It should be risk-based. There is no requirement for annual reviews. You should do a risk assessment that outlines your risks, controls, and conclusion that outlines why you determined that reviews should be done at 1 year, 2 years, or 3 years, or whatever you decide.
*Edited to add: you should also have procedures that state what the reviews will consist of (activity review, site visit, update of due diligence forms, etc., whatever it is that your institution has in place).
Last edited by Justin Case; 10/21/21 10:13 PM.
_________________________
CAMS