The New York Department of Financial Services (NYDFS) has published a final rule aimed at addressing purported shortcomings on the part of financial institutions in detecting and preventing money laundering and sanctions violations.

Who is subject?

There are essentially three groups of financial institutions subject to the final rule, referred to collectively as “Regulated Institutions.”

First, all:

  • Banks
  • Trust companies
  • Private bankers
  • Savings banks and
  • Savings and loan associations

…chartered under New York banking law.

Second, all:

  • Foreign bank branches and
  • Foreign bank agency offices

…licensed under New York banking law.

Third, all:

  • Check cashers and
  • Money transmitters

…licensed under New York banking law.

What is required?

Regulated Institutions must enhance elements of their Bank Secrecy Act and anti-money laundering (BSA/AML) compliance program and sanctions compliance program to meet the standards set forth by the final rule. The NYDFS refers to the actions outlined in the final rule as clarifications of requirements, suggesting that it does not view them as newly created requirements. Under the final rule, Regulated Institutions must ensure their transaction monitoring program and filtering (or screening) program are reasonably designed to comply with the risk-based safeguards outlined in more detail below. Regulated Institutions must also adopt an annual board resolution or senior officer compliance finding (the choice is the institution's) certifying compliance with the NYDFS regulation.

Transaction monitoring program

Each Regulated Institution must maintain either a manual or automated transaction monitoring program reasonably designed to identify potential BSA/AML violations after transactions are executed and report suspicious activity. At a minimum and to the extent applicable, to be compliant with the rule a program must:

  • Be based on an ongoing and comprehensive risk assessment of the Regulated Institution that takes into account the institution’s size, staffing, governance, businesses, services, products, operations, customers, counterparties and the geographies and locations of its operations and business relations.
  • Be reviewed and periodically updated to reflect changes to applicable BSA/AML laws, regulations and regulatory warnings, as well as other information determined by the institution to be relevant.
  • Appropriately match BSA/AML risks to the institution’s businesses, products, services, customers and counterparties.
  • Include detection scenarios with threshold values and amounts designed to detect potential money laundering and other suspicious or illegal activities, and document and articulate those detection scenarios along with their underlying assumptions, parameters and thresholds. The final rule specifically requires ongoing analysis of the continued relevance of these detection scenarios, underlying rules, thresholds, parameters and assumptions.
  • Test the program’s effectiveness (pre- and post-implementation), including, as relevant, program governance, data mapping, transaction coding, detection scenario logic, model validation, data input and program results.
  • Include protocols for:
    • investigation of alerts generated by the program
    • decisions on which alerts prompt filings or other actions
    • identification of individuals and operating areas responsible for decision-making and
    • documentation of investigations and decision-making processes.

Filtering program

Each Regulated Institution must maintain either a manual or automated filtering program that is reasonably designed to prevent transactions that are prohibited by US sanctions laws and regulations implemented by Treasury’s Office of Foreign Assets Control (OFAC). The final rule specifically requires filtering programs to:

  • Be based on an ongoing and comprehensive risk assessment of the Regulated Institution that takes into account the institution’s size, staffing, governance, businesses, services, products, operations, customers, counterparties and the geographies and locations of its operations and business relations.
  • Match names and accounts, through the use of software, tools or manual processes, in each case based on the institution’s particular risks, transaction and product profiles. While not mandating specific technology, the final rule does suggest that institutions should use algorithms or “fuzzy logic” to identify potential matches that are not exact.
  • Test the program’s effectiveness (pre- and post-implementation), including, as relevant, a review of data matching, an evaluation of whether the OFAC sanctions list and threshold settings map to the institution’s risks, the logic of matching technology or tools, model validation, and data input and program results.
  • Be subjected to ongoing analyses and assessments of:
    • the logic and performance of the matching technology or tools
    • coverage for changes to the OFAC sanctions list and 
    • threshold settings to ensure continued mapping to the institution’s risks.
  • Document the intent and design of the program’s tools, processes or technology.

Both the transaction monitoring and filtering programs must:

  • identify all sources of data
  • validate the accuracy and quality of the data and
  • ensure complete and accurate extraction and loading of data.

To ensure effective and efficient management of the programs, the final rule requires management oversight, periodic training, case management, appropriate funding, a vendor selection process if applicable, and qualified personnel or outside consultants.

To the extent that a Regulated Institution determines material improvement, updating, or redesign is necessary to satisfy the final rule, the institution must document these issues and plans, recognizing that the NYDFS may review such documentation.

Certification

Annually by April 15, each Regulated Institution must submit to the Superintendent of the NYDFS either a board resolution or senior officer compliance finding (in the form provided by the NYDFS as an attachment to the final rule) that the certifying party has:

  • reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary and
  • taken all steps necessary

to confirm, to the best of the certifying party’s knowledge, that the Regulated Institution complies with the final rule. Regulated Institutions must maintain records supporting the certification for a period of five years, for review and examination by the NYDFS. For these purposes, a senior officer means the senior individual or individuals responsible for the management, operations, compliance and/or risk of a Regulated Institution.

Penalties

Notably, the final rule diverges from the NYDFS’s previously proposed rule and omits the explicit reference to criminal penalties for a certifying senior officer who files an incorrect or false annual certification. However, compliance with the final rule will be enforced pursuant to the Superintendent’s authority under any applicable laws.

When does the final rule become effective?

The final rule becomes effective on January 1, 2017. The first annual certifications must be filed by April 15, 2018.

Authors’ insights

The final rule presents an overlap of AML and sanctions compliance programs that, in practice, may be inconsistent with the approach taken by certain organizations. At the federal level, the agencies and the laws that impose each of the requirements are different, with AML generally implemented by FinCEN under BSA authority and sanctions compliance enforced by OFAC under authority of various laws, regulations, executive orders and treaties. It is not unusual (and sometimes is advisable) for AML and sanctions compliance programs within an organization to operate separately and be managed by different personnel. Such an approach may present complexities as it relates to the annual certification required by the final rule.

The final rule appears to assume parallel coverage of New York state law and federal law as it relates to the definition of money transmission. More specifically, the federal Bank Secrecy Act explicitly exempts some entities from the definition of money transmitter, thereby exempting them from BSA/AML compliance obligations. However, the NYDFS has found certain companies that are exempt from money transmission compliance obligations at the federal level to be within the scope of New York’s Transmitters of Money Act, nonetheless. For companies that are not money transmitters under the Bank Secrecy Act but are licensed as money transmitters in New York, the final rule could represent a significant change in their compliance approach and obligations.

Further to the preceding point, the final rule imposes certain suspicious activity reporting obligations on Regulated Institutions by specific reference to the federal regulations for SAR reporting. In implementing SAR reporting obligations on financial institutions under the Bank Secrecy Act, FinCEN mandates automated reporting through online portals that require credentials of the financial institutions. In those instances where New York law is more expansive in its definition of Regulated Institution than the corresponding federal law, it is unclear how a Regulated Institution can file SARs without the associated FinCEN credentials.