On December 1, 2015, Governor Andrew M. Cuomo announced a proposed new anti-money laundering regulation (the Proposed Rule) issued by the New York State Department of Financial Services (NYDFS) that would apply to banks, trust companies, private bankers, savings banks, savings and loan associations, branches and agencies of foreign banking organizations, check cashers and money transmitters that are chartered or licensed under the New York Banking Law (collectively, Regulated Institutions). The Proposed Rule sets forth the minimum attributes of a robust transaction monitoring and watch list filtering program for detecting illegal transactions.[1] Perhaps most notably, a senior compliance officer of Regulated Institutions would be required to certify annually that the institution has sufficient programs in place to comply with the regulation, a requirement that is modeled after the Sarbanes-Oxley Act’s certification approach.
In the last few years, the NYDFS has conducted investigations into Bank Secrecy Act/anti-money laundering (BSA/AML) and sanctions compliance at financial institutions and discovered serious deficiencies, particularly with respect to transaction monitoring and filtering systems, and governance, oversight and accountability at senior levels of the institutions. The NYDFS believes that these shortcomings may be present in other financial institutions, resulting in widespread failure to adequately flag suspicious activity. The Proposed Rule is intended to address these concerns, and to clarify and expand the obligations of Regulated Institutions to detect and prevent illicit transactions by terrorist organizations and other criminals. The NYDFS has also been very active in examining for AML and sanctions compliance violations and has imposed significant fines on banks for such violations.
The requirements of the Proposed Rule are summarized below. For the specific details, please see the Proposed Rule available here.
Transaction Monitoring Program. Each Regulated Institution must maintain a Transaction Monitoring Program to monitor transactions for BSA/AML violations and suspicious activity using manual or automated systems. Such a Program must include certain attributes specified in the Proposed Rule, such as: (1) system settings and detection scenarios designed to reflect the institution’s AML risk assessment, customer due diligence information and relevant information from areas such as security, investigations and fraud prevention; (2) end-to-end, pre- and post-implementation testing, as well as periodic testing of the program; (3) protocols for the investigation and decision-making process for alerts; and (4) ongoing analysis of the continued relevancy of parameters, thresholds and other settings.
Watch List Filtering Program. Each Regulated Institution must maintain a Watch List Filtering Program to interdict transactions, prior to execution, that are prohibited by applicable sanctions programs (including the Office of Foreign Assets Control (OFAC) and other sanction lists), lists of politically exposed persons, and internal watch lists. The program must include certain attributes specified in the Proposed Rule such as: (1) technology or tools that match names and accounts based on the institution’s particular risks, transaction and product profiles; (2) end-to-end, pre- and post-implementation testing of the program; (3) use of watch lists that reflect current legal or regulatory requirements; and (4) ongoing analysis of the logic and performance of the technology or tools used for name matching, watch lists and settings to assess whether they map to the risks of the institution.
The Transaction Monitoring and Watch List Filtering Programs must use all relevant data sources, validate the integrity and quality of the data used, ensure accurate data transfer, provide for governance and management oversight of the programs (including changes thereto), include a third-party vendor selection process if applicable, and be appropriately funded and staffed by qualified personnel who are appropriately trained on a periodic basis.
Regulated Institutions are prohibited from changing or altering their programs to avoid or minimize the filing of suspicious activity reports, reduce the number of alerts generated by a program (for example, by turning down the sensitivity of filters) or otherwise avoid complying with regulatory requirements.
Annual Certification. Each Regulated Institution’s chief compliance officer (or functional equivalent) would be required to sign an annual certification attesting that the institution’s Transaction Monitoring Program and Watch List Filtering Program satisfy all regulatory requirements. This requirement is modeled after Section 302 of the Sarbanes-Oxley Act of 2002, which requires top-level executives of publicly traded companies to certify as to the truthfulness and accuracy of company financial statements.[2] Benjamin M. Lawsky, the former New York Superintendent of Financial Services, mentioned this requirement in a speech made earlier this year. He stated that because the NYDFS cannot simultaneously audit every Regulated Institution, it would consider requiring senior executives to certify the adequacy and robustness of their institutions’ systems.[3]
Failure to comply with the Proposed Rule requirements would subject a Regulated Institution to penalties under applicable New York banking and financial services laws. Senior compliance officers may be subject to criminal penalties for filing an annual certification that is incorrect or false. Although the proposed certification form includes a qualifier that “to the best of [the officer’s] knowledge,” the statements are accurate and complete, it is not entirely clear from the Proposed Rule what level of intent or knowledge would be applicable to the imposition of penalties.
If the Proposed Rule is adopted as proposed, Regulated Institutions would face increased regulatory pressures beyond those currently prescribed by federal AML regulations. In his speech earlier this year, Benjamin Lawsky proposed random audits by the NYDFS of institutions’ transaction monitoring and filtering systems employing the same methodology used by independent monitors appointed by the NYDFS. In view of the heightened level of regulatory scrutiny suggested by the Proposed Rule, Regulated Institutions may find it advisable to review their transaction monitoring and filtering programs and to take appropriate steps to address any perceived vulnerabilities. Because these programs must be designed to reflect adequately the risks of the institution, Regulated Institutions may also need to scrutinize further their AML and OFAC risk assessment methodologies and customer due diligence procedures to ensure that they reveal an accurate and complete picture of all relevant risk exposures, including customer risks. Finally, the introduction of annual certifications and the level of accountability that accompanies such declarations would likely have a significant impact on senior compliance officers and their approach to compliance with these new requirements.
Comments on the Proposed Rule are due no later than 45 days after publication in the New York State Register.