Keep customer risk assessments current

Pull the full transaction history since this customer's last CDD review. You're looking for anything that's changed - shifts in transaction volume, new geographies showing up, unfamiliar counterparties, or dollar amounts that don't match the customer's stated business purpose. Here's what experienced analysts typically do: - Compare the current activity side-by-side with what was documented at account opening or the last review - Pay extra attention to wire transfers, international transactions, and any cash-intensive patterns - If you see round-dollar transactions just under reporting thresholds ($9,900, $9,500), that's a structuring red flag you shouldn't ignore - Don't just look at the numbers - think about whether the story still makes sense for this customer's business type If something doesn't add up, flag it here. You don't need to resolve it at this stage - just document what caught your eye. It's better to over-flag than to miss something an examiner would catch later.

Now you'll confirm that everything on file for this customer is still accurate. People move, businesses change ownership, and contact details go stale - and outdated info can mean you're not really "knowing your customer" anymore. What to check: - Phone numbers, email addresses, and physical addresses - do they still match what's in your system? - For business accounts, verify that the beneficial ownership information hasn't changed. Per FinCEN's guidance, you're required to update beneficial ownership whenever there's a triggering event (like a change in ownership of 25% or more) - Check the customer's ID documents - are they expired? You'll want current copies on file - For businesses, confirm the entity is still in good standing with the state Pro tip: If you can't reach the customer to verify their info, don't just skip this step. Document your attempts and escalate if needed. An incomplete CDD review is a finding waiting to happen. If anything has changed, request updated documentation and note what was updated in the fields below.

This is where everything comes together. Based on what you found in Steps 1 and 2, you'll decide whether this customer's risk rating should stay the same, go up, or come down. Here's how to think about it: - If activity is consistent and info is current, the rating probably stays the same - just document that you reviewed it and nothing changed - If you spotted unusual activity OR the customer's business has shifted significantly, consider whether the risk rating needs to increase - If a previously higher-risk customer has had clean, consistent activity for multiple review cycles, it might be time to lower their rating - In rare cases where the risk is just too high and can't be mitigated, you may need to recommend exiting the relationship When documenting your analysis, be specific. Don't just write "no issues found" - examiners want to see that you actually looked. Mention the transaction patterns you reviewed, the documents you verified, and why the rating you're assigning makes sense. Finally, set the next review date based on the updated risk level: - High risk: 3 months from today - Medium risk: 12 months from today - Low risk: 24-36 months from today File everything in the customer's CDD folder so it's ready when the next review comes around or if examiners ask to see it.