation because they feel they can recoup some of the expense by reducing their risk for fraud and helping their bottom line. It's also a long-term investment," she asserts.

CREATE SUB-CATEGORIES TO FORM A RISK GRID

Closely scrutinize each of your CIP risks first and then separate them further into "low," "moderate," "high" or even "extreme" categories. Each bank will have different risks depending on size and service offerings. Tip: Create your own risk matrix/grid that categorizes both the services you offer and your existing customers in terms of low to extreme risk, advises Dirk Mohrmann, president of Miami-based World Compliance, Inc; being able to produce such a grid will be much appreciated by examiners.

If you don't have time or resources to produce a risk grid per se, decide what your risks are across several dimensions - customers, your products and services and the geographies in which you and the customer operate - and then apply a score or rating, recommends Breffni McGuire, a senior analyst with Tower Group in Needham, MA. "Most small banks don't have the capabilities to build complex models, but they can categorize customers, or classes of customers, as carrying a lower or higher degree of AML risk based on their business, business type or business pattern," she notes.

The Bottom Line: CIP compliance - and PATRIOT Act compliance, generally - begins with an analysis of your individual risks. Take the time to document how you determined your risks as well as how you plan to manage them, and be prepared to present this material to your examiner come exam time.