BSA's "annual" training requirement is mythological unless your bank has made a statement to that effect in its own policies and procedures. The same for Regulation CC. Both require training, neither specifies a frequency. Regulation P does not contain a training requirement. The information security portion of GLBA might, I don't remember.
_________________________
In this world you must be oh so smart or oh so pleasant. Well, for years I was smart. I recommend pleasant.