Why it matters

The New York Department of Financial Services (DFS) may have launched its strongest offensive yet against observed shortcomings in the Bank Secrecy Act and anti-money laundering (BSA/AML) compliance efforts at NY regulated entities. Citing "a lack of robust governance, oversight and accountability at senior levels" of these organizations, the DFS has formally proposed a new regulation to require the establishment of "Transaction Monitoring" and "Watch List Filtering" Programs by banks, money transmitters and check cashers—but not Bitlicense companies.

The program requirements themselves require close review due to the specificity of what the DFS proposes and the likely costs to implement. However, much of the buzz around the DFS proposal focuses on the requirement that the chief compliance officer must certify annually his or her institution's compliance with new requirements. And, an incorrect or false certification could result in criminal penalties for the CCO. While most banks presumably are already compliant with what is prescribed in the regulation, most money transmitters are likely to have a much more difficult time initially complying due to the level of specificity and the scope of work that will be required to put the required programs in place.

Detailed discussion

New York's Department of Financial Services (DFS) is taking compliance with the federal Bank Secrecy Act and anti-money laundering (BSA/AML) to a new level. Citing its awareness of "shortcomings" in both transaction monitoring and filtering programs in institutions it regulates as well as "a lack of robust governance, oversight and accountability at senior levels" that has contributed to such shortcomings, it is proposing to require certain regulated entities to develop and maintain formal Transaction Monitoring and Filtering Programs. It is also proposing that the chief compliance officer (or functional equivalent) certify that the entity is compliant with these requirements.

The DFS proposes that the entity would be subject to all applicable penalties for failing to maintain the required programs and for failing to file a certification. And, probably most controversial, the DFS proposes that the officer making such certification be subject to criminal penalties for an "incorrect or false" certification.

In the wake of the Paris terrorist attacks, New York Governor Andrew Cuomo announced the new regulatory proposal stating that "Money is the fuel that feeds the fire of international terrorism." Since "Global terrorist networks simply cannot thrive without moving significant amounts of money throughout the world" he said "it is especially vital that banks and regulators do everything they can to stop that flow of illicit funds."

Pursuant to the proposal, not only banks but also money transmitters and check cashers regulated by the DFS would be required to establish a Transaction Monitoring Program "for the purpose of monitoring transactions after their execution for potential BSA/AML violations and the Suspicious Activity Reporting." The proposed regulation sets out a detailed list of minimum required attributes of a compliant program. Among other things, the program must (1) be based on the Risk Assessment of the institution, (2) reflect all current BSA/AML laws, regulations, and alerts as well as information available from "related" programs and initiatives like KYC and enhanced customer due diligence or other "relevant areas, such as security, investigations and fraud prevention," (3) be a map of the BSA/AML risks to the bank's various businesses, products, services, and customers and (4) use BSA/AML detection scenarios based on the Risk Assessment to detect potential money laundering or other suspicious activities.

The program must also include (1) extensive "end-to-end, pre- and post-implementation testing" of the program, (2) documentation articulating the institution's detection scenarios and underlying assumptions, parameters and thresholds, and (3) investigative protocols about how alerts will be investigated and the decision-making involved if additional steps are necessary. The program must also be subject to an ongoing analysis to assess the continued relevance of the various elements of the program.

The Watch List Filtering Program attributes are similarly specific. The purpose of this program is "interdicting transactions, before their execution, that are prohibited by applicable sanctions, including OFAC and other sanction lists, politically exposed persons lists and internal watch lists. In addition to being based on the Risk Assessment, the program must be based on the technology or tools used for matching names and accounts and provide for "end-to-end testing" of the program.

Both programs must also "require" a number of very specific data related processes including identification of data sources with relevant data, validation of the integrity, accuracy and quality of the data to ensure accurate and complete data flows through the programs, and data extraction and loading processes. In addition the programs must require (1) governance and management oversight, (2) a vendor selection process if one is used for any aspect of the programs, (3) funding to design, implement and maintain the programs in compliance with the NY regulation, (4) qualified personnel or outside consultants and (5) periodic training of all stakeholders.

The regulation also includes a specific prohibition on making changes or alterations to the programs to minimize or avoid filing SARs or because the entity does not have the resources necessary to review the number of alerts generated by the program.

The annual certification of the CCO or functional equivalent must address two points. The first is that the CCO has "reviewed, or caused to be reviewed" the two programs for the year at issue. The second is a certification that the two programs comply with all of the detailed requirements of the regulation.

The proposal is currently open for a 45-day comment period. If enacted, the regulations would take immediate effect with enforcement beginning April 1, 2017.

To read the Transaction Monitoring and Filtering Program Requirements, click here.