On June 30, 2016, the New York Department of Financial Services (“NYDFS”) adopted a new anti-money laundering (“AML”) compliance regulation (the “Final Rule”) that requires Regulated Institutions to (i) maintain a transaction monitoring and filtering program, and (ii) file an annual “compliance finding” with the NYDFS.1 For a detailed explanation of the initial proposal issued by NYDFS in December 2015,2 see our earlier legal update.
The Final Rule incorporates a number of changes that appear to address concerns expressed by the industry following the release of the December 2015 proposal. In particular and as discussed below, the Final Rule substantially alters the proposal’s requirement that Chief Compliance Officers (“CCOs”) provide an annual certification of the effectiveness of the Regulated Institution’s AML compliance program.
The Final Rule differs from the proposal in the following ways:
- Annual Filing Requirement. The proposal would have required a Regulated Institution’s CCO to make an annual certification that the institution complied with the NYDFS AML regulation. This certification appeared to be subject to a strict liability standard, and a CCO would have been criminally liable for making an incorrect or false certification. As adopted, the Final Rule requires the Board of Directors or Senior Officer(s) of the Regulated Institution to submit an annual “Compliance Finding” to NYDFS that states they (i) have reviewed the institution’s transaction monitoring and filtering program and (ii) believe to the best of their knowledge that it complies with the Final Rule. The Final Rule includes a general reference to the enforcement authority of NYDFS, but drops the proposal’s reference to criminal penalties for incorrect or false filings.
The “Compliance Finding” requires each signatory to have reviewed internal reports, sub-certifications, and opinions showing the Regulated Institution’s compliance with the Final Rule, and will require each board member to separately sign the filing. While it is possible that a Board of Directors could be in a position to make the representations required in the “Compliance Finding,” it seems more likely that in practice one or more Senior Officers will execute the “Compliance Finding” because of the logistical difficulties involved in having each board member review the necessary materials and sign the filing. Senior Officers are defined as “the senior individual or individuals responsible for the management, operations, compliance and/or risk of a Regulated Institution,” which may provide institutions with important flexibility with respect to having a Senior Officer other than the CCO review the necessary documents and sign the “Compliance Finding.”
- Filtering Program. The proposal would have required a Regulated Institution to detect, and where appropriate interdict, transactions that were prohibited under applicable sanctions programs, including Office of Foreign Assets Control (“OFAC”) sanctions, politically exposed person (“PEP”) lists, and internal watch lists. The Final Rule omits any references to PEP lists or internal watch lists, and is instead focused solely on identifying and preventing transactions that are prohibited by OFAC.
- Threshold Setting. The proposal would have prohibited a Regulated Institution from changing its monitoring and filtering program to avoid or minimize the filing of suspicious activity reports or because the institution lacked the resources to review all of the alerts created by the program. The Final Rule rephrases this requirement to specify that a Regulated Institution must document when it identifies components of its monitoring and filtering program that require “material improvement, updating, or redesign”, and the “remedial efforts” to be undertaken on those components.
- Record Retention. The proposal did not contain an express record retention requirement. The Final Rule specifies that a Regulated Institution must retain for five years the records that support its annual “Compliance Finding” filing.
While the Final Rule addresses many industry concerns, it retains less clearly defined provisions; the Final Rule does not address the implementation of a vendor selection process if a third party vendor is involved with the Regulated Institution’s transaction monitoring and filtering program, nor does it clarify circumstances whereby Regulated Institutions could rely on manual, rather than automated, transaction monitoring and filtering processes.