Compliance professionals may balk at proposal requiring CCOs to ‘certify’ effectiveness of systems

New York is likely to face resistance in implementing a new proposal requiring the top compliance cops at financial institutions to certify in writing that the complex systems they are using to detect money laundering, terrorism and other crimes are effective and sufficient.

The proposed changes were released Tuesday by Governor Andrew Cuomo, with financial institutions given a short 45-day window to submit comments. If the proposals become law, some financial crime compliance professionals are concerned that they could create program redundancies, further crimp strained resources and raise costs as some of the state initiatives appear to go beyond corresponding federal anti-money laundering (AML) rules and guidance.

Conversely, the proposed rules may take some of the guesswork out of tuning complicated monitoring and filtering systems, due in large part to their prescriptive specificity.

Broadly, the new rules would put heightened scrutiny on the transaction monitoring and filtering systems banks use to detect financial crime, sanctioned persons and other blacklisted groups. The rules also emphasize an increased regulatory focus on the decision-making of staff analyzing generated alerts, and the quality and accuracy of the underlying data flowing through the programs.

If the certification by a chief compliance officer (CCO) is later found to be false or inaccurate, that individual could face criminal penalties.

Depending on how the proposed rules are implemented, they could range from potentially duplicative and time-consuming to outright burdensome and unreasonable, said Nicole Bocra, principal of Arlington, Va.-based Infinity Investigative Solutions and a former Finra special investigator.

The proposed rules could “be a big deal and an added cost” to already strapped compliance budgets, she said, adding that many key details are still unclear, leading to uncertainty.

For instance, it’s unknown if these more rigorous transaction and filtering testing methods can be done in conjunction with the sample transaction testing in standard financial crime audits – currently done as one of the four prongs of the AML program – or if these new assessments must be standalone initiatives, which could further strain resources, Bocra said.

On the sanctions front, the new rules would call for a watch list filtering program to include OFAC and other sanctions lists, politically-exposed persons lists, and internal watch lists. Bocra noted that the term “other sanctions lists” is non-descriptive and questioned if a bank would also be required to include sanctions lists issued by foreign governments.

Sign on the dotted line?

But some financial crime professionals think their CCOs will resist the changes.

Even if the new rules are enacted, “I really doubt any CCO will want to certify anything in writing,” said a compliance officer at a large bank in the United States, who asked not to be named. “I am sure there will be a lot of pushback from the private sector.”

One potential solution is that CCOs will try to outsource the work to a reputable auditing or consulting firm that engages in similar work with other financial institutions, said the person, but that still may not provide immunity because mistakes made by a third party would be borne by the financial institution.

“That at least gives the CCO a bit of comfort that they at least had a third party come in and give another pair of eyes and conclude that the monitoring and filtering systems are up and running in a manner consistent with other organizations that they have also validated. But that is where it ends. I don’t think any CCO will want to voluntarily certify that their transaction monitoring or filtering tools are flawless.”

The proposal is clearly informed and likely hastened by the ISIS-related shootings in Paris last month that killed more than 120, but is chiefly a response to the New York State Department of Financial Services (NYDFS) finding significant gaps in the terrorist financing, sanctions and AML compliance programs at large international banks in the past four years.

As a result of these investigations, the state regulator has “uncovered (among other issues) serious shortcomings in the transaction monitoring and filtering programs of these institutions and that a lack of robust governance, oversight, and accountability at senior levels of these institutions has contributed to these shortcomings,” according to the statement released by Governor Cuomo’s office.

Here are some excerpts from the NYSDFS on the new proposal that could be particularly persnickety for institutions or could cause challenges in implementation:

  • Maintain a Transaction Monitoring Program. Each regulated institution will maintain for the purpose of monitoring transactions after their execution for potential BSA/AML violations and Suspicious Activity Reporting, which system may be manual or automated, and which shall, at a minimum include the following attributes:
    • Include an end-to-end, pre-and post-implementation testing of the Transaction Monitoring Program, including governance, data mapping, transaction coding, detection scenario logic, model validation, data input and Program output, as well as periodic testing.
    • Include investigative protocols detailing how alerts generated by the Transaction Monitoring Program will be investigated, the process for deciding which alerts will result in a filing or other action, who is responsible for making such a decision, and how investigative and decision-making process will be documented; and
    • Be subject to an on-going analysis to assess the continued relevancy of the detection scenarios, the underlying rules, threshold values, parameters, and assumptions.
  • Maintain a Watch List Filtering Program. Each regulated institution will maintain for the purpose of interdicting transactions, before their execution, that are prohibited by applicable sanctions, including OFAC and other sanctions lists, politically exposed persons lists, and internal watch lists, which system may be manual or automated, and which shall, at a minimum, include the following attributes:
    • Include an end-to-end, pre- and post-implementation testing of the Watch List Filtering Program, including data mapping, an evaluation of whether the watch lists and threshold settings map to the risks of the institution, the logic of matching technology or tools, model validation, and data input and Watch List Filtering Program output.
    • Utilizes watch lists that reflect current legal or regulatory requirements.
    • Be subject to on-going analysis to assess the logic and performance of the technology or tools for matching names and accounts, as well as the watch lists and the threshold settings to see if they continue to map to the risks of the institution.
  • Additional Requirements. Each Transaction Monitoring and Filtering Program shall, at a minimum, require the following:
    • Validation of the integrity, accuracy and quality of data to ensure that accurate and complete data flows through the Transaction Monitoring and Filtering Program.
    • Funding to design, implement and maintain a Transaction Monitoring and Filtering Program that complies with the requirements of this Part.
    • Qualified personnel or outside consultant responsible for the design, planning, implementation, operation, testing, validation, and on-going analysis of the Transaction Monitoring and Filtering Program, including automated systems if applicable, as well as case management, review and decision making with respect to generated alerts and potential filing.
    • No regulated institution may make changes or alterations to the Transaction Monitoring and Filtering Program to avoid or minimize filing suspicious activity reports, or because the institution does not have the resources to review the number of alerts, or to otherwise avoid complying with regulatory requirements.

State proposal tougher than federal counterpart

The impending requirements to also validate the integrity, accuracy and quality of the data in the systems, beyond simply ensuring that the monitoring and filtering models themselves are working properly, appear at first blush to go “beyond what banks are already required to do,” in regulations and interagency exam manual guidance, Bocra said.

Currently, banks are required to engage in customer-due-diligence and gather know-your-customer details that are used to build a customer risk assessment. That assessment is then quantified and fed into the transaction monitoring system.

The figures are typically only updated if the transactional activity for a given customer trips alert protocols, if the bank files a suspicious activity report on a customer, if the customer is named in an indictment or subpoena, or if the bank is told by regulators to review and update the risk rankings of its customer population in totality or in certain risk-weighted tranches.

But banks typically are not required to constantly recheck data on customers and transactions. Such updates are done on a risk-based approach and could be on differing audit cycles extending from a few months to several years.

In addition, there could be some logistical hurdles as part of the new requirements to do an “end-to-end, pre- and post-implementation testing” of monitoring and filtering systems if a system has yet to be installed. There is no foolproof way to catch and preview every bug that could be encountered in a complex system installation that can take months or years to complete, Bocra said.

Too many competencies needed to comply

Taking on the significant extra work envisioned under the proposal, overseeing such a sprawling project and concurrently keeping up with day-to-day compliance and auditing operations will be difficult, said the compliance person.

It will be unlikely that banks can be both the “maker and checker” of the various systems and keep the work in-house, said the person, forcing the need for costly outside consulting services for an undetermined amount of time.

“I don’t know too many people in a bank compliance department who possess all the competencies needed” to comply with the new obligations, including financial crime expertise, systems implementation, data analytics and model validation, said the person.

Despite the challenges inherent in the proposed rules, New York officials seem to feel that past compliance failings, and current threats around terrorist financing, warrant a tougher approach.

“Money is the fuel that feeds the fire of international terrorism,” said Governor Cuomo in a statement. “Global terrorist networks simply cannot thrive without moving significant amounts of money throughout the world. At a time of heightened global security concerns, it is especially vital that banks and regulators do everything they can to stop that flow of illicit funds.”