On December 1, 2015, the New York Department of Financial Services (the DFS) released a proposed rule that would require certain New York-regulated financial institutions (Regulated Institutions) to comply with enhanced anti-terrorism and anti-money laundering (AML) requirements and subject chief compliance officers to potential criminal liability for noncompliance (the Proposal).
The proposed regulations aim to strengthen New York financial institutions’ fight against terrorist financing and money laundering at a time when terrorism concerns are at their highest in years. The Proposal, which was developed by the DFS over several months, also comes amid persistent calls from the general public to prioritize individual liability for financial services executives following the financial crisis. This confluence of factors provides a ripe environment for New York to push an aggressive regulation – ahead of any promulgation of the same by the federal banking agencies or the Treasury Department’s Financial Crimes Enforcement Network (FinCEN).
Indeed, emphasizing the importance of AML regulation, New York Governor Andrew M. Cuomo stated, “[g]lobal terrorist networks simply cannot thrive without moving significant amounts of money throughout the world. At a time of heightened global security concerns, it is especially vital that banks and regulators do everything they can to stop that flow of illicit funds.” With this Proposal, New York seeks to enhance AML program requirements and impose personal – even criminal – liability on heads of compliance for failure to adequately satisfy these new expectations.
I. Annual Certifications and Individual Criminal Penalties
Similar to the annual certification required of principal executive and financial officers under the Sarbanes-Oxley Act of 2002, a Regulated Institution’s chief compliance officer (or functional equivalent) would be required to certify annually to the DFS by April 15 that the officer’s institution maintains a transaction monitoring and filtering program compliant with the Proposal’s requirements. Under the Proposal, a chief compliance officer who incorrectly or falsely certifies that the Regulated Institution’s transaction monitoring and filtering programs meet the requirements of proposed Part 504 of the DFS Superintendent’s Regulations on the annual certification may be subject to criminal penalties.
The Proposal also states that any Regulated Institution that fails to comply with Part 504 would be subject to applicable penalties under New York Banking Law (NYBL).
II. Enhanced AML Program Requirements
New York-Regulated Institutions are currently subject to federal and New York AML laws and regulations,1 but the Proposal adds, among other AML program requirements, greater specificity to certain transaction monitoring and filtering requirements, codifies the requirement to conduct an ongoing, comprehensive risk assessment, and expressly eliminates a Regulated Institution’s ability to adjust its monitoring and filtering programs to limit the number of alerts generated.
Transaction Monitoring and Filtering Programs. Under the Proposal, each Regulated Institution must maintain a transaction monitoring program and an OFAC watch list filtering program to interdict transactions. Although a vast majority of financial institutions’ AML programs may already comply with the Proposal’s transaction monitoring and filtering program requirements, the Proposal contains certain incremental enhancements that may require alterations to a financial institution’s existing program. Such incremental enhancements include:
- a requirement to base programs on ongoing, comprehensive risk assessments of the institution;
- easily understandable documentation for both the transaction monitoring and filtering programs that articulates the institution’s current detection scenarios and the underlying assumptions, parameters, thresholds, and intent and design of the program tools or technology;
- end-to-end, pre- and post-implementation testing of the transaction monitoring and filtering program, including governance, data mapping, transaction coding, and the logic of matching technology or tools;
- ongoing analyses to assess the continued relevancy of detection scenarios, the underlying rules, threshold values, parameters, and assumptions for transaction monitoring programs, and to assess the logic and performance of the technology or tools for matching names and accounts for filtering programs; and
- investigative protocols detailing how alerts generated by the transaction monitoring program will be investigated, the process for deciding which alerts will result in a filing or other action, who is responsible for making such a decision, and how the investigative and decision-making process will be documented.
Risk Assessment. The Proposal would subject Regulated Institutions to a mandatory risk assessment. The results of the risk assessment would be used by the institution to maintain its transaction monitoring and filtering programs. Currently, although it is a common best practice for Regulated Institutions to implement a risk assessment process, neither the existing New York AML laws and regulations nor the federal AML laws and regulations explicitly require such assessment. Instead, the existing rules only require that policies, procedures, and controls are “risk-based.” Rather than this risk-based approach, the Proposal would mandate that each Regulated Institution bases its transaction monitoring and filtering program on “an on-going comprehensive risk assessment, including an enterprise wide BSA/AML risk assessment, that takes into account the institution’s size, businesses, services, products, operations, customers/ counterparties/ other relations and their locations, as well as the geographies and locations of its operations and business relations.”
Program Alteration Prohibited. The Proposal prohibits a Regulated Institution from modifying or altering its transaction monitoring or filtering program to avoid or minimize the filing of suspicious activity reports, or because the institution does not have the resources to review the number of alerts generated by a program established under the Proposal, or to otherwise avoid complying with regulatory requirements.
III. Covered Institutions
The Proposal broadly defines two classes of institutions that will be subject to its requirements: (i) Bank Regulated Institutions and (ii) Nonbank Regulated Institutions. Bank Regulated Institutions include all banks, trust companies, private bankers, savings banks, and savings and loan associations chartered under NYBL and all foreign bank branches and agencies licensed under NYBL to conduct banking operations in New York. Nonbank Regulated Institutions include all check cashers and money transmitters licensed under NYBL. The Proposal does not apply to bank and nonbank institutions not already subject to the supervision of the DFS.
IV. Industry Impact
New York is the financial center of the world, and the DFS is responsible for nearly 1,700 banking and other financial institutions, with assets totaling more than US$3.2 trillion.2 New York is also keenly aware of the threats posed by terrorist and other illegal activity. Moreover, as stated by Governor Cuomo in the release accompanying the Proposal, “[m]oney is the fuel that feeds the fire of international terrorism.” Accordingly, in an industry that has been tightly regulated to help identify and deter illicit activity since the passage of the Bank Secrecy Act in 1970, the DFS has signaled to the industry and other regulators that it is looking to take the lead in raising compliance standards and imposing heavier regulation to keep pace with New York’s elevated risk. Taking regulatory action prior to action by the federal regulators is not new to the DFS. The DFS’ enforcement history – specifically as it relates to enforcement of sanction regulations in 2013 and 2014 – demonstrates that it has not been shy about taking action in areas that have historically been the province of the federal agencies. When the DFS has acted in advance of the federal agencies and FinCEN, it has taken precedent-setting actions, resulting in fines greater than US$300 million, sending strong messages to the rest of the industry. If the Proposal is finalized as currently drafted, it will arm the DFS with yet another powerful enforcement tool.
The DFS will accept comments on the Proposal for 45 days after it is published in the New York State Register. New York-Regulated Institutions should carefully consider whether to submit comments expressing concerns with the Proposal and communicating to the DFS how exactly the Proposal may impact their institutions.