Personal Liability for Senior Compliance Officers Under New York’s Proposed Anti-Money Laundering and Anti-Terrorism Regulation

December 7, 2015

(Updated January 5, 2016)

On December 1, 2015, New York Governor Andrew M. Cuomo announced that the New York State Department of Financial Services ("DFS") had proposed a new anti-money laundering ("AML") and anti-terrorist financing rule applicable to DFS-regulated institutions, to be set forth in Part 504 of the DFS Superintendent’s Regulations.  The proposed rule was published in the New York State Register on December 16, 2015.[1]  As proposed, the rule would continue an aggressive enforcement strategy initiated by former DFS Superintendent Benjamin Lawsky.  Under Superintendent Lawsky, financial institutions, mostly non-U.S. banks with New York-regulated branches, were threatened with the loss of their New York banking licenses.  Since 2011, DFS has imposed nearly $8.5 billion in penalties on financial institutions.[2]

Under the proposed rule, DFS-regulated institutions would be required to maintain a transaction monitoring program to detect potential violations of the Bank Secrecy Act ("BSA") and other AML laws and to identify and report suspicious activity.  In addition, regulated institutions would be required to maintain a watch list filtering program to identify and interdict transactions prohibited by applicable sanctions and terrorist financing rules, including those promulgated by the U.S. Department of the Treasury’s Office of Foreign Assets Control ("OFAC"), politically exposed person ("PEP") lists, and other internal watch lists. 

The proposed rule would require an annual certification by the Chief Compliance Officer, or functional equivalent, of covered institutions.  This certification would state that, to the best of the officer’s knowledge, the institution’s "Transaction Monitoring and Filtering Program complies with all the requirements" of the rule.  The proposed rule states that an "incorrect or false" certification could lead to criminal penalties for the officers making the certification, citing Section 672 of the New York Banking Law.  As discussed in the commentary below, the proposed certification is the most controversial aspect of the proposal.

Former Superintendent Lawsky previewed the proposed rule in a February 2015 speech,[3] when he suggested that DFS was considering measures to improve monitoring and filtering systems and hold more financial industry executives responsible for compliance failures.  Superintendent Lawsky described state bank supervisors as important counterparts to federal financial regulators, suggesting that state governments could "serve as incubators for new approaches to vexing policy problems," which could subsequently be adopted by other states or the federal government.  In this regard, he pointed to New York’s efforts to "move towards individual accountability" in the resolution of settlements with financial institutions,[4] an approach that also has been taken by federal regulators and enforcement agencies.

The proposed rule would apply broadly to "Regulated Institutions," including banks, trust companies, Article IV private bankers, savings banks, savings and loan associations, money transmitters, check cashers, and non-U.S. bank branch and agency offices, in each case chartered or licensed under the New York Banking Law.  The intended purpose of the proposed rule, including its specific requirements for transaction monitoring and watch list filter programs, is to address serious shortcomings revealed during recent investigations.

Comments must be received by February 1, 2016.

Transaction Monitoring Program 

The proposed rule would require regulated institutions to maintain a transaction monitoring program for potential violations of BSA/AML laws and suspicious activity reporting, which should at a minimum:

  • be based on a comprehensive risk assessment of the institution;
  • reflect all current BSA/AML laws, regulations and alerts, as well as any relevant information available from the institution’s related programs and initiatives, such as "know your customer due diligence," "enhanced customer due diligence" or other relevant areas, such as security, investigations and fraud prevention;
  • map BSA/AML risks to the institution’s businesses, products, services, and customers/counterparties;
  • utilize BSA/AML detection scenarios that are based on the institution’s risk assessment with threshold values and amounts set to detect potential money laundering or other suspicious activities;
  • include an end-to-end, pre- and post-implementation testing of the transaction monitoring program, including governance, data mapping, transaction coding, detection scenario logic, model validation, data input and program output, as well as periodic testing;
  • include easily understandable documentation that articulates the institution’s current detection scenarios and the underlying assumptions, parameters, and thresholds;
  • include investigative protocols detailing how alerts generated by the transaction monitoring program will be investigated, the process for deciding which alerts will result in a filing or other action, who is responsible for making such a decision, and how the investigative and decision-making process will be documented; and
  • be subject to an ongoing analysis to assess the continued relevancy of the detection scenarios, the underlying rules, threshold values, parameters, and assumptions.

Most components of the rule proposed by DFS are consistent with U.S. federal regulatory requirements and guidance as well as industry best practices.  Nevertheless, certain DFS requirements would present challenges, particularly with respect to model validation, where the regulators’ expectations are not necessarily clear or well understood by the industry.  Some requirements subject to certification may present additional challenges or may not be reasonable for smaller banking institutions and foreign bank operations, money transmitters, and check cashers; one may contrast the certification proposal with the certification requirement under the Volcker Rule, which applies only to sizeable institutions.

Watch List Filtering Program 

Under the proposed DFS rule, regulated institutions must also maintain a watch list filtering program for the purpose of interdicting transactions, before their execution, that are prohibited by applicable sanctions, including those administered by OFAC.  The proposal would go further by requiring that the programs identify and interdict transactions with PEPs and persons on internal watch lists.  The requirement to interdict all PEPs presents additional compliance challenges for regulated institutions given the significant volume of individuals who may fall in this category and may not be reasonable for smaller financial institutions. 

This system may be manual or automated, and must:

  • be based on the risk assessment of the institution;
  • be based on technology or tools for matching names and accounts, in each case based on the institution’s particular risks, transaction and product profiles;
  • include an end-to-end, pre- and post-implementation testing of the watch list filtering program, including data mapping, an evaluation of whether the watch lists and threshold settings map to the risks of the institution, the logic of matching technology or tools, model validation, and data input and watch list filtering program output;
  • utilize watch lists that reflect current legal or regulatory requirements;
  • be subject to ongoing analysis to assess the logic and performance of the technology or tools for matching names and accounts, as well as the watch lists and the threshold settings to see if they continue to map to the risks of the institution; and
  • include easily understandable documentation that articulates the intent and the design of the program tools or technology.

Additional Requirements 

The proposed rule would require each transaction monitoring and filtering program to include the following attributes:

  • identification of all data sources that contain relevant data;
  • validation of the integrity, accuracy and quality of data to ensure that accurate and complete data flows through the transaction monitoring and filtering program;
  • data extraction and loading processes to ensure a complete and accurate transfer of data from its source to automated monitoring and filtering systems, if automated systems are used;
  • governance and management oversight, including policies and procedures governing changes to the transaction monitoring and filtering program to ensure that changes are defined, managed, controlled, reported, and audited;
  • vendor selection process if a third-party vendor is used to acquire, install, implement, or test the transaction monitoring and filtering program or any aspect of it;
  • funding to design, implement and maintain a transaction monitoring and filtering program that complies with the requirements of this Part;
  • qualified personnel or outside consultant responsible for the design, planning, implementation, operation, testing, validation, and ongoing analysis of the transaction monitoring and filtering program, including automated systems if applicable, as well as case management, review and decision making with respect to generated alerts and potential filings; and
  • periodic training of all stakeholders with respect to the transaction monitoring and filtering program.

No regulated institution may make changes or alterations to the transaction monitoring and filtering program to avoid or minimize filing suspicious activity reports, or because the institution does not have the resources to review the number of alerts, or to otherwise avoid complying with regulatory requirements.

Certification Requirement

Under the proposed rule, each subject institution would be required to submit to the DFS by April 15th of each year a certification duly executed by its chief compliance officer or functional equivalent that, to the best of his or her knowledge, the institution’s transaction monitoring and filtering program complied with all the requirements of the regulation.  This certification requirement is reminiscent of those under the Sarbanes-Oxley Act and the Volcker Rule.  Unlike the Volcker Rule, however, the proposed DFS certification goes to actual compliance with the regulation’s requirements, not the existence of a program that is "reasonably designed" to achieve compliance.  The "reasonably designed" formulation in the final Volcker regulations responded to industry concerns about the collateral effects of requiring certification that compliance had actually been achieved, given the breadth of the Volcker Rule’s requirements – a breadth that is certainly analogous to New York’s proposal.

In addition, DFS states that "false or incorrect" certifications could lead to criminal penalties.  Although the proposed rule is silent on the state of mind necessary for such criminal penalties, Section 672 of the Banking Law, which is cited as legal authority for aspects of the proposed rule, and which imposes criminal penalties for the making of false entries in bank books, requires an intent to deceive.  Presumably, the DFS would see itself acting within the authority of Section 672 and therefore imposing a state of mind requirement, but that is not clear on the face of the proposal.


If the overall objective of the proposed DFS rule is for regulated institutions to develop and implement effective risk-based measures that are reasonably designed to detect and prevent money laundering and terrorist financing, the certification component could prove to be counterproductive.  As many recent high-profile BSA/AML/OFAC enforcement actions demonstrate, compliance officers do not operate in a vacuum and do not have unfettered control over the resources (personnel and technology) that support the institution’s program or the customer risk assumed by the business. 

Instead of helping compliance officers do a better job, the certification requirement proposed by DFS could drive many dedicated and competent compliance professionals away from New York financial institutions or to non-compliance positions.  In the current regulatory environment, the rewards are small for compliance officers in comparison to the pressures and risks.  Tension is already running very high among compliance professionals in the wake of the assessment of a civil money penalty by the Financial Crimes Enforcement Network against the former compliance officer of MoneyGram, the FINRA penalties assessed against BSA/AML officers of securities broker-dealers, and the September 2015 memorandum issued by Deputy Attorney General Sally Yates regarding individual accountability in cases of corporate wrongdoing.


[1]  New York Register, Department of Financial Services, Proposed Rule Making, Regulating Transaction Monitoring and Filtering Systems Maintained by Banks, Check Cashers and Money Transmitters, I.D. No. DFS-50-15-00004-P (Dec. 16, 2015), at 9.

[2] Press Release, Governor Cuomo Announces Anti-Terrorism Regulation Requiring Senior Financial Executives To Certify Effectiveness of Anti-Money Laundering Systems, New York Department of Financial Services (Dec. 1, 2015), available at; New York Department of Financial Services Superintendent’s Regulations, Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications (Dec. 1, 2015), available at:

[3] Superintendent Benjamin M. Lawsky’s Remarks at Columbia Law School, Financial Federalism: The Catalytic Role of State Regulators in a Post-Financial Crisis World (Feb. 25, 2015), available at  

[4] DFS has for some time placed significance on individual responsibility, including its June 2014 settlement with the French bank BNP Paribas, which required the bank’s Chief Operating Officer, Senior Advisor and Head of Compliance, and Head of Ethics and Compliance for North America, among others, to step down. 

Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have regarding these developments.  Please contact the Gibson Dunn lawyer with whom you usually work, or the authors:

Amy G. Rudnick – Washington, D.C. (+1 202-955-8210)
Judith A. Lee – Washington, D.C. (+1 202-887-3591)
Arthur S. Long – New York (+1 212-351-2426)
Linda Noonan – Washington, D.C. (+1 202-887-3595)
Adam M. Smith – Washington, D.C. (+1 202-887-3547)
David A. Wolber – Washington, D.C. (+1 202-887-3727)
Stephanie L. Connor – Washington, D.C. (+1 202-955-8586)

© 2015 Gibson, Dunn & Crutcher LLP
