Following Maria Vullo's confirmation as Superintendent earlier this month, the New York Department of Financial Services ("DFS") yesterday finalized its closely watched proposed regulation on anti-money laundering (AML) monitoring and sanctions screening requirements for banks, branches, and other covered entities. According to DFS, the final regulation is motivated by its identification, through investigations, of shortcomings in monitoring and screening programs attributable to a "lack of robust governance, oversight, and accountability at senior levels."
Although stringent, the majority of the regulation's AML and sanctions requirements are in line with federal banking agency expectations. Some of the regulations' provisions apply to both AML monitoring and sanctions screening and relate to data integrity and the accuracy of data flows, governance and management oversight, funding, training, and the use of qualified personnel, vendors, and consultants.
The final regulation will go into effect January 1, 2017. The first annual compliance "finding" will be required on April 15, 2018. Covered institutions should begin the process (if they have not already done so in light of the proposal) of assessing whether their systems, policies, and procedures comply with the regulation and formulating a plan for closing any gaps. Institutions should also renew their attention to documenting and tracking their compliance efforts, including with an eye towards building a process for preparing the annual compliance finding that must be submitted to DFS.
Differences Between DFS's Proposed and Final Regulations
The final regulation largely mirrors the December 2015 proposal, although certain aspects have been modified or scaled back. (A redline comparison of the proposed and final regulations is available here). Notably, throughout the final regulation DFS has added moderating phrases such as "reasonably designed," "to the extent they are applicable," and "as relevant." The DFS press release also emphasizes that the regulation is "risk-based." The following are some of the more notable changes reflected in the final regulation:
- Annual Compliance Finding: One of the most controversial aspects of the proposal was a requirement that a senior compliance officer annually certify the compliance of the institution's AML and sanctions screening programs with the regulation. In the final regulation, this was modified to permit a broader range of senior official(s) (those responsible for "management, operations, compliance and/or risk") to make an annual finding of such compliance. Alternatively, an institution's board can do so through a board resolution. Under both the proposed and final regulations, the certification or finding was to be made to the best of each person's knowledge.
- Narrowed Filtering Lists: The proposed regulation's screening or "filtering" requirements applied not only to the OFAC lists, but also to lists of politically exposed persons (PEPs) and institutions' "internal watch lists." The final regulation, however, confines the filtering requirements to the OFAC lists.
- Omitted "Tuning" Prohibition: The proposed regulation prohibited an institution from instituting changes to its transaction monitoring or filtering programs to "avoid or minimize" filing Suspicious Activity Reports (SARs) or because the institution does not have resources to review the number of alerts generated by its programs. This sought to address so-called "tuning" efforts by institutions designed, for example, to reduce the number of false positives generated by screening. The final regulation omits this prohibition and puts in its place a requirement that when an institution identifies systems or processes that require "material improvement, updating or redesign," the institution shall document the "identification and the remedial efforts planned."
Summary of the Final Regulation
Covered Institutions. The final regulation applies to "Bank Regulated Institutions," which is defined to mean "all banks, trust companies, private bankers, savings banks, and savings and loan associations" chartered pursuant to the New York Banking Law and all "branches and agencies of foreign banking corporations" licensed pursuant to that law to conduct banking operations in New York. The final regulation also covers "Nonbank Regulated Institutions," which is defined to mean "all check cashers and money transmitters" licensed pursuant to that law.
AML Monitoring Requirements. The final regulation requires each institution to maintain a program "reasonably designed" for the purpose of monitoring transactions after their execution for potential BSA/AML violations and suspicious activity reporting. This risk-based system may be manual or automated and must include a number of attributes to the extent applicable. Among these many attributes are the following:
- Periodic reviews and updates to the system at "risk-based intervals" to reflect changes to applicable BSA/AML laws, regulations, and "regulatory warnings," as well as any other information determined by the institution to be relevant "from the institution's related programs and initiatives." (The proposed regulation gave the examples of know-your-customer diligence and fraud investigations, among others; these examples were omitted in the final).
- End-to-end, pre- and post-implementation testing of the transaction monitoring program, including, as relevant, a review of "governance, data mapping, transaction coding, detection scenario logic, model validation, data input and Program output."
Sanctions Screening Requirements. The final regulation requires that institutions maintain a risk-based screening or "filtering" program, which may be manual or automated, that is "reasonably designed" for the purpose of interdicting OFAC-prohibited transactions before they are consummated. Among the attributes that the program must include "to the extent applicable," are the following:
- The program must be based on technology, processes, or tools for matching names and accounts, in each case based on the institution's particular risks, transactions, and product profiles. The regulation does not "mandate the use of any particular technology," only that the system or technology must be "reasonably designed to identify" (not "adequate to capture," as in the proposal) prohibited transactions.
- End-to-end, pre- and post-implementation testing of the filtering program, including, as relevant, a review of "data matching, an evaluation of whether the OFAC sanctions lists and threshold settings map to the risks of the institution, the logic of matching technology or tools, model validation, and data input and Program output."
- The program must be subject to on-going analysis to assess the "logic and performance of the technology or tools for matching names and accounts," as well as the "OFAC sanctions list and the threshold settings to see if they continue to map to the risks of the institution."
Cross-cutting requirements regarding data integrity and data flows, governance, and vendors/personnel/consultants. The final regulation also has a series of requirements that apply to both transaction monitoring and filtering programs, to the extent applicable. These requirements involve, among other things, governance and management oversight, funding, and training. They also include the following:
- Identification of all data sources that contain relevant data.
- Validation of the "integrity, accuracy and quality of data to ensure that accurate and complete data flows through" the monitoring and filtering programs.
- "[D]ata extraction and loading processes" to ensure "complete and accurate transfer of data from its source to automated monitoring and filtering systems, if automated systems are used."
- A vendor selection process if a vendor is used to implement, install, or test the monitoring and filtering programs.
- Qualified personnel or outside consultant(s) responsible for the design, implementation, operation, testing, and ongoing analysis of the monitoring and filtering programs.
Annual Board Resolution or Senior Officer(s) Compliance Finding. The final regulation requires the annual submission of a compliance finding to DFS that is made by a resolution of an institution's board or by one or more senior officers, defined as senior individuals "responsible for the management, operations, compliance and/or risk" of a covered institution. The regulation has an attachment that prescribes the wording of the certification. The board or senior officer(s) must certify that (1) they have reviewed documents, reports, certifications, and so forth as necessary to adopt the board resolution or compliance finding; (2) they have taken "all steps necessary to confirm" that the institution has transaction monitoring and OFAC filtering programs that comply with the regulation; and (3) to the best of their knowledge, the programs comply with the regulation. An institution must maintain records and data underlying the compliance finding for a period of five years.
The proposed regulation contained language about institutions being subject to "all applicable penalties" for violations of the regulation, and it included the following statement: "A Certifying Senior Officer who files an incorrect or false Annual Certification also may be subject to criminal penalties for such filing." This language was omitted in the final regulation in favor of the following general statement: "This regulation will be enforced pursuant to, and is not intended to limit, the Superintendent's authority under any applicable laws."
Effective Date. As noted, the regulation will take effect on January 1, 2017. Institutions must submit the annual board resolution or senior officer(s) compliance findings commencing April 15, 2018.
DFS's regulation continues the heightened regulatory focus on financial institutions' anti-money laundering and sanctions compliance programs. Notably, DFS-regulated banks and branches of foreign banks will now have to implement over the near term both this DFS regulation and FinCEN's regulation issued in May on beneficial ownership and customer due diligence requirements.
Although DFS's AML and sanctions expectations are mostly in line with those of the federal banking agencies, the novelty of DFS's initiative is that these expectations are now codified in a regulation and subject to annual compliance findings by institutions' boards or senior officers. As noted, some aspects of the proposed regulation were modified or scaled back in the final regulation, which indicates that DFS listened to some degree to the concerns of institutions and compliance officials. It remains to be seen, however, whether DFS will be willing to provide more guidance on how it views many of the broadly worded standards in its final regulation and whether it will in practice apply these standards in the risk-based spirit in which they were promulgated.