Acing Regulatory Exams for Higher-Risk Banking Programs: A Q&A, Part Two

Updated: Dec 22, 2022


Banks and credit unions need to handle higher-risk customers with care, but some “go overboard” with information gathering while overlooking other critical steps, says Ryan McInerny, Principal, Product Strategy, at RiskScout. In Part Two of this Q&A, the former OCC examiner gives concrete advice for creating a “reasonable and achievable higher-risk banking program,” one that will stand you in good stead with the regulators.


Q: What are the most important lessons learned from your life as an OCC examiner that would apply to financial institutions thinking about BSA compliance today?


A: Honestly, I’d say stratifying within industries and really understanding customer types. A lot of institutions will be too general. They’ll say, “Oh, this is the cannabis industry,” or “Oh, these are money-service businesses.” They’ll have one catchall process for each. But sometimes there are very different niches within those groups.


If you have a whole portfolio of money-service businesses that have one location, versus some that have 15 locations and do way more volume, you’d really expect different [processes] for those types of businesses…. Tailoring to the different risk characteristics of customers is really beneficial.


The other lesson is that some banks and credit unions try to learn everything there is to know, and at a certain point, it’s not cost effective to keep digging and digging. There’s a level of information that gives you enough confidence that you can actually bank that customer and they’re doing things the right way. The lesson here is to not go overboard.


Q: I was curious about that. Do you often see financial institutions taking steps that go above and beyond what’s necessary? And how and where do they go overboard?


A: It’s the amount of questions that they might be asking. Some of the questions are redundant or they don’t provide any information that anyone is actually using for a decision. It’s kind of like a weight test. If we keep asking things, no one is going to fault us. But if you’re not using the information [that you’re collecting], it actually puts you in a worse position.


Q: What were some of the mistakes you, as an examiner, personally saw banks and credit unions make?

A: For the non-high-risk portfolios, if there are no reviews or no identification of when someone is moving into the higher-risk areas, that’s when we often see an issue. If you aren’t identifying when someone should be in [a higher-risk category], such as when characteristics of an existing customer change, then your monitoring won’t match the risk level.


Let’s say that I identify you as a fishing store because you sell bait and tackle and that sort of thing. In the future, if you decide to add a private ATM to your property, or if you start doing something else, the bank could be unaware that a change has been made. Still, there’s probably a change in the activity occurring in the account.


So if you’re unable to identify when the characteristics of a customer have changed, that’s something that gets flagged by regulators.


Q: When you look two-to-three years down the road, how do you think bank compliance will evolve for higher-risk banking programs?


A: I think it’s going to start to evolve to be more and more like what we see from a lending perspective. So when you look at loan reviews, there’s typically an annual review of the customer type, and you’re looking at their financial statements and a lot of other information that just makes you understand that they’re a good customer. I think the same sorts of things will become more and more prevalent for higher-risk customers.


I think we’ll be looking at customers and saying, “Hey, do these people still align with my risk profile? Am I still comfortable banking them?”


Also, I think there will be more focus on the actual review process. I think right now it’s viewed as just a regulatory requirement and that’s why we, as a financial institution, are doing it.


Really, though, internal compliance reviews should inform your pricing and your risk management. They should inform everything you’re doing. The review process could and should be made more helpful for financial professionals, going forward.


[To read the first part of this interview, please go to PROVIDE LINK.]