This summer, one of the nation’s top state regulators for finance announced a major new AML regulation, providing a critical hook for regulatory liability for companies that lack effective anti-money laundering controls. An understanding of this new regime is critical for bank and insurance companies that do business nationally.
The New York Department of Financial Services (NYDFS) regulates the financial services, insurance, and banking industries in New York, including any out-of-state companies that conduct business in those industries in New York. On June 30, the NYDFS issued a new regulation (the “Rule”) setting forth specific minimum standards that its regulated institutions must use to monitor and filter transactions for potential anti-money laundering (AML) and Bank Secrecy Act (BSA) violations and to block transactions prohibited by the Office of Foreign Assets Control (OFAC).[i]
The most important part of the new Rule is its requirement that every NYDFS regulated institution annually submit either a board resolution or a “Senior Officer(s) Compliance Finding” certifying that the institution’s board members or a named senior officer personally reviewed documentation regarding the entity’s AML and prohibited-transaction prevention programs, and certified them as complying with the Rule’s requirements (a “Compliance Certification”). Specifically, the board members or certifying senior officer must certify that:
- They have reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary to adopt the Board Resolution or Senior Officer Compliance Finding;
- They have taken all steps necessary to confirm that the institution has a transaction monitoring and filtering program that complies with the provisions of the Rule; and
- To the best of their knowledge, the transaction monitoring and the filtering program of the institution complied with the Rule during the prior year.
The Rule makes clear that the NYDFS believes the shortcomings in the banking and financial services industry’s AML systems are attributable to “a lack of robust governance, oversight, and accountability at senior levels.” Accordingly, the annual Compliance Certification requirement is meant to increase accountability of the executive leadership of financial institutions by requiring that they know of and approve the steps their institutions are taking to comply with AML regulations. The Compliance Certification required by the Rule is significantly less harsh than the one in the initial iteration of the Rule, which the NYDFS proposed in December of 2015.[ii] The earlier version required that the certifying person be the institution’s chief compliance officer or an equivalent senior officer and provided that the certifying officer would be subject to criminal penalties for an incorrect or false Compliance Certification.[iii] The final version of the Rule simply provides that “the regulation will be enforced pursuant to . . . the Superintendent’s authority under any applicable laws.”
The Rule’s other technical requirements are less impactful than the Compliance Certification requirement. First, the Rule requires that institutions maintain a manual or automated transaction monitoring program reasonably designed to monitor transactions for potential BSA/AML violations and suspicious activity reporting. Second, the Rule requires that institutions maintain a watch-list filtering program that is reasonably designed to intercept and prevent transactions prohibited under OFAC and other sanctions lists. Institutions must also (i) subject the effectiveness of their transaction-monitoring and filtering programs to ongoing analysis and testing and (ii) document, for inspection by the NYDFS, any areas that require improvement. Regulated institutions must also retain the records that support their yearly Compliance Certifications for at least five years.
The Rule takes effect January 1, 2017, and regulated entities are required to submit their first Compliance Certification beginning on April 15, 2018. For the most part, if a financial institution complies with existing AML regulations, it should already maintain programs that satisfy most of the technical requirements of the Rule. However, the documentation and oversight of those programs will now be subject to a more stringent and detailed review by the NYDFS. Regulated entities and their compliance teams should institute policies requiring that all aspects of their AML and watch-list filtering systems be documented (if such policies are not already in place). To comply with the Rule and be able to comfortably issue Compliance Certifications, regulated entities and their senior compliance personnel should carefully reevaluate the documentation, analysis, and testing of the design and effectiveness of their existing AML programs.