CIP Risk Assessment
by Mary Beth Guard, BOL Guru
There are four components to the risk assessment you must make, each corresponding to a different risk factor.
- Types of accounts. What types of "accounts" do you offer, and to what types of "customers"? A sole proprietorship, for example, is going to be inherently more difficult to verify than an individual. A foreign corporation or a non-U.S. person will also present challenges. You may perceive a savings account as presenting less risk than a transaction account. A credit card account may also be at a higher risk level. A situation where an individual purports to act under a power of attorney for another individual also poses a higher risk than where an individual is opening an account in his own name. Outline what you've got, then risk rate them.
- Methods of opening accounts. Accounts opened in person are lower risk, generally, than those opened by phone, mail, or Internet. Accounts opened through a third-party agent may pose a greater risk than those handled directly by your institution's employees. If you have a joint account and allow one or more signatures to be obtained outside the bank, there is a greater risk. It can be useful to consider where you have experienced losses or fraud in the past and utilize that information in your risk assessment.
- Types of identifying information. You may be willing to accept a wide variety of documentary and non-documentary evidence of a customer's identity, but some types of identifying information have a higher degree of reliability than others. For example, a driver's license or state ID issued by the same state you're located in will be more readily familiar to your employees and a counterfeit of your in-state ID would be hard to get by an experienced frontline person. A foreign passport will be more difficult to analyze. Limited partnerships, corporations, and LLCs must file official documents with the state, under most states' laws. General partnerships and sole proprietorships, on the other hand, sometimes have no filing requirements. Bob's Bowling League and Betty's Book Club will probably have nonexistent documentation. Make lists of the types of identifying information you may be given, and risk-rate it.
- Your bank's size, location, type of business, or customer base. If you're with a small bank where everybody knows everybody, all of your customers are located within the same town, and your product offerings are fairly plain vanilla, your risk may be low, depending upon where you're located. If you're in a border town, or in a gang's back yard, you must take that into how that risk factor may impact your ability to form a reasonable belief you know the true identity of your customer. The larger you are, the less likely your employees will "know" your customers on a personal level. On the other hand, larger sized institutions may have more sophisticated fraud prevention technology to help protect them against identity fraud.
The original version appeared in the April 2003 edition of the Oklahoma Bankers Association Compliance Informer.
First published on BankersOnline.com 9/8/03