In the process of reviewing Bank Secrecy Act/anti-money laundering (BSA/AML) and sanctions compliance at regulated institutions, the NYDFS discovered shortcomings in transaction monitoring and filtering programs due to the lack of robust governance, oversight and accountability at the senior levels of various institutions. To address these concerns, the NYDFS issued a proposed rule in December 2015 to clarify the minimum attributes of transaction monitoring and watch list filtering programs.1 The NYDFS sought comments on the proposed rule which were due by March 31, 2016. The Final Rule makes some modifications to the proposed rule based on the comments received, including with respect to the annual certification requirement as further discussed below.
Transaction Monitoring Program
Each regulated institution must maintain a transaction monitoring program that is reasonably designed to monitor transactions after their execution for potential BSA/AML violations and suspicious activity reporting using either manual or automated systems. The Final Rule lists eight specific minimum attributes of a transaction monitoring program to the extent they are applicable:
- The program is based on the risk assessment of the regulated institution. The risk assessment must be comprehensive and ongoing, and take into account factors such as the institution’s size, staffing, governance, businesses, products and services, operations, customers, counterparties, other relationships and geographies.
- The program is periodically reviewed and updated at risk-based intervals to reflect changes to applicable BSA/AML laws, regulations, and regulatory warnings, as well as any other information determined by the institution to be relevant.
- The program appropriately matches BSA/AML risks to the institution’s businesses, products, services and customers/counterparties.
- The program includes detection scenarios with threshold values and amounts designed to detect potential money laundering and other suspicious or illegal activities.
- The program requires end-to-end, pre- and post-implementation testing including, as relevant, a review of governance, data mapping, transaction coding, detection scenario logic, model validation, data input and program output.
- Program documentation articulates the current detection scenarios and the underlying assumptions, parameters and thresholds.
- The program includes protocols that set forth in detail the investigation and decision-making process for alerts generated by the program.
- The program is subject to ongoing analysis of the continued relevance of the detection scenarios, underlying rules, thresholds, parameters and assumptions.
Each regulated institution must maintain a manual or automated filtering program that is reasonably designed to interdict transactions prohibited under sanctions issued by the U.S. Treasury’s Office of Foreign Assets Control (OFAC). Unlike the proposed rule which applied to filtering programs that screen against “other sanctions lists” in addition to OFAC, politically exposed persons lists and internal watch lists, the Final Rule applies only to OFAC sanctions.
The Final Rule lists five specific minimum attributes of a filtering program to the extent they are applicable:
- The program is based on the risk assessment of the regulated institution.
- The program is based on technology, processes or tools reasonably designed for matching names and accounts, in each case based on the particular risks, transaction and product profiles of the institution.
- The program requires end-to-end, pre- and post-implementation testing including, as relevant, a review of data matching, whether the OFAC sanctions list and threshold settings map to the institution’s risks, the logic of matching technology or tools, model validation, and data input and program output.
- The program is subject to ongoing analysis of the logic and performance of the technology or tools used for matching names and accounts, and continuing assessment of whether the OFAC sanctions list and threshold settings continue to map to the institution’s risks.
- Program documentation articulates the intent and design of the filtering program tools, processes or technology.
Both the transaction monitoring program and the filtering program must, to the extent applicable, identify all relevant data sources, validate the integrity and quality of the data used, ensure accurate data transfer from its source to any automated systems used, provide for governance and management oversight of the programs (including changes thereto), include a third-party vendor selection process if applicable, be appropriately funded and staffed by qualified personnel or outside consultants, and provide periodic training for all stakeholders.
Documenting Improvements and Remedial Efforts
To the extent that a regulated institution has identified areas, systems or processes that require material improvement, updating or redesign with respect to its transaction monitoring or filtering programs, the institution is required to document such areas, systems or processes, as well as any remedial efforts that are planned and underway. Such documentation must be made available for inspection by the NYDFS. This is a new requirement under the Final Rule that was not included in the proposed rule.
Annual Board Resolution or Senior Officer Compliance Finding
Under the Final Rule, a regulated institution must adopt and submit to the NYDFS by April 15th of each year, either a board of directors resolution or a senior officer(s) compliance finding that certifies compliance with the Final Rule in the form provided in Attachment A of the Final Rule.
The “board of directors” refers to the governing board of the regulated institution or the functional equivalent if there is no board of directors, and “senior officer(s)” mean the senior individual or individuals responsible for the management, operations, compliance and/or risk of a regulated institution. The members of the board of directors or senior officer(s) must certify that:
- They have reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary to adopt the board resolution or senior officer compliance finding;
- They have taken all steps necessary to confirm that the regulated institution has a transaction monitoring and filtering program that complies with the provisions of Section 504.3 of the Final Rule; and
- To the best of their knowledge, the transaction monitoring and filtering program complies with Section 504.3 of the Final Rule as of the date of the board resolution or senior officer(s) compliance finding for the specified year.
Regulated institutions must maintain, for examination by the NYDFS, all records, schedules and data supporting adoption of the board resolution or senior officer(s) compliance finding for a period of five years.
The Final Rule modifies the annual certification requirement by expanding the number of potential officer certifiers compared to the proposed rule, which required a regulated institution’s chief compliance officer (or functional equivalent) to provide the certification. In practice, however, the certification responsibility will most likely fall upon the chief compliance officer, chief risk officer, or the functional equivalent because boards and other senior officers may be hesitant to provide the certification. In addition, the certification form has been revised under the Final Rule to indicate specifically that the certification process will require the taking of certain due diligence steps such as obtaining reports, certifications and opinions of certain officers, employees, representatives, outside vendors and others as necessary for the board of directors or senior officers to confirm compliance with the Final Rule.
The Final Rule revises the section on penalties and enforcement actions to state that the Final Rule will be enforced pursuant to, and is not intended to limit, the New York Superintendent of Financial Services’ authority under any applicable laws. The Final Rule omits the statements in the proposed rule that regulated institutions would be subject to applicable penalties provided under New York laws for failure to maintain adequate transaction monitoring and filtering programs and failure to file the annual certifications. The Final Rule also leaves out the proposed rule’s specific mention of potential criminal penalties for a certifying senior officer who files an incorrect or false annual certification.
Maria Vullo, the recently confirmed New York Superintendent of Financial Services, had signaled earlier in June 2016 that the NYDFS would soften the standard of “strict liability,” but made clear that there will be accountability at high levels of regulated institutions for compliance deficiencies.2
With the final transaction monitoring and filtering program rules soon to become effective, each regulated institution should review and, where necessary, enhance its existing programs to ensure that they are reasonably designed and risk-based to meet the NYDFS' requirements. Such review and update may warrant, among other measures, a gap analysis, a risk assessment and additional tailoring of the programs based on the risk assessment, enhanced documentation of processes and procedures, further testing and validation of system filters and parameters, and development of a well-documented certification process that will enable senior management to make the required certifications. The NYDFS can be expected to take an aggressive approach in the enforcement of the Final Rule; therefore, regulated institutions should take all necessary precautions and measures to make certain that they will not be found deficient in these areas.
1 The NYDFS press release and Proposed Rule are available at: http://www.dfs.ny.gov/about/press/pr1512011.htm.
2 Financial Times, “New York’s top finance regulator is no ‘Clint Eastwood’,” June 22, 2016.
If you have any questions regarding this Sidley Update, please contact the Sidley lawyer with whom you usually work, or
Connie M. Friesen, +1 212 839 5507
Joel D. Feinberg, +1 202 736 8473