We are OCC also. I would recommend a full BSA audit be conducted annually. But CTRs, "high" risk accounts, KYC procedures, wire transfers, & a few others should be monitored quarterly on a small scale. Training should be conducted annually which includes money laundering, anti-money laundering, OFAC, Identity Theft, "suspicious" activity, and internal policies. also a method should be implemented to train "new" employees until the annual training is conducted.
I am "hard" on this reg. I take it too seriously. I hope this helps.
Opinions are mine not my employer.