top of page

Subscribe to our Resources Mailing List

Thanks for submitting!

Acing Regulatory Exams for Higher-Risk Banking Programs: A Q&A, Part One

Updated: Dec 22, 2022

Preparing to meet a regulator is an anxiety-producing event for most financial professionals. Ryan McInerny, Principal, Product Strategy, at RiskScout, was an examiner at the Office of the Comptroller of the Currency (OCC) for more than six years; in the following conversation, he provides firsthand knowledge about how examiners view higher-risk banking programs and how you can excel at your next regulatory exam.

In addition, be sure to check this space next week, when McInerny offers some practical tips for creating a reasonable and achievable higher-risk banking program that will hold up well when it comes to regulatory scrutiny.

Q: What types of banking programs do you deem higher-risk? And why?

A: Programs could be in any of a wide breadth of different industries. Cannabis, both marijuana and hemp, because they both fall under the “cannabis” title; crypto and money-service businesses; and anything else that has a higher degree of regulatory or operational risk.

From a regulatory risk perspective, we’re talking about anything that has more stringent guidelines or a higher likelihood of a fine or potential regulatory finding that would end up costing the institution. And then from an operational risk side, it’s anything that’s more time intensive or any process for managing the customer that is more difficult than for a traditional customer.

Q: When it comes to regulators examining BSA departments, what would be the parameters for a higher-risk banking program?

A: The favorite line regulators like to say is: “It depends.”

I would say that any program where you can identify the types of risk that are present-- and can put a repeatable process in place to identify those risks, as well as to manage them-- would work. So maybe that’s getting information from customers on an ongoing basis to make sure they still have the same risk profile. Or maybe it’s having periodic reviews with the customer and tailoring that by risk type… [What matters is that the process] is repeatable, it’s been documented, and it’s specific to that industry or customer type.

Q: When you worked for the OCC, how did you look at higher-risk banking programs in terms of BSA compliance? Did you use different criteria to evaluate them than you did for more traditional banking programs? And if so, what were the differences?

A: I wouldn’t necessarily say that any program [is subject to] different criteria. The idea is that when we look at something we start with the risk assessment first to make sure they’re identifying what is high risk and what’s not.

Once you’ve gone past the risk assessment, you look at the program itself. Here’s the risk level for that type of industry. Now, [is the institution] identifying the level of risk that might be appropriate for each part of the industry? And are they stratifying risk among different categories?

Take the cannabis industry. A distributor is going to have different risk characteristics from a retailer. [The examiner needs to make] sure that the institution is aware of those different risk characteristics within the portfolio.

Also, [examiners will review] what processes a bank or credit union has in place for onboarding and for ongoing risk management, which looks at whether the customer still has the same risk profile over time.

The criteria are going to be the same for any program; any program will be looked at the same ways. It’s just when you start to get to riskier industries, [the regulators] expect more. There might be more frequent reviews or more in-depth reviews.

Q: How does a software platform like RiskScout’s make it easier for community banks or credit unions to go before the examiners? Could you please provide some examples?

A: One example is on the onboarding side. [RiskScout] helps to tailor applications to different customer types, so it’s easy to select, say, “my marijuana application,” or “my marijuana retailer application.” The application headings make sure I’m giving the right information for that customer type.