New York’s top financial services regulator released new rules Thursday on the creation, testing and updating of transaction monitoring and sanctions screening systems, but compromised on a proposal that would have required chief compliance officers in writing to “certify” the effectiveness of these systems in stopping financial crime.
The final rules issued by the New York State Department of Financial Services (NYDFS) call for regulated banks to adopt risk-based anti-money laundering (AML) and anti-terrorism financing systems that monitor for suspicious and aberrant transactions, create alerts for further investigation by compliance staff, and filter for sanctioned individuals and entities, among other objectives.
Broadly, the new rules would put enhanced scrutiny on the transaction monitoring and filtering systems banks use to detect financial crime, sanctioned persons and other blacklisted groups. The rules evince an increased regulatory focus on the decision-making of staffers analyzing generated alerts, and the quality and accuracy of the underlying data flowing through the programs.
“The certification requirement, as well as the roadmap of specific obligations whose effectiveness institutions must verify, are steps that take us from general compliance to measurable compliance metrics, to which a growing list of officers, not just the entity, will be held accountable,” said Jorge Guerrero, chief executive office of Austin, Tx.-based Optima Compass Group, a financial crime compliance consultancy.
“This will drastically change the compliance approach of most institutions and requires AML compliance to be an integral component of management decisions, not an afterthought,” he said.
The regulator stated that over the past four years, examiners and investigators have engaged in a broad analysis of AML systems, and found major deficiencies, while also levying some of the largest financial crime compliance-related penalties, soaring into the hundreds of millions of dollars, in the state’s history.
As a result of these investigations, the NYDFS has uncovered “serious shortcomings in the transaction monitoring and filtering programs of these institutions and that a lack of robust governance, oversight, and accountability at senior levels of these institutions has contributed to these shortcomings.”
“Financial institutions doing business in New York must do everything they can to help stem the tide of illegal financial transactions that fund terrorist activity,” said Financial Services Superintendent Maria Vullo, in a statement accompanying the release of the final rules.
The final regulation follows a largely similar proposal in December – modeled itself on Sarbanes-Oxley – that would have required the “chief compliance officer (CCO) or functional equivalent” to annually certify that their institution has “sufficient systems in place to detect, weed out, and prevent illicit transactions.” To read a copy of the proposed rules, please click here.
If the duly certified systems were later found to be inadequate, the CCO would have faced civil and potentially criminal liability exposure and penalties.
Compliance professionals at all levels and of all stripes roundly decried the proposal for a bevy of reasons, at the top of the list being that potentially a wrong decision by a much lower-ranking AML analyst, staffer or system vendor who didn’t install something correctly or failed to validate some arcane piece of technological code, could result in criminal prosecution of the CCO.
For example, the American Bankers Association (ABA), a powerful bank lobbying group, in March wrote a 12-page comment letter to the NYDFS that the initiative would cause widespread “confusion” and that the requirements were both “inconsistent” and in some cases directly “conflict” with corresponding federal AML requirements.
More muted rules still a ‘game changer’
The New York regulator apparently heeded the banking sector’s calls for temperance, making many changes large and small from the proposal to the final rule, the biggest of which is making the certification by the CCO optional, the initiative could also be approved by the board, and changing the certification itself to a “compliance officer finding.”
Despite the modifications, the new rules will be challenging to implement and could still increase compliance officer liability and exposure to penalties, Guerrero said.
“Although the certification was somewhat diluted, it follows the [US Treasury’s Financial Crimes Enforcement Network’s (FinCEN)] imposition of a personal assessment against MoneyGram’s former compliance officer,” he said. “It is yet another step toward personal accountability of official functions that exists in few other industries. It is a game changer.”
The risk-based rule adopted by NYDFS takes into consideration comments that were submitted by the financial services industry and others during the extended comment period for the previously-proposed regulation, which ended March 31, 2016.
Under the new rule, which will be effective January 1, 2017, relevant regulated institutions “are required to review their transaction-monitoring and filtering programs and ensure that they are reasonably designed to comply with risk-based safeguards,” according to the rule.
The institutions also must, now through either one of these options, adopt an annual board resolution or senior officer compliance finding to certify compliance with the DFS regulation beginning April 15, 2018.
The resolution or finding “must state that documents, reports, certifications and opinions of officers and other relevant parties have been reviewed by the board of directors or senior official to certify compliance with the regulation,” according to the regulator.
Moreover, regulated banks must “maintain for examination by DFS all records, schedules and data supporting adoption of the board resolution or senior officer compliance finding for a period of five years.”
“It is time to close the compliance gaps in our financial regulatory framework to shut down money laundering operations and eliminate potential channels that can be exploited by global terrorist networks and other criminal enterprises,” Vullo said.
Here is a comparison of key tenets in the finalized rule and how they differ, in most cases being more muted and less stringent, from the proposed rule. The changes, updates or deletions are in bold italics.
Maintain a Transaction Monitoring Program
Each relevant regulated institution shall maintain a reasonably designed program for the purpose of monitoring transactions after their execution for potential BSA/AML violations and Suspicious Activity Reporting. The system, which may be manual or automated, shall, at a minimum, to the extent they are applicable:
- Be based on the risk assessment of the institution; Unchanged.
- Be reviewed and periodically updated at risk-based intervals to take into account and reflect changes to applicable BSA/AML laws, regulations and regulatory warnings, as well as any other information determined by the institution to be relevant from the institution’s related programs and initiatives; The proposal originally started with “reflect all current BSA/AML laws, regulations and alerts as well as any relevant information available from the institution’s related programs and initiatives.”
- Appropriately match BSA/AML risks to the institution’s businesses, products, services and customers/counterparties; The proposal started with “map BSA/AML risks…”
- BSA/AML detection scenarios with threshold values and amounts designed to detect potential money laundering or other suspicious or illegal activities; Unchanged.
- End-to-end, pre-and post-implementation testing of the Transaction Monitoring Program, including, as relevant, a review of governance, data mapping, transaction coding, detection scenario logic, model validation, data input and program output; The proposal didn’t have the words “as relevant.”
- Documentation that articulates the institution’s current detection scenarios and the underlying assumptions, parameters and thresholds; The proposal stated to “include easily understandable documentation…”
- Protocols setting forth how alerts generated by the Transaction Monitoring Program will be investigated, the process for deciding which alerts will result in a filing or other action, the operating areas and individuals responsible for making such a decision, and how the investigative and decision-making process will be documented; and Unchanged.
- Be subject to an on-going analysis to assess the continued relevance of the detection scenarios, the underlying rules, threshold values, parameters and assumptions. Unchanged.
Maintain a Watch List Filtering Program
Each relevant regulated institution shall maintain a reasonably designed filtering program for the purpose of interdicting transactions that are prohibited by federal economic and trade sanctions, and which shall include the following, to the extent they are applicable:
- Be based on the risk assessment of the institution; Unchanged.
- Be based on technology, processes or tools for matching names and accounts, in each case based on the institution’s particular risks, transaction and product profiles; Unchanged
- End-to-end, pre- and post-implementation testing of the Filtering Program, including, as relevant, a review of data matching, an evaluation of whether the Office of Foreign Assets Control sanctions list and threshold settings map to the risks of the institution, the logic of matching technology or tools, model validation, and data input and program output; Unchanged.
- Be subject to on-going analysis to assess the logic and performance of the technology or tools for matching names and accounts, as well as the OFAC sanctions list and the threshold settings to see if they continue to map to the risks of the institution; and Unchanged.
- Documentation that articulates the intent and design of the Filtering Program tools, processes or technology. The proposal stated the documentation had to be “easily understandable.”
- This line was deleted from the final rule: “Utilizes watchlists that reflect current legal or regulatory requirements.”
Each Transaction Monitoring and Filtering Program shall require the following, to the extent they are applicable:
- Identification of all data sources that contain relevant data; Unchanged.
- Validation of the integrity, accuracy and quality of data to ensure that accurate and complete data flows through the Transaction Monitoring and Filtering Program; Unchanged.
- Data extraction and loading processes to ensure a complete and accurate transfer of data from its source to automated monitoring and filtering systems, if automated systems are used; Unchanged.
- Governance and management oversight, including policies and procedures governing changes to the Transaction Monitoring and Filtering Program to ensure that changes are defined, managed, controlled, reported and audited; Unchanged.
- Vendor selection process if a third party vendor is used to acquire, install, implement or test the Transaction Monitoring and Filtering Program or any aspect of it; Unchanged.
- Funding to design, implement and maintain a Transaction Monitoring and Filtering Program that complies with the requirements of the regulation; Unchanged.
- Qualified personnel or outside consultant responsible for the design, planning, implementation, operation, testing, validation and on-going analysis of the Transaction Monitoring and Filtering Program, including automated systems if applicable, as well as case management, review and decision making with respect to generated alerts and potential filings; and Unchanged.
- Periodic training with respect to the Transaction Monitoring and Filtering Program. The proposal had “periodic training of all stakeholders with respect to…”
- The proposed line was deleted from the final rule: “No regulated institution may make changes or alterations to the Transaction Monitoring and Filtering Program to avoid or minimize filing suspicious activity reports, or because the institution does not have the resources to review the number of alerts, or to otherwise avoid complying with regulatory requirements.
Annual Board Resolution or Senior Officer Compliance Finding
To ensure compliance with the requirements, each regulated institution shall adopt and submit to the Superintendent a board resolution or senior officer compliance finding by April 15 of each year.
The original proposal said this: To ensure compliance with the requirements, each institution shall submit to the Department by April 15 of each year certifications duly executed by its chief compliance officer or functional equivalent.