Following recent enforcement actions against foreign financial institutions for deficient risk management and compliance programs, the New York Department of Financial Services announced new regulations requiring all financial institutions (including money transmitters and check cashers) licensed by New York to adopt risk-based anti-money laundering and sanctions compliance programs. These rules will go into effect on January 1, 2017, and impose some stringent requirements that are new for state-level regulation.

In March 2016, the Department reached settlements with banks from Pakistan and South Korea requiring more robust anti-money laundering and sanctions compliance programs at their NY branches. Under the terms of these agreements, the foreign banks are required to draft written plans, including enhanced internal controls for correspondent accounts, and submit these plans to the Department for its approval, subject to additional penalties. These enforcement actions show the Department is focused on ensuring international institutions comply with its state regulations.

With the publication on June 30 of new rules requiring more robust compliance programs, New York is making future enforcement actions against all financial institutions even easier. The new rules mandate that banks and other financial institutions licensed to operate in NY maintain anti-money laundering transaction monitoring programs and sanctions and anti-terrorism filtering programs that meet certain criteria and requires directors or officers annually certify that their banks’ procedures comply with the regulations. By January 1, 2017, covered financial institutions must update their compliance programs to comply with the new standards. Foreign financial institutions should pay particular attention to NY’s new requirements, as recent enforcement actions (three in the last seven months alone) demonstrate the state’s willingness to enforce its rules against foreign institutions.

Under the new requirements, covered financial institutions must maintain risk-based programs “reasonably designed” to monitor transactions for potential violations of Banking Secrecy Act/Anti-Money Laundering (“BSA/AML”) laws and regulations1 and Office of Foreign Assets Control (“OFAC”) sanctions regulations.2 Covered entities must also document and justify the design of their programs, require regular training, and describe how identified risks and red flags will be managed. In addition, covered entities must test and regularly assess their programs to ensure they maintain the appropriate scope and functionality. If a third party vendor is used to acquire, install, implement, or test a compliance program, the covered entity must also maintain a vendor selection process.

Each year, starting on April 15, 2018, the board or senior officers of regulated financial institutions must certify that (1) they have reviewed the documentation required to make the certification; (2) they have taken all steps necessary to confirm that their transaction monitoring and filtering program complies with the regulations; and (3) to the best of their knowledge, the monitoring program complies with the regulations.3 Regulated institutions must maintain records of the information relied upon to make the annual certification for a period of five years.

These new rules apply to banks and other financial institutions licensed by New York. Specifically, regulated institutions include all banks, trust companies, private bankers, savings banks and savings and loan associates chartered pursuant to the New York Banking Law. All check cashers and money transmitters licensed pursuant to the Banking Law are also required to comply with the new rules. Additionally, the regulations cover all branches and agencies of foreign banking corporations licensed pursuant to the Banking Law to operate in NY.

Before these new regulations come into effect on January 1, 2017, financial institutions operating in NY should assess whether the new rules apply to their operations. If so, regulated institutions must determine whether their compliance programs meet the new standards and to build the systems necessary for their directors and officers to make the required certification.