The New York Department of Financial Services (DFS) has finalized a new regulation setting forth rigorous standards for monitoring and filtering programs to monitor transactions for potential anti-money laundering (AML) and Bank Secrecy Act (BSA) violations and block transactions prohibited by the United States Treasury Department’s Office of Foreign Assets Control (OFAC). The regulation, which becomes effective on January 1, 2017, will apply to all banks, trust companies, private bankers, savings banks, and savings and loan associations chartered under the New York Banking Law (NYBL); branches and agencies of foreign banking corporations licensed under the NYBL to conduct banking operations in New York; and check cashers and money transmitters licensed under the NYBL (Regulated Institutions). For mortgage businesses that are not affiliated with Regulated Institutions, the new regulation is instructive nonetheless as a benchmark for future standards likely to come from DFS, other states and/or federal regulators.
The most notable provisions of the new regulation require each Regulated Institution to submit to DFS by April 15 of each year either a “Senior Officer Compliance Finding” or a resolution of its “Board of Directors” to certify compliance with the regulation. A “Senior Officer” is “the senior individual or individuals responsible for the management, operations, compliance and/or risk” of a Regulated Institution. The “Board of Directors” is the “governing board of every Regulated Institution or the functional equivalent if the Regulated Institution does not have a Board of Directors.” The resolution or finding must state that the Senior Officer or Board of Directors has reviewed documents, reports, certifications, and opinions of such officers, employees, outside vendors, and other parties as necessary to adopt the resolution or compliance finding. A Regulated Institution must maintain for DFS examination, for a period of five years, all records, schedules and data supporting adoption of the board resolution or senior officer compliance finding. Specific references in the proposed rule issued in December 2015 to criminal penalties for an incorrect or false submission have been replaced by more generic language regarding the Superintendent’s enforcement authority.
The final regulation requires a Regulated Institution to maintain a manual or automated “Transaction Monitoring Program” and “Filtering Program” that are reasonably designed to, respectively, monitor transactions after their execution for potential BSA/AML violations and suspicious activity reporting, and interdict OFAC-prohibited transactions. The regulation lists eight attributes that a Transaction Monitoring Program must have and five attributes a Filtering Program must have, to the extent applicable. The listed attributes are very detailed; for example, one requires a Transaction Monitoring Program to include protocols setting forth how alerts will be investigated, "the process for deciding which alerts will result in a filing or other action, the operating areas and individuals responsible for making such a decision, and how the investigative and decision-making process will be documented[.]"
The final regulation also lists eight additional requirements that must be part of both a Transaction Monitoring and Filtering Program, to the extent applicable. Among the areas covered by such requirements are data identification, validation of data integrity, accuracy and quality, data extraction and loading processes, governance and management oversight, vendor selection, and training.
