The bank's BSA officer is required annually to report to the BOD regarding the efficiencies of the bank's BSA program and shall recommend any appropriate changes in the program. Is there an additional requirement that the BOD is to approve the bank's BSA policy annually along with a review of the bank's exempt list?

No. The policy does not need to be approved annually, nor do they need to review the exempt list.

I recently lost this battle with our internal audit firm. Our BSA policies will, in the future, be reviewed annually.

David is correct, there is no legal requirement that the BSA policy be approved by the board annually, although it is an excellent practice. There is also no requirement that the bank have an exempt list, let alone that the board approve it. By having the board approve the list, you are making board members directly responsible for something outside their expertise. They have enough BSA responsbility without making an upward delegation.

It's important to distinguish between legal requirements and recommendations, regardless of whether they are offered by auditors or examiners.