The New York Department of Financial Services (DFS) has issued a final rule, to take effect on January 1, 2017, requiring regulated institutions to adopt risk-based programs to monitor and filter transactions for potential violations of the Bank Secrecy Act and anti-money laundering laws.
This “final” regulation reflects substantial revisions to an earlier draft proposed by DFS last year (see our coverage here) which appear to respond to a storm of criticism that the initial rule, by expressly threatening criminal penalties against chief compliance officers for inaccurate certifications of compliance, would impede, rather than encourage, enhanced compliance efforts.
Many of the elements of the initial rule remain, but the DFS has now relaxed its attempts to prescribe with specificity the measures that must be implemented. Regulated institutions must now maintain a program “reasonably designed” to monitor transactions; enumerated features of such a program, which were previously specified in the proposed rule without qualification, are now required only “to the extent they are applicable” and “relevant.” Similar acknowledgement of institutional discretion may be found in those provisions requiring that regulated institutions maintain a “watch list filtering program” for the purpose of interdicting transactions prohibited by federal economic and trade sanctions. Regulated institutions are now required to maintain a program “which may be manual or automated” and “reasonably designed for the purpose of interdicting transactions.” Minimum program requirements are specified, such as testing, “including, as relevant, a review of data matching,” but a previous requirement that “watch lists reflect current legal or regulatory requirements” has been scrapped in favor of a more specific reference to the OFAC sanctions list alone.
The proposed rule enjoined regulated institutions from “making any changes or alterations to the monitoring program” “to avoid or minimize filing suspicious activity reports.” Much criticism was directed at this provision, which, read literally, prohibited institutions from adjusting and refining their programs to eliminate false positives that otherwise would be the subject of suspicious activity reports. The final rule addresses DFS’s concern in a more balanced fashion: “to the extent a Regulated Institution has identified areas, systems or processes that require material improvement, updating or redesign, the Regulated Institution shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes.”
The most closely watched provisions of the proposed rule, concerning the potential criminal liability of chief compliance officers, have undergone the greatest change. Section 504.4 no longer requires “certification “ by a “certifying senior officer” attesting to compliance with all substantive provisions of the rule. Instead, each regulated institution must adopt and submit a “board resolution” ( or a “senior officer compliance finding”) that, “to the best of its knowledge,” the institution’s transaction monitoring and filtering program “complies with all requirements of Section 504.3.”
This revision may offer cold comfort to company boards but has apparently been received with some measure of relief in the compliance community, especially because many compliance officers considered the initial certification requirement to call for more knowledge and authority than they possessed. Section 504.5 of the rule, concerning “Penalties/Enforcement Actions,” has also undergone an even more radical makeover; the original language has been deleted almost completely, including that sentence which formerly read: “ A certifying senior officer who files an incorrect or false Annual Certification also may be subject to criminal penalties for such filing.” In its place, the Section now reads in its entirety: “This regulation will be enforced pursuant to, and is not intended to limit, the Superintendent’s authority under any applicable laws.”
It is still too early to assess the financial industry’s response to the final rule. It remains clear that the DFS intends to be an aggressive participant in an arena previously dominated by federal regulatory agencies. Financial Services Superintendent Maria T. Vullo stated as much in her forceful announcement of the final rule: “it is time to close the compliance gaps in our financial regulatory framework to shut down money laundering operations and eliminate potential channels that can be exploited by global terrorist networks and other criminal enterprises.”
At very least, however, the final rule reflects an acknowledgement that in a risk-based environment, institutions should be afforded some discretion to determine what is reasonable and applicable to their operations. And perhaps most notably, the rule takes a small step back from the alarming focus on personal liability of compliance officers that was the centerpiece of the proposed rule. Such a step is far more likely to ensure the committed participation of the compliance world than the menacing language which preceded it.