New York Issues Final Regulations Imposing Enhanced Anti-Money Laundering Measures for Financial Institutions


The New York State Department of Financial Services (the "DFS") has made final its proposed regulation (the "Proposal") mandating enhanced anti-terrorism and anti-money laundering ("AML") requirements under the federal Bank Secrecy Act ("BSA") for financial institutions licensed and regulated by the State.  The final regulation, Part 504 of the Superintendent’s Regulations (“Part 504”) applies to all banks, trust companies, private bankers, savings & loans, savings banks, branches and agencies of foreign banks, check cashers, and money transmitters chartered or licensed by the State (“Regulated Institutions”).  Part 504 takes effect January 1, 2017; the first certification or “compliance finding” required by the new rule must be filed with the DFS by April 15, 2018. 

Although it does place additional compliance burdens on New York financial institutions, the final Part 504 differs from the Proposal in important ways.  The DFS received extensive written comments from industry groups, including the New York Bankers Association and the New York State Bar Association Banking Law Committee, highlighting aspects of the Proposal that were likely to be unduly burdensome or lead to adverse consequences.  At least some of the changes requested by the commenters are reflected in the final rule.  Most importantly, the Proposal would have, for the first time, potentially subjected the chief compliance officer (or equivalent) of a New York financial institution to criminal sanctions for noncompliance.  The final Part 504, while still requiring the board of directors or a “Senior Officer” to certify compliance, states that the regulation will be enforced by the DFS under “applicable laws” but – to the relief of financial institution compliance officers - omits any reference to criminal sanctions.

The Final Rule

The preamble to the final Part 504 states that the DFS has identified "shortcomings in the transaction monitoring and filtering programs" of Regulated Institutions and "a lack of robust governance, oversight, and accountability at senior levels" of these institutions.   To address these perceived deficiencies, the following measures are required:

1.  Risk Assessment.

Regulators generally have expected that banks and other financial institutions implement a BSA/AML program that is risk-based, in accordance with an internal assessment of money laundering risk.  Part 504 effectively codifies this requirement, mandating that each Regulated Institution conduct an ongoing and comprehensive assessment of the money laundering risk posed by each customer, product and line of business.

 2.  A Transaction Monitoring Program.

Reflecting the perceived inadequacies of existing programs at individual institutions, Part 504 spells out the minimum requirements of a transaction monitoring program in granular detail.  Among other requirements, the program should be based on the institution's AML Risk Assessment and mapped to specific businesses, products and customers.

One important change: the Proposal required documentation in “easily understandable language.”  Apparently in response to comments that this requirement was too vague to provide a basis for compliance, this language was omitted from the final rule. 

3.  A Filtering Program.

The filtering program must be designed to intercept transactions that are forbidden by applicable sanctions of the Treasury’s Office of Foreign Assets Control (OFAC).  Like the Transaction Monitoring Program, it should be based on the Institution's ongoing Risk Assessment.  Furthermore, it should incorporate appropriate tools and technology for matching names and accounts.  While Part 504 does not mandate any particular tool, it does note that there are automated tools available that use algorithms based on so-called "fuzzy logic." Part 504 states that the Filtering Program may be either automated or manual; however, given the risks involved with non-compliance, most institutions would be well-advised to implement an automated program, if they have not done so already.

Again, there were several important changes. The Proposal would have required the institution to establish “watch lists that reflect current legal or regulatory requirements” including, but not limited to, OFAC.  Again responding to commenters’ concerns regarding the uncertainty of what was expected, the final Part 504 omits any reference to “watch lists” and now is specific to the OFAC sanctions list.  The Proposal had expressly prohibited "tinkering" with the Transaction Monitoring or Filtering Programs in order to minimize the number of alerts generated or Suspicious Activity Reports (“SARs”) filed by the Regulated Institution.  The final Part 504 softens this provision.  It no longer prohibits making changes, but does require that the institution document the reason for any changes and make the documentation available to the Superintendent for inspection.

 4.  Certification.

Perhaps most significantly, the Proposal would have explicitly required that the institution's Chief Compliance Officer (or equivalent) annually prepare and sign a certification, addressed to the DFS, confirming that he/she has reviewed, or caused to be reviewed, the institution's Transaction Monitoring and Watch List Filtering programs and that both programs comply with the requirements set forth in the Proposal.  The Proposal stated that an officer who files a false or incorrect certification may be subject to criminal prosecution.  The final Part 504 omits any reference to criminal sanctions and responds to numerous comments expressing concern about the burden this would have put on individual compliance officers.  Among other things, the New York State Bar Association comment letter noted that this requirement would have had the perverse effect of making it difficult for an institution with compliance problems to hire a competent compliance officer.  The final Part 504 replaces this with a requirement for an annual Board Resolution or Senior Officer(s) Compliance Finding to be filed with the Superintendent; there is no longer any mention of criminal liability.  “Senior Officer” is defined more broadly so that one or more different officers could sign the certification. 

*                      *                      *                      *                      *

In short, while federal law already requires all institutions to have a BSA/AML compliance program in place, Part 504 raises the bar for New York institutions whose programs are not sufficiently robust.  In particular, it mandates requirements for transaction monitoring and filtering that may go beyond what the institution is already doing in these areas. 

We will be pleased to assist you in implementing Part 504.  Article written by David L. Glass, Esq. at the White Plains office. To contact Mr. Glass, please call (914) 694-4102 or via email at dglass@hhk.com for further information.

Recent Entries

©2017 HH&K Contact Us: 80 Exchange Street, P.O. Box 5250, Binghamton NY 13902-5250 | 607-723-5341 Terms of Use | Privacy Policy

ATTORNEY ADVERTISING  Prior Results Do not Guarantee a Similar Outcome