Proposed regulations impose new certification requirements that could result in personal liability for compliance officers of financial institutions.

On December 1, 2015, the New York State Department of Financial Services (NYSDFS), the agency that regulates the financial services and insurance industries in New York, released a proposed regulation requiring financial institutions, including banks and other financial firms, to maintain enhanced Bank Secrecy Act1/Anti-Money Laundering (BSA/AML) and Office of Foreign Asset Control (OFAC) monitoring and reporting programs (the Proposed Rule). In addition, the Proposed Rule requires the chief compliance officer (or functional equivalent) of such institutions to make an annual certification attesting to the full compliance of BSA/AML and OFAC monitoring and filtering programs with the Proposed Rule’s requirements. The certification requirement is supported by potential criminal penalties targeted at the certifying officers. The Proposed Rule, which was published in the New York State Register on December 16, 2015, is open to a 45-day notice and public comment period that will end on February 1, 2016, after which a final rule will be issued.2 This Client Alert provides an overview of the Proposed Rule and highlights the potential challenges that some of the requirements may present to the institutions this regulation is intended to protect.

Background

During a time of heightened global security concerns, the NYSDFS seeks to ensure, through the Proposed Rule, that banks and other financial firms take stringent measures to prevent the flow of illicit funds on which global terrorist networks rely.
Currently, banking organizations that are subject to New York Banking Law (NYBL), and foreign banking corporations that have branches, agencies or representative offices in New York, are required to comply with applicable federal anti-money laundering laws (including the obligation to file Suspicious Activity Reports (SARs) and to establish a customer identification program) and applicable OFAC requirements.3 In addition, under current New York and federal law requirements, these institutions must establish an anti-money laundering program that meets certain minimum requirements.4 Certain nonbanking organizations in New York, such as licensed check cashers and licensed money transmitters, are also subject to BSA/AML and OFAC requirements similar to those currently applicable to US and foreign banks in New York.5

In a speech announcing the Proposed Rule, Governor Andrew M. Cuomo noted that the current AML/BSA and OFAC monitoring and filtering programs financial institutions have established in New York are insufficient to appropriately address terrorist financing, sanctions violations and anti-money laundering compliance due to a “lack of robust governance, oversight and accountability at senior levels of such institutions.”6

Latham & Watkins December 22, 2015 | Number 1908 | Page 2

In order to address these shortcomings, the Proposed Rule:

• Provides a detailed description of the minimum requirements that a Regulated Institution (defined below) must consider (i) when monitoring transactions after their execution for potential BSA/AML violations and SARs, and (ii) for preventing transactions prior to their execution that are prohibited as a result of sanctions or applicable watch list violations

• Holds chief compliance officers or their functional equivalent accountable for the transaction monitoring and watch list filtering programs by requiring the officers to certify annually to full compliance with the requirements relating to such programs, with potential liability for criminal penalties for any incorrect or false certification

In addition, according to the NYSDFS, the intent of the Proposed Rule is not to change existing compliance requirements applicable to financial institutions, but rather to create a more granular framework for a chief compliance officer or their functional equivalent to follow in designing, implementing and maintaining a program that ensures full compliance with the Proposed Rule’s requirements. Since financial institutions are already required to maintain compliance with existing federal BSA/AML regulations and OFAC requirements, the NYSDFS contends that the costs of complying with the Proposed Rule should be minimal and associated only with the new annual certification requirement.

Overview of Proposed Rule

Scope of the Proposed Rule

The Proposed Rule applies to “Regulated Institutions,” which include:

• All banks, trust companies, private bankers, savings banks and savings and loan associations chartered pursuant to NYBL, and all branches and agencies of foreign banking corporations licensed pursuant to NYBL to conduct banking operations in New York

• All check cashers and money transmitters licensed pursuant to NYBL

Each Regulated Institution is required to maintain a Transaction Monitoring and Watch List Filtering Program, both of which are discussed in more detail below.

Transaction Monitoring and Watch List Filtering Program Requirements

The Proposed Rule introduces Transaction Monitoring and Watch List Filtering Programs that impose technical and mapping requirements on Regulated Institutions to ensure the institutions have implemented sufficiently advanced and robust systems to detect and eliminate any potential illicit transactions. Specifically, each Regulated Institution must maintain a:

• Transaction Monitoring Program to monitor transactions that have already been executed for potential BSA/AML violations and SARs. The system used to implement the program may be manual or automated and must, at a minimum, meet the requirements set forth below

• Watch List Filtering Program to prevent the occurrence of transactions prohibited under applicable sanctions, including OFAC and other sanctions lists, politically exposed persons lists and internal watch lists. The system used to implement the program may be manual or automated, and should meet the minimum requirements described below

Minimum Requirements Specific to the Transaction Monitoring Program

1. Be based on the institution’s on-going comprehensive risk assessment, including an enterprise-wide BSA/AML risk assessment, that takes into account the institution’s size, businesses, services, products, operations, customers/counterparties/other relations and their locations, as well as the geographies and locations of its operations and business relations (Risk Assessment);

2. Reflect current BSA/AML laws, regulations and alerts, as well as any relevant information available from the institution’s related programs and initiatives, such as “know your customer due diligence”, “enhanced customer due diligence” or other relevant areas, such as security, investigations and fraud prevention;

3. Map BSA/AML risks to the institution’s businesses, products, services, and customers/counterparties;

4. Utilize BSA/AML detection scenarios that are based on the institution’s Risk Assessment with threshold values and amounts set to detect potential money laundering or other suspicious activities;

5. Include end-to-end, pre- and post-implementation testing of the Transaction Monitoring Program, including governance, data mapping, transaction coding, detection scenario logic, model validation, data input and Program output, as well as periodic testing;

6. Include easily understandable documentation that articulates the institution’s current detection scenarios and the underlying assumptions, parameters and thresholds;

7. Include investigative protocols detailing how alerts generated by the Transaction Monitoring Program will be investigated, the process for deciding which alerts will result in a filing or other action, who is responsible for making such a decision, and how the investigative and decision-making processes will be documented; and

8. Be subject to an on-going analysis to assess the continued relevancy of the detection scenarios, the underlying rules, threshold values, parameters and assumptions.

Minimum Requirements Specific to the Watch List Filtering Program

1. Be based on the Risk Assessment of the institution;

2. Be based on technology or tools for matching names and accounts, in each case based on the institution’s particular risks, transaction and product profiles;

3. Include end-to-end, pre- and post-implementation testing of the Watch List Filtering Program, including data mapping, an evaluation of whether the watch lists and threshold settings map to the risks of the institution, the logic of matching technology or tools, model validation, and data input and Watch List Filtering Program output;

4. Utilize watch lists that reflect current legal or regulatory requirements;

5. Be subject to on-going analysis to assess the logic and performance of the technology or tools for matching names and accounts, as well as the watch lists and the threshold settings, to see if they continue to map to the risks of the institution; and

6. Include easily understandable documentation that articulates the intent and the design of the Program tools or technology.

Minimum Requirements Applicable to Both the Transaction Monitoring and Watch List Filtering Programs

1. Identification of all data sources that contain relevant data;

2. Validation of the integrity, accuracy and quality of data to ensure that accurate and complete data flows through the Transaction Monitoring and Watch List Filtering Program;

3. Data extraction and loading processes to ensure a complete and accurate transfer of data from its source to automated monitoring and filtering systems, if automated systems are used;

4. Governance and management oversight, including policies and procedures governing changes to the Transaction Monitoring and Watch List Filtering Program to ensure that changes are defined, managed, controlled, reported and audited;

5. A vendor selection process if a third-party vendor is used to acquire, install, implement or test the Transaction Monitoring and Watch List Filtering Program or any aspect of it;

6. Funding to design, implement and maintain a Transaction Monitoring and Watch List Filtering Program that complies with the requirements of the Proposed Rule;

7. Qualified personnel or an outside consultant responsible for the design, planning, implementation, operation, testing, validation and on-going analysis of the Transaction Monitoring and Watch List Filtering Program, including automated systems if applicable, as well as case management, review and decision-making with respect to generated alerts and potential filings; and

8. Periodic training of all stakeholders with respect to the Transaction Monitoring and Watch List Filtering Program.

Annual Certification Requirement

The Proposed Rule introduces a new certification requirement intended to hold a Regulated Institution’s chief compliance officer or their functional equivalent (Certifying Senior Officer) accountable, by requiring the Certifying Senior Officer to certify on an annual basis that the institution is in compliance with all of the requirements under the Proposed Rule. Importantly, a Certifying Senior Officer who files an incorrect or false annual certification may be subject to criminal penalties for such filing.
This potential personal liability may have a significant chilling effect on the ability of financial institutions that would be subject to the Proposed Rule to recruit, hire and retain qualified compliance officers.

This certification requirement as proposed presents a number of challenges for Certifying Senior Officers. First, the Proposed Rule contains a number of vague, subjective standards rendering certification of complete compliance with all of the Proposed Rule’s requirements very difficult, if not impossible. Also, imposing the requirement to certify that an institution’s Transaction Monitoring and Watch List Filtering Programs comply with all the requirements outlined in the Proposed Rule sets an arguably unrealistic and impossible standard for certification. Under that standard, even an immaterial, administrative discrepancy under the Proposed Rule could subject the Certifying Senior Officer to personal liability.

Given the highly technical nature of the Proposed Rule’s Transaction Monitoring and Watch List Filtering Programs, a Regulated Institution must have a Certifying Senior Officer with the requisite qualifications to carry out such programs effectively and on an enterprise-wide level to ensure the institution is in compliance with all of the Proposed Rule’s requirements. Additionally, the success of any Transaction Monitoring and Watch List Filtering Programs will depend on a Certifying Senior Officer’s having sufficient authority to effect enterprise-wide change in order to meaningfully impact the institution’s ability to comply with the program. In the case of chief compliance officers at New York branches or agencies of foreign banks, providing officers with sufficient authority may be especially challenging, since foreign banks are subject to home country anti-money laundering and sanctions regimes that are different from those to which their New York branches and agencies are subject.
Conclusion

The Proposed Rule is the NYSDFS’ attempt to address the spate of New York financial institutions’ anti-money laundering and sanctions violations in recent years, the perceived gaps in federal regulation relating to BSA/AML and OFAC programs and system requirements, and the pervasiveness of global terrorism. While the reasons underlying the Proposed Rule’s issuance may find public support, many aspects of the Proposed Rule, including the complexity of the Transaction Monitoring and Watch List Filtering Programs, the introduction of vague, subjective standards, and the potential for personal criminal liability, will likely present significant challenges to affected financial institutions, and will undoubtedly be subject to robust comments from industry participants during the comment period.