The proposed regulation would require covered financial institutions to maintain watch-list-filtering and transaction-monitoring programs.

On December 16, 2015, the New York Department of Financial Services (NYDFS) proposed a new anti-money laundering (AML) regulation to address terrorist financing, sanctions violations and money laundering activities. The proposed regulation would require covered financial institutions to maintain watch-list-filtering and transaction-monitoring programs. Additionally, an institution’s chief compliance officer (CCO) or equivalent would be required to file an annual certification of compliance with the NYDFS.

The proposed rule has a 45-day notice and public comment period that will end on February 1, 2016, after which a final rule will be issued.

Why Now?

In the press release that accompanied the publication of the NYDFS’s proposed rule, Governor Andrew Cuomo said, “Money is the fuel that feeds the fire of international terrorism. Global terrorism networks simply cannot thrive without moving significant amounts of money through the world.”

The last few years have seen a significant uptick in New York state law enforcement and regulatory investigations into financial institutions for violations of AML or Bank Secrecy Act (BSA) compliance. The NYDFS conducted a four-year investigation into terrorism financing, sanctions violations and AML compliance at financial institutions. The NYDFS uncovered what it believes to be shortcomings in the transaction-monitoring and filtering programs of financial institutions and a lack of robust governance, oversight and accountability at the senior levels of those institutions. The proposed rule is in direct response to those concerns.

Scope

The proposed regulation would cover a number of entities that are currently subject to NYDFS regulation, including all banks, trust companies, private bankers, savings banks and savings and loan associations chartered pursuant to the New York Banking Law and all branches and agencies of foreign banking corporations licensed to conduct banking operations in New York. These entities are already subject to broad, risk-based federal AML rules issued by the federal banking regulators and the Financial Crimes Enforcement Network (FinCEN).

Additionally, the rule covers nonbank regulated institutions, including check cashers and money transmitters licensed in New York. These nonbank entities are subject to federal rules that apply to “money services businesses,” which are comparable to, but not identical to, the federal AML requirements that banks are required to follow.

Interestingly, the proposed regulation would not cover other entities, such as New York-licensed insurance companies or persons subject to the New York “BitLicense” regulations. Federally chartered depository institutions are also exempt.

Federal AML Requirements vs. the Proposed Regulation

The federal AML rules allow for flexibility for institutions and do not specify the particular steps that the institutions must take to identify suspicious activities or sanctions targets. Instead, the federal AML rules require each financial institution to implement AML programs that are reasonably designed to satisfy their requirements, based on each individual financial institution’s specific money laundering risk.

This proposed regulation adds an additional level of specificity to the existing AML framework. It does so by detailing the required characteristics of watch-list-filtering and transaction-monitoring programs. Importantly, the proposed regulation does not seek to change any of the federal AML reporting requirements, but instead requires covered institutions to construct and maintain monitoring systems with distinct features.

The proposed regulation also adds an additional requirement, not present in the federal requirements, that holds compliance executives accountable through the certification and attestation requirements.

Transaction-Monitoring and Filtering Program Requirements

Under the proposed regulation, covered institutions would be required to maintain a watch-list-filtering program and a transaction-monitoring program. These requirements work in tandem to first prevent transactions that are prohibited by applicable sanctions — including Office of Foreign Assets Control (OFAC) and other sanctions lists, politically exposed persons lists, and internal watch lists — and second to monitor transactions, after their execution, for potential “BSA/AML violations and Suspicious Activity Reporting” as required by federal law.

Many of these requirements are already being complied with by a vast majority of financial institutions as part of their AML programs required by federal law. However, the proposal does contain some additional state-specific requirements that may require changes to existing AML programs as detailed below.

Watch-List-Filtering Program

Each regulated institution would be required to maintain a watch-list-filtering program that is based on the risk assessment of the institution and that utilizes watch lists that reflect current legal and regulatory requirements. At a minimum, the program must include the following attributes:

  • Be based on technology for matching names and accounts
  • Include end-to-end, pre-implementation and post-implementation testing of the watch-list-filtering program, including data mapping, an evaluation of whether the watch lists and threshold-setting map to the risks of the institution, the logic of matching technology or tools, model validation, and data input and watch-list-filtering program output
  • Be subject to ongoing analysis to assess the logic and performance of the technology or tools for matching names and accounts, as well as the watch lists and the threshold settings to see if they continue to map the risks of the institution
  • Include easily understandable documentation that articulates the intent and the design of the program tools or technology.

Transaction-Monitoring and Filtering Program

Each regulated institution would be required to institute a transaction-monitoring and filtering program that, at a minimum, requires the following:

  • Identification of all data sources that contain relevant data
  • Validation of the integrity, accuracy and quality of data to ensure that accurate and complete data flows through the transaction-monitoring and filtering program
  • Data extraction and loading processes to ensure a complete and accurate transfer of data from its source to automated monitoring and filtering systems, if automated systems are used
  • Governance and management oversight, including policies and procedures governing changes to the transaction-monitoring and filtering program to ensure that changes are defined, managed, controlled, reported and audited
  • Vendor-selection process if a third-party vendor is used to acquire, install, implement or test the transaction-monitoring and filtering program or any aspect of it
  • Funding to design, implement and maintain a transaction-monitoring and filtering program that complies with the regulations
  • Qualified personnel or outside consultants responsible for the design, planning, implementation, operation, testing, validation and ongoing analysis of the transaction-monitoring and filtering program, including automated systems if applicable, as well as case management, review and decision-making with respect to generated alerts and potential filings
  • Periodic training of all stakeholders.

Of note, the proposed rule would also prohibit a regulated institution from making changes or alterations to its transaction-monitoring program or watch-list-filtering program to avoid or minimize the filing of suspicious activity reports or because the institution does not have the resources to review the number of alerts generated by the program.

Annual Certification

Modeled on the officer certifications under the Sarbanes-Oxley Act of 2012, the proposed regulation includes a more burdensome certification requirement. The proposed rule requires each regulated institution to submit an annual certification executed by the institution’s CCO or functional equivalent. The certification must include an attestation from the CCO that “to the best of their knowledge,” the institution’s filtering and monitoring programs are in compliance with the requirements of the proposed rule. Additionally, the CCO must certify that he or she has personally reviewed, or caused to be reviewed, those programs.

Penalties for Noncompliance

One of the most controversial aspects of the proposed regulation is the criminal penalty for a CCO who files an incorrect or false annual certification. The proposed rule does not provide or define the standard of intent for the criminal penalty.

In addition to the personal criminal liability that would apply to CCOs, regulated entities that fail to meet the requirements of the proposed regulation could be subject to all applicable penalties under the New York Banking or Financial Services Law. Those penalties are potentially significant when you consider that, over the last few years, the NYDFS has penalized or fined several institutions more than $100 million for AML and sanctions violations.

Effective Date

The proposed regulation, if finalized, would be effective immediately and apply to all “state fiscal years” beginning April 1, 2016.

Pepper Points

  • Some of the largest and most complex banking institutions in the world may have difficulty explaining to a bank examiner, in easily understandable documentation, the design of the program tools and technology that implement real-time AML systems as required by the proposed regulation.
  • The federal AML rules that financial institutions must also follow do not specify the exact steps that financial institutions must take to identify the actual suspicious activity. Instead, the AML rules require implementation of AML programs reasonably designed to satisfy their requirements, based on the institution’s money laundering risk. Additionally, those federal rules do not require any individual at the financial institutions to certify, under threat of criminal penalty, that they have implemented the procedures required. The NYDFS does not seem to believe these flexible standards are sufficient, and the proposed regulation would require institutions to maintain systems with specific features.
  • The NYDFS has been open to making significant changes to rules between the proposal stage and the final rule based on public comment, as evidenced by the recent “BitLicense” proposal and final rule. This presents an opportunity for those in the industry to explain the significant challenges that this rule will impose, including the attestation requirement’s potential chilling effect on the hiring of qualified compliance talent at the CCO level.
  • A fundamental question to be asked as part of the evaluation of the attestation requirement is whether the CCO is the appropriate person to sign the annual certification under the threat of criminal penalty. A CCO may not have the authorization or the resources to effectuate the change necessary to meet these new compliance requirements within the organization. However, it cannot be argued that the CEO, an independent committee within the board of directors or an independent auditor would lack the authority to make the changes necessary to implement the systems required by this proposed rule.
  • The state supervisory system is strongest when most states view the regulatory landscape through a similar prism. The state supervisory system has done great things, not the least of which includes harmonizing intricate laws through the uniform law process. But when any state goes too far in one direction or another and departs from the views of other states, it becomes much tougher for companies to comply. Often in cases like this, the toughest state’s standards become the default standard across the board.
  • This proposed rule raises the question of whether some or all of it opens New York state up to federal preemption challenges. There are certainly good arguments to be made that this rule does not directly conflict with federal AML requirements because the proposed rule would effectively provide a more granular framework of existing federal requirements and is not in direct conflict with federal law. However, it remains to be seen whether the certification under threat of criminal penalty portion of the proposed rule would stand up to a court challenge.

Walter B. Donaldson II