David is correct, there is no legal requirement that the BSA policy be approved by the board annually, although it is an excellent practice. There is also no requirement that the bank have an exempt list, let alone that the board approve it. By having the board approve the list, you are making board members directly responsible for something outside their expertise. They have enough BSA responsbility without making an upward delegation.
It's important to distinguish between legal requirements and recommendations, regardless of whether they are offered by auditors or examiners.
In this world you must be oh so smart or oh so pleasant. Well, for years I was smart. I recommend pleasant.