We are currently being examined by the FDIC for BSA/AML Compliance. While we are very fortunate to be dealing with an extremely reasonable examiner, we do have a disagreement regarding the following:

My read of the regulation is that our BSA/AML Risk Assessments should be reviewed at least annually. I see nothing that indicates that annual is akin to “every 12 months” (though likely a good practice); rather the wording would suggest that as long as the Assessment is reviewed each calendar year, then you are technically in compliance.

And isn’t technical compliance the balance we seek between regulatory requirements and operational objectives?!

While I will likely agree to revise my approach going forward, I would like to defend the existing practice so as to preclude a possible cite.

Should I hold firm or have I no legs to stand?

Thanks

So, do you mean if you look at it in January 2009 and again in December 2010, that is annual?

I would find that to be too infrequent. Looking at it on a regular schedule not to exceed 12 months is more reasonable, with reviews for changes to existing or introduction of new products, changes in bank market, customer base, etc. triggering a fresh review regardless of last review.

On pages 24-25 of the BSA Exam Manual it says:

"Management should update its risk assessment to identify changes in the bank’s risk profile, as necessary (e.g., when new products and services are introduced, existing products and services change, high-risk customers open and close accounts, or the bank expands through mergers and acquisitions). Even in the absence of such changes, it is a sound practice for banks to periodically reassess their BSA/AML risks at least every 12 to 18 months."

So if you haven't had the changes mentioned and you're within 18 months maybe you can use this quote.