Complete a risk assessment at least once per year. Also complete one within 30 days if any of these occur: an ownership change of 25% or more, a significant shift in your customer base, or a Geographic Targeting Order (GTO) affecting Advanced Compliance Technology, Inc.'s area.
\nFollow these five steps for every assessment:
\nRate five risk dimensions — each gets an inherent risk rating and a residual risk rating:
\nMap each dimension to its controls. Controls include CIP, OFAC screening, monitoring thresholds, SAR/CTR filing, EDD protocols, and staff training. Rate each control as strong, adequate, or needs improvement. Any dimension rated residual-high requires a documented remediation plan with a target completion date.
\nBefore launching any new product, service, channel, or location, complete a pre-launch risk assessment using the same five steps.
\nReview all monitoring thresholds at each annual assessment. Document and approve all threshold changes before they take effect. Test key controls at least once per year.
\nDocument each completed assessment in a written report. Present the report to the owner/principal for approval before updating the program. Retain completed assessments for a minimum of five years.
", "narration_text": "Complete a risk assessment at least once per year. Also complete one within 30 days if any of these occur: an ownership change of 25% or more, a significant shift in your customer base, or a Geographic Targeting Order (GTO) affecting Advanced Compliance Technology, Inc.'s area.\r\n\r\nFollow these five steps for every assessment:\r\n\r\nDefine scope. List all products, services, customer types, locations, and delivery channels.\r\nAssess inherent risk. Rate each area before considering controls. Use transaction volume data, customer risk indicators, and location exposure.\r\nEvaluate controls. Review existing policies, procedures, and automated controls. Determine whether each one adequately addresses the identified risk.\r\nCalculate residual risk. Identify risk that remains after controls. Flag any area where residual risk is too high.\r\nDocument and recommend. Record findings, data sources, and proposed changes. Submit to the owner/principal for approval.\r\n\r\nRate five risk dimensions — each gets an inherent risk rating and a residual risk rating:\r\n\r\nProducts and services: Advanced Compliance Technology, Inc. provides check cashing, money transmission, payment instrument sales, foreign currency exchange. Check cashing carries elevated placement-stage risk.\r\nCustomers: Your customer base is walk-in retail with no account relationship. Flag customers with no fixed address, frequent large transactions near the CTR threshold, or third-party check presenters.\r\nGeography: Advanced Compliance Technology, Inc. operates in a HIDTA and HIFCA zone. A new or modified GTO automatically triggers a new assessment.\r\nTransaction volume: Review volume trends each quarter. A sustained shift of 20% or more triggers an out-of-cycle assessment.\r\nRegulatory environment: Review regulatory changes at each assessment cycle.\r\n\r\nMap each dimension to its controls. Controls include CIP, OFAC screening, monitoring thresholds, SAR/CTR filing, EDD protocols, and staff training. Rate each control as strong, adequate, or needs improvement. Any dimension rated residual-high requires a documented remediation plan with a target completion date.\r\n\r\nBefore launching any new product, service, channel, or location, complete a pre-launch risk assessment using the same five steps.\r\n\r\nReview all monitoring thresholds at each annual assessment. Document and approve all threshold changes before they take effect. Test key controls at least once per year.\r\n\r\nDocument each completed assessment in a written report. Present the report to the owner/principal for approval before updating the program. Retain completed assessments for a minimum of five years." }