Financial firms that are chartered or licensed to do business in New York should be aware of an important new regulation that became effective on January 1, 2017. Money laundering and terrorist financing are generally thought to be the regulatory turf of the federal government, but New York now has requirements that go beyond the federal rules. Titled “Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications,” this regulation requires all firms defined as “Regulated Institutions” to have in place by April 15, 2017 programs to monitor transactions for potential Bank Secrecy Act or Anti-Money Laundering (“BSA/AML”) violations and Suspicious Activity Reporting. The regulation further requires such Regulated Institutions to maintain a “Filtering Program” reasonably designed to interdict transactions that are prohibited by the United States Treasury Department’s Office of Foreign Assets Control (“OFAC”). Finally, the regulation is unique in that it requires that the board of directors or senior officer(s) of each Regulated Institution annually certify by April 15 that the institution is in compliance with the regulation.
The rule defines Regulated Institutions to include “Nonbank Regulated Institutions,” which are defined as licensed money transmitters and check cashers. Regulated Institutions also include banks, trust companies and other New York chartered depository institutions, as well as foreign bank branches licensed in New York. Banking institutions are generally well aware of the need to have robust compliance programs, and only the certification requirement might catch them unawares. However, money transmitters and check cashers may be unaware that these new compliance requirements apply to them, particularly because the regulation is published separately from the money service business regulations, and could easily be overlooked. Failure to provide a timely certification could attract an investigation and potential enforcement action.
The regulation requires that the BSA/AML and suspicious activity Monitoring Program (which may be automated or manual) include the following attributes, to the extent they are applicable:
- be based on the “Risk Assessment” of the institution, which is defined as an ongoing comprehensive assessment, including a BSA/AML risk assessment, that considers the institution’s size, staffing, governance, businesses, services, products, operations, customers and counterparties, among other specified factors;
- be reviewed and periodically updated at risk-based intervals to take into account and reflect changes to applicable BSA/AML laws, regulations and regulatory warnings, as well as any other information determined by the institution to be relevant from the institution’s related programs and initiatives;
- appropriately match BSA/AML risks to the institution’s businesses, products, services, and customers and counterparties;
- BSA/AML detection scenarios that include threshold values and amounts designed to detect potential money laundering or other suspicious or illegal activities;
- end-to-end, pre- and post-implementation testing of the Transaction Monitoring Program, including, as relevant, a review of governance, data mapping, transaction coding, detection scenario logic, model validation, data input and Program output;
- documentation that articulates the institution’s current detection scenarios and the underlying assumptions, parameters, and thresholds;
- protocols setting forth how alerts generated by the Transaction Monitoring Program will be investigated, the process for deciding which alerts will result in a filing or other action, the operating areas and individuals responsible for making such a decision, and how the investigative and decision-making process will be documented; and
- be subject to an ongoing analysis to assess the continued relevancy of the detection scenarios, the underlying rules, threshold values, parameters, and assumptions.
A similarly detailed list of required attributes is included for the Filtering Program for OFAC-prohibited transactions, which must likewise be ongoing and based upon the Risk Assessment of the institution.
The regulation also details data, governance, vendor oversight, testing and funding attributes that DFS requires in both the Monitoring and Filtering Programs.