On June 30, 2016, the New York State Department of Financial Services (DFS or the Department) announced its adoption of the final version of its new regulation (the Final Rule) setting forth the required elements of “Transaction Monitoring and Filtering Programs” maintained by New York State-licensed financial institutions to ensure compliance with the federal Bank Secrecy Act/anti-money laundering (BSA/AML) laws and regulations, as well as compliance with sanctions programs administered by the federal Office of Foreign Assets Control (OFAC). The Final Rule, which becomes effective Jan. 1, 2017, applies to all financial institutions, including domestic banks, New York branches and agencies of foreign banks, trust companies, money transmitters and check cashers that are chartered or licensed under the New York Banking Law. DFS proposed a version of this same rule (the Proposed Rule) on Dec. 1, 2015, and after receiving a large number of comments from regulated entities, extended the comment period for the Proposed Rule to March 31, 2016.
The concerns expressed in response to the Proposed Rule led many to believe that DFS would publish an amended version for further public comment before adopting the Final Rule. Its decision not to do so leaves some important questions unanswered. Lingering concerns about the scope and meaning of the specific requirements imposed on regulated entities under the Final Rule, coupled with the absence of any opportunity for additional comments, may give rise to legal challenges from regulated entities objecting to the new requirements.
The Proposed Rule
Described by DFS as an attempt to “clarify” the attributes of Transaction Monitoring and Filtering Programs that federal bank regulatory authorities expect regulated institutions to implement pursuant to non-binding published federal guidance for accounts of all types and pursuant to binding regulations of the Financial Crimes Enforcement Network (FinCEN) that on their face are limited to non-U.S. correspondent accounts and certain private banking accounts, the Proposed Rule included a number of specific requirements well beyond what is explicitly required under federal guidance and FinCEN regulations. In particular, each New York-regulated institution would be required:
To maintain a Transaction Monitoring and Filtering Program for the purpose of monitoring for potential BSA/AML violations and suspicious activity reporting, and a Watch List Filtering Program for the purpose of interdicting transactions prohibited by applicable sanctions, including OFAC sanctions lists, internal watch lists and politically exposed persons lists (together, the Programs).
To ensure that its Programs incorporate end-to-end, pre- and post-implementation testing of various Program attributes, including governance, data mapping, detection scenario logic, and data input and Program output.
To base its Programs on its own ongoing and comprehensive enterprise-wide assessment of BSA/AML risks, taking into account the institution’s size, services, products, geographical locations, and customers.
To ensure its Transaction Monitoring and Filtering Program uses all relevant data sources and takes into account currently available BSA/AML laws, regulations and alerts, as well as any relevant information available from the institution’s related programs and initiatives, such as Know Your Customer information.
To incorporate into its Watch List Filtering Program technological or other tools designed to match names and accounts, based on the institution’s particular risks, transactions, and product profiles.
To refrain from making any changes or alterations to its Transaction Monitoring and Filtering Program “to avoid or minimize filing suspicious activity reports.”
Notably, the Proposed Rule also required that an institution’s senior compliance officer annually certify that the Transaction Monitoring and Filtering Program in place complies with the Rule’s requirements. It also stated that providing “incorrect” or “false” information could expose the certifying officer to criminal penalties, without explicitly providing a related “intent” standard for the imposition of such penalties. Unlike analogous certification requirements under federal law, which generally require certification as to the existence of a program “reasonably designed” to achieve compliance, the Proposed Rule appeared to require certification of an institution’s actual, full compliance with the Rule’s requirements. Many observers commented that this provision threatened to substantially undermine effective institutional compliance efforts by deterring senior compliance professionals from assuming the risk that less than perfect compliance may ultimately carry penal consequences.
Cumulatively, the new requirements reflected in the Proposed Rule generated substantial concern within the financial services industry. Regulated entities already subject to transaction monitoring requirements or supervisory expectations and related penalties under existing federal BSA/AML laws would now be faced with a set of overlapping requirements which, while generally consistent with the federal regime, nonetheless imposed a heightened compliance burden by expressly dictating the necessary attributes of an acceptable BSA/AML monitoring program. Moreover, many of the requirements contained in the Proposed Rule were ambiguously stated and, to the particular concern of money-transmitters and other non-bank financial institutions, appeared to leave little room for institutions to tailor their programs to the unique features and risks associated with business models outside of the traditional banking sector.
The Final Rule
The Department’s amendments address some of the concerns expressed by regulated entities and others during the comment period for the Proposed Rule. Although the substance of the required compliance program attributes remains largely intact, the Final Rule incorporates a number of amendments that appear designed to allow institutions greater flexibility in implementing those attributes. For example, the Final Rule now requires institutions to adopt Transaction Monitoring and Filtering Programs and Watch List Filtering Programs that are “reasonably designed” for the purpose of monitoring potential BSA/AML violations and interdicting prohibited transactions. This “reasonably designed” standard tracks the standard imposed by federal bank regulators with respect to AML program regulations. Similarly, the enumerated program attributes are expressly required only “to the extent they are applicable.” These changes should offer some flexibility to institutions concerned about the “one size fits all” approach of the Proposed Rule, which offered insufficient leeway to non-bank institutions whose business models differ significantly from those of traditional banking institutions and impose unique compliance challenges.
The Final Rule also abandons the requirement that regulated institutions refrain from taking any actions designed to avoid or minimize the filing of suspicious activity reports (SARs). Many institutions complained that this provision in the Proposed Rule would prohibit them from employing technology and other tools and refinements to eliminate the accidental or mistaken flagging of innocent transactions as suspicious, which could otherwise lead to the filing of unnecessary SARs. The Final Rule removes this prohibition, requiring instead that institutions document any steps taken to update or materially improve their Transaction Monitoring and Filtering Programs, including, presumably, steps to reduce or eliminate unnecessary SARs, and to keep such documentation available for possible inspection by the Department.
Importantly, the Final Rule amends the annual certification requirement to require that either the institution’s Board of Directors or a Senior Officer annually adopt and file with the Department a Board Resolution or Senior Officer Compliance Finding confirming the existence of a Transaction Monitoring and Filtering Program “reasonably designed” to meet the Rule’s requirements. The Rule also dispenses with the earlier language stating that the filing of an incorrect certification could lead to criminal penalties and instead states only that it is enforceable by DFS pursuant to its authority “under any applicable laws.” Filing a false Resolution or Compliance Finding could still theoretically lead to criminal liability, but the Department seems to be signaling its intention not to create a broad new basis for criminal sanctions and to instead rely on existing provisions which, in the case of criminal books and records or false instrument provisions, typically incorporate standards of willfulness.
The Final Rule might ultimately address some industry concerns by providing for more flexibility in implementing the Rule’s requirements and by scaling back the threat of criminal sanctions reflected in the Proposed Rule. There are still many unanswered questions, however, regarding the scope and meaning of the specific program attributes required under the Final Rule and their adaptability to varying business models, operational needs, and existing compliance programs. Although some of these questions may be resolved through guidance from the Department and ongoing dialogue with the regulated institutions subject to the Final Rule, many expected DFS to submit its amendments to the Proposed Rule for additional public comment before adopting them outright. In the absence of opportunity for further comment, continued concerns about the Rule may encourage some regulated entities or industry groups to consider mounting legal challenges to the Rule before it becomes effective on Jan. 1 of next year.
One thing that is clear about the Final Rule, however, is that the NYDFS becomes the first regulator in the country to detail in published regulations that have the force of law – not guidance or other non-binding authority – what a Transaction Monitoring and Filtering Program should consist of. Effectively, then, the NYDFS has put federal bank regulatory authorities on notice that federal AML transaction monitoring and filtering expectations should be spelled out in federal regulations.