On December 1, 2015, New York Governor Andrew Cuomo announced proposed New York State Department of Financial Services (“NYDFS”) rules that would require New York-chartered and -regulated banking institutions to enhance their Bank Secrecy Act (“BSA”)/anti-money laundering (“AML”) compliance programs by:

  • adopting Transaction Monitoring and Watch List Filtering Programs,
  • certifying annually, through a senior compliance officer, that they maintain such programs; and
  • subjecting the certifying officer to potential criminal penalties for filing an “incorrect or false certification.”

Both the substance of the proposed rules and the language used by Governor Cuomo to announce them appear drawn from remarks made earlier this year by former NYDFS Superintendent Benjamin Lawsky. 1 In those earlier remarks, Mr. Lawsky suggested that greater individual accountability was necessary to ensure that banks adopt systems adequately designed to detect money laundering and terrorist financing transactions; he also said that “it is our hope that our actions in this area will help encourage other regulators to consider similar measures.” 2

The proposed rules represent an unusual exercise of power by a state regulator in setting compliance rules for federal regimes such as the BSA and the sanctions regimes administered by the Office of Foreign Assets Control (“OFAC”).

There will be a 45-day comment period following publication of the proposed rules in the New York State Register. The regulations are proposed to “be effective immediately . . . [and] to apply to all State fiscal years beginning with the Fiscal Year starting on April 1, 2017.” It is not clear on the face of the proposed rules whether the first Annual Certification would be required by April 15, 2016 or April 15, 2017.

WHO IS COVERED BY THE PROPOSED RULES?

The proposed rules would apply to entities chartered or licensed under the New York Banking Law, including banks, branches and agencies of foreign banks, trust companies, private bankers, savings banks, savings and loan associations, check cashers and money transmitters (“covered institutions”). No exemptions from the requirements are proposed and, accordingly, the requirements would apply to all covered institutions without regard to size or business model.

WHAT ARE THE PROPOSED PROGRAM REQUIREMENTS?

Under the proposed rules, a covered institution would need to maintain both:

  • A Transaction Monitoring Program designed to reflect the institution’s risk profile and implemented to monitor transactions, after their execution, for potential “BSA/AML violations and Suspicious Activity Reporting.” It is not entirely clear what the reference to BSA/AML violations encompasses, and this may be a reference to monitoring for transactions structured to evade federal BSA reporting requirements (such as those involving cash transactions).
  • A Watch List Filtering Program designed and implemented to “interdict,” before their execution, transactions “that are prohibited by applicable sanctions, including OFAC and other sanctions lists, politically exposed persons lists, and internal watch lists.” The regulations do not define what types of transactions the NYDFS would consider “prohibited by . . . politically exposed persons lists, or internal watch lists.”

Transaction monitoring and watch list filtering systems are standard components of AML compliance programs and the topic of extensive guidance from federal regulators and agencies.3 The proposed requirements, however, are more detailed and prescriptive than current federal BSA/AML rules and may present practical implementation issues for covered institutions.4

For example, the proposed rules specify the required attributes of the Transaction Monitoring and Watch List Filtering Programs through numerous undefined technical terms (e.g., “detection scenario logic,” “end-to-end, pre- and post-implementation testing,” and “data mapping, transaction coding, detection scenario logic, model validation, data input and Program output”). Although many of these terms are in common usage, they are potentially subject to varying interpretations. It is an open question as to how covered institutions should interpret these terms, particularly because monitoring and filtering systems often are customized, if not entirely bespoke, to each institution’s operations and risk profile. This issue is compounded by the potential criminal penalties facing a compliance officer who incorrectly interprets the requirements, as discussed below.

The proposed rules also would prohibit a covered institution from making changes or alterations to its Transaction Monitoring Program or Watch List Filtering Program to avoid or minimize the filing of suspicious activity reports or because the institution does not have the resources to review the number of alerts generated by the Program.

WHAT IS THAT CERTIFICATION REQUIREMENT?

As a third requirement of the proposed rules, by April 15th of each year, the chief compliance officer or equivalent of a covered institution would need to sign an Annual Certification in a form set out in the proposed rules. The certification states that the signatory has “reviewed, or caused to be reviewed,” the Transaction Monitoring and Watch List Filtering Programs and that, “to the best of their knowledge,” the programs comply with the NYDFS’ regulations.

The proposed rules would subject a compliance officer who files an “incorrect or false” Annual Certification to potential criminal penalties. This imposition of potential criminal penalties expands on and furthers a trend, which the NYDFS has been leading, of holding individuals (and compliance personnel) accountable for alleged institutional compliance deficiencies. As we have highlighted elsewhere, until recently, individual accountability has been rare, and enforcement actions targeting individual compliance officers have focused on civil penalties in circumstances of alleged willful and egregious AML deficiencies.5 This proposed requirement is likely to draw significant adverse comment.