BOL Conferences
#1706124 - 06/04/12 03:16 PM FACT Risk Assessment- Annual Requirement?
J2C
Diamond Poster
Joined: May 2004
Posts: 1,475
We performed a risk assessment in 2008 as the regulation required for the FACT Act. Is there a requirement to update this assessment on a regular basis? Ours has had minor tweaks since we rolled it out, but nothing has gone back to the board for review/approval because the changes have not impacted our program. The program does get reviewed and reapproved by the board annually, however.

I am just anticipating a comment from the auditors on this... and would like to be prepared. I did not recall an annual requirement (I think it was one-time) based on my notes.
_________________________
My opinion is mine only- not my employer's!


#1706143 - 06/04/12 03:47 PM Re: FACT Risk Assessment- Annual Requirement? J2C
ahou
Power Poster
Joined: Aug 2002
Posts: 3,094
Red Flags annual report is the thing I can think of. Any risk assessment you drafted when implementing the FACT Act would not require annual update.
_________________________
Opinions are my own and not of my employer.

#1706159 - 06/04/12 04:05 PM Re: FACT Risk Assessment- Annual Requirement? J2C
Ted Dreyer
Diamond Poster
Joined: Apr 2001
Posts: 2,245
If you mean the Red Flag risk assessment, section 222.90(c) says:

"Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:
(1) The methods it provides to open its accounts;
(2) The methods it provides to access its accounts; and
(3) Its previous experiences with identity theft."

So, it isn't necessarily an annual requirement, just "periodic".

#1706192 - 06/04/12 04:44 PM Re: FACT Risk Assessment- Annual Requirement? Ted Dreyer
J2C
Diamond Poster
Joined: May 2004
Posts: 1,475
Originally Posted By: Ted Dreyer
If you mean the Red Flag risk assessment, section 222.90(c) says:

"Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:
(1) The methods it provides to open its accounts;
(2) The methods it provides to access its accounts; and
(3) Its previous experiences with identity theft."

So, it isn't necessarily an annual requirement, just "periodic".


Further, in the Federal Register it states: "As discussed above, the final regulations require financial institutions and creditors to conduct a risk assessment periodically to determine whether they have covered accounts, which include, at a minimum, consumer accounts. If the financial institutions and creditors determine that they have covered accounts, the final regulations require them to create a written Identity Theft Prevention Program (Program) and they should report to the board of directors, a committee thereof, or senior management at least annually on compliance with the final regulations."

We determined we had covered accounts during the initial risk assessment. Our program was implemented and it gets reviewed and re-approved every year. So, I interpret that statement in the Federal Register to mean that if you don't have covered accounts you should periodically be doing a risk assessment to determine if you do and then implement a program. Thoughts?
_________________________
My opinion is mine only- not my employer's!


#1706303 - 06/04/12 07:11 PM Re: FACT Risk Assessment- Annual Requirement? J2C
Ted Dreyer
Diamond Poster
Joined: Apr 2001
Posts: 2,245
It says that "each" institution must periodically determine whether it has covered accounts and as part of that determination it must do a risk assessment. The focus appears to be on the non-consumer accounts to determine whether there is a foreseeable risk of ID theft in those accounts. If you determine that the risk related to those accounts hasn't changed, then it may be that you can just state that fact and restate the same risk assessment.

#1707320 - 06/06/12 03:19 PM Re: FACT Risk Assessment- Annual Requirement? J2C
A_G
10K Club
Joined: Jul 2004
Posts: 18,989
As long as you're reviewing your program every year - which is driven by the risk assessment - why not take that time to update the risk assessment, if needed. If not needed, I would just make it clear that it was re-reviewed.
_________________________
With the lights out, it's less dangerous.

#1709026 - 06/11/12 06:35 PM Re: FACT Risk Assessment- Annual Requirement? J2C
scottb
Member
Joined: Sep 2006
Posts: 77
We were cited during an exam for not doing the risk assessment annually. It had been done initially, but the examiner judged the term "periodic" to mean annually. After arguing the point, he called his home office and the citation stuck.
