AML Monitoring: New York Regulator Gets Prescriptive

Dan Ryan is Leader of the Financial Services Advisory Practice at PricewaterhouseCoopers LLP. This post is based on a PwC publication by Mr. Ryan, Sean Joyce, Joseph Nocera, Jeff Lavine, Didier Lavion, and Armen Meyer.

The New York State Department of Financial Services (NYDFS) issued its final rule on June 30, 2016 requiring either senior officers or the board of directors to certify the effectiveness of anti-money laundering (AML) and Office of Foreign Assets Control (OFAC) transaction monitoring and filtering programs. [1] The rule (Part 504 of the NYDFS Superintendent’s Regulations) is a response to weaknesses in transaction monitoring and watch list filtering programs that the NYDFS identified during routine examinations and subsequent investigations over the past several years.

The final rule differs in several critical ways from the version NYDFS proposed in December 2015. Most notably, the final rule gives financial institutions the option of having either a senior officer or the board certify the efficacy of their transaction monitoring and filtering programs, whereas the proposed rule only allowed senior compliance officers to do so. Also, in light of industry feedback provided during the comment period, the NYDFS softened the tenor of the certification itself by removing the provision stipulating potential “criminal penalties” for incorrect or falsified certification filings.

Despite these modifications, the rule still represents a significant development in the evolution of AML transaction monitoring and filtering requirements that will merit the attention of senior management and the board. The required certification raises important questions and challenges regarding what a certification program should look like. As examples:

  • Do various functions and business units issue their own certifications that roll up to an overall program certification?
  • What roles do the business, compliance, and internal audit play?
  • What is a sufficient level of testing to demonstrate compliance?

Furthermore, the rule represents the first time a regulator has moved beyond oral guidance and written enforcement actions to provide a formal regulation regarding institutions’ transaction monitoring and watch list filtering programs. Therefore, in our view, despite the understandable consternation that the proposal initially caused the industry, the final rule provides regulatory clarity which helps institutions in complying with a complex requirement.

This post analyzes the regulation’s five most impactful elements and provides our view of what institutions should do now.

Key provisions

Although many banks may already be doing much of what the rule calls for, the additional specificity that NYDFS provides will require a great deal of work by virtually all institutions (particularly regarding certification and technology considerations). The following five provisions present the greatest challenges.

  • The enterprise risk-based approach. The transaction monitoring and watch list filtering programs of each institution must be based on an enterprise-wide risk assessment [2] of the institution to ensure that the programs are sufficiently tailored to the firm’s businesses and customers/counterparties. In many enforcement actions, regulators have cited inadequate or nonexistent enterprise-wide risk assessments as a root cause for internal control failures, including those related to transaction monitoring and filtering programs. The rule also requires periodic reviews and updating of transaction monitoring and filtering programs to ensure that these programs factor in changes in applicable AML and OFAC regulations, and any other changes deemed relevant by the institution. Although these risk assessments and periodic reviews/updates are not new, they are now a written requirement for the first time for NYDFS-regulated institutions.
  • Model risk management. The rule requires: pre-implementation testing of models related to transaction monitoring and filtering; model validation; ongoing analysis of model efficacy; and documentation of the models’ design and assumptions. Although some institutions may already be taking these steps as part of their overall model risk management frameworks due to federal guidance (OCC Bulletin 2011-12 and Fed SR letter 11-7, “Supervisory Guidance on Model Risk Management”), the NYDFS clarifies that transaction monitoring and filtering program models must be part of the model risk management process. For institutions that already include these programs in their model inventory, adherence to the rule starts with enhancing their existing model risk management processes to meet the rule’s requirements.

However, many institutions may not include these programs within their formal model risk management, so these institutions will have significantly more work to do.

  • Technology and data quality. Many financial institutions will need to implement or update the technology underlying these programs in order to comply with the rule. The rule specifically requires “validation of the integrity, accuracy and quality of data” as well as data extraction and loading processes that “ensure a complete and accurate transfer of data from its source to automated monitoring and filtering systems.” This requirement will challenge even the largest institutions, especially since AML and OFAC monitoring systems often involve obtaining data from complex data architectures and multiple systems. Furthermore, the regulation stipulates ongoing program optimization, so firms will need to track and document data lineage and then implement processes to identify and evaluate changes to systems and data structures. Smaller banks will be particularly challenged because, due to potential liability for noncompliance, senior officers may be hesitant to rely on third party vendors. [3]

The rule also calls for financial institutions to integrate information from other programs that may assist with transaction monitoring and filtering compliance. In many financial institutions, the functions that own potentially relevant information are siloed and often do not share intelligence. Therefore, such financial institutions will need to develop a governance model to facilitate the integration of various programs. [4] These data and technology issues are likely to be an area of greatest challenge for firms.

  • Investigation protocols and Suspicious Activity Reporting. The rule requires financial institutions to document their alert clearing and investigative protocols as well as their associated roles and responsibilities for the suspicious activity decision making and reporting process. Since most firms already perform much of this documentation due to oral guidance given by federal bank examiners, this requirement is likely to be the least challenging for firms.
  • Certification. The rule requires that either a senior officer [5] or the board of directors certify annually that the financial institution’s program meets the transaction monitoring and filtering requirements. We believe this certification is similar to the certification required by Sarbanes Oxley (SOX) for controls related to financial reporting. [6] The certification evidences the emphasis that various regulators have placed in recent years on the “tone at the top” of an institution’s compliance culture. Even though the criminal liability provisions have been removed, those responsible for submitting the certification may still be exposed to potential individual liability if the institution’s transaction monitoring or filtering programs are found to be deficient. Given the rule’s apparent ambiguity on this point, firms should seek clarity. Financial institutions will be required to submit their first certification in April 2018.
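The technology and data quality provision above requires a “complete and accurate transfer of data from its source to automated monitoring and filtering systems,” but the rule does not say what such a control looks like in practice. The following Python is an added example written for this post; it is not part of the PwC publication, the NYDFS rule, or any vendor’s product. The record layout, transaction identifiers and the three load defects (a dropped record, a duplicated record, and a field silently truncated by a fixed-width column) are constructed for illustration. It reconciles a source extract against what landed in the monitoring system on three levels: record count, a control total of amounts, and a per-record content hash keyed by transaction id. The hash check is the only one of the three that catches the truncated field, which is why a count-and-total reconciliation alone is not sufficient evidence of data integrity.

```python
import hashlib
import json
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed sample extract from a hypothetical core banking system (the "source").
SOURCE_RECORDS = [
    {"txn_id": "T1001", "account": "ACC-0001", "amount": "1250.00", "ccy": "USD", "counterparty": "Alpha Trading Ltd"},
    {"txn_id": "T1002", "account": "ACC-0002", "amount": "9800.00", "ccy": "USD", "counterparty": "Beta Holdings SA"},
    {"txn_id": "T1003", "account": "ACC-0003", "amount": "15000.00", "ccy": "EUR", "counterparty": "Gamma Import Export"},
    {"txn_id": "T1004", "account": "ACC-0001", "amount": "420.50", "ccy": "USD", "counterparty": "Delta Services LLC"},
]

# Constructed sample of what landed in the monitoring system (the "target") after a faulty load:
#   - T1002 was dropped entirely
#   - T1003 was loaded twice
#   - T1004's counterparty name was truncated by a fixed-width field
# Note that the row counts still match (4 and 4), so a count check alone would pass.
TARGET_RECORDS = [
    {"txn_id": "T1001", "account": "ACC-0001", "amount": "1250.00", "ccy": "USD", "counterparty": "Alpha Trading Ltd"},
    {"txn_id": "T1003", "account": "ACC-0003", "amount": "15000.00", "ccy": "EUR", "counterparty": "Gamma Import Export"},
    {"txn_id": "T1003", "account": "ACC-0003", "amount": "15000.00", "ccy": "EUR", "counterparty": "Gamma Import Export"},
    {"txn_id": "T1004", "account": "ACC-0001", "amount": "420.50", "ccy": "USD", "counterparty": "Delta Serv"},
]


def fingerprint(record: dict) -> str:
    """Content hash of one record. Keys are sorted and separators fixed so that a
    source row and its target copy hash identically if and only if every field
    survived the transfer byte for byte."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class ReconciliationResult:
    source_count: int
    target_count: int
    source_total: Decimal
    target_total: Decimal
    missing: list = field(default_factory=list)     # ids in source, absent from target
    unexpected: list = field(default_factory=list)  # ids in target, absent from source
    duplicated: list = field(default_factory=list)  # ids loaded into target more than once
    mutated: list = field(default_factory=list)     # same id on both sides, different content

    @property
    def passed(self) -> bool:
        """All three levels agree: counts, control totals, and per-record content."""
        return (
            self.source_count == self.target_count
            and self.source_total == self.target_total
            and not (self.missing or self.unexpected or self.duplicated or self.mutated)
        )


def reconcile(source: list, target: list, key: str = "txn_id", amount: str = "amount") -> ReconciliationResult:
    """Reconcile a source extract against the rows that reached the monitoring system.
    Assumes `key` is unique in the source (the system of record); duplicates are only
    looked for on the target side, where a faulty load would introduce them.
    Amounts are summed as Decimal, never float, so control totals are exact."""
    src_by_id = {r[key]: r for r in source}
    tgt_by_id: dict = {}
    duplicated: list = []
    for r in target:
        k = r[key]
        if k in tgt_by_id:
            if k not in duplicated:
                duplicated.append(k)
        else:
            tgt_by_id[k] = r

    missing = sorted(set(src_by_id) - set(tgt_by_id))
    unexpected = sorted(set(tgt_by_id) - set(src_by_id))
    # Content comparison only makes sense for ids present on both sides.
    mutated = sorted(
        k for k in set(src_by_id) & set(tgt_by_id)
        if fingerprint(src_by_id[k]) != fingerprint(tgt_by_id[k])
    )
    return ReconciliationResult(
        source_count=len(source),
        target_count=len(target),
        source_total=sum((Decimal(r[amount]) for r in source), Decimal("0")),
        target_total=sum((Decimal(r[amount]) for r in target), Decimal("0")),
        missing=missing,
        unexpected=unexpected,
        duplicated=duplicated,
        mutated=mutated,
    )


def run_example() -> ReconciliationResult:
    """Reconcile the constructed samples and print a summary an analyst could file as evidence."""
    result = reconcile(SOURCE_RECORDS, TARGET_RECORDS)
    print(f"counts   source={result.source_count} target={result.target_count}")
    print(f"totals   source={result.source_total} target={result.target_total}")
    print(f"missing={result.missing} unexpected={result.unexpected} "
          f"duplicated={result.duplicated} mutated={result.mutated}")
    print("PASS" if result.passed else "FAIL: transfer is not complete and accurate")
    return result


if __name__ == "__main__":
    run_example()
```

In a real pipeline the source side of this check runs against the system of record (or a hash manifest it emits at extract time) rather than a second copy of the file, and the fingerprint manifest is itself part of the data lineage documentation the rule asks for: it records exactly which bytes left the source, so a later change to a schema or a loader can be evaluated against it.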

What should institutions do now?

The following are immediate next steps that firms should consider in order to meet the final rule’s requirements:

  • Develop a compliance roadmap that reflects an implementation and sustainable change management program across people, processes, data, and technology.
  • Review the AML and OFAC compliance risk assessment to assess whether it’s sufficiently enterprise-wide and adequate in scope, depth, and frequency to ensure that transaction monitoring and watch list filtering programs reflect the true risks of the business lines.
  • Assess the data architecture and source systems supporting transaction monitoring and filtering to begin to identify potential data quality or data flow issues.
  • Develop a management and board training program for education about the regulation and the impact it may have on the board and the institution.

Endnotes:

[1] The final rule applies to banks that are chartered or licensed by New York State (including some of the largest foreign banks) as well as nonbanks such as money service businesses.

[2] The final rule defines “risk assessment” to include the institution’s size, staffing, governance, businesses, services, products, operations, customers, counterparties, as well as the geographies and locations of its operations and business relations.

[3] For our specific recommendations on technology for watch list screening programs, see PwC’s Name, set, match: Enhancing watch list screening through analytics (April 2016).

[4] For additional information regarding integrating various areas of financial crime, see PwC’s Financial crimes observer, SWIFT action: Preventing the next $100 million bank robbery (June 2016).

[5] According to the rule, a “senior officer” is someone responsible for the management, operations, compliance, or risk management of the institution (including a branch or agency of a foreign bank).

[6] The Volcker Rule and recent instructions from the Federal Reserve regarding stress testing data include similar SOX-like certifications. See PwC’s Regulatory brief, Matching SOX? CFO attestation for stress tests (October 2015) and PwC’s A closer look, Volcker rule clarity: Waiting for Godot (May 2014) (discussed on the Forum here).
