Introduction
Background
Transaction monitoring programme
Filtering programme
Documenting improvements and remedial efforts
Annual board resolution or senior officer compliance finding
Penalties and enforcement
Comment
Introduction
On June 30 2016 the New York State Department of Financial Services (NYDFS) issued a final rule setting out the minimum requirements for transaction monitoring and filtering programmes used by regulated institutions to monitor:
- potential Bank Secrecy Act and anti-money laundering violations;
- suspicious activity reporting; and
- sanctions violations.
The final rule also requires regulated institutions to submit annually to the NYDFS a board resolution or senior officer finding confirming that all necessary steps have been taken to ensure compliance with the final rule. Regulated institutions include:
- New York-chartered:
  - banks;
  - trust companies;
  - private bankers;
  - savings banks; and
  - savings and loan associations; and
- New York-licensed:
  - branches and agencies of foreign banking organisations;
  - check cashers; and
  - money transmitters.
The final rule will take effect on January 1 2017 and the annual board resolution or senior officer compliance finding must be submitted by April 15 2018.
Background
During its review of Bank Secrecy Act and anti-money laundering and sanctions compliance at regulated institutions, the NYDFS discovered shortcomings in transaction monitoring and filtering programmes due to a lack of robust governance, oversight and accountability at the senior levels of various institutions. To address these concerns, the NYDFS issued a proposed rule in December 2015 to clarify the minimum attributes of transaction monitoring and watch list filtering programmes.(1) The NYDFS sought comments on the proposed rule by March 31 2016. The final rule makes some modifications to the proposed rule based on the comments received, including with respect to the annual certification requirement as further discussed below.
Transaction monitoring programme
Each regulated institution must maintain a transaction monitoring programme that is reasonably designed to monitor transactions after their execution for potential Bank Secrecy Act and anti-money laundering violations and suspicious activity reporting, using either manual or automated systems. The final rule lists eight specific minimum requirements for transaction monitoring programmes (to the extent that they are applicable):
- The programme must be based on the regulated institution's risk assessment, which must be comprehensive and ongoing and take into account factors such as the institution's:
  - size;
  - staffing;
  - governance;
  - businesses;
  - products and services;
  - operations;
  - customers;
  - counterparties;
  - other relationships; and
  - geographies.
- The programme must be periodically reviewed and updated at risk-based intervals to reflect changes to applicable Bank Secrecy Act and anti-money laundering laws, regulations and regulatory warnings, as well as any other information determined by the institution to be relevant.
- The programme must appropriately match Bank Secrecy Act and anti-money laundering risks to the institution's businesses, products, services and customers and counterparties.
- The programme must include detection scenarios with threshold values and amounts designed to detect potential money laundering and other suspicious or illegal activities.
- The programme must undergo end-to-end, pre and post-implementation testing, including – as relevant – with regard to:
  - governance;
  - data mapping;
  - transaction coding;
  - detection scenario logic;
  - model validation;
  - data input; and
  - programme output.
- Programme documentation must articulate the existing detection scenarios and underlying assumptions, parameters and thresholds.
- The programme must include protocols that detail the investigation and decision-making process for alerts generated by the programme.
- The continued relevance of the following aspects of the programme will be subject to ongoing analysis:
  - the detection scenarios;
  - the underlying rules;
  - the thresholds;
  - the parameters; and
  - the assumptions.
Filtering programme
Each regulated institution must maintain a manual or automated filtering programme that is reasonably designed to prohibit transactions prohibited under sanctions issued by the US Treasury Office of Foreign Assets Control (OFAC). Unlike the proposed rule – which applied to filtering programmes that screen against 'other sanctions lists' in addition to OFAC sanctions, politically exposed persons lists and internal watch lists – the final rule applies only to OFAC sanctions.
The final rule lists five specific minimum requirements for filtering programmes (to the extent that they are applicable):
- The programme must be based on the regulated institution's risk assessment.
- The programme must be based on technology, processes or tools reasonably designed for matching names and accounts, based in each case on the particular institution's risk, transaction and product profiles.
- The programme must undergo end-to-end, pre and post-implementation testing, including – as relevant – a review of:
  - data matching;
  - whether the OFAC sanctions list and threshold settings reflect the institution's risks;
  - the logic of matching technology or tools;
  - model validation; and
  - data input and programme output.
- The programme will be subject to ongoing analysis of the logic and performance of the technology or tools used to match names and accounts and continuous assessment of whether the OFAC sanctions list and threshold settings continue to reflect the institution's risks.
- Programme documentation must articulate the intent and design of the filtering programme tools, processes or technology.
Both the transaction monitoring programme and the filtering programme must, to the extent applicable:
- identify all relevant data sources;
- validate the integrity and quality of the data used;
- ensure accurate data transfer from its source to any automated systems used;
- provide for governance and management oversight of the programmes (including changes thereto);
- include a third-party vendor selection process;
- be appropriately funded and staffed by qualified personnel or outside consultants; and
- provide periodic training for all stakeholders.
Documenting improvements and remedial efforts
To the extent that a regulated institution has identified areas, systems or processes relating to its transaction monitoring or filtering programme that require material improvement, updating or redesign, the institution must document such areas, systems or processes and any remedial efforts that are planned and underway. Such documentation must be made available for inspection by the NYDFS. This is a new requirement under the final rule.
Annual board resolution or senior officer compliance finding
Under the final rule, a regulated institution must adopt and submit to the NYDFS by April 15 each year either a board of directors' resolution or a senior officer compliance finding that certifies compliance with the final rule in the form included as Attachment A of the final rule.
The 'board of directors' refers to the regulated institution's governing board or the functional equivalent if there is no board of directors. A 'senior officer' means the senior individual or individuals responsible for a regulated institution's management, operations, compliance and risk. The members of the board of directors or the senior officer must certify that:
- they have reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary to adopt the board resolution or senior officer compliance finding;
- they have taken all steps necessary to confirm that the regulated institution has transaction monitoring and filtering programmes in place that comply with Section 504.3 of the final rule; and
- to the best of their knowledge, the transaction monitoring and filtering programmes comply with Section 504.3 of the final rule as of the date of the board resolution or senior officer compliance finding for the specified year.
Regulated institutions must maintain – for the NYDFS's examination – all records, schedules and data supporting adoption of the board resolution or senior officer compliance finding for five years.
The final rule modifies the annual certification requirement by expanding the number of potential officer certifiers provided in the proposed rule, which required a regulated institution's chief compliance officer (or functional equivalent) to provide the certification. However, in practice, the certification responsibility will most likely fall on the chief compliance officer, chief risk officer or functional equivalent because boards and other senior officers may be hesitant to provide the certification. In addition, the certification form has been revised under the final rule to indicate specifically that the certification process requires certain due diligence steps to be taken (eg, obtaining reports, certifications and opinions of certain officers, employees, representatives, outside vendors and others) as necessary for the board of directors or senior officers to confirm compliance with the final rule.
Penalties and enforcement
The final rule revises the section on penalties and enforcement actions to state that it will be enforced pursuant to – and is not intended to limit – the New York Superintendent of Financial Services's authority under any applicable laws. The final rule omits the proposed rule's statements that regulated institutions would be subject to applicable penalties provided under New York laws for failure to maintain adequate transaction monitoring and filtering programmes and file annual certifications. The final rule also leaves out the proposed rule's specific mention of potential criminal penalties for a certifying senior officer who files an incorrect or false annual certification.
In June 2016 New York Superintendent of Financial Services Maria Vullo signalled that the NYDFS would soften the standard of 'strict liability', but made clear that there will be accountability for compliance deficiencies at senior levels of regulated institutions.(2)
Comment
With the final transaction monitoring and filtering programme rules soon to take effect, each regulated institution should review and, where necessary, enhance its existing programmes to ensure that they are reasonably designed and risk based to meet the NYDFS requirements. Such review and update may warrant, among other measures:
- a gap analysis;
- a risk assessment and additional tailoring of the programmes based on the risk assessment;
- enhanced documentation of processes and procedures;
- further testing and validation of system filters and parameters; and
- the development of a well-documented certification process that will enable senior management to make the required certifications.
The NYDFS is expected to take an aggressive approach in enforcing the final rule. Therefore, regulated institutions should take all necessary precautions and measures to ensure that they will not be found deficient in these areas.
For further information on this topic please contact Connie M Friesen at Sidley Austin's New York office by telephone (+1 212 839 5300) or email ([email protected]). Alternatively, contact Joel D Feinberg at Sidley Austin's Washington DC office by telephone (+1 202 736 8000) or email ([email protected]). The Sidley Austin website can be accessed at www.sidley.com.
Endnotes
(1) The NYDFS press release and proposed rule are available at www.dfs.ny.gov/about/press/pr1512011.htm.
(2) Financial Times, "New York's top finance regulator is no 'Clint Eastwood'", June 22 2016.