On June 30, 2016, the New York Department of Financial Services (DFS) adopted a final rule requiring New York-regulated financial institutions to bolster their anti-money laundering (AML) programs and, most significantly, personally certify to the DFS that those enhanced programs meet the DFS’ expectations (Final Rule). Specifically, new Part 504 of Title 3 to the New York Codes, Rules and Regulations, Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications, requires Regulated Institutions (as discussed below and defined in the rule) to establish and maintain a transaction monitoring and filtering program with particularized attributes aimed at curing potential shortcomings in existing AML programs. On an annual basis, either the board of directors as a governing body or a senior officer personally must certify that the new program is compliant and that the governing body or individual certifying has undertaken all necessary steps to make such certification.
The Final Rule exposes boards of directors and senior officers at New York financial institutions to a heightened risk of personal liability unlike any other existing financial regulatory scheme. As a result, Regulated Institutions should carefully evaluate the Final Rule’s overall likely impact on future operations, compliance costs, and regulatory risk parameters, and then evaluate whether strategic alternatives exist to the institution’s continued operation under the DFS’ jurisdiction.
Although on its face the Final Rule appears to have taken into consideration comments on the proposed rule submitted by or on behalf of the New York financial services industry, in reality, little has changed from the proposed rule released in December that will be of material consequence to the institutions subject to the rule. Depending on how the Final Rule is interpreted and applied, it could have a significant impact on the operating costs of Regulated Institutions, and most certainly will provide the DFS with increased enforcement powers.
Who is Covered?
The DFS did not change any of the definitions impacting the types of institutions that are subject to the Final Rule. As a result, the Final Rule broadly applies to two classes of institutions (collectively, Regulated Institutions): (i) Bank Regulated Institutions and (ii) Nonbank Regulated Institutions. Bank Regulated Institutions include all banks, trust companies, private bankers, savings banks, and savings and loan associations chartered under New York Banking Law (NYBL) and all foreign bank branches and agencies licensed under NYBL to conduct banking operations in New York. Federally chartered, New York branches and agencies of foreign banks are not subject to the Final Rule. Nonbank Regulated Institutions include all check cashers and money transmitters licensed under NYBL. Importantly, the Final Rule does not apply to bank and nonbank institutions not already subject to the supervision of the DFS, such as national banks, federal savings banks, and federal savings and loan associations chartered by the Office of the Comptroller of the Currency (OCC) or US out-of-state banks with branch offices or other facilities located in New York.
What is Required?
Transaction Monitoring and Filtering Program. The Final Rule requires each Regulated Institution to establish and maintain a risk-based transaction monitoring and filtering program that is periodically reviewed and appropriately tailored to match the Regulated Institution’s risk profile (i.e., businesses, products, services, customers, and counterparties). Among other program characteristics, the Regulated Institution must develop and implement a program that includes documentation articulating the design and parameters of the monitoring and filtering, shows that it is periodically tested on end-to-end effectiveness, catalogs any rule and threshold changes, and is subject to ongoing analyses to assess the reasonableness, effectiveness, and relevancy of the controls. Importantly, for the first time under NYBL, the Final Rule formalizes the requirement for Regulated Institutions to conduct risk assessments for AML purposes.
Annual Board Resolution or Senior Officer(s) Compliance Finding. Magnifying the impact of the program requirements is the Final Rule’s requirement under Section 504.4 for the board of directors or a senior officer to submit annually to the DFS a board resolution or senior officer determination that the Regulated Institution is in compliance with the program requirements of Section 504.3. Although the DFS revised the Final Rule in response to industry commenters by changing the name of the document from an “Annual Certification” to a “Board Resolution” or “Compliance Finding,” the revisions are form over substance. Importantly, Attachment A of the Final Rule still requires that the board of directors or senior officer “certify” that: (i) the signee(s) reviewed necessary documents, reports, certifications, and opinions necessary to make such certification; (ii) the signee(s) took all steps necessary to confirm the Regulated Institution is in compliance with the Final Rule; and (iii) to the best of their knowledge, the transaction monitoring and filtering program is in compliance with Section 504.3. It is of no benefit to the signees of the annual certification that the DFS renamed it a “Board Resolution” or “Compliance Finding.” Irrespective of the name of the form, the DFS has reserved significant enforcement authority under the Final Rule and is now equipped with an explicit avenue to bring enforcement actions against certifying individuals.
When is the Rule Effective?
The Final Rule becomes effective on January 1, 2017 and will require the first of annual submissions of compliance findings to the DFS by April 15, 2018. Although the final rule provides 15 months of lead time before a board of directors or senior officer must make a certification of compliance, Regulated Institutions should be prepared to demonstrate their compliance as soon as the rule becomes effective for two reasons. First, the DFS will continue to conduct routine examinations, and there is nothing in the Final Rule that would exempt an institution from full compliance after January 1, 2017. Second, the Final Rule serves as notice to the industry that the DFS is concerned about deficiencies in transaction monitoring and filtering. Given this notice, should a suspicious transaction or multiple suspicious transactions occur after January 1, 2017 that the institution may have detected if it had fully implemented the Final Rule, but nevertheless went undetected and unreported, the DFS would be positioned to assert that the institution’s program was deficient, in violation of the Final Rule.
What Else Changed From the Proposed Rule?
Other minor revisions were made to the Final Rule providing some relief to Regulated Institutions. As a general matter, the DFS softened some of the requirements in Section 504.3 to allow Regulated Institutions to flexibly apply the regulation to the size, type, and risk profile of each institution (i.e., including language such as “reasonably designed,” “to the extent applicable,” and “as relevant”). In addition, the Final Rule no longer expressly provides that a certifying senior officer may be subject to criminal penalties for filing an incorrect or false certification. Instead, Section 504.5 states that the “regulation will be enforced pursuant to, and is not intended to limit, the Superintendent’s authority under applicable laws.”
In many ways, the Final Rule isduplicative of existing expectations imposed on Regulated Institutions by federal regulators, such as customer identification program requirements under 31 C.F.R. §1010.220 and the customer due diligence expectations provided in the FFIEC BSA/AML Examination Manual. Moreover, the transaction monitoring and filtering program requirements are a more granulized approach to the Financial Crimes Enforcement Network’s customer due diligence rule, which was finalized in May, formalized risk-based customer due diligence requirement as a fifth pillar of AML, and becomes effective on May 11, 2018. The distinguishing characteristic of DFS’ Final Rule is the annual certification required to be made to the DFS, which provides the DFS with an extra enforcement tool to use against Regulated Institutions and ultimately increases the compliance burden imposed on New York institutions.
The impact of the Final Rule may be particularly challenging for smaller, nonbank Regulated Institutions—such as money transmitters and other money services business—that may not have the financial resources to implement robust transaction monitoring and filtering programs in a such short period of time, but whose risk profile may require such action. These types of institutions should carefully evaluate their allocation of resources and implement their transaction monitoring and filtering programs in a thoughtful and deliberate fashion.
It is without doubt that the intent of the DFS’ Final Rule is to better protect against money laundering risks and transactions with sanctioned entities, but the effect of the annual certification imposes a burden on Regulated Institutions unlike ever before, which should cause Regulated Institutions to evaluate whether it makes business sense to remain a New York Regulated Institution.
At a minimum, Regulated Institutions have a significant and important decision to make about whether to place responsibility on the board of directors to adopt a certifying resolution for submission to the DFS, or to require a senior officer to submit a finding that the transaction monitoring and filtering programs meet the DFS’ standards. Rationally, it makes sense to impose this additional burden on a senior officer with actual knowledge of the enterprise’s compliance systems and controls. As a practical matter, however, exposing a senior officer to this heightened risk of personal liability may, at a minimum, warrant increased compensation for such officers. Similarly, the heightened threat of personal liability may cause more highly qualified officers to not seek employment at institutions regulated by the DFS, or if already employed, hasten their departure.
In our experience, new compliance burdens such as this, and the associated heightened institutional and personal liability risk, may lead some financial institutions to consider strategic alternatives allowing the institution to maintain relationships with its New York-based customers, while removing the institution’s operations from the enforcement jurisdiction of the DFS. For insured depository institutions, such strategic alternatives include:
- converting from a New York charter to a national bank charter under the OCC pursuant to Section 137 of the NYBL and 12 C.F.R. Section 5.24; and
- relocating a Regulated Institution’s headquarters to another state, and converting to the new home state’s charter, such as New Jersey or Connecticut.
What Else Can Regulated Institutions Do Right Now?
With the effective date of the Final Rule only six months away, and the first annual certification due in April 2018, Regulated Institutions should begin considering whether it makes sense to remain a DFS Regulated Institution. As part of this process, in addition to evaluating the strategic alternatives listed above, Regulated Institutions should consider the steps necessary to properly evaluate, and if necessary develop and implement enhancements to, their transaction monitoring and filtering programs by the compliance date. Just as important as the program is itself, boards of directors and senior officers alike must also ensure that they are equipped with the supporting materials and documentation necessary to appropriately certify compliance to the DFS. These materials should provide the certifying board or individual officer with a substantive understanding of how the Regulated Institution’s transaction monitoring and filtering program has been developed and implemented, and how effective the program has been since implementation.
Developing and implementing an acceptable transaction monitoring and filtering program under Part 504, together with the ongoing expenses of maintaining such a program (e.g., staffing, vendors, software upgrades, and validation testing), will come at a significant cost to a number of institutions. When these costs are coupled with the potential personal liability stemming from the annual certification, all financial institutions should consider performing a cost/benefit analysis to determine whether strategic alternatives are available prior to the Final Rule’s implementation.
Finally, after considering alternative strategies and conducting a cost/benefit analysis, if a Regulated Institution chooses to remain subject to the DFS’s jurisdiction, a number of significant questions remain. It is critical that Regulated Institutions ask these questions and carefully evaluate how their companies may be impacted by the Final Rule, then quickly and efficiently begin implementing the necessary changes to ensure compliance with Part 504 before January 1, 2017 and their next DFS examination. The full evaluation of the legal and operational impact on a Regulated Institution will likely require the use of legal counsel to advise the Board and management on the increased legal risks and the steps that can be taken to manage and minimize such risk, as well as the engagement of outside consultants to assist with any of the creation, modification, implementation, validation, or periodic testing related to the monitoring and filtering programs.