Yes, they need to remain separate. They are established for entirely different reasons. When you are doing your risk assessment for Identity Theft Prevention Policy (ITPP), it would be helpful to put your information security risk assessment and your BSA risk assessment into the mix. Some issues will be very similar, others may augment the ITPP.
Allan D. Virr, CRCM,CRP
Compliance Audit Solutions, LLC