A consultant suggested that we do a stand-alone UDAAP risk assessment rather than include it within our annual Compliance risk assessment. Are you aware of any regulatory guidance to suggest a stand-alone UDAAP risk assessment?
I’m not aware of regulatory guidance that requires a stand-alone risk assessment for UDAAP. With that said, I do believe a UDAAP risk assessment is expected by examiners, shows your institution takes UDAAP seriously and finally, it is important for comprehensively evaluating UDAAP risk institution-wide. UDAAP should also be incorporated into other risk assessments as necessary.