On June 30, 2016, the New York Department of Financial Services (DFS) adopted a new anti-terrorism and anti-money laundering (AML) regulation (Final Rule) that builds on federal anti-money laundering requirements to address what the DFS called “shortcomings” in current practices “attributable to a lack of robust governance, oversight, and accountability at senior levels.”[1] The Final Rule requires certain DFS-regulated institutions to maintain programs to monitor and filter transactions for potential Bank Secrecy Act (BSA) and AML violations, and also requires the board of directors or a senior officer to submit to the DFS an annual certification of compliance. The new requirements apply to banks, trust companies, private bankers, savings banks, and savings and loan associations chartered pursuant to the New York Banking Law, and branches and agencies of foreign banking corporations, check cashers and money transmitters licensed pursuant to the New York Banking Law (DFS Financial Institutions). The final regulation, effective January 1, 2017, comprises new Part 504 to Title 3 of the Superintendent’s Regulations.[2]

Key Takeaways

As a result of the Final Rule, DFS Financial Institutions will need at a minimum:

  • To update their BSA/AML policies, procedures and internal controls to ensure that their transaction monitoring and filtering programs comply with the Final Rule; and
  • To implement an attestation process supporting the compliance certification required by the Final Rule.

Penalties

The proposed version of the Part 504 rule included an explicit criminal penalty applicable in the event that the chief compliance officer (or the functional equivalent) of a DFS Financial Institution made an incorrect or false annual certification. Industry representatives strongly opposed this penalty provision, pointing out that it would deter qualified individuals from accepting chief compliance officer positions. In response to these concerns, the DFS removed the explicit criminal penalty from the Final Rule, which now provides instead that the rule “will be enforced pursuant to, and is not intended to limit, the Superintendent’s authority under any applicable laws.” Under the Final Rule, moreover, any “Senior Officer” (as defined)—not just the chief compliance officer—as well as the board of a DFS Financial Institution may satisfy the certification requirement.[3] The DFS is expected to continue to make enforcement of its BSA/AML rules, including the Final Rule, a priority and could nevertheless resort to the New York Banking Law’s existing criminal penalties in appropriate cases involving violations of the Final Rule.

Certification Requirement

The Final Rule requires that DFS Financial Institutions submit annually either a board resolution or a “senior officer compliance finding” certifying that:

  • The board or a senior officer has “reviewed documents, reports and certifications” necessary to adopt the resolution or compliance finding;
  • The board of directors or a senior officer has “taken all steps necessary” to confirm that such DFS Financial Institution has a transaction monitoring and filtering program that complies with the Final Rule’s requirements; and
  • To the best knowledge of the board or the senior officer, as the case may be, the DFS Financial Institution’s program complies with such requirements.

DFS Financial Institutions must file their first resolution or senior officer compliance finding by April 15, 2018, and must keep all supporting records for five years.[4]

The DFS made some important revisions to the proposed Part 504 rule’s certification requirement in response to industry comments on that requirement:

  • In the Final Rule, compliance may be certified either via (a) a board resolution or (b) a “senior officer,” which means “the senior individual or individuals responsible for the management, operations, compliance and/or risk” of a DFS Financial Institution.[5]
  • The proposed Part 504 rule would have required DFS Financial Institutions to certify that they were in fact in compliance, a standard that would be difficult to establish. By contrast, in the Final Rule the board or the senior officer makes the compliance certification to the best of its knowledge. The board or senior officer(s) must, however, undertake the required due diligence in support of the certification.[6]

Program Requirements

The Final Rule also requires that DFS Financial Institutions maintain a transaction monitoring program and a filtering program. The transaction monitoring program required by the Final Rule must be “reasonably designed for the purpose of monitoring transactions after their execution for potential BSA/AML violations and Suspicious Activity Reporting.” Each program must demonstrate specific attributes as detailed below, including the requirement that the programs be based on an ongoing comprehensive risk assessment.[7] The transaction monitoring program may be manual or automated, and must, to the extent applicable:

  • Be based on the risk assessment of the institution;
  • Be reviewed and updated at risk-based intervals to reflect changes to applicable BSA/AML laws, regulations and regulatory warnings, as well as any other relevant information;
  • Appropriately match BSA/AML risks to the institution’s businesses, products, services, and customers/counterparties;
  • Include BSA/AML detection scenarios with threshold values and amounts designed to detect potential money laundering or other suspicious or illegal activities;
  • Provide for end-to-end, pre- and post-implementation testing of the transaction monitoring program;
  • Document the institution’s current detection scenarios and the underlying assumptions, parameters, and thresholds;
  • Include protocols that set forth how alerts will be investigated, the process for deciding which alerts will result in action, the operating areas and individuals responsible for making such a decision, and how the process will be documented; and
  • Be subject to ongoing analysis to assess the continued relevancy of the detection scenarios, the underlying rules, threshold values, parameters, and assumptions.[8]

The filtering program required by the Final Rule must be “reasonably designed for the purpose of interdicting transactions that are prohibited by OFAC.” The filtering program must, to the extent applicable:

  • Be based on the risk assessment of the institution;
  • Be based on technology, processes or tools for matching names and accounts;
  • Provide for end-to-end, pre- and post-implementation testing of the filtering program;
  • Be subject to ongoing analysis to assess the logic and performance of the technology for matching names and accounts, as well as the OFAC sanctions list and the threshold settings; and
  • Document the intent and design of the filtering program tools, processes or technology.[9]
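As an added illustration, not taken from this alert, the Final Rule or any DFS guidance, the following Python sketch models the two components the lists above describe: a documented detection scenario with threshold values applied to transactions after execution, and a name-matching filter with a threshold setting applied before execution. The scenario, the amounts, the transactions and the list entries are all constructed for the example.

```python
# Constructed model of the two Part 504 components: post-execution monitoring
# (504.3(a)) and pre-execution name filtering (504.3(b)). All data is made up.
import re
import unicodedata
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal
from difflib import SequenceMatcher

@dataclass(frozen=True)
class Scenario:
    """Detection scenario with its assumption and parameters recorded alongside the rule."""
    name: str
    assumption: str
    min_count: int          # at least this many sub-threshold deposits ...
    single_max: Decimal     # ... each individually below this amount ...
    aggregate_min: Decimal  # ... adding up to at least this amount

STRUCTURING = Scenario("cash-structuring", "deposits kept just under a reporting amount",
                       min_count=3, single_max=Decimal("10000"), aggregate_min=Decimal("20000"))

def monitor(transactions, scenario):
    """Post-execution monitoring: apply the scenario per customer, return open alerts."""
    by_customer = defaultdict(list)
    for tx in transactions:
        if tx["type"] == "cash_deposit" and tx["amount"] < scenario.single_max:
            by_customer[tx["customer"]].append(tx)
    alerts = []
    for customer, txs in by_customer.items():
        total = sum(t["amount"] for t in txs)
        if len(txs) >= scenario.min_count and total >= scenario.aggregate_min:
            alerts.append({"scenario": scenario.name, "customer": customer, "total": total,
                           "tx_ids": [t["id"] for t in txs], "status": "open"})
    return alerts

def normalize(name):
    """Fold case, strip accents and punctuation, sort tokens so spelling variants still match."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(sorted(re.sub(r"[^a-z0-9 ]", "", ascii_name.casefold()).split()))

def screen(name, sanctions, threshold=0.85):
    """Pre-execution filter: return list entries scoring at or above the threshold setting."""
    probe = normalize(name)
    scored = ((e, SequenceMatcher(None, probe, normalize(e)).ratio()) for e in sanctions)
    return [(e, round(s, 2)) for e, s in scored if s >= threshold]

SANCTIONS = ["Jóhn Q. Example", "Example Trading Co"]   # constructed, not a real list
TXS = [{"id": i, "customer": "C1", "type": "cash_deposit", "amount": Decimal("9500")} for i in range(3)]
TXS += [{"id": 3, "customer": "C2", "type": "cash_deposit", "amount": Decimal("30000")}]
```

The "status" field on each alert is where the investigation protocol's disposition and documentation would be recorded; the threshold values live in the Scenario record so they can be reviewed and re-tuned as the analysis requirement expects.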

Section 504.4(c) lists additional attributes that the program as a whole must include, to the extent applicable:

  • Identification of all data sources that contain relevant data;
  • Validation of the integrity, accuracy and quality of data;
  • Process to ensure complete and accurate data extraction and loading, if automated systems are used;
  • Governance and management oversight, including policies and procedures governing changes to the transaction monitoring and filtering program;
  • Process for selecting any third-party vendors used;
  • Funding to design, implement and maintain the transaction monitoring and filtering program;
  • Qualified personnel or outside consultant(s) responsible for the transaction monitoring and filtering program; and
  • Periodic training of all stakeholders.[10]

Finally, Section 504.3(d) imposes certain record-keeping and inspection requirements on DFS Financial Institutions. To the extent that a DFS Financial Institution identifies “areas, systems, or processes that require material improvement, updating or redesign,” that DFS Financial Institution must document the identification of the issue and the remedial efforts planned and underway.[11]