Federal anti-money laundering (AML) regulations, rooted in the Bank Secrecy Act (BSA), have long required financial institutions to maintain internal control systems to assure compliance, provide for independent testing, designate individuals responsible for compliance and provide training for all appropriate personnel. Building beyond the federal BSA/AML framework, the New York State Department of Financial Services (DFS), led by newly appointed Superintendent Maria Vullo, has issued regulations that dictate specific features for transaction monitoring and filtering programs and require annual board or senior officer certification of compliance. The new regulations take effect January 1, 2017.

Specifically, the new regulations cover New York-chartered banks; trust companies; private bankers; savings banks and savings and loan associations; New York-licensed branches and agencies of foreign banking corporations; and New York-licensed check cashers and money transmitters (Regulated Institutions). At their core is a mandate for each Regulated Institution to perform a comprehensive enterprise-wide BSA/AML risk assessment tailored to its size, staffing, governance, businesses, services, products, operations, customers, counterparties and other relations and their locations, as well as the geographies in which it conducts its business.

Under the new regulations, a Regulated Institution must devise and maintain both a Transaction Monitoring Program and a Filtering Program based on its risk assessment and reasonably designed to comply with risk-based safeguards. The purpose of the Transaction Monitoring Program is to monitor transactions after their execution for potential BSA/AML violations and reporting of suspicious activities, while the purpose of the Filtering Program is to interdict transactions that are prohibited by the federal Office of Foreign Assets Control (OFAC). Standards are enumerated for these programs, including periodic review and updating, multi-stage testing, alert processing protocols, adequate funding, management oversight and engagement of qualified personnel or outside consultants.

In the wake of intense controversy, DFS has adopted a somewhat more flexible certification requirement than the one originally proposed. Beginning April 15, 2018, and on each April 15th thereafter, every Regulated Institution is required to submit a prescribed form containing a board resolution or senior officer compliance finding attesting that, to the best of their knowledge based on their thorough review, the transaction monitoring and filtering programs comply with the provisions of the new regulations.

By increasing administrative burden and casting boards and senior compliance officers as quasi-guarantors of BSA/AML compliance, the new regulations arguably put DFS-supervised institutions at a competitive disadvantage to uncovered New York financial institutions like national banks, federal savings associations and Federal branches of foreign banks. However, in tying its mandate for transaction monitoring and filtering programs to BSA/AML standards, DFS may be telegraphing a tacit intent to induce federal regulators to pursue a similar approach.

Deserving of the highest priority is the special challenge Regulated Institutions face as they begin to determine how to manage costs and avoid duplicative effort in complying with DFS regulations, BSA regulations and, in many cases, Sarbanes-Oxley internal control certifications. To support the certification process, as the new regulations suggest, Regulated Institutions can benefit from advice of experienced legal counsel and consultants. These experts will be invaluable in mapping an overall control framework that encompasses structuring of risk assessment, apportionment of internal duties, design of effective testing mechanisms and development of relevant training modules, as well as preservation of a reliable audit trail.

Walter Donaldson