Federal anti-money laundering (AML) regulations, rooted in the Bank Secrecy Act (BSA) and USA PATRIOT Act, have long required financial institutions to maintain internal control systems to assure compliance, provide for independent testing, designate individuals responsible for compliance and provide training for all appropriate personnel. Moving beyond this federal BSA/AML framework, the New York State Department of Financial Services (NYDFS), led by newly appointed Superintendent Maria Vullo, issued a final rule (Part 504) that includes regulations that dictate specific features for transaction monitoring and filtering programs and require annual board or senior officer certification of compliance.
According to NYDFS, the final regulation is motivated by its identification, through investigations of its regulated institutions, of shortcomings in monitoring and screening programs attributable to a “lack of robust governance, oversight, and accountability at senior levels.”
Although stringent, the majority of the regulation’s AML requirements and sanctions are in line with federal banking agency standards. Some of the regulation’s provisions apply to both AML monitoring and sanctions screening and relate to data integrity and the accuracy of data flows, governance and management oversight, funding, training, and the use of qualified personnel, vendors, and consultants.
To address the deficiencies perceived by the NYDFS, the final regulation requires the following measures:
Risk Assessment
Regulators generally have expected that banks and other financial institutions implement a BSA/AML program that is risk-based, in accordance with an internal assessment of money laundering risk. Part 504 effectively establishes this requirement, mandating that each Regulated Institution (all banks, trust companies, private bankers, savings banks, and savings and loan associations chartered pursuant to the New York Banking Law (the “Banking Law”) and all branches and agencies of foreign banking corporations licensed pursuant to the Banking Law to conduct banking operations in New York) conduct an ongoing and comprehensive assessment of the money laundering risk posed by each line of business, product, and customer.
Transaction Monitoring Program
Reflecting the perceived inadequacies of existing programs at individual institutions, Part 504 spells out the minimum requirements of a transaction monitoring program in great detail. Among other requirements, the program must be based on the institution’s AML Risk Assessment and mapped to specific businesses, products and customers.
An OFAC Filtering Program
The filtering program must be designed to intercept transactions that are forbidden by applicable sanctions of the Treasury’s Office of Foreign Assets Control (OFAC). Like the Transaction Monitoring Program, it should be based on the Institution’s ongoing Risk Assessment. Furthermore, it should incorporate appropriate tools and technology for matching names and accounts. While Part 504 does not mandate any particular tool, it does note that there are automated tools available that use algorithms based on so-called “fuzzy logic.” Part 504 states that the Filtering Program may be either automated or manual.
Annual Board Resolution or Senior Officer Compliance Filing
The compliance filing component requires that the covered institution’s board of directors or senior officer sign and submit a “Compliance Finding” annually by April 15th certifying that: (i) they have reviewed relevant documents to enable the Compliance Finding to be made; (ii) they have taken all steps necessary to confirm that the financial institution has a transaction and monitoring program that complies with Part 504 and (iii) to the best of their knowledge, the system complies with Part 504. A “Senior Officer” is defined as a “senior individual or individuals responsible for the management, operations, compliance and/or risk of” an institution subject to Part 504.
Proposed to Final Rule
Perhaps the most significant difference between the original Proposal and the final rule is in the compliance filing component. The Proposal stated that an officer who files a false or incorrect certification may be subject to criminal prosecution. The final Part 504 omits any reference to criminal sanctions and responds to numerous comments expressing concern about the burden this would have put on individual compliance officers. Among other things, the New York State Bar Association comment letter noted that this requirement would have had the adverse effect of making it difficult for an institution with compliance problems to hire a competent compliance officer. The final Part 504 replaces this with a requirement for an annual Board Resolution or Senior Officer(s) Compliance Finding to be filed with the Superintendent; there is no longer any mention of criminal liability. While the trend appears to be toward holding compliance personnel civilly liable for deficiencies in AML programs, as in U.S. Dept. of Treasury v. Haider, the verdict is still out on whether to levy criminal charges in such cases.
The Impact of Rule 504 Beyond New York
It is uncertain, but anticipated, that the NYDFS’s regulatory strategy of aligning its mandate for transaction monitoring and filtering programs to BSA/AML standards, which, via the Patriot Act, require a system of internal controls that includes transaction monitoring and customer identification and filtering, will induce federal and other state regulators to pursue a similar approach. Accordingly, institutions that are not Regulated Institutions under Rule 504 might consider the Rule to be a harbinger of new requirements and adapt their compliance programs to ensure that monitoring and filtering programs, along with proper oversight and validation of such programs, become integral pieces of their BSA/AML compliance programs.