In several recent cases involving New York-licensed institutions, the New York Department of Financial Services (“NYDFS”) imposed measures that go beyond those imposed by federal authorities settling charges involving anti-money laundering (“AML”) compliance failings. These additional measures include separate penalty amounts and, in some instances, appointing a monitor.1
On December 1, 2015, New York signaled that it will continue to pursue this separate path, when Governor Andrew Cuomo proposed a new AML regulation to address terrorist financing, sanctions violations and money laundering activities. The regulation would require (i) covered institutions to maintain a transaction monitoring and watch list filtering program, and (ii) institutions’ Chief Compliance Officers (“CCOs”) to file an annual certification of compliance with the NYDFS.2 When finally implemented, the regulation will apply to New York-chartered banks and trust companies and New York-licensed branches and agencies of foreign banks, as well as check cashers and money transmitters (collectively, “Regulated Institutions”).3
When announcing the proposed regulation, Governor Cuomo pointed out that during the last four years, NYDFS investigations into terrorist financing, sanctions violations and anti-money laundering compliance at Regulated Institutions have identified serious shortcomings with respect to transaction monitoring and filtering programs, as well as a lack of robust governance, oversight and accountability at senior levels of these institutions that has contributed to these shortcomings.
Notwithstanding the existence of a comprehensive federal enforcement regime that was established initially in 1970 by the enactment of the Bank Secrecy Act (“BSA”), which was significantly enhanced following the September 11, 2001, attacks through the enactment of the USA PATRIOT Act, Governor Cuomo and the NYDFS believe that additional state-level regulation is necessary to ensure that Regulated Institutions “do everything they can to stop that flow of illicit funds.”
The proposed regulation imposes the following requirements.
Transaction Monitoring Program. Regulated Institutions must maintain a program for monitoring transactions for potential BSA/AML violations and suspicious activity reporting. Transaction monitoring may be accomplished through a manual or an automated protocol and only needs to focus on completed transactions.
Additionally, once the regulation is finalized, each institution’s transaction monitoring program must:
- Reflect current BSA/AML laws, regulations and alerts, as well as relevant “know your customer due diligence,” “enhanced customer due diligence,” security, investigations and fraud prevention data;
- Map BSA/AML risks to the Regulated Institution’s businesses, products, services and customers/counterparties;
- Utilize BSA/AML detection scenarios;
- Include end-to-end, pre- and post-implementation testing of the program;
- Include investigative protocols detailing how alerts generated as a result of transaction monitoring will be investigated, the process for deciding which alerts will result in a filing or other action, who is responsible for making such a decision and how the investigative and decision-making process will be documented; and
- Be subject to an on-going analysis to assess the continued relevancy of the detection scenarios, the underlying rules, threshold values, parameters and assumptions.
Watch List Filtering Program. Under the proposal, Regulated Institutions will be required to maintain a program for monitoring transactions that are prohibited under applicable sanctions programs, including Office of Foreign Assets Control (“OFAC”) sanctions, politically exposed persons (“PEPs”) lists and internal watch lists. This monitoring also can be accomplished through a manual or automated monitoring protocol, but such protocols must be capable of identifying (and, if appropriate, interdicting) prohibited transactions prior to their execution. Additionally, watch list monitoring programs must:
- Be based on technology or tools for matching names and accounts;
- Include end-to-end, pre- and post-implementation testing;
- Utilize watch lists that reflect current legal or regulatory requirements; and
- Be subject to on-going analysis to assess the logic and performance of the technology or tools for matching names and accounts, as well as the watch lists and the threshold settings to see if they continue to map to the risks of the institution.
Regulated Institutions that use a third-party service provider in the creation or implementation of a transaction or watch list monitoring program will be required to establish a vendor selection process to identify qualified outside consultants. Also, once implemented, presumably after a period of initial adjustment, Regulated Institutions will not be allowed to change or alter their transaction monitoring or watch list filtering program in a manner that would lower or otherwise minimize its filing of Suspicious Activity Reports (“SARs”), regardless of whether the Regulated Institution lacks the resources to review all of the alerts generated by the program.4
Annual CCO Certification. A Regulated Institution’s CCO will be required to submit an annual certification to NYDFS by April 15. A certification form is attached to the proposed regulation. The proposed version of the form provides that the CCO has reviewed, or caused to be reviewed, the transaction monitoring program and the watch list filtering program and that the CCO certifies that the Regulated Institution complies with the requirements set out in the regulation. Certifying compliance with the regulation without any qualifications would effectively hold the CCO strictly liable. This is particularly problematic because the proposed regulation would make the CCO criminally liable for filing an incorrect or false certification.5
The NYDFS proposal will be subject to a 45-day comment period, which ends on February 1, 2016. The regulation could be finalized as early as the first quarter of 2016, which would require Regulated Institutions to implement transaction monitoring and watch list filtering programs (including CCO certification) as early as 2017.
Many aspects of the NYDFS proposal codify procedures that have become commonplace as a result of guidance that was provided as part of the federal examination process or through conditions imposed on institutions as part of supervisory settlements. In other respects, however, the NYDFS proposal appears to contain elements that are no longer regarded as best practice (such as manual transaction monitoring) or that go well beyond BSA requirements, such as prohibiting transactions involving PEPs or requiring CCOs to personally vouch for the sufficiency and effectiveness of their compliance procedures. In an environment where institutions are already challenged to retain seasoned compliance professionals, the CCO certification may further constrict the market for eligible candidates and could substantially increase the cost of compensation packages. Additionally, increased operational costs that will result from the proposal could force smaller regulated entities (especially check cashers and money transmitters) out of business or increase their costs to customers.