On June 30, 2016, the New York State Department of Financial Services (“NYDFS”) adopted a final regulation imposing new anti-money laundering (“AML”) and economic sanctions requirements on financial institutions regulated by the NYDFS (the “Final Rule”). The Final Rule requires all depository institutions, trust companies, foreign bank branches or agencies, money transmitters and check cashers chartered or licensed under New York law (each, a “Regulated Institution”) to maintain a “Transaction Monitoring Program” and a “Filtering Program” (collectively, a “Transaction Monitoring and Filtering Program”) to detect potential violations of applicable AML laws and regulations and sanctions programs administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”).
During the last few years, the NYDFS has conducted investigations into Bank Secrecy Act (“BSA”)/AML and sanctions compliance at financial institutions and reports that it has discovered shortcomings, particularly with respect to transaction monitoring and filtering systems, and governance, oversight and accountability at senior levels of such financial institutions. The Final Rule requires Regulated Institutions to review their Transaction Monitoring and Filtering Program and ensure that such program is reasonably designed to comply with risk-based safeguards. The Final Rule also requires Regulated Institutions to adopt an annual board resolution (“Resolution”) or senior officer compliance finding (“Finding”) to certify compliance with the Final Rule, which would potentially expose any such signatories to a regulatory penalty or criminal liability if the controls are found lacking. The Final Rule is effective Jan. 1, 2017, and Regulated Institutions will be required to prepare and submit to the NYDFS their annual Resolution or Finding commencing April 15, 2018.
The Final Rule would not apply to federally-chartered depository institutions or other financial institutions not chartered or licensed by the NYDFS. It also would not cover NYDFS-regulated insurance companies or persons subject to NYDFS’ digital currency regulations, which have separate NYDFS-imposed AML requirements and, in some cases, federal AML requirements.
Key Requirements of the Final Rule and Differences Between the Proposed and Final Rule
While the Final Rule largely mirrors the proposed rule, there are a few significant differences. Most notably, the Final Rule is now risk-based, which is evidenced by several moderating phrases throughout the rule text, such as “reasonably designed,” “risk-based intervals,” “as relevant,” “to the extent they are applicable” and “as appropriate.” In addition, Regulated Institutions now have the option of submitting either a Resolution from their board or a Finding from a senior officer. The key requirements of the Final Rule include the following:
AML Transaction Monitoring Program
Each Regulated Institution is required to maintain a program reasonably designed for the purpose of monitoring transactions after their execution for potential BSA/AML violations and Suspicious Activity Reporting. The system, which may be manual or automated, shall, at a minimum, include the following attributes, to the extent they are applicable:
- Be based on the risk assessment of the Regulated Institution;
- Be reviewed and periodically updated at risk-based intervals to take into account and reflect changes to applicable BSA/AML laws, regulations and regulatory warnings, as well as any other information determined by the Regulated Institution to be relevant from the Regulated Institution’s related programs and initiatives;
- Appropriately match BSA/AML risks to the Regulated Institution’s businesses, products, services and customers or counterparties;
- BSA/AML detection scenarios with threshold values and amounts designed to detect potential money laundering or other suspicious or illegal activities;
- End-to-end, pre- and post-implementation testing of the Transaction Monitoring Program, including, as relevant, a review of governance, data mapping, transaction coding, detection scenario logic, model validation, data input and program output;
- Documentation that articulates the Regulated Institution’s current detection scenarios and the underlying assumptions, parameters and thresholds;
- Protocols setting forth how alerts generated by the Transaction Monitoring Program will be investigated, the process for deciding which alerts will result in a filing or other action, the operating areas and individuals responsible for making such a decision, and how the investigative and decision-making process will be documented; and
- Be subject to an on-going analysis to assess the continued relevance of the detection scenarios, the underlying rules, threshold values, parameters and assumptions.
OFAC Filtering Program
Each Regulated Institution is required to maintain a filtering program reasonably designed for the purpose of interdicting transactions that are prohibited by OFAC sanctions, and which shall include the following attributes, to the extent they are applicable:
- Be based on the risk assessment of the Regulated Institution;
- Be based on technology, processes or tools for matching names and accounts, in each case based on the Regulated Institution’s particular risks, transaction and product profiles;
- End-to-end, pre- and post-implementation testing of the Filtering Program, including, as relevant, a review of data matching, an evaluation of whether the OFAC sanctions list and threshold settings map to the risks of the institution, the logic of matching technology or tools, model validation, and data input and program output;
- Be subject to on-going analysis to assess the logic and performance of the technology or tools for matching names and accounts, as well as the OFAC sanctions list and the threshold settings to see if they continue to map to the risks of the Regulated Institution; and
- Documentation that articulates the intent and design of the Filtering Program tools, processes or technology.
The proposed rule would have extended these requirements to unidentified “other sanctions lists, politically exposed persons lists, and internal watch lists.” That language has been dropped from the Final Rule, which is limited to OFAC prohibitions.
Additional Requirements Applicable to the Transaction Monitoring and Filtering Program
Both the Transaction Monitoring Program and the Filtering Program must require the following, to the extent they are applicable:
- Identification of all data sources that contain relevant data;
- Validation of the integrity, accuracy and quality of data to ensure that accurate and complete data flows through the Transaction Monitoring and Filtering Program;
- Data extraction and loading processes to ensure a complete and accurate transfer of data from its source to automated monitoring and filtering systems, if automated systems are used;
- Governance and management oversight, including policies and procedures governing changes to the Transaction Monitoring and Filtering Program to ensure that changes are defined, managed, controlled, reported and audited;
- Vendor selection process if a third-party vendor is used to acquire, install, implement or test the Transaction Monitoring and Filtering Program or any aspect of it;
- Funding to design, implement and maintain a Transaction Monitoring and Filtering Program that complies with the requirements of the regulation;
- Qualified personnel or outside consultant responsible for the design, planning, implementation, operation, testing, validation and on-going analysis of the Transaction Monitoring and Filtering Program, including automated systems if applicable, as well as case management, review and decision making with respect to generated alerts and potential filings; and
- Periodic training with respect to the Transaction Monitoring and Filtering Program.
The proposed rule prohibited Regulated Institutions from making changes to their Transaction Monitoring and Filtering Program to avoid or minimize filing suspicious activity reports, or due to a lack of resources to review alerts generated by the program. This prohibition was omitted from the Final Rule. Instead, the Final Rule requires Regulated Institutions to “document the identification and remedial efforts planned and underway” to address any areas, systems or processes that the Regulated Institution believes require material improvement, updating or redesign.
Annual Board Resolution or Senior Officer Compliance Finding
The Final Rule requires each Regulated Institution to adopt and submit to the NYDFS a Resolution or Finding by April 15 of each year. A Regulated Institution can determine whether to submit a Resolution or Finding, “as appropriate,” although the Final Rule does not provide further guidance on when to submit a Resolution versus a Finding. A senior officer for this purpose does not need to be a compliance professional. The term “senior officer” is defined as “the senior individual or individuals responsible for the management, operations, compliance and/or risk of a Regulated Institution,” and more than one senior officer can submit the required compliance finding. The Final Rule notes that the Board of Directors includes “the governing board of every Regulated Institution,” as well as “the functional equivalent if the Regulated Institution does not have a Board of Directors.”
The Final Rule has an attachment that prescribes the wording of the Resolution or Finding. The Resolution or Finding requires the board or senior officer to certify that it, or he or she, has “reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary,” suggesting that the signatory may rely on reports or certifications of compliance by subordinates, similar to the process employed by public companies in certifying compliance with the requirements of the Sarbanes-Oxley Act. Nonetheless, the board or senior officer still must certify, to the best of the board’s or officer’s knowledge, that the Transaction Monitoring and Filtering Program complies with the Final Rule. The board or senior officer must also certify that it, or he or she, has “taken all steps necessary” to “confirm” that the Transaction Monitoring and Filtering Program complies with the Final Rule. The requirement to “take all steps necessary” to confirm compliance was not part of the proposed rule, and the Final Rule offers no guidance as to what steps NYDFS expects signatories to take to satisfy this requirement.
Although the language imposing criminal penalties for incorrect or false certifications on the Senior Compliance Officer has been removed in the Final Rule, the enforcement provision (§ 504.5) now states that the Final Rule will be enforced pursuant to the NYDFS’ authority under “any applicable laws,” and notes that the Final Rule is “not intended to limit, the Superintendent’s authority” under those laws. Such laws still include Section 672 of the New York Banking Law, which makes it a felony for any officer, director, trustee, employee or agent of a corporation subject to the New York Banking Laws (which could include both a Senior Compliance Officer and members of the Board of Directors) to make a false entry or material omission in any book, report or statement with intent to deceive a corporate officer or state regulator.
Each Regulated Institution must also maintain for examination by NYDFS all records, schedules and data supporting adoption of the Resolution or Finding for a period of five years.
In order to meet the Jan. 1, 2017, effective date, Regulated Institutions should now begin assessing whether their AML and OFAC policies and procedures, and transaction monitoring systems, comply with the Final Rule, and develop procedures for documenting and tracking their compliance efforts. In addition, NYDFS-regulated banks and branches of foreign banks will have to begin, during the same period, to implement FinCEN’s final rule on beneficial ownership and customer due diligence requirements, which is effective May 11, 2018.