Client Alert | Banking

Testing the Limits of Bank Officer Accountability – The NYDFS AML Personal Liability Proposal

January 2016

Authors: Kevin Petrasic, Helen Lee, Katherine Lamberth

The New York Department of Financial Services (“NYDFS”) is currently soliciting public comment on a proposed regulation that would require certain NYDFS-regulated financial institutions (“Regulated Institutions”)1 and their senior-level management to comply with more stringent anti-terrorism and anti-money laundering (“AML”) standards, and impose potential criminal sanctions on senior executives for failure to comply (“Proposed Regulation”).2 The proposal follows a series of high-profile enforcement actions taken by the NYDFS in recent years, including record-setting settlements involving violations of the Bank Secrecy Act (“BSA”), U.S. AML laws, and U.S. sanctions laws.3

The Proposed Regulation, announced by Governor Andrew Cuomo on December 1, 2015, seeks to codify the New York regulator’s heightened expectations for financial institutions’ compliance and risk-management programs and affirms the NYDFS’s previously expressed intention to exact more individual accountability from senior executives of Regulated Institutions.4 In addition to requiring Regulated Institutions to strengthen their existing BSA/AML compliance programs, the Proposed Regulation also contains an annual certification provision that requires the chief compliance officer, or other applicable senior executive, of each Regulated Institution to certify that the institution has sufficient systems in place to detect, filter, and prevent illicit transactions.5

Comments on the Proposed Regulation are due by January 30, 2016.
1 If enacted, these requirements will apply to certain financial institutions currently regulated by NYDFS, namely all New York-chartered banks, trust companies, private bankers, savings banks, and savings and loan associations; all foreign banking corporations licensed pursuant to the New York Banking Law to conduct banking operations in New York; and all check cashers and money transmitters licensed pursuant to the New York Banking Law. Proposed Regulation § 504.2(b), (d) and (e).
2 New York Department of Financial Services Superintendent’s Regulations, Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications (“Proposed Regulation”), N.Y. Reg. (December 16, 2015), at 9, adding Part 504. See NYDFS Press Release dated Dec. 1, 2015 and link to Proposed Regulation, available at http://www.dfs.ny.gov/about/press/pr1512011.htm.
3 See 31 U.S.C. 5311, et seq. and 31 CFR Chapter X. The NYDFS expressly designed the Proposed Regulation to address the findings of recent investigations that identified shortcomings in financial institutions’ transaction monitoring and filtering programs and a “lack of robust governance, oversight, and accountability at senior levels of these institutions [that] has contributed to these shortcomings.” Proposed Regulation § 504.1.
4 Speech by Benjamin M. Lawsky, Superintendent of Financial Services for the State of New York, Financial Federalism: The Catalytic Role of State Regulators in a Post-Financial Crisis World (“Lawsky Speech”) (Feb. 25, 2015), available at http://www.dfs.ny.gov/about/speeches/sp150225.htm.
5 Id.
Several aspects of the Proposed Regulation are of potential concern, including subjective standards that may present challenges for institutions and individuals to gauge the exact level of compliance that is required. Given the significant consequences potentially at stake for Regulated Institutions and individual officers— including criminal liability for “incorrect or false” certifications—it is important for Regulated Institutions and other stakeholders to closely monitor the status of the Proposed Regulation and register concerns during the comment period.

Transaction Monitoring and Filtering Program Requirements

The Proposed Regulation requires each Regulated Institution to maintain a transaction monitoring program that meets state-specific technical requirements to detect potential BSA/AML violations and report suspicious or potentially suspicious or illegal activities. Under the proposal, Regulated Institutions are also required to maintain a watch list filtering program that again meets state-specific technical requirements to interdict transactions that are prohibited by applicable sanctions, including those promulgated by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) and politically exposed person lists. Each Regulated Institution’s transaction monitoring and watch list filtering programs must be specifically tailored based on that institution’s ongoing, comprehensive risk assessment. While the transaction monitoring and watch list filtering program requirements are more specific and technical than what is required under federal law, they generally do not represent novel requirements for purposes of regulatory compliance.
However, the added specificity regarding compliance program attributes will likely require Regulated Institutions to enhance or augment their existing BSA/AML and OFAC compliance programs. For instance, the Proposed Regulation requires end-to-end, pre- and post-implementation testing of the transaction monitoring and watch list filtering programs, and identifies the technological and logical components of each program that must be included in such testing.6 Under the proposal, both the transaction monitoring and watch list filtering programs of a Regulated Institution would also be required to include “easily understandable documentation” that articulates the program’s design.7 The Proposed Regulation also prohibits Regulated Institutions from changing or altering the transaction monitoring and watch list filtering programs to avoid or minimize filing suspicious activity reports, or because the institution does not have the resources to review the number of alerts generated by required programs.8

Annual Certification Requirement

Perhaps the most significant aspect of the Proposed Regulation is a certification requirement, modelled after the officer certification requirement under the Sarbanes-Oxley Act,9 which would subject a Regulated Institution’s chief compliance officer to unprecedented personal—and potential criminal—liability for compliance failures. The provision requires each Regulated Institution to submit an annual certification, duly executed by the institution’s chief compliance officer or functional equivalent, to the NYDFS by April 15th of each year (“AML certification requirement”). In executing the annual certification, the chief compliance officer would have to attest to having reviewed, or caused to be reviewed, the Regulated Institution’s transaction monitoring and watch list filtering programs and to certify that, “to the best of [his or her] knowledge,” the programs adhere to the requirements of the Proposed Regulation.
The NYDFS states that it intends for the “certification requirement [to] cause compliance officers to proactively ensure compliance by their institutions.”10

Notably, the Proposed Regulation states that a chief compliance officer may be subject to criminal penalties for filing an “incorrect or false” certification.11 Regulated Institutions that fail to submit a certification are also subject to “all applicable penalties [under] the Banking Law and the Financial Services Law.”12

6 Proposed Regulation § 504.3(a)(5) and (b)(3).
7 Proposed Regulation § 504.3(a)(6) and (b)(6).
8 Proposed Regulation § 504.3(d).
9 Pub. L. No. 107-204, 116 Stat. 745 (2002).
10 Proposed Regulation, Regulatory Impact Statement.

Concerns Regarding the Proposed Regulation

Subjective Compliance Standards

The Proposed Regulation generally sets forth a checklist of transaction monitoring and filtering program requirements, which, at first glance, seems straightforward and likely to facilitate compliance by a Regulated Institution. However, both the transaction monitoring and filtering programs are required to include “easily understandable documentation.” This is a subjective standard that involves some degree of difficulty in gauging the level of precision that is required for compliance, which thereby increases the risk of noncompliance. In this regard, clarification from the NYDFS would be beneficial.

Financial Federalism by NYDFS

In recent years, the NYDFS has taken a more prominent role in pursuing actions for purported violations of BSA/AML and U.S. sanctions laws.
Several of these enforcement actions, conducted in conjunction with federal regulators and law enforcement agencies, have targeted some of the world’s largest banks and resulted in headline-grabbing settlements.13 If the proposed certification provision becomes law, it could provide NYDFS with an even more effective mechanism to continue pursuing enforcement actions in these types of cases going forward.14 While the federal banking regulators have discussed the need for increased personal accountability and liability of bank officers and directors, to date, federal law does not require any similar type of certification provision for chief compliance officers of federally chartered and other state-chartered financial institutions as that being proposed by the NYDFS.

11 Proposed Regulation § 504.5.
12 Id.
13 See, e.g., NYDFS Press Release, Cuomo Administration Announces BNP Paribas to Pay $8.9 Billion, Including $2.24 Billion to NYDFS, Terminate Senior Executives, Restrict U.S. Dollar Clearing Operations for Violations of Law (June 30, 2014), available at http://www.dfs.ny.gov/about/press/pr1406301.htm; NYDFS Press Release, NYDFS Announces Commerzbank to Pay $1.45 Billion, Terminate Employees, Install Independent Monitor for Banking Law Violations (March 12, 2015), available at http://www.dfs.ny.gov/about/press/pr1503121.htm.
14 This appears to be precisely the intended effect. Based on the remarks of former NYDFS Superintendent Lawsky when proposing the certification provision, it appears that NYDFS is intent on setting the standard for future action by federal regulators. In a February 2015 speech, Lawsky stated that “[s]tate financial regulators…should play a similar role to the state-level reformers of the early 20th century” by “serv[ing] as incubators for new approaches to vexing policy problems” and, to the extent the NYDFS certification provision proves effective, he urged “other regulators [to] take similar steps.” Lawsky Speech, supra note 4.

Potential Market Impact and Differentiation from the SEC’s Approach

If the NYDFS certification proposal becomes law, it is unclear what impact it will have on the behavior and activities of Regulated Institutions with respect to their compliance with BSA/AML and U.S. sanctions laws. Rather than increasing personal and institution accountability, the threat of criminal liability coupled with the lack of a stated scienter requirement could actually deter competent and qualified compliance professionals from accepting the very types of chief compliance officer and similar positions targeted by the law. Perhaps more perverse, the certification requirement could discourage chief compliance officers from taking ownership of compliance programs and performing rigorous due diligence so that they do not obtain knowledge that could be problematic in light of the certification provision.

SEC Commissioner Daniel M. Gallagher recently raised these very same concerns in the context of what he viewed as overreaching by the SEC in two actions brought against the chief compliance officers of investment adviser firms for their failure to implement policies and procedures required by the Investment Advisers Act Rule 206(4)-7.15 Noting that Rule 206(4)-7 merely requires the chief compliance officer to administer policies and procedures promulgated by the investment adviser, Commissioner Gallagher expressed concern that “continuing uncertainty as to the contours of liability [for chief compliance officers] will disincentivize a vigorous compliance function at investment advisers.”16 In an effort to calm industry concerns regarding the scope of liability for compliance personnel, SEC Chair Mary Jo White stated that “it is not [the SEC’s] intention to use our enforcement program to target compliance professionals” and clarified that compliance officers will not be sanctioned when acting on their “good faith judgment, but rather when their actions or inactions cross a clear line that deserves sanction.”17

Consistent with the sentiment expressed by Chair White, it may be prudent for NYDFS to similarly clarify the extent to which criminal liability will apply to chief compliance officers under the Proposed Regulation. It is particularly concerning that the NYDFS proposed language relating to the imposition of chief compliance officer liability lacks a stated standard of “scienter,” which would require the NYDFS to make a specific finding of intent or knowledge of wrongdoing by the party making the required certification prior to imposing liability.
Although as proposed, the certification provision allows the chief compliance officer to make the certification “to the best of [his or her] knowledge,” the provision relating to liability indicates that a chief compliance officer may be subject to criminal penalties for filing an “incorrect or false” certification.18 However, section 672 of the New York Banking Law, which makes it a felony to falsify or willfully omit a material statement in any book, report or statement with intent to deceive, clearly contains a scienter requirement.19 Accordingly, the NYDFS should clarify whether the scienter requirement of section 672 will extend to the proposed certification requirement.

Jurisdictional Reach to Foreign Banks

Another troubling aspect of the proposal is its purported jurisdictional scope, particularly for the numerous foreign banks operating in New York. The Proposed Regulation applies to “all banks…chartered pursuant to the New York Banking Law and all branches and agencies of foreign banking corporations licensed pursuant to the New York Banking Law to conduct banking operations in New York.”20 While the Proposed Regulation would apply to the enterprise-wide operations of a New York state-chartered bank, foreign banks with branch or agency operations in New York should seek clarification and confirmation from the NYDFS that the proposed certification provision would apply only to the operations of the licensed foreign bank’s New York branch(es) or agency(ies). This is significant for the purpose of appropriately limiting the scope of liability for a foreign Regulated Institution because the chief compliance officer of a New York-based branch or agency of a foreign bank would generally not be expected to have any authority over enterprise-wide compliance policies or knowledge of worldwide compliance procedures of the foreign bank that may be proscribed by the Proposed Regulation.
Accordingly, it would be helpful for the NYDFS to clarify the jurisdictional reach of the Proposed Regulation and scope of the certification provision to better define the reach and limits of the proposal, particularly with respect to foreign banks operating in New York.

15 SEC Press Release, Daniel M. Gallagher, SEC Commissioner, Statement on Recent SEC Settlements Charging Chief Compliance Officers With Violations of Investment Advisers Act Rule 206(4)-7, available at http://www.sec.gov/news/statement/sec-cco-settlements-iaa-rule-206-4-7.html. Commissioner Gallagher noted that the SEC actions “illustrate a Commission trend toward strict liability for [chief compliance officers] under Rule 206(4)-7,” which he viewed as contradicting the rule’s requirement that the investment adviser itself “[a]dopt and implement written policies and procedures reasonably designed to prevent violation[s].”
16 Id.
17 Speech, Mary Jo White, SEC Chairman, Opening Remarks at the Compliance Outreach Program for Broker-Dealers, available at http://www.sec.gov/news/speech/opening-remarks-compliance-outreach-program-for-broker-dealers.html.
18 For statutory authority, NYDFS cites Section 672 of the New York Banking Law, stating that such section “imposes potential criminal liability on individuals submitting reports containing false entries or statements.” Proposed Regulation, Regulatory Impact Statement.
19 N.Y. Banking Law § 672.
20 Proposed Regulation § 504.2(b).

Action Items

The NYDFS proposal is subject to a 45-day notice and public comment period that ends on January 30, 2016. As proposed, the Proposed Regulation would be deemed to be effective immediately upon adoption, and would be applicable to fiscal years starting on and after April 1, 2017.
Regulated Institutions should consider the potential impact of the Proposed Regulation on their operational needs going forward, including their ability to remain competitive in terms of their compliance staffing needs, and submit a comment letter addressing concerns, which may include the following, among others:

• The lack of a clearly articulated scienter requirement for the annual certification;
• Clarification on what exactly is required to comply with the subjective requirements for “easily understandable documentation” under the transaction monitoring and filtering program provisions of the Proposed Regulation;
• The potential for the Proposed Regulation, if adopted, to have the counterproductive effect of actually deterring more effective oversight of bank BSA/AML compliance programs; and
• The potential chilling effect on the New York market with respect to the impact of the proposed certification requirement (and potential for individual criminal liability) on the Regulated Institution’s ability to remain competitive in hiring of qualified compliance staff personnel.

White & Case LLP
1155 Avenue of the Americas
New York, New York 10036-2787
United States
T +1 212 819 8200

White & Case LLP
701 Thirteenth Street, NW
Washington, District of Columbia 20005-3807
United States
T +1 202 626 3600

In this publication, White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This publication is prepared for the general information of our clients and other interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.