Risk Assessment & OFAC

I've seen two schools of thought in regards to the Risk Assessment and its relation to OFAC, and I was looking to find out what other members of this site are doing.

Some information I've read says that the OFAC Risk Assessment can be included in the BSA/AML Risk Assessment, however other sources state that they need to be separate. I'm wondering if this is based off institution size, as well as risk appetite.

I'm from a moderate size community bank, only located in 2 states, and have what I believe to be an extremely low amount of risk. As a result, I think it's completely feasible to include the OFAC risk assessment as a section of the BSA/AML risk assessment, however I didn't want to get slammed by the examiners for doing so.

Thoughts? Examples? Feedback is much appreciated!

We have one BSA/AML/OFAC risk assessment document. One section has the risks for BSA/AML and the second section has the risks for OFAC. We've never had a problem with them both being in the same document.

Same here.

I have them in one document but they are not combined. Each is presented as a distinct risk statement.

Same here and at my last two jobs.

Our regulatory examiner "suggested" (aka required) we make the risk assessments separate and also to make our audits separate (even though when both the risk assessment and audit was incorporated within the BSA risk assessment and BSA audit, they did not have any comments on either being deficient.)

Awesome! Thanks for the feedback everyone. Maybe it was the wording that was giving me the confusion, they can be "combined" into the same document, but a SEPARATE risk assessment needs to be performed on each.

One document but risk assessed separately.