Wipfli logo
Back to Articles

High-risk customer monitoring: Getting it right

Guthridge_Robin
Robin Guthridge
Feb 28, 2025
3 min read

How much is too much or how much is too little when it comes to monitoring high-risk customers? Can you get by with just an annual high-risk review or does it have to be more frequent? What about your moderate-risk customers? What are examiner expectations with managing higher-risk customer relationships? 

In May 2018, the Customer Due Diligence/Beneficial Ownership Rule was put into effect, requiring financial institutions to have an understanding of the nature and purpose of customer relationships. It would also require institutions to develop a customer risk profile to set a baseline against which customer activity is assessed for suspicious activity monitoring. This included the requirement to conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. Based on the results of that periodic monitoring, a determination should be made on whether to collect additional information to better understand the relationship.

Collecting data for a high-risk review

 A comprehensive high-risk review should include a review of data pertaining to all related accounts and lines of business. While account statements may provide a history of money movement from various sources, such as ACH, P2P or wire transfers, it is important to note that this is just raw data. All the transactions should be analyzed to determine any variances from the prior review and any trends or anomalies.

If your institution uses an automated surveillance monitoring (ASM) system, this data is most likely available within the system and can be extracted to a separate report, or may be available within an EDD module contained within the ASM. It should be noted that the reliance on the raw data in an ASM and alert output would not be considered sufficient for a comprehensive review. The analysis should also include volumes of currency transaction reports and suspicious activity reports (SARs) filed, as well as SAR investigations that did not result in a report.

Other factors to consider include monetary instruments purchased with cash, legal notices received and results of negative news searches. For entities where site visits may be appropriate, such as marijuana-related businesses, private ATM owner/operators or money service businesses, there should be documentation retained noting the results of the visit. 

Next steps after data collection

Once the data has been collected, the narrative is one part of the review that many institutions struggle with. It’s just a matter of telling the story of your customer. 

A sound narrative should include:

  • The dates of the review period.
  • The reason the customer was placed on the high-risk list.
  • The customer’s occupation or nature of business.
  • A brief summary of the areas reviewed.
  • Any significant variances identified from the prior review (or stated activity at the time of account opening).
  • A brief summary of any activity noted within any other lines of business the customer engages in.
  • The results of the onsite visit (if applicable).

Finally, the review should include an overall summary noting whether the customer will continue to be monitored or if, based on the review, the customer’s risk score will be lowered. If the customer’s risk rating was lowered to moderate risk, you should refer to your institution’s policy on monitoring those types of relationships.

As with high-risk monitoring protocols, your institution’s policies and procedures should address how moderate-risk customers are managed since examiners and auditors will review those written procedures to ensure your institution is complying with them. 

The frequency of high- or moderate-risk reviews is dependent on the nature of your watch list. If your institution banks marijuana businesses or third-party payment processors, a more frequent review (monthly or quarterly) may be necessary. If your watch list consists of standard cash-intensive businesses, private ATM owners/operators or RDC customers, for example, an annual review may be more appropriate. 

High- and moderate-risk monitoring is not a one-size-fits-all approach, but there is a right and a wrong way to conduct a review. Those who get it right will be looked upon favorably by their independent auditors and examiners. Those who do not may face unwanted regulatory scrutiny. 

How Wipfli can help

Having trouble managing your high- or moderate-risk reviews? Wipfli’s experienced staff can assist with developing a monitoring program or with helping your institution catch up with backlogs of reviews. Contact an advisor today to get started.

Author(s)

Guthridge_Robin
Robin Guthridge
CAMS, CRCM, Director, Wipfli Advisory LLC
View Profile

Discover how our experience and solutions can help grow your firm.

State of the banking industry report 2025

How do financial institution executives feel about the future? Our fourth annual “State of the banking industry” report uncovered confidence, despite rising threats and uncertainty.

Download the report
Key insights into regulatory, tariff and tax policy changes

Stay updated in 2025 on the impact of new policies and laws on your organization.

Visit our resource hub

TOP PICKS

Blaser_Melissa
Melissa D. Blaser 12/09/2025
Why compliance still matters: Navigating reduced oversight in a deregulatory era
Read full story
Anna Kooi
Anna Kooi 12/08/2025
FDICIA threshold changes: Next steps you can’t overlook
Read full story
Matthew Hovis
Matthew Hovis 10/30/2025
New SAR guidance: Should you change your structuring practices?
Read full story