What is the frequency that the BSA Policy has to be updated? Is it every 12 to 18 months?

It's usually done every 12 months.

Actually, it only has to be updated whenever there is a change to the policy. There is no annual approval requirement anywhere in the regulations.

Thanks again! I did see a reference in the BSA Exam manual to the risk assessment as follows but nothing about the policy:

it is a sound practice for banks to periodically reassess their BSA/AML risks at least every 12 to 18 months.

Yes, risk assessments should be updated on a regular basis.

Risk assessments as RL points out are a living, breathing document, which are subject to change when you see that a particular risk change. But at a minimum, you review them as noted above.

To reinforce the idea that the risk assessment drives the policy, report the risk assessment to the board and then note their review of the policy and any attendant changes in the same meeting. (Doing them months apart is a clear indicator that the risk assessment is perceived as a "regulatory requirement," not a worthwhile exercise.)

As noted "the program regulations" promulgated by the federal functional agencies do not require a periodic review of the BSA/AML/OFAC polcies, but some state departments of banking require documented annual reviews of all major policies.

We've always timed the risk assessment to be completed around the same time as the annual policy update; but we're often left with a list of issues that need corrective action - some of which may require policy updates. Since we've always finished them at the same time, we often are left saying "We should've put that in as a policy change..."

Ken, in your opinion, is it preferable to target risk assessment completion several months in advance of the policy update? After reading your post, I'm getting the sense that it may be more useful to show the board the risks you've identified, the corrective action you took or are taking, and specifically any policy changes you made as a result of your assessment along with changes in the regulatory landscape.

Not Ken, but I would suggest that any weaknesses identified in your risk assessment should automatically trigger a change in the internal controls addressed either within your policy or at the very least, your procedures. I would not expect much of a lag time between the completion of the risk assessment and the required modifications.

I would think that the simultaneous presentation of:

1) A presentation of the new risk assessment in which you would highlight the areas of new or increased risk (notice I did not say approve the risk assessment);

2) A request for the board to approve any new policies changes required to sufficiently address the new or increased risks;

and

3) A discussion regarding the procedural changes that management has implemented to address the risks that do not rise to the level of a policy change (notice I did not say approve the procedural changes).

IMHO it sure ties it all together and it will show the regulators that your front to back risk assessment process is working.

We review and update and present annually to the board each April, the policy, risk assessment and conduct their BSA training. Once a year, at the same time.

Thank you Randy, I should have been more precise. We approve it annually, changes or not, simply because it's something a number of our peers do and we don't want to stand out. It's something that takes less than 5 minutes and keeps our regulators happy.

I would also agree with Randy's statements on the risk assessment process.

Agreed. There is nothing to vote on. Its receipt and review needs to be noted in the board minutes, but "approving" it indicates the board is the ultimate rubber stamp. Otherwise, right after the vote on the risk assessment they should vote on a ham sandwich. Not whether they want a ham sandwich, just vote on a ham sandwich to be voting on something.