Thanks rl. I thinks it's overkill to include directors since we have other suspicious activity monitoring in place and they have no access to bank processes, procedures, accounts, etc since they aren't employees BUT we've always included them - I'm a big fan of "just because we've always done it doesn't mean it's the right way / best way now."
I'll continue to pursue the state level issue....and see if anyone else has any responses here.