Citing "heightened global security concerns," New York’s Governor Andrew Cuomo and New York’s Department of Financial Services (NYDFS) have proposed a set of new financial regulations that include requiring banks’ chief compliance officers (CCOs) to certify that their institutions maintain robust anti-terrorist financing and anti-money laundering programs, with potential personal criminal consequences to the officers for providing false or misleading certifications.1

These proposals come after a recent series of terrorist financing and anti-money laundering investigations resulted in significant fines imposed against banking institutions that the NYDFS found to have "shortcomings in the transaction monitoring and filtering programs" and "a lack of robust governance, oversight and accountability at senior levels."2 In announcing these proposed regulations, Governor Cuomo stated that "it is especially vital that banks and regulators do everything they can to stop the flow of illicit funds," adding that "[m]oney is the fuel that feeds the fire of international terrorism."3 These proposals are subject to a 45-day public notice and comment period before becoming final.

Transaction Monitoring And Watch List Filtering Programs Defined

Although there has been broad adoption among financial institutions operating in New York State of programs and policies to monitor accounts and transactions for suspicious activity, the proposed regulations impose stringent requirements as to what those programs and policies must include. Now each regulated institution, including banks chartered pursuant to the New York Banking Law, and all branches and agencies of foreign banking corporations licensed pursuant to that law, must maintain a "Transaction Monitoring Program" that maps BSA/AML risks to the institution’s businesses, products, services and customers/counterparties.4 This proposed program must "at a minimum" be subject to ongoing end-to-end, pre- and post-implementation testing and incorporate all current BSA/AML laws, regulations and alerts, as well as "any relevant information available from the institution’s related programs and initiatives, such as ‘know your customer due diligence,’ ‘enhanced customer due diligence’ or other relevant areas, such as security, investigations and fraud prevention."5

Regulated institutions are also required to maintain a "Watch List Filtering Program" designed to interdict transactions, before their execution, that are prohibited by applicable sanctions (including OFAC) and internal watch lists. This program must "at a minimum" (i) be based on technology or tools for matching names and accounts (such as, but not necessarily, software that employs "fuzzy logic" and accounts for "culture-based name conventions"); (ii) utilize watch lists that reflect current legal or regulatory requirements; and (iii) be subject to ongoing analysis to assess its performance and whether it continues to "map to the risks of the institution."6

The proposed regulations, which will, if adopted, layer onto the existing and extensive federal and state laws and regulations, also include ongoing government and management oversight and data integrity and verification requirements that apply to both the Transaction Monitoring and Watch List Filtering Programs.7 And each program is also required to be tailored to a "Risk Assessment of the institution" which "takes into account, among other things, the institution’s size, businesses, services, products, operations, customers/ counterparties/ other relations and their locations, as well as the geographies and locations of its operations and business relations."8

Annual Certification Of Compliance Required

The provisions of the new regulations that should be of most concern to managers are Sections 504.4 and 504.5. Under Section 504.4, each regulated institution is required to submit by April 15th of each year a certification of compliance duly executed by its CCO or "their functional equivalent" (the Annual Certification). Under Section 504.5, in addition to stating that all regulated institutions are subject to penalties for non-compliance with these rules, a certifying senior officer "who files an incorrect or false Annual Certification also may be subject to criminal penalties for such filing."

The proposed text of the Annual Certification is as follows:

"In compliance with the requirements of the New York State Department of Financial Services (the "Department") that each Regulated Institution maintain a Transaction Monitoring and Filtering Program satisfying all the requirements of Section 504.3 and that A Certifying Senior Officer of a Regulated Institution sign an annual certification attesting to the compliance by such institution with the requirements of Section 504.3, each of the undersigned hereby certifies that they have reviewed, or caused to be reviewed, the Transaction Monitoring Program and the Watch List Filtering Program (the Programs) of (name of Regulated Institution) as of ___________ (date of the Certification) for the year ended________(year for which certification is provided) and hereby certifies that the Transaction Monitoring and Filtering Program complies with all the requirements of Section 504.3.

By signing below, the undersigned hereby certifies that, to the best of their knowledge, the above statements are accurate and complete."

The proposed rule seems to establish an almost strict criminal liability, as it appears to impose such penalties without any consideration of scienter. However, it is unclear how this rule will be interpreted in light of the Annual Certification’s requirement for CCOs to certify that their institutions are in compliance with the rules "to the best of their knowledge." The proposal does not state what the criminal penalties will be or under what law they will be imposed.

Continuing Trend Of Personal Liability

These proposed certification requirements raise significant concerns and risks for senior financial executives, most particularly the CCOs, and reflect an increased regulatory focus on individual liability. Aggressive civil enforcement actions have been brought in the past year by the U.S. Department of the Treasury and the Securities and Exchange Commission (SEC) against CCOs, the most noteworthy of which is that taken against Thomas Haider, the former chief compliance officer of MoneyGram International. The U.S. Financial Crimes Enforcement Network (FinCEN) initially fined Haider $1 million for allegedly not ensuring that his former employer followed anti-money laundering laws; the government subsequently filed a civil action to reduce the assessment to judgment and to enjoin Haider from ever working at a financial institution. In his defense, Haider has argued that the penalty assessed by FinCEN may only be imposed on a financial institution, not an individual, and that FinCEN’s assessment procedures were so deficient as to deprive him of due process.9

Similar enforcement actions have been filed by the SEC in 2015 against CCOs for alleged violations of the Investment Company Act and the Investment Advisers Act. These actions have prompted dissent from Commissioner Daniel Gallagher, who sees these initiatives as counter-productive because, in imposing what is essentially a strict liability standard, they send "a troubling message that CCOs should not take ownership of their firm’s compliance policies and procedures, lest they be held accountable…"10 In the same statement, Commissioner Gallagher also noted that some of the blame for inadequate compliance rested with the agency itself, which "in the eleven years since the rule was adopted, [had] not issued any guidance about how to comply with the rule."

The proposed NYDFS rulemaking takes the risks to CCOs beyond the civil realm and to a new and more serious level, that of potential criminal liability.


The new proposed rules demonstrate an increasing, and to some industry observers, alarming, focus on personal liability for senior financial executives charged with overseeing anti-terrorist financing and anti-money laundering compliance. While these proposals may be revised subject to public comment, and may ultimately be challenged in the courts, regulated institutions must now evaluate their compliance programs and policies in light of these new regulations, and be prepared to make those changes—which in some cases may be significant—that will be required to ensure compliance. In light of the draconian potential penalties that they now confront, CCOs and their employers must closely evaluate their potential liability exposure as a result of the Annual Certification requirement and, should they nevertheless wish to continue in their roles, assess how best to assume and fulfill their obligations in satisfaction of the new regulations.