If you mean the Red Flag risk assessment, section 222.90(c) says:
"Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:
(1) The methods it provides to open its accounts;
(2) The methods it provides to access its accounts; and
(3) Its previous experiences with identity theft."
So, it isn't necessarily an annual requirement, just "periodic".
Further, in the Federal Register it states: "As discussed above, the final regulations require financial institutions and creditors to conduct a risk assessment periodically to determine whether they have covered accounts, which include, at a minimum, consumer accounts. If the financial institutions and creditors determine that they have covered accounts, the final regulations require them to create a written Identity Theft Prevention Program (Program) and they should report to the board of directors, a committee thereof, or senior management at least annually on compliance with the final regulations."
We determined we had covered accounts during the initial risk assessment. Our program was implemented and it gets reviewed and re-approved every year. So, I interpret that statement in the Federal Register to mean that if you don't have covered accounts you should periodically be doing a risk assessment to determine if you do and then implement a program. Thoughts?