In the post-Yates Memo landscape, increasing attention is being paid to high-level individuals within business entities under government scrutiny. Yet another example of this trend is a set of regulations recently adopted by the New York Department of Financial Services (DFS), effective January 1, 2017, which create new transaction monitoring and filtering requirements for New York banks to ensure compliance with the Bank Secrecy Act (BSA), anti-money laundering (AML) regulations, Department of the Treasury Office of Foreign Assets Control (OFAC) rules, and related provisions of law. These regulations also require each subject bank to submit an annual certification of compliance, signed by the bank’s board of directors or by a designated senior officer, with the first such certifications due April 15, 2018. While DFS softened the proposed rules in several respects in response to concerns raised during the comment period, the final regulations still create a host of new requirements, and they present new risks for bank directors and officers.

The regulations apply to all “Bank Regulated Institutions,” defined to encompass “all banks, trust companies, private bankers, savings banks, and savings and loan associations chartered pursuant to the New York Banking Law . . . and all branches and agencies of foreign banking corporations licensed pursuant to the [New York] Banking Law to conduct banking operations in New York.” The rules also apply to “Nonbank Regulated Institutions,” defined as “all check cashers and money transmitters licensed” under the New York Banking Law. The rules refer collectively to these “bank” and “nonbank” institutions as “Regulated Institutions.”

New York has long required that financial institutions maintain AML programs and risk-based procedures to ensure compliance with BSA and OFAC requirements. New York banks could, however, safely assume that if they complied with federal AML rules, they would also be deemed compliant with corresponding New York regulations. This may no longer be the case.

DFS originally proposed new rules in December 2015, citing investigations that had made the Department “aware of the shortcomings in the transaction monitoring and filtering programs” in banking institutions. DFS concluded that “a lack of robust governance, oversight, and accountability at senior levels . . . contributed to these shortcomings,” and proposed regulations to “clarify the required attributes of a Transaction Monitoring and Filtering Program” and to require each Regulated Institution’s chief compliance officer (or functional equivalent) to annually certify compliance with the regulations. The proposed regulations additionally provided that institutions would be subject to penalties for failing to comply with the regulations, and that a chief compliance officer who filed an incorrect or false certification could “be subject to criminal penalties” for such a filing.

In implementing final regulations, DFS modified these compliance requirements slightly. Most notably, it allowed that the annual certifications of compliance might be made by a resolution of a bank’s board of directors or by a “Senior Officer” (defined as “the senior individual or individuals responsible for the management, operations, compliance and/or risk of a Regulated Institution including a branch or agency of a foreign banking organization subject to this Part”) rather than by the bank’s chief compliance officer. In addition, DFS omitted the specific reference to “criminal penalties,” though it still made clear that the regulations “will be enforced pursuant to . . . the [DFS’s] authority under any applicable laws.”

Like the proposed regulations, the final regulations require Regulated Institutions to create Transaction Monitoring and Filtering Programs. While the proposed regulations defined minimum attributes for the Transaction Monitoring and Filtering Programs precisely, the final regulations list certain attributes that should be included, “to the extent they are applicable.”

The Transaction Monitoring Program can be manual or automated and is to be “reasonably designed for the purpose of monitoring transactions after their execution for potential BSA/AML violations and Suspicious Activity Reporting.” It should:

  • Be based on a Risk Assessment (defined as “an on-going comprehensive risk assessment, including an enterprise wide BSA/AML risk assessment, that takes into account the institution’s size, staffing, governance, businesses, services, products, operations, customers, counterparties, other relations and their locations, as well as the geographies and locations of its operations and business relations”);
  • Be reviewed and updated at risk-based intervals to reflect changes to applicable laws, regulations, and warnings, as well as any other information the institution deems relevant;
  • Match risks “to the institution’s businesses, products, services, and customers/counterparties”;
  • Include BSA/AML detection scenarios with threshold volumes and amounts;
  • Involve “end-to-end, pre- and post-implementation testing” of the program, “including, as relevant, a review of governance, data mapping, transaction coding, detection scenario logic, model validation, data input and Program output”;
  • Include documentation articulating the institution’s detection scenarios;
  • Include protocols for investigating alerts, determining when alerts will result in a filing or other action, and documenting the investigation and decision-making process, as well as identifying the operating areas and individuals responsible for making decisions about alerts; and
  • Be subject to ongoing analysis and assessment of the detection scenarios, rules, values, parameters, and assumptions underlying the program.

The Filtering Program, which can also be automated or manual, should be “reasonably designed for the purpose of interdicting transactions that are prohibited by OFAC” and should, to the extent applicable:

  • Be based on a Risk Assessment;
  • Be “based on technology, processes or tools for matching names and accounts, in each case based on the institution’s particular risks, transaction, and product profiles” (the regulation explicitly states that no particular technology is mandated, just that the system or technology employed “must be reasonably designed to identify prohibited transactions”);
  • Include end-to-end, pre- and post-implementation testing;
  • Involve “on-going analysis to assess the logic and performance of the technology or tools for matching names and accounts, as well as the OFAC sanctions list and the threshold settings” to ensure that they match the institution’s risks; and
  • Document the Filtering Program’s “tools, processes or technology” and articulate the “intent and design” of those tools, processes or technology.

Both the Transaction Monitoring and Filtering Programs must, to the extent applicable:

  • Identify all relevant data sources;
  • Validate the integrity and accuracy of the data to ensure that “complete data flows through the Transaction Monitoring and Filtering Programs”;
  • Where automated systems are used, include “data extraction and loading processes” designed to ensure complete and accurate data transfer;
  • Establish policies and procedures governing changes to the programs as well as governance and management oversight;
  • Include a vendor selection process if vendors are involved in any part of the programs;
  • Be appropriately funded;
  • Involve qualified personnel (including outside consultants) to design, plan, implement, operate, test, validate, and analyze the programs, as well as qualified personnel or outside consultants to manage, review, and make decisions about alerts and potential filings or other actions; and
  • Involve periodic training for all stakeholders.

Regulated Institutions are also required to document “areas, systems, or processes that require material improvement,” as well as remediation efforts aimed at addressing such areas, systems, or processes; and such documentation “must be available for inspection by the Superintendent [of DFS].”

While it remains to be seen how the DFS will interpret and enforce these regulations, particularly the compliance certification requirement, recent reports indicate that the DFS is aggressively targeting BSA/AML and OFAC violations, with multiple settlements requiring payments in excess of $100 million in the last few months alone. These new regulations will likely provide additional grounds for DFS and other regulators and law enforcement agencies to scrutinize New York financial institutions and their directors and officers. Institutions covered by these rules should ensure that they augment their existing BSA/AML monitoring and filtering programs accordingly. They should also be proactive about assessing risks to the organization and thoroughly investigating concerns brought to light by compliance or operations personnel. Finally, bank directors and officers should take care to assess the compliance procedures of their institutions, and to rigorously scrutinize the institutions’ responses to AML risks—beginning very soon, they will be personally attesting to the institution’s compliance.