“The difference between reckless and risk is planning.” Unknown
This article’s purpose is to cover aspects of the customer risk profile as an opportunity for you to measure your efforts as we move closer to the May 11, 2018 effective date of the beneficial owner rule. A crucial building block to your customer due diligence program is identifying, measuring, and monitoring the risk(s) each customer relationship brings to your organization. Have you developed an initial risk profile? Do you know when to update it and what triggers a review?
Practically speaking, your customer due diligence program is intended to achieve the following:
- Gather information about the customer
- Identify, assess, and mitigate risks associated with your customers
- Monitor customer accounts
- Evaluate customer activity for suspicious activity reporting
As noted by the BSA in §1020.210 (b)(5), regarding your organization’s customer due diligence program, appropriate risk-based procedures must be implemented for conducting ongoing customer due diligence that includes:
- Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and
- Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.
The Initial Customer Risk Profile
The key to measuring customer risk is first knowing the difference between inherent risk and residual risk. Inherent risk is the probability of loss arising out of circumstances existing in an environment in the absence of any action to control or mitigate the circumstances. Residual risk is the risk that remains after all risk mitigation efforts have been made. A visual representation of risk would look like this:
Important to this process is your understanding and acceptance that you cannot completely eliminate risk. The level or amount of residual risk helps determine the level of due diligence you will apply to any specific customer.
In addition to CIP information at account opening, you should be gathering information that relates to the ‘who’ of your customer in order to assess that customer’s risk(s). Now, there are a variety of ways to holistically gather information; just remember that the BSA calls for a risk-based approach. Do you understand your organization’s risk appetite?
Modifying the Customer Risk Profile
Just like any risk tool, the customer risk profile is not a stagnant, dormant document. Customer behavior naturally changes over time, but maybe not in ways that you might predict. So, when should you update?
- Changes to the customer relationship – is there a new owner? Was a third party added?
- Suspicious activity – Have you identified unusual or suspicious activity that needs monitoring and potential reporting?
While this article may only cover a minuscule amount of information about customer risk profiles, are you confident about your organization’s process? Consider these questions:
- Do you understand your organization’s risk appetite regarding its customer due diligence program?
- Is the process haphazard or well defined with documented procedures?
- Do you understand the methodology of identifying and measuring customer risks used by your organization?
- Is the type of information gathered (beyond CIP requirements) for a new customer adequate in understanding the risks associated with a new customer?
Next time we’ll explore three key ingredients to the standard due diligence process: coverage, application and process. Without these, the end result will not be what’s required by regulation.
Around the Industry:
Now that the new HMDA rule requirements are in full swing, remember that the CFPB’s Small Entity Compliance Guide is a great resource.
Review the following Mortgage Compliance Magazine article regarding the TCPA, natural disasters, and loan servicing.