Financial institutions operating in New York — including New York state licensed banks, trust companies, private bankers, savings banks, savings and loan associations, branches of foreign banks, check cashers, and money transmitters (Regulated Institutions) — will soon need to comply with a new first-of-its-kind rule from the New York State Department of Financial Services (NYDFS). The rule requires the maintenance of transaction monitoring and filtering tools to detect unlawful or suspicious funds transfers as well as the submission of a board of directors resolution or a senior officer “compliance finding” to NYDFS regarding the adequacy of those tools on an annual basis.
The new rule seeks to address the NYDFS perception that there are weaknesses in the transaction monitoring and filtering systems that financial institutions use to comply with Bank Secrecy Act/Anti-Money Laundering laws and regulations (BSA/AML) as well as regulations issued by the Office of Foreign Assets Control (OFAC). The rule also provides NYDFS with a new standard against which it can enforce BSA/AML or OFAC compliance shortcomings that it detects through examinations or other investigations.
The rule becomes effective on January 1, 2017, and the first annual submission will be due April 15, 2018. Regulated Institutions will need to consider the adequacy of their transaction monitoring and filtering programs with regard to the requirements of the final rule and implement any necessary changes. To ensure that the signatories of the annual resolution or compliance finding are informed of the obligation and have the necessary information available to them to adopt the required statements, Regulated Institutions will need to have procedures in place well before April 15, 2018. These steps will need to be taken while simultaneously managing other ongoing AML compliance projects, such as the implementation of the Financial Crimes Enforcement Network’s final customer due diligence rule (see May 16, 2016, client alert “FinCEN Finalizes Customer Due Diligence Rule Amid Other Actions to Enhance Financial Transparency”), and while managing frequent and often unexpected changes to the OFAC sanctions.
Transaction Monitoring and Filtering Program Requirements
Every Regulated Institution must maintain a program to monitor transactions after their execution for potential BSA/AML violations and reportable suspicious activity. Similarly, every Regulated Institution must maintain a filtering program to screen transactions against OFAC lists and interdict transactions that potentially violate OFAC sanctions. The specific requirements of the transaction monitoring and filtering programs are detailed in the final rule. However, the two programs share a number of common themes:
- Risk-Based Program With Appropriately Calibrated Tools. The transaction monitoring program must be based on the risk assessment of an institution and appropriately calibrated using detection scenarios and other parameters reasonably designed to detect potential money laundering or other suspicious or illegal activities. Likewise, the filtering program must use matching logic and thresholds that are mapped to the risks of the institution.
- Ongoing Analysis of Scenarios, Rules, Thresholds and Parameters. Although Regulated Institutions must provide the NYDFS superintendent with a submission regarding the transaction monitoring and filtering programs only once per year, these programs require ongoing attention. The programs must be reviewed at regular, risk-based intervals and updated when necessary to take into account regulatory changes and other relevant information.
- Adequate Documentation of the Programs. Regulated Institutions must maintain adequate documentation to support the transaction monitoring program, including procedures that articulate the current detection scenarios, underlying assumptions, and thresholds and protocols detailing how alerts are investigated. With respect to the filtering program, documentation must articulate the intent and design of the filtering program tools, processes, or technology.
- Testing and Remediation. Both programs must be subject to pre- and post-implementation testing. To the extent a Regulated Institution identifies areas, systems, or processes that require material improvement, updating or redesign, the Regulated Institution must document both the identification of the issue and the action plan for remediation.
- Data Accuracy, Quality and Access. The programs must require the identification of all data sources that contain relevant data and must contain processes for validating the integrity, accuracy and quality of the data. If automated tools are used, data extraction and loading processes must ensure a complete and accurate transfer of data from its source to the automated monitoring and filtering tools.
- Governance and Oversight. There must be adequate governance and management oversight of the programs, including of changes to the program and the vendor selection process. The board of directors and senior management also are responsible for ensuring that the programs are adequately funded and staffed by qualified personnel or outside consultants; these individuals will be responsible for the design, planning and implementation, operation, testing, validation and ongoing analysis of the programs.
Resolution or Compliance Finding Requirement
The final rule requires that a board resolution or compliance finding be filed with the superintendent by April 15 of each year. In the resolution or finding, the signatory — either all members of the board of directors or a single senior individual or multiple senior individuals responsible for the management, operations, compliance and/or risk of an institution — must make three statements: (1) that the signatory has reviewed documents necessary to adopt the resolution or compliance finding, (2) that the signatory has taken all steps necessary to confirm that the institution has a transaction monitoring and filtering program that complies with the rule, and (3) that, to the best of the signatory’s knowledge, the transaction monitoring and filtering program complies with the rule.
Key Differences Between the Proposed and Final Rule
Compared to most federal AML rulemakings, the NYDFS rule was finalized quickly. The final rule differs from the December 2015 proposed rule in four notable respects:
- The proposed rule extended the requirements of the filtering program to several lists, including the OFAC lists, other sanctions lists, politically exposed persons lists and internal watch lists. The final rule limits the filtering program to the OFAC lists only.
- The proposed rule prevented Regulated Institutions from making changes to either the transaction monitoring or filtering program in order to avoid or minimize filing suspicious activity reports or because the institution does not have the resources available to review the number of alerts generated. The final rule removes this prohibition and instead focuses on the remediation of identified areas, systems or processes that require material improvements, updating or redesign and the documenting of such remedial measures.
- The proposed rule required an annual certification. The annual certification could only be signed by a single senior officer (i.e., the chief compliance officer or the functional equivalent). The final rule retains the proposed rule’s emphasis on accountability by continuing to require an annual submission but softens it from a certification to a resolution or compliance finding. The final rule also eases the burden on individual compliance officers by giving each Regulated Institution the board resolution option.
- The proposed rule provided that a senior officer who signs an incorrect or false certification document may be subject to criminal penalties for doing so. The final rule does not contain this language explicitly.