Earlier this month, Governor Andrew M. Cuomo of New York announced newly proposed anti-terrorism and anti-money laundering regulations that impose increased compliance requirements and more importantly, vastly expanded personal liability for senior compliance officers.1
In an effort to combat “serious shortcomings in the transaction monitoring and filtering programs” of regulated entities, the Department of Financial Services (Department) has proposed rules that would create additional requirements for AML/BSA programs and impose new annual certification requirements on chief compliance officers. This rule would apply to banks chartered pursuant to New York banking law (Banking Law), all branches and agencies of foreign banking corporations licensed pursuant to Banking Law, as well as nonbank institutions such as check cashers and money transmitters licensed under Banking Law. It is important to note that New York maintains a very broad interpretation of ‘doing business’ in the state that does not necessarily require a physical presence in New York.2
The proposed rule would require licensed institutions (i) to maintain a transaction monitoring program to detect violations of BSA/AML laws and suspicious activity, (ii) to strengthen existing watch list filtering programs designed to block the execution of transactions prohibited by applicable sanctions and terrorist financing rules; and (iii) to make an annual certification by the chief compliance officer that the aforementioned programs are fully compliant with the proposed rule.3 As noted above, the proposed regulations apply not only to banks but also to nonbank regulated institutions such as check cashers and money transmitters licensed under Banking Law.
While the specific requirements of the transaction monitoring program and filtering program add additional layers of regulations to an already complex regulatory scheme, the certification requirement is most noteworthy. In an effort to address a “lack of robust governance, oversight, and accountability at senior levels,” the proposed regulations require an annual certification of the institution’s compliance with the rule.4 This certification regime is likely borrowed from the CEO/CFO certifications required under Sarbanes-Oxley. However, the certification under the proposed rule specifically attests to the adherence of the rule, rather than the more general intended design of such programs found under Section 302 of Sarbanes-Oxley.
Additionally, the proposed rule provides for criminal penalties for a compliance officer submitting an incorrect or false annual certification. While no knowledge requirement is set forth in connection with submitting an inaccurate certification, some degree of scienter is likely required.
We view these regularity developments in New York as having far reaching consequences. Not only will efforts to maintain compliant AML/BSA programs be affected, but regulated entities may increasingly struggle to hire and retain qualified compliance officers. While no other state has proposed similar regulations, New York’s proposal may inspire regulators in other states to act. Other states may well consider the New York precedent in expanding the personal liability of senior compliance officers.
We particularly caution out of state nonbank institutions such as money transmitters and check cashiers with no physical presence in the state but who have online customer transactions in New York. Combining the digital nature of the industry with New York’s broad interpretation of ‘doing business’ in the state, can result in unsuspecting foreign entities being brought under the jurisdiction of Banking Law, including the proposed rule. It remains to be seen to what extent the Department will enforce its rules in regulating entities entirely located and licensed out of state but who have occasional customer contacts originating in New York.
The public notice and comment period expires January 15, 2016. Affected companies should consider commenting on the proposed regulations.