The New York State Department of Financial Services (DFS) has recently proposed a new anti-money laundering and anti-terrorism regulation that would heighten the requirements of DFS-regulated financial institutions to monitor for violations of anti-money laundering (AML), Bank Secrecy Act (BSA), anti-terrorism, and federal economic sanctions laws and regulations. DFS’s proposal is intended to address perceived shortcomings in the transaction monitoring and filtering programs at DFS-regulated financial institutions, which, according to DFS, were caused by a “lack of robust governance, oversight, and accountability at senior levels of these institutions . . . .”

Notably, this state agency proposal seeks to require a more vigorous screening program than that imposed by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), the office that administers and enforces federal U.S. economic sanctions. In addition, the proposed regulation would require each DFS-regulated financial institution to submit an annual certification executed by the institution’s Chief Compliance Officer (or functional equivalent) certifying that the institution is in compliance with the proposed regulation. The filing of an incorrect or false annual certification could subject the Chief Compliance Officer to unspecified criminal penalties. There is no similar certification requirement under federal law. DFS is accepting comments on the proposed regulation until March 31, 2016.

We summarize below the main provisions of the proposed regulation and key takeaways for financial institutions that are subject to DFS regulations.

Transaction Monitoring and Filtering Program

The proposed regulation requires DFS-regulated financial institutions to implement a Transaction Monitoring and Filtering Program to monitor transactions after their execution for potential BSA/AML violations and Suspicious Activity Reporting.

Under the proposed regulation, such a program must:

  • Be based on an ongoing comprehensive risk assessment, including an enterprise-wide BSA/AML risk assessment;
  • Reflect all current BSA/AML laws, regulations, and alerts, as well as any relevant information available from the institution’s related programs and initiatives, such as KYC due diligence, enhanced customer due diligence, security, investigations, and fraud prevention;
  • Map BSA/AML risks to the institution’s businesses, products, services, and customers/counterparties;
  • Utilize BSA/AML detection scenarios that are based on the above-mentioned risk assessment, with threshold values/amounts set to detect potential money laundering or other suspicious activities;
  • Include an end-to-end, pre- and post-implementation testing of the program and conduct periodic testing;
  • Include easily understandable documentation about the program and its details;
  • Include investigative protocols detailing how alerts generated by the program will be investigated and how alerts will be handled and by whom; and
  • Be subject to an ongoing analysis to assess the continued relevancies of the detection scenarios, rules, threshold values, parameters, and assumptions.

Many of these requirements, despite being more extensive than federal requirements, will not prove particularly onerous by themselves for financial institutions. However, it is notable that the proposed regulation explicitly prohibits making changes to the program to avoid or minimize filing Suspicious Activity Reports or because the financial institution does not have the resources to review the number of alerts generated by the program. This prohibition, combined with the personal liability that is imposed by the certification requirement, may cause smaller financial institutions to set their thresholds very low and manage the increased burden of a large number of false-positives, rather than accept the risk that legitimate alerts generated by the program might be overlooked.

Watch List Filtering Program

In contrast to the Transaction Monitoring and Filtering Program, the Watch List Filtering Program required by the proposed regulation must interdict transactions before they are executed. Transactions that must be interdicted include those with individuals and entities on OFAC lists and internal watch lists.

Under the proposed regulation, this program must:

  • Be based on an ongoing comprehensive risk assessment, including an enterprise-wide BSA/AML risk assessment;
  • Be based on technology or tools for matching names and accounts based on the institution’s particular risks, transaction, and product profiles that are adequate to capture prohibited transactions;
  • Include an end-to-end, pre- and post-implementation testing of the program;
  • Utilize watch lists that reflect current legal or regulatory requirements;
  • Be subject to ongoing analysis to assess the logic and performance of the technology or tools for matching names and accounts, as well as the watch lists and threshold settings, to ensure that they continue to map to the risks of the institution; and
  • Include easily understandable documentation about the program and its details.

This program requires financial institutions to interdict transactions prohibited by economic sanctions and other regulations in real time. This represents an elevated burden compared to the current approach taken by OFAC, which generally permits a risk-based analysis that screens transactions in batches.

Certification Requirement

The proposed rule requires the Chief Compliance Officer (or functional equivalent) of a DFS-regulated financial institution to submit an annual certification by April 15th each year. The proposed text of this annual certification currently reads as follows:

In compliance with the requirements of the New York State Department of Financial Services (the "Department") that each Regulated Institution maintain a Transaction Monitoring and Filtering Program satisfying all the requirements of Section 504.3 and that a Certifying Senior Officer of a Regulated Institution sign an annual certification attesting to the compliance by such institution with the requirements of Section 504.3, each of the undersigned hereby certifies that they have reviewed, or caused to be reviewed, the Transaction Monitoring Program and the Watch List Filtering Program (the “Programs”) of (name of Regulated Institution) as of ___________ (date of the Certification) for the year ended ________ (year for which certification is provided) and hereby certifies that the Transaction Monitoring and Filtering Program complies with all the requirements of Section 504.3.

By signing below, the undersigned hereby certifies that, to the best of their knowledge, the above statements are accurate and complete.

The proposed regulation states that the filing of an “incorrect or false” annual certification may subject the Chief Compliance Officer to unspecified criminal penalties (in addition to potential civil penalties for the financial institution under the New York Banking Law and New York Financial Services Law).

We note that the proposed rule (which spans less than six full pages) provides very few details about what exactly constitutes an acceptable compliance program. This is particularly concerning given that Chief Compliance Officers are being subjected to criminal prosecution for falsely representing that their compliance programs comply with the proposed regulation. For example, the broad requirement that the programs “map” risk to the institution’s businesses, products, services, and customers/counterparties is extremely vague and does not provide any guidance as to what risk factors are relevant for any given business, product, service, or categories of customers/counterparties. Similarly, no benchmarks are given by DFS as to what the post-implementation tests of the programs should reveal or measure against. As such, the proposed regulation affords DFS significant discretion to define the contours of a compliant program on a case-by-case basis, presenting significant risk and uncertainty for DFS-regulated financial institutions. Depending on the comments that DFS receives on the proposed regulation, it may take some steps to address these concerns.

Key Takeaways

DFS has proposed comprehensive requirements for financial institutions to implement new compliance procedures that exceed those currently applied by federal and state regulators. These requirements are unique in the United States, as we know of no other state that has implemented such a far-ranging program.

We also note that DFS has been a particularly active and aggressive enforcement agency since its formation in October 2011. In the sanctions arena alone, DFS has been involved with, and led, a number of high-profile enforcement actions against large financial institutions. At times, DFS appears to be enforcing U.S. economic sanctions independently of OFAC, the agency that promulgates the sanctions regulations. We expect that DFS will seek to use the proposed regulation as an additional enforcement tool in this area. The proposed regulation gives DFS the power to hold DFS-regulated financial institutions (and their Chief Compliance Officers) responsible for compliance shortcomings even when there are no related sanctions violations.