Does anyone risk rate their RDC customers in order to not have to perform an annual due diligence? We are wanting to risk rate and assign reviews from 1-3 years based off of risk and was wondering if any one else did this.

It should be risk-based. There is no requirement for annual reviews. You should do a risk assessment that outlines your risks, controls, and conclusion that outlines why you determined that reviews should be done at 1 year, 2 year, or 3 year, or whatever you decide.

*edited to add: you should also have procedures that state what the reviews will consist of (activity review, site visit, update of due diligence forms, etc ---- whatever it is that your institution has in place).