Is it a requirement to review the thresholds and risk rating, etc, in your automated suspicious activity monitoring software annually? We have a data validation done every 18 months by an external auditor to make sure everything feeds in correctly, etc, but is it also a requirement to review the thresholds and risk rating criteria annually to see what adjustments should be made? We had it done by Abrigo in 2020, and wondering if it's ok to wait until early 2022 to do it again.

This depends on the risk profile of your bank. There are institutions that look at their parameters and perform full model validations on a 12 month cycle. There are other institutions who conduct these activities every 18-24 months.

The FFIEC BSA AML manual states in regard to automated monitoring systems, "Once established, the bank should review and test system capabilities and thresholds on a periodic basis. This review should focus on specific parameters or filters in order to ensure that intended information is accurately captured and that the parameter or filter is appropriate for the bank's particular risk profile." No specific timeframe is noted but based on discussion with other banks, an annual review process of filters/paramaters seems to be a good starting point. However, a more frequent timeframe may be appropriate for your organization.

Agree with all of the above. It should be based on your bank's risk profile. My last bank was a small community bank with very low risk and we had an independent review every 2 years but I reviewed alert efficiency and criteria annually.

There is usually two parts to this, one is a Model Validation to determine if the model is working as designed and the other is Model Tuning to determine if the parameters are appropriate for your institution. Most of the places I have worked hade one every other year unless there was a major change to the model. In which case it was more frequent.

I have also seen multiple tuning throughout the year and an annual validation for a very complex institution. There is simply no one size fits all for this as long as you can justify your process.