Identifying and tracking account risk is part of the Red Flag program. Do you know what these requirements include?
Question: I'm not clear on the Red Flag requirements for identifying and tracking account risk. What's involved?
Answer: Account risk really includes two parts: customer risk and activity/behavior risk. You will need to understand what's involved with each of these risk factors and ensure that your program addresses both.
Customer risk is the risk you identify initially during account opening. You should already have a program in place that allows you to evaluate the information provided on an account application. BSA/AML requirements indicate that you must collect, at a minimum, a customer's name, address, date of birth and tax ID number. Few banks stop here, and many include a variety of other information requirements for new customers (e.g., phone numbers, email address, driver's license, employer, other accounts, etc.). At least some of this information must be verified. We know that the name must be searched against the OFAC, but the address, DOB and SSN must also be verified as true to the best of your ability.
Customer risk as defined for Red Flags includes both customer identity and the products and services used. This overlaps the BSA/AML requirements (which also require assessment of location risk factors). The Red Flags regulation specifically permits use of existing programs to satisfy its requirements, and you should already have in place a much more comprehensive Customer Identification Program (CIP). If your CIP is properly developed, you are not only meeting the Red Flags identity screening requirements, but you are also covering a broader set of important information.
You should also bear in mind that customer risk is not static and may change as the customer moves to a new address, changes employment, or uses different products and services.
Activity/behavior risk is dynamic risk represented through a combination of daily transactions and the account's behavior profile established over time. Again, your AML program should include the ability to monitor account activity for a variety of fraud, money laundering and terrorism financing indications. Here you should check to make sure that your AML program is not so narrowly focused that it is not able to monitor identity-theft-related activity. For example, your activity monitoring program should be able to detect changes in account risk that may be related to a recent address change, credit agency alert, address discrepancy or other potential warning.
The Red Flags guidelines and the sample Red Flags provide a good set of objectives for your program. You should consider these against a set of "issue" criteria to evaluate what needs to be done. There are many ways to do this (e.g., GAP analysis, Analytical Hierarchy, Multi-Attribute Analysis, etc.), but you should consider things like: how information is captured, how it is retained, which parts of the organization are involved, what analysis is involved, what kind of monitoring is needed, what actions are appropriate, and more. This approach should force you to consider both customer and account activity risks and provide you with an integrated process.
While compliance is mandatory, keep in mind that there are many potentially important benefits that can be derived from a well-constructed risk assessment program.
BANKDetect has developed a Free Webinar covering these and other Red Flags compliance subjects. A draft policy document model is also available. BANKDetect has been supporting clients' fraud prevention and AML compliance for over a decade with advanced, integrated analytical solutions for the full range of requirements from account opening to risk assessment and activity monitoring. Contact BANKDetect TODAY.
First published on BankersOnline.com 9/22/08