On December 1, 2015, the New York Department of Financial Services (DFS) issued a proposed rule (Part 504), Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications. In its announcement of the proposal, the DFS said that it resulted from four years of investigations of transaction monitoring and filtering systems, during which it identified serious program shortcomings attributable to lack of robust governance, oversight and accountability at senior levels of financial institutions.
The proposal was modeled on the Sarbanes-Oxley Act and would have required the chief compliance officer (CCO) or functional equivalent of a New York-regulated financial institution to certify annually that his/her organization has systems in place to detect and prevent illicit transactions and that these systems are operating effectively. If these systems were subsequently found to be ineffective, the CCO could have faced civil and potentially criminal liability. This proposal got the attention of the financial services industry well beyond the borders of New York – and was met with a loud outcry from compliance professionals and industry trade associations voicing concerns ranging from the possibility of criminal penalties for the failure to detect a technical system coding error to conflicts with federal law.
The final Part 504 rule, which was issued on June 30, 2016, and is effective on January 1, 2017, replaces the proposal's certification requirement with, at the institution's option, either an annual board resolution or a finding by a senior officer (or officers) that the board or senior officer has reviewed all relevant documentation; has taken all necessary steps to comply with the requirements of the regulation; and believes, to the best of their knowledge, that the systems are operating in accordance with the requirements. While compliance professionals may be breathing a sigh of relief at the softened language, the requirement is nonetheless groundbreaking in the way that it reinforces accountability. And, although the final rule drops the proposal's language indicating that a CCO who files an incorrect or false Annual Certification may also be subject to criminal penalties, failure to comply with Part 504 remains subject to the full range of the DFS' enforcement authority.
For financial institutions outside of New York, this regulation is hopefully not an omen of things to come. It is, however, a stark reminder of the current regulatory environment for anti-money laundering (AML) and sanction compliance and a growing focus on personal accountability.
In this Flash Report, we discuss what the regulation requires, some of the challenges the regulation presents, and what New York-state regulated financial institutions need to consider prior to the January 1, 2017, effective date and leading up to the initial annual certification.
What Institutions Are Covered by the Regulation?
The regulation applies to all DFS-regulated banks (i.e., banks, trust companies, private bankers, savings banks, and savings and loan associations and branches and agencies of foreign banking organizations [FBOs]), and DFS-regulated nonbanks (i.e., check cashers and money transmitters).
What Does the Regulation Require?
Part 504 establishes requirements for the development and maintenance of transaction monitoring and filtering or sanction screening programs. The final Part 504 does recognize that transaction monitoring and filtering programs may be automated or manual. As a practical matter, however, it is unlikely that any bank, no matter its size, relies solely on manual monitoring or sanction screening, although this may be the case for some nonbank institutions.
On the face of it, the requirements of Part 504 generally track the model risk management guidance issued by the Office of the Comptroller of the Currency (OCC Bulletin 2011-12) and the Federal Reserve Board (SR 11-7), as well as the guidance in various technology-related releases of the Federal Financial Institutions Examination Council (FFIEC). Part 504 also makes clear the DFS' position that both transaction monitoring and filtering systems are models that require periodic validation. But the DFS, unlike the federal regulatory bodies, has upped the ante by codifying its expectations into regulation.
§ 504.3: Transaction Monitoring and Filtering Program Requirements
In summary, transaction monitoring programs are required to be:
- Risk-Based
Transaction monitoring programs must be based on the institution's risk assessment and appropriately aligned with the BSA/AML risks of the institution's businesses, products, services and customers/counterparties. In addition, processes must be reviewed and updated at appropriate intervals to consider changes in regulatory requirements or expectations as well as changes to the institution's risks and circumstances.
- Supported by Detection Scenarios Subject to Ongoing Analysis
The institution must have BSA/AML detection scenarios with threshold values and amounts designed to detect potential money laundering or other suspicious or illegal activities. In addition, institutions must conduct ongoing analysis to assess the continued relevancy of the detection scenarios, underlying rules, threshold values, parameters and assumptions.
- Documented
Programs must be supported by documentation that articulates the institution's current detection scenarios and the underlying assumptions, parameters and thresholds.
- Tested
There must be end-to-end, pre- and post-implementation testing of the transaction monitoring program, including, as relevant, a review of governance, data mapping, transaction coding, detection scenario logic, model validation, data input and output.
- Supported by Investigation Protocols
Institutions must develop and maintain protocols detailing how alerts generated by the transaction monitoring program will be investigated, the process for deciding which alerts will result in a filing or other action, the operating areas and individuals responsible for making such a decision, and how the investigative and decision-making process will be documented.
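The detection-scenario, risk-alignment and documentation requirements above are easier to picture in code. The following is an added example written for this report, not code from the DFS rule or from any vendor's monitoring system: a small transaction-monitoring engine whose scenarios carry a version, a rationale and their thresholds in one documented configuration, with thresholds tiered by customer risk rating rather than a single out-of-the-box value, plus a simple productivity metric of the kind used in ongoing scenario analysis. The scenario names, amounts, transaction codes, risk ratings, dispositions and transactions are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer: str
    day: date
    amount: float
    kind: str  # assumed transaction codes: "cash_in" or "wire_out"


# Assumed output of the institution's customer risk assessment.
CUSTOMER_RISK = {"C1": "high", "C2": "low", "C3": "low"}

# Documented detection scenarios: each carries its version, rationale and the
# thresholds/parameters an examiner will ask for. Thresholds are tiered by
# customer risk instead of one value applied to every customer.
SCENARIOS = {
    "STRUCTURING": {
        "version": "2016.3",
        "rationale": "repeated cash deposits just under the 10,000 CTR amount",
        "window_days": 7,
        "band": (8000.00, 9999.99),  # deposit amounts that count as "just under"
        "min_count_by_risk": {"high": 2, "medium": 3, "low": 3},
    },
    "WIRE_VELOCITY": {
        "version": "2016.1",
        "rationale": "aggregate outbound wires in the window exceed a tiered amount",
        "window_days": 30,
        "threshold_by_risk": {"high": 25000.00, "medium": 50000.00, "low": 100000.00},
    },
}


def _risk(customer):
    return CUSTOMER_RISK.get(customer, "medium")  # unrated customers default to medium


def _windows(txns, window_days):
    """Yield (customer, txns within window_days of each anchor), anchors in date order."""
    by_cust = defaultdict(list)
    for t in txns:
        by_cust[t.customer].append(t)
    span = timedelta(days=window_days)
    for cust, items in by_cust.items():
        items.sort(key=lambda t: t.day)
        for i, anchor in enumerate(items):
            yield cust, [t for t in items[i:] if t.day - anchor.day <= span]


def run_structuring(txns, p=SCENARIOS["STRUCTURING"]):
    lo, hi = p["band"]
    eligible = [t for t in txns if t.kind == "cash_in" and lo <= t.amount <= hi]
    alerts, seen = [], set()
    for cust, hits in _windows(eligible, p["window_days"]):
        if cust not in seen and len(hits) >= p["min_count_by_risk"][_risk(cust)]:
            seen.add(cust)  # one alert per customer per run
            alerts.append(("STRUCTURING", cust, tuple(t.txn_id for t in hits)))
    return alerts


def run_wire_velocity(txns, p=SCENARIOS["WIRE_VELOCITY"]):
    eligible = [t for t in txns if t.kind == "wire_out"]
    alerts, seen = [], set()
    for cust, hits in _windows(eligible, p["window_days"]):
        total = sum(t.amount for t in hits)
        if cust not in seen and total > p["threshold_by_risk"][_risk(cust)]:
            seen.add(cust)
            alerts.append(("WIRE_VELOCITY", cust, tuple(t.txn_id for t in hits)))
    return alerts


def run_all(txns):
    return run_structuring(txns) + run_wire_velocity(txns)


def scenario_productivity(alerts, dispositions):
    """Ongoing-analysis metric: share of each scenario's alerts that led to a filing.
    dispositions maps (scenario, customer) -> "filed" | "closed" (assumed codes)."""
    totals, filed = defaultdict(int), defaultdict(int)
    for scenario, cust, _ in alerts:
        totals[scenario] += 1
        if dispositions.get((scenario, cust)) == "filed":
            filed[scenario] += 1
    return {s: filed[s] / totals[s] for s in totals}


# Constructed sample transactions for the walk-through.
SAMPLE_TXNS = [
    Txn("t1", "C1", date(2016, 1, 2), 9500.00, "cash_in"),
    Txn("t2", "C1", date(2016, 1, 5), 9200.00, "cash_in"),
    Txn("t3", "C2", date(2016, 1, 2), 9500.00, "cash_in"),   # same pattern, low-risk customer
    Txn("t4", "C2", date(2016, 1, 5), 9200.00, "cash_in"),
    Txn("t5", "C1", date(2016, 1, 10), 30000.00, "wire_out"),
    Txn("t6", "C3", date(2016, 1, 3), 60000.00, "wire_out"),
    Txn("t7", "C3", date(2016, 1, 20), 50000.00, "wire_out"),
    Txn("t8", "C2", date(2016, 1, 8), 40000.00, "wire_out"),
]

if __name__ == "__main__":
    for alert in run_all(SAMPLE_TXNS):
        print(alert)
```

Running it on the sample data raises a STRUCTURING alert for the high-risk customer C1 after two near-threshold deposits, while the identical deposits by low-risk C2 stay below that customer's count threshold; the wire scenario alerts on C1 and C3 but not on C2. Feeding the alert dispositions back through `scenario_productivity` gives the per-scenario filing rate that tuning reviews use to judge whether a scenario's thresholds still earn their alert volume.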
Similar requirements apply to filtering programs:
Filtering programs must be based on the institution’s risk assessment, and technology, processes or tools for matching names and accounts must be aligned with the institution’s particular risks, transactions and product profile.
Filtering programs must be supported by documentation that articulates the intent and design of the program tools, processes or technology.
Filtering programs must be subject to end-to-end pre- and post-implementation testing of data matching, and an evaluation of 1) whether the OFAC sanctions list and threshold settings map to the risks of the institution, 2) the logic of matching technology or tools, 3) model validation, and 4) data input and output.
Filtering programs must be subject to ongoing analysis to assess the logic and performance of the technology or tools for matching names and accounts, as well as the OFAC sanctions list, and to assess the threshold settings to see if they continue to map to the risks of the institution.
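The filtering requirements above turn on three things an examiner will probe: how names are matched, what threshold turns a similarity score into a hit, and how the "bad guy" list entries and "good guy" (reviewed false-positive) suppressions are managed. The following is an added example written for this report, not code from the DFS rule, OFAC or any screening vendor: a minimal name-screening filter with a documented threshold, name normalization, and a good-guy list scoped to a specific list entry. The list entries, list version, customers, stop-word list and threshold are constructed assumptions, and the entries are not from any real sanctions list.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Assumed configuration; the rule expects the rationale for these to be documented.
MATCH_THRESHOLD = 0.85  # similarity at or above which a potential match is raised
LIST_VERSION = "constructed-list-2016-07-01"  # recorded with every screening run

# "Bad guy" list: constructed entries standing in for a sanctions list feed.
SANCTIONS_LIST = [
    {"id": "SDN-0001", "name": "Mohammed Al Rashid", "aliases": ["Mohamed Alrashid"]},
    {"id": "SDN-0002", "name": "Banco Ejemplo S.A.", "aliases": []},
]

# "Good guy" list: customers reviewed and cleared against one specific list entry.
# Suppression is keyed on (customer, list id), never on a bare name, so a new
# list entry with a similar name still produces a hit.
GOOD_GUY_LIST = {("CUST-77", "SDN-0001")}

# Assumed corporate suffixes and titles ignored during matching.
_STOP = {"sa", "ltd", "llc", "inc", "co", "company", "corp", "mr", "mrs"}


def normalize(name):
    """Fold accents and case, drop punctuation and stop words, sort the tokens."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    folded = folded.replace(".", "")  # so "S.A." becomes the stop word "sa"
    tokens = [t for t in re.split(r"[^a-z0-9]+", folded.lower()) if t and t not in _STOP]
    return " ".join(sorted(tokens))


def similarity(a, b):
    """Similarity of two normalized names in [0, 1]; 1.0 is an exact normalized match."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen(customer_id, customer_name, threshold=MATCH_THRESHOLD):
    """Return potential matches for one customer, flagging good-guy suppressions."""
    hits = []
    for entry in SANCTIONS_LIST:
        best = max(similarity(customer_name, n) for n in [entry["name"], *entry["aliases"]])
        if best >= threshold:
            hits.append({
                "list_id": entry["id"],
                "list_version": LIST_VERSION,
                "score": round(best, 3),
                "suppressed": (customer_id, entry["id"]) in GOOD_GUY_LIST,
            })
    return hits


def open_hits(customer_id, customer_name, threshold=MATCH_THRESHOLD):
    """Hits that still need an analyst's decision (suppressed ones are logged, not worked)."""
    return [h for h in screen(customer_id, customer_name, threshold) if not h["suppressed"]]


if __name__ == "__main__":
    print(screen("CUST-12", "Mohamed Al-Rashid"))
    print(screen("CUST-77", "Mohamed Al-Rashid"))  # suppressed by the good-guy list
    print(screen("CUST-12", "Mohamed Al-Rashid", threshold=0.99))  # threshold too tight
```

"Mohamed Al-Rashid" scores about 0.97 against the list entry after normalization and is raised at the 0.85 threshold; the same name is silently missed if the threshold is tightened to 0.99, which is exactly the threshold-to-risk mapping question the rule asks institutions to evaluate. The good-guy suppression for CUST-77 is still recorded as a hit, so an audit trail shows the match was seen and cleared rather than never produced.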
In addition to the foregoing, the following requirements apply to both transaction monitoring and filtering programs:
- Governance and Oversight
There must be adequate governance and management oversight, including policies and procedures governing changes to the transaction monitoring and filtering program, to ensure that changes are defined, managed, controlled, reported and audited. Sufficient funding should also be made available to design, implement and maintain a transaction monitoring and filtering program that complies with the requirements.
There must be qualified personnel or outside consultants responsible for the design, planning, implementation, operation, testing, validation and ongoing analysis of the transaction monitoring and filtering program, including automated systems, if applicable, as well as case management, review and decision making with respect to generated alerts and potential filings. In addition, all stakeholders of the transaction monitoring and filtering program must be provided periodic training.
- Third-Party Risk Management
There must be an adequate vendor selection process if a third-party vendor is used to acquire, install, implement or test the transaction monitoring and filtering program or any aspect of it. Although the regulation itself refers explicitly only to the initial vendor selection process, regulators, as a practical matter, expect institutions to maintain effective third-party oversight throughout the life of a vendor relationship. This is particularly important under the DFS rule for institutions that, for example, rely on a third-party vendor to maintain the OFAC sanctions lists used in their filtering programs.
- Data Access and Integrity
Institutions must identify all of the sources that contain relevant data; data extraction and loading processes must be designed and maintained to ensure complete and accurate transfer of data from its source to automated monitoring and filtering systems, if automated systems are used; and there must be a process for validating the integrity, accuracy and quality of data to ensure that accurate and complete data flows through the transaction monitoring and filtering program.
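The data integrity requirement is the one most often satisfied on paper and failed in practice: a row dropped or an amount truncated between the source system and the monitoring system never produces an alert, so nobody notices. The following is an added example written for this report, not code from the DFS rule or any vendor's load process: a reconciliation control that compares a source extract with what the monitoring system actually loaded, using record counts, control totals, per-record hashes over the critical data elements, and a null check. The critical fields, row contents and defects in the loaded data are constructed assumptions.

```python
import hashlib
from collections import Counter
from decimal import Decimal

# Assumed critical data elements (CDEs) that the monitoring scenarios depend on.
CRITICAL_FIELDS = ("txn_id", "customer", "amount", "currency", "country")


def record_hash(row):
    """Hash of the critical fields only, so any silent change to one of them shows up."""
    material = "|".join(str(row.get(f)) for f in CRITICAL_FIELDS)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def reconcile(source_rows, loaded_rows):
    """Compare a source extract with the rows loaded into the monitoring system."""
    src = {r["txn_id"]: r for r in source_rows}
    dst = {r["txn_id"]: r for r in loaded_rows}  # last occurrence wins for comparison
    loaded_ids = Counter(r["txn_id"] for r in loaded_rows)

    missing = sorted(set(src) - set(dst))                       # dropped in transit
    unexpected = sorted(set(dst) - set(src))                    # not in the extract at all
    duplicates = sorted(i for i, n in loaded_ids.items() if n > 1)
    altered = sorted(i for i in set(src) & set(dst)
                     if record_hash(src[i]) != record_hash(dst[i]))
    null_fields = sorted((r["txn_id"], f) for r in loaded_rows
                         for f in CRITICAL_FIELDS if r.get(f) in (None, ""))

    result = {
        "source_count": len(source_rows),
        "loaded_count": len(loaded_rows),
        "source_amount_total": sum((Decimal(r["amount"]) for r in source_rows), Decimal(0)),
        "loaded_amount_total": sum((Decimal(r["amount"]) for r in loaded_rows), Decimal(0)),
        "missing": missing,
        "unexpected": unexpected,
        "duplicates": duplicates,
        "altered": altered,
        "null_fields": null_fields,
    }
    result["passed"] = not (missing or unexpected or duplicates or altered or null_fields)
    return result


# Constructed sample data: four source transactions and a defective load of them.
SOURCE_ROWS = [
    {"txn_id": "T1", "customer": "C1", "amount": Decimal("1234.56"), "currency": "USD", "country": "US"},
    {"txn_id": "T2", "customer": "C2", "amount": Decimal("250.00"), "currency": "GBP", "country": "GB"},
    {"txn_id": "T3", "customer": "C3", "amount": Decimal("9999.99"), "currency": "USD", "country": "AE"},
    {"txn_id": "T4", "customer": "C1", "amount": Decimal("50.00"), "currency": "USD", "country": "US"},
]
LOADED_ROWS = [
    {"txn_id": "T1", "customer": "C1", "amount": Decimal("1234"), "currency": "USD", "country": "US"},   # decimals truncated
    {"txn_id": "T2", "customer": "C2", "amount": Decimal("250.00"), "currency": "GBP", "country": "GB"},
    {"txn_id": "T2", "customer": "C2", "amount": Decimal("250.00"), "currency": "GBP", "country": "GB"}, # loaded twice
    {"txn_id": "T4", "customer": "C1", "amount": Decimal("50.00"), "currency": "USD", "country": None},  # country lost
    {"txn_id": "T9", "customer": "C9", "amount": Decimal("10.00"), "currency": "USD", "country": "US"},  # not in source
]   # T3 (the 9999.99 transaction) never arrived

if __name__ == "__main__":
    for key, value in reconcile(SOURCE_ROWS, LOADED_ROWS).items():
        print(f"{key}: {value}")
```

On the sample load the control reports the missing T3, the unexpected T9, the duplicated T2, the altered T1 and T4, and the null country on T4, and the amount control totals disagree (11534.55 at source versus 1794.00 loaded); the run fails, so the defect is caught before the structuring scenario quietly misses the 9999.99 deposit. Running the same source rows through as both sides passes, which is the baseline an institution would expect from each nightly load.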
Finally, to the extent a covered financial institution identifies areas, systems or processes that require material improvement, updating or redesign, the institution must document the need identified as well as the planned remedial action and must make this information available to the DFS.
§ 504.4: Annual Certifications
Each covered institution is required to submit by April 15 of each year a board resolution or senior officer(s) finding, as described above, in the format prescribed by Appendix A of the regulation. For purposes of the certification, “board of directors” means the governing body of a regulated institution or the functional equivalent for a regulated institution that does not have a board of directors, and “senior officer” means the senior individual or individuals responsible for the management, operations, compliance and/or risk of a regulated institution.
The first board resolution or senior officer filing is due April 15, 2018. All records, data and supporting information for these submissions must be retained for a period of five years.
Potential Compliance Issues Posed by the Final Rule
Financial institutions have invested heavily in transaction monitoring and sanction screening programs, both in terms of technology and people. Yet, the effectiveness of these programs is often called into question by the regulators and, for some institutions, the ability to evidence sound decision making with respect to the selection, installation and use of enabling technologies and maintenance of effective investigation protocols remains a challenge.
While not intended to be exhaustive, the following are examples of issues we frequently see in financial institutions that will make compliance with Part 504 problematic:
- Insufficient support for system selection, ranging from failure to identify and document critical and desired system functionality to inadequate due diligence of third-party vendors.
- Poor selection of sanctions lists used by the filtering system.
- Inadequate management of “bad guy” and “good guy” lists for sanctions filtering.
- Poorly executed contracts with third-party vendors, which make it difficult for institutions to obtain information they need.
- Failure to configure the system to align with the institution’s risk profile (e.g., using a vendor’s “out-of-the-box” rules and/or threshold settings without a clear understanding of their appropriateness in a particular institution).
- Failure to implement risk-aware thresholds that align with customer risk levels.
- Nonexistent or poorly executed pre- and post-implementation reviews.
- Deficient or stale system documentation, which makes it difficult, if not impossible, to understand the current configuration of rules and thresholds.
- Lack of understanding of and ongoing attention to ensuring the integrity of the critical data elements that feed the system.
- Lack of understanding of system functionality, resulting in underoptimization or potential misuse.
- Inadequate updating and tuning of systems.
- Insufficient or understaffed (in terms of numbers and/or skillsets) processes for investigating potentially suspicious activity or clearing sanction alerts.
These and other issues often result from underinvestment in the transaction monitoring and filtering programs; lack of clearly defined roles and responsibilities among compliance, technology, model validation and internal audit personnel; inadequate customization of third-party systems; insufficient understanding by compliance personnel of the technologies deployed; and, in the case of some FBOs that rely on their head offices for aspects of their transaction monitoring and filtering programs, decisions that are not made or documented locally and which may not fully consider the needs of the U.S. operations. These issues may be more pronounced in smaller financial institutions, but can exist in larger institutions as well.
Many of these issues can be addressed prospectively. However, it is very difficult to compensate for poorly selected and documented systems.
With the effective date of the regulation less than six months away, DFS-regulated institutions would be well-advised to take immediate steps to ensure they will be in compliance with the regulation. These steps should include, but are not necessarily limited to, the following:
- Form a transaction monitoring and filtering program working group to manage and report on the compliance effort. The working group should be sponsored by a senior executive and should include, at a minimum, representatives from compliance, model validation (if in-house), technology, head office for FBOs that rely on head office for any aspect of their transaction monitoring or sanction screening program, and (as an observer) internal audit. In some institutions, the working group might need to be expanded to include, as examples, line of business AML officers, representatives of quality assurance functions that may be separate from the compliance function, and operations personnel responsible for clearing sanctions hits.
- Assign the working group responsibility for the following activities:
- Evaluate existing policies and procedures for the selection, installation and use of third-party systems.
- Review existing scenario coverage for transaction monitoring and list selection for filtering systems.
- Review the institution’s most recent AML risk and sanction risk assessments to ensure alignment with the transaction monitoring and filtering programs.
- Review existing supporting documentation, including data mapping, for transaction monitoring and filtering systems to be sure it is complete and up-to-date.
- Review model governance policies and procedures to ensure, among other considerations, that they clearly assign responsibility for system tuning, model validation, data reconciliation and data integrity audits, and business continuity.
- Determine whether the latest model validation of automated transaction monitoring and sanction screening systems was sufficiently comprehensive and that any identified issues have been, or are in the process of being, corrected.
- Review the results of recent quality assurance reviews, internal audits and regulatory examinations for any issues relating to transaction monitoring and filtering programs, and confirm that any identified issues have been, or are in the process of being, corrected.
- Review performance metrics for transaction monitoring and filtering systems.
- Assess the current transaction monitoring and sanction screening operations, including the completeness and clarity of investigation protocols and the sufficiency of assigned personnel to carry out their responsibilities effectively.
- Based on the above, the working group should:
- Create an action plan with clear assignment of responsibilities, including project management, and due dates to remediate any identified program weaknesses.
- Define key stakeholders for purposes of the training requirement of the regulation, and assign responsibility for developing and scheduling training.
- Consider how best to present the institution’s transaction monitoring and filtering program holistically to the regulators at the institution’s next examination.
- Based on input from the working group, executive management and the board should determine which option (board resolution or senior officer finding) will be used for annual reporting to the DFS, identify supporting materials that will be required, and ensure that appropriate personnel document the process, including downstream sign-offs (as deemed appropriate), to be followed to meet the April 15 annual certification due date. As a practical matter, this process should also include escalation and ultimate decision-making protocols if the parties responsible for this process become aware of weaknesses in the compliance program that they believe will require disclosure to the DFS and/or affect the filing of the certification.
- Following the initial certification, management should refine the process based on lessons learned and document it for future use.
It seems unlikely that a board of directors that does not have the same degree of content knowledge as a senior officer would opt to provide a board resolution in lieu of a senior officer’s finding, but even if the board were to agree to do so, we would expect the board to rely heavily on the senior officer(s) to determine the institution’s compliance with Part 504. Starting the implementation process today is key to self-identifying and addressing issues that may complicate the certification process and may need to be reported to the DFS once the rule is effective.