The New York DFS finalized its new AML and Sanctions screening regulations.
Interestingly, the NYDFS backed off its original proposal to require a Chief Compliance Officer to certify to a compliance “finding” that the bank or other covered entity maintains an adequate AML and sanctions compliance program. In its place, the NYDFS regulations require an annual certification from senior management (i.e., those responsible for “management, operations, compliance, and/or risk”) or from the board of directors through a board resolution.
The board or senior officer(s) must certify that (1) they have reviewed documents, reports, certifications, and so forth as necessary to adopt the board resolution or compliance finding; (2) they have taken “all steps necessary to confirm” that the institution has transaction monitoring and OFAC filtering programs that comply with the regulation; and (3) to the best of their knowledge, the programs comply with the regulation. An institution must maintain records and data underlying the compliance finding for a period of five years.
The new regulations go into effect on January 1, 2017. The first annual compliance finding will be due on April 15, 2018.
No one should be surprised by the certification requirement. The NYDFS proposed the certification requirement in its original December 2015 proposal. Such certifications are becoming more commonplace. The HHS-OIG is imposing such certifications from senior officers and board members as part of Corporate Integrity Agreements. Given the interest in promoting accountability, I would expect prosecutors and regulators to embrace certification requirements in relevant circumstances.
The NYDFS cited shortcomings in monitoring and screening programs stemming from a lack of robust governance, oversight and accountability at senior levels of banks and other covered entities. Most of the NYDFS regulations mirror federal banking requirements. Banks and covered entities should take a hard look at their systems, policies and procedures to ensure compliance with the regulations and develop plans to improve their programs to meet the regulatory requirements. It is critical that banks and covered entities develop policies and procedures for documenting their compliance programs and build a system to support a compliance finding made by senior managers or the board of directors.
The new regulations apply to all banks, trust companies, private banks, savings banks and savings and loan associations chartered under New York Banking Law, as well as all “branches and agencies of foreign banking corporations” licensed to conduct banking operations in New York. The NYDFS regulations also apply to nonbank regulated institutions that include “all check cashers and money transmitters” licensed in New York State.
Each institution is required to maintain a program “reasonably designed” to monitor transactions for potential BSA/AML violations and suspicious activity reporting. Such a system must include: (1) periodic reviews and updates to the system based on relevant risks, changes in law or regulatory warnings; and (2) testing of transaction monitoring systems, including a review of governance, data mapping, transaction coding, data input and program output.
Banks and covered entities are required to maintain a risk-based screening or “filtering” program to prevent OFAC-prohibited transactions. The program must match names and accounts based on specific risks and product profiles. The technology used must be “reasonably designed” to identify prohibited transactions, and must be monitored and regularly assessed. The regulations require validation of the “integrity, accuracy and quality of data to ensure that accurate and complete data flows through the monitoring and filtering systems, if automated systems are used.” Also, if the institution relies on a vendor to install and maintain a monitoring and filtering program, the institution has to create and maintain a vendor selection process.