DFS-50-15-00004-A Regulating Transaction Monitoring and Filtering Systems Maintained by Banks, Check Cashers and Money Transmitters  

  • 7/20/16 N.Y. St. Reg. DFS-50-15-00004-A
    NEW YORK STATE REGISTER
    VOLUME XXXVIII, ISSUE 29
    July 20, 2016
    RULE MAKING ACTIVITIES
    DEPARTMENT OF FINANCIAL SERVICES
    NOTICE OF ADOPTION
     
    I.D No. DFS-50-15-00004-A
    Filing No. 629
    Filing Date. Jun. 30, 2016
    Effective Date. Jan. 01, 2017
    Regulating Transaction Monitoring and Filtering Systems Maintained by Banks, Check Cashers and Money Transmitters
    PURSUANT TO THE PROVISIONS OF THE State Administrative Procedure Act, NOTICE is hereby given of the following action:
    Action taken:
    Addition of Part 504 to Title 3 NYCRR.
    Statutory authority:
    Banking Law, section 37(3) and (4); Financial Services Law, section 302
    Subject:
    Regulating Transaction Monitoring and Filtering Systems maintained by banks, check cashers and money transmitters.
    Purpose:
    To ensure that the financial system is not used for purposes of money laundering or other suspicious activities, terrorist financing, or sanctions violations.
    Text of final rule:
    Part 504
    Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications
    § 504.1 Background.
    The Department of Financial Services (the “Department”) has been involved in investigations into compliance by Regulated Institutions, as defined below, with applicable Bank Secrecy Act/Anti-Money Laundering laws and regulations [1] (“BSA/AML”) and Office of Foreign Assets Control of the Treasury Department (“OFAC”) [2] requirements implementing federal economic and trade sanctions. [3]
    As a result of these investigations, the Department identified shortcomings in the transaction monitoring and filtering programs of these institutions attributable to a lack of robust governance, oversight, and accountability at senior levels. Based on not only this experience, but also its regular examinations for safety and soundness, along with other factors, the Department has reason to believe that financial institutions have shortcomings in their transaction monitoring and filtering programs.
    As a result, the Department has determined to clarify the required attributes of a Transaction Monitoring and Filtering Program and to require that the Board of Directors or Senior Officer(s), as applicable, of each Regulated Institution submit to the Superintendent annually a Board Resolution or Compliance Finding, as defined in this Part, confirming the steps taken to ascertain compliance by the Regulated Institution with this Part.
    This regulation implements these requirements.
    § 504.2 Definitions.
    The following definitions apply in this Part:
    (a) “Annual Board Resolution or Senior Officer Compliance Finding” means a board resolution or senior officer(s) finding in the form set forth in Attachment A.
    (b) “Bank Regulated Institutions” means all banks, trust companies, private bankers, savings banks, and savings and loan associations chartered pursuant to the New York Banking Law (the “Banking Law”) and all branches and agencies of foreign banking corporations licensed pursuant to the Banking Law to conduct banking operations in New York.
    (c) “Board of Directors” means the governing board of every Regulated Institution or the functional equivalent if the Regulated Institution does not have a Board of Directors.
    (d) “Nonbank Regulated Institutions” shall mean all check cashers and money transmitters licensed pursuant to the Banking Law.
    (e) “Regulated Institutions” means all Bank Regulated Institutions and all Nonbank Regulated Institutions.
    (f) “Risk Assessment” means an on-going comprehensive risk assessment, including an enterprise wide BSA/AML risk assessment, that takes into account the institution’s size, staffing, governance, businesses, services, products, operations, customers, counterparties, other relations and their locations, as well as the geographies and locations of its operations and business relations.
    (g) “Senior Officer(s)” shall mean the senior individual or individuals responsible for the management, operations, compliance and/or risk of a Regulated Institution including a branch or agency of a foreign banking organization subject to this Part.
    (h) “Suspicious Activity Reporting” means a report required pursuant to 31 U.S.C. § 5311 et seq. that identifies suspicious or potentially suspicious or illegal activities.
    (i) “Transaction Monitoring Program” means a program that includes the attributes specified in Subdivisions (a), (c) and (d) of Section 504.3.
    (j) “Filtering Program” means a program that includes the attributes specified in Subdivisions (b), (c) and (d) of Section 504.3.
    (k) “Transaction Monitoring and Filtering Program” means a Transaction Monitoring Program, and a Filtering Program, collectively.
    § 504.3 Transaction Monitoring and Filtering Program Requirements.
    (a) Each Regulated Institution shall maintain a Transaction Monitoring Program reasonably designed for the purpose of monitoring transactions after their execution for potential BSA/AML violations and Suspicious Activity Reporting, which system may be manual or automated, and which shall include the following attributes, to the extent they are applicable:
    1. be based on the Risk Assessment of the institution;
    2. be reviewed and periodically updated at risk-based intervals to take into account and reflect changes to applicable BSA/AML laws, regulations and regulatory warnings, as well as any other information determined by the institution to be relevant from the institution’s related programs and initiatives;
    3. appropriately match BSA/AML risks to the institution’s businesses, products, services, and customers/counterparties;
    4. BSA/AML detection scenarios with threshold values and amounts designed to detect potential money laundering or other suspicious or illegal activities;
    5. end-to-end, pre-and post-implementation testing of the Transaction Monitoring Program, including, as relevant, a review of governance, data mapping, transaction coding, detection scenario logic, model validation, data input and Program output;
    6. documentation that articulates the institution’s current detection scenarios and the underlying assumptions, parameters, and thresholds;
    7. protocols setting forth how alerts generated by the Transaction Monitoring Program will be investigated, the process for deciding which alerts will result in a filing or other action, the operating areas and individuals responsible for making such a decision, and how the investigative and decision-making process will be documented; and
    8. be subject to an on-going analysis to assess the continued relevancy of the detection scenarios, the underlying rules, threshold values, parameters, and assumptions.
    (b) Each Regulated Institution shall maintain a Filtering Program, which may be manual or automated, reasonably designed for the purpose of interdicting transactions that are prohibited by OFAC, and which shall include the following attributes, to the extent applicable:
    1. be based on the Risk Assessment of the institution;
    2. be based on technology, processes or tools for matching names and accounts [4], in each case based on the institution’s particular risks, transaction and product profiles;
    3. end-to-end, pre- and post-implementation testing of the Filtering Program, including, as relevant, a review of data matching, an evaluation of whether the OFAC sanctions list and threshold settings map to the risks of the institution, the logic of matching technology or tools, model validation, and data input and Program output;
    4. be subject to on-going analysis to assess the logic and performance of the technology or tools for matching names and accounts, as well as the OFAC sanctions list and the threshold settings to see if they continue to map to the risks of the institution; and
    5. documentation that articulates the intent and design of the Filtering Program tools, processes or technology.
    (c) Each Transaction Monitoring and Filtering Program shall require the following, to the extent applicable:
    1. identification of all data sources that contain relevant data;
    2. validation of the integrity, accuracy and quality of data to ensure that accurate and complete data flows through the Transaction Monitoring and Filtering Program;
    3. data extraction and loading processes to ensure a complete and accurate transfer of data from its source to automated monitoring and filtering systems, if automated systems are used;
    4. governance and management oversight, including policies and procedures governing changes to the Transaction Monitoring and Filtering Program to ensure that changes are defined, managed, controlled, reported, and audited;
    5. vendor selection process if a third party vendor is used to acquire, install, implement, or test the Transaction Monitoring and Filtering Program or any aspect of it;
    6. funding to design, implement and maintain a Transaction Monitoring and Filtering Program that complies with the requirements of this Part;
    7. qualified personnel or outside consultant(s) responsible for the design, planning, implementation, operation, testing, validation, and on-going analysis of the Transaction Monitoring and Filtering Program, including automated systems if applicable, as well as case management, review and decision making with respect to generated alerts and potential filings; and
    8. periodic training of all stakeholders with respect to the Transaction Monitoring and Filtering Program.
    (d) To the extent a Regulated Institution has identified areas, systems, or processes that require material improvement, updating or redesign, the Regulated Institution shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by the Superintendent.
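    As an added illustration, not part of the rule text, the following hypothetical Python sketch shows how several § 504.3 attributes fit together in code: data validation with auditable rejections ((c)(2)), a detection scenario whose thresholds are documented next to its logic and recorded in every alert it raises ((a)(4), (a)(6), (a)(7)), and name screening with an explicit similarity threshold setting ((b)(2), footnote 4). All threshold values, the sample transactions and the screening list are constructed for the example.

```python
from datetime import date, timedelta
from decimal import Decimal, InvalidOperation
from difflib import SequenceMatcher
import unicodedata

# 504.3(c)(2): validate integrity and quality of data before it reaches the engine.
REQUIRED_FIELDS = ("txn_id", "customer_id", "txn_date", "amount", "channel", "counterparty")

def validate_records(rows):
    """Split rows into (clean, rejected); each rejection records its reason for audit."""
    clean, rejected = [], []
    for row in rows:
        missing = [f for f in REQUIRED_FIELDS if row.get(f) in (None, "")]
        if missing:
            rejected.append((row.get("txn_id"), f"missing fields: {missing}"))
            continue
        try:
            amount = Decimal(str(row["amount"]))
            txn_date = date.fromisoformat(row["txn_date"])
        except (InvalidOperation, ValueError) as exc:
            rejected.append((row["txn_id"], f"unparseable amount or date: {exc}"))
            continue
        if amount <= 0:
            rejected.append((row["txn_id"], "non-positive amount"))
            continue
        clean.append({**row, "amount": amount, "txn_date": txn_date})
    return clean, rejected

# 504.3(a)(4), (a)(6): a detection scenario whose assumptions and thresholds are documented.
STRUCTURING = {
    "scenario": "CASH-STRUCT-01",
    "description": "cash deposits each below the single-transaction limit that together exceed it",
    "channel": "CASH_DEPOSIT",
    "single_txn_max": Decimal("10000"),  # illustrative values, not taken from the rule
    "aggregate_min": Decimal("10000"),
    "window_days": 7,
    "min_count": 3,
}

def run_structuring(txns, params=STRUCTURING):
    """Sliding-window check per customer; each alert carries the parameters that fired it."""
    window = timedelta(days=params["window_days"])
    by_customer = {}
    for t in txns:
        if t["channel"] == params["channel"] and t["amount"] < params["single_txn_max"]:
            by_customer.setdefault(t["customer_id"], []).append(t)
    alerts = []
    for cust, items in by_customer.items():
        items.sort(key=lambda t: t["txn_date"])
        for i, first in enumerate(items):
            group = [t for t in items[i:] if t["txn_date"] - first["txn_date"] <= window]
            total = sum(t["amount"] for t in group)
            if len(group) >= params["min_count"] and total >= params["aggregate_min"]:
                alerts.append({"scenario": params["scenario"], "customer_id": cust,
                               "txn_ids": [t["txn_id"] for t in group], "total": total,
                               "parameters": {k: str(v) for k, v in params.items()}})
                break  # one alert per customer per run; analyst review follows 504.3(a)(7)
    return alerts

# 504.3(b)(2) and footnote 4: name matching with an explicit, tunable threshold setting.
def normalize_name(name):
    """Fold accents, case and punctuation so 'José Núñez' and 'JOSE NUNEZ' compare equal."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join("".join(c if c.isalnum() else " " for c in folded).upper().split())

def screen_name(name, list_entries, threshold=0.85):
    """Return (entry, score) pairs at or above the threshold, best match first."""
    target = normalize_name(name)
    hits = []
    for entry in list_entries:
        score = SequenceMatcher(None, target, normalize_name(entry)).ratio()
        if score >= threshold:
            hits.append((entry, round(score, 3)))
    return sorted(hits, key=lambda h: -h[1])

def _row(tid, cust, day, amt, chan, cp):
    return {"txn_id": tid, "customer_id": cust, "txn_date": day, "amount": amt,
            "channel": chan, "counterparty": cp}

SAMPLE_TXNS = [  # constructed sample input, not from the page; T6 and T7 are bad records
    _row("T1", "C100", "2017-03-01", "9500", "CASH_DEPOSIT", "self"),
    _row("T2", "C100", "2017-03-03", "9800", "CASH_DEPOSIT", "self"),
    _row("T3", "C100", "2017-03-05", "9900", "CASH_DEPOSIT", "self"),
    _row("T4", "C200", "2017-03-02", "12000", "CASH_DEPOSIT", "self"),
    _row("T5", "C300", "2017-03-02", "4000", "WIRE", "Acme Trading"),
    _row("T6", "C300", "2017-03-04", "abc", "WIRE", "Jose Nunez"),
    _row("T7", "C400", "2017-03-06", "100", "WIRE", ""),
]
SAMPLE_LIST = ["JOSE NUNEZ", "ACME TRADING LLC"]  # constructed stand-in for a screening list

if __name__ == "__main__":  # quick demonstration run
    clean, rejected = validate_records(SAMPLE_TXNS)
    print(rejected, run_structuring(clean), screen_name("Acme Trading", SAMPLE_LIST))
```

Lowering the screening threshold to 0.85 is what makes "Acme Trading" match "ACME TRADING LLC"; at 0.9 it does not, which is the kind of threshold setting (b)(4) expects to be re-assessed against the institution's risks.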
    § 504.4 Annual Board Resolution or Senior Officer(s) Compliance Finding.
    To ensure compliance with the requirements of this Part, each Regulated Institution shall adopt and submit to the Superintendent a Board Resolution or Senior Officer(s) Compliance Finding in the form set forth in Attachment A by April 15th of each year. Each Regulated Institution shall maintain for examination by the Department all records, schedules and data supporting adoption of the Board Resolution or Senior Officer(s) Compliance Finding for a period of five years.
    § 504.5 Penalties/Enforcement Actions.
    This regulation will be enforced pursuant to, and is not intended to limit, the Superintendent’s authority under any applicable laws.
    § 504.6 Effective Date.
    This Part shall be effective January 1, 2017. Regulated Institutions will be required to prepare and submit to the Superintendent Annual Board Resolutions or Senior Officer(s) Compliance Findings under § 504.4 commencing April 15, 2018.
    ATTACHMENT A
    _______________ (Regulated Institution Name)
    APRIL 15, 20__
    Annual Board Resolution or Senior Officer(s) Compliance Finding For Bank Secrecy Act/Anti-Money Laundering and Office of Foreign Asset Control Transaction Monitoring and Filtering Program
    Whereas, in compliance with the requirements of the New York State Department of Financial Services (the “Department”) that each Regulated Institution maintain a Transaction Monitoring and Filtering Program in compliance with Section 504.3; and
    Whereas, Section 504.4 requires that the Board of Directors or a Senior Officer(s), as appropriate, adopt and submit to the Superintendent a Board Resolution or Senior Officer Compliance Finding confirming its or such individual’s findings that the Regulated Institution is in compliance with Section 504.3 of this Part 504;
    NOW, THEREFORE, the Board of Directors or Senior Officer certifies:
    (1) The Board of Directors (or name of Senior Officer(s)) has reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary to adopt this Board Resolution or Senior Officer Compliance Finding;
    (2) The Board of Directors or Senior Officer(s) has taken all steps necessary to confirm that (name of Regulated Institution) has a Transaction Monitoring and Filtering Program that complies with the provisions of Section 504.3; and
    (3) To the best of the (Board of Directors) or (name of Senior Officer(s)) knowledge, the Transaction Monitoring and the Filtering Program of (name of Regulated Institution) as of ___ (date of the Board Resolution or Senior Officer(s) Compliance Finding) for the year ended ___ (year for which Board Resolution or Compliance Finding is provided) complies with Section 504.3.
    Signed by each member of the Board of Directors or Senior Officer(s)
    (Name) _______ Date: ___
    _______________
    [1] With respect to federal laws and regulations, see 31 U.S.C. § 5311, et seq. and 31 CFR Chapter X. For New York State regulations, see Part 115 (3 NYCRR 115), Part 116 (3 NYCRR 116), Part 416 (3 NYCRR 416) and Part 417 (3 NYCRR 417).
    [2] 31 CFR part 501 et seq.
    [3] For information regarding the United States Code, the Code of Federal Regulations and the Federal Register, see Supervisory Policy G-1.
    [4] The technology used in this area may be based on automated tools that develop matching algorithms, such as those that use various forms of so-called “fuzzy logic” and culture-based name conventions to match names. This regulation does not mandate the use of any particular technology, only that the system or technology used must be reasonably designed to identify prohibited transactions.
    Final rule as compared with last published rule:
    Nonsubstantive changes were made in sections 504.1, 504.2, 504.3, 504.4, 504.5 and 504.6.
    Revised rule making(s) were previously published in the State Register on December 16, 2016.
    Text of rule and any required statements and analyses may be obtained from:
    Celeste Koeleveld, Department of Financial Services, One State Street, New York, New York 10004, (212) 709-1663, email: Celeste.Koeleveld@dfs.ny.gov
    Revised Regulatory Impact Statement
    1. Statutory Authority.
    Pursuant to Sections 37(3) and 37(4) of the New York Banking Law (the “BL”), the Department of Financial Services (the “Department”) has broad authority to require reports from state-chartered banks, private banks, trust companies, licensed branches and agencies of foreign bank corporations, licensed check cashers and licensed money transmitters (each a “Covered Institution”). The Department also has broad authority to prescribe the form of all such reports pursuant to these two provisions. In addition, Section 302 of the Financial Services Law (“FSL”) provides the Department with equally broad authority to adopt regulations relating to “financial products and services” which are broadly defined in the FSL to mean essentially any product or services offered by a regulated institution. Accordingly, the Department has ample authority to adopt the proposed regulation.
    2. Legislative Objectives.
    The BL and the FSL are both intended to ensure the safe and sound operation of the financial system. The proposed regulation is intended to ensure that the financial system is not used for money laundering, sanctions violations, or terrorist funding purposes. This goal is perfectly consistent with the objective of the BL and FSL. Federal Bank Secrecy Act/Anti-Money Laundering laws and regulations and Office of Foreign Assets Control requirements (together, “Requirements”) generally prohibit financial institutions from engaging in or facilitating money laundering, sanctions violations, and funding for terrorist or criminal organizations and countries.
    The proposed rule creates a more granular framework for the Board of Directors or Senior Officer (as defined) at a Covered Institution to follow in implementing and maintaining a program and processes that are reasonably designed to ensure compliance with the Requirements and allows the Department to confirm such compliance.
    3. Needs and Benefits.
    The proposed rule does not change existing compliance requirements imposed on Covered Institutions. Rather, it mandates that the Board of Directors or Senior Officer at these institutions file an annual certification with the Department confirming that their institution has a program and processes reasonably designed to ensure compliance with the Requirements. It is the Department’s intent that this certification requirement will assist institutions to proactively ensure compliance with the Requirements.
    4. Costs.
    All Covered Institutions are currently subject to the Requirements. The proposed regulation provides more granular guidance and requires the Board of Directors or Senior Officer at a Covered Institution to certify that their Covered Institution has implemented a program that is reasonably designed to comply with the proposal. It is the Department’s intent that this certification requirement will cause covered institutions to proactively ensure compliance with existing Requirements. The cost of complying with the proposed regulation generally should have been incurred previously to ensure compliance. Hence, it is arguable that only costs associated with the proposed regulation reflect costs that institutions should have expensed in the past.
    5. Local Government Mandates.
    This proposal imposes no program, service, duty or responsibility upon any county, city, town, village, school district or other special district.
    6. Paperwork.
    The regulation does not change the process utilized by the Department to determine compliance with the Requirements. However, it does require Covered Institutions to document their compliance with the requirements of this proposal. Nevertheless, it is not believed that this requirement will be significant as Covered Institutions are already required to maintain compliance programs applicable to the Requirements. This proposal will only require that such compliance be appropriately documented.
    7. Duplication.
    The regulation does not duplicate, overlap or conflict with any other regulations.
    8. Alternatives.
    The Department is not aware of any alternatives to the proposed rule.
    9. Federal Standards.
    Not applicable.
    10. Compliance Schedule.
    The proposed rule will become applicable upon formal adoption.
    Revised Regulatory Flexibility Analysis
    1. Effect of the Rule:
    The proposed rule does not have any impact on local governments.
    The proposed rule sets forth a methodology to be used by the Banking Division of the Department of Financial Services (the “Department”) to assess the processes and systems used by chartered banks, private banks, trust companies, licensed branches and agencies of foreign banking corporations, licensed check cashers and licensed money transmitters (each a “Covered Institution”) to comply with federal Bank Secrecy Act, Anti-Money Laundering laws and regulations and Office of Foreign Assets Control requirements (together, “Requirements”). The regulation should not significantly increase existing compliance costs of these entities. This new regulation requires that the Board of Directors or Senior Officer (as defined) at these entities take steps to ensure and document compliance by their institutions with the Requirements. Those Requirements, which are implemented under both federal and state law, protect against money laundering, sanctions violations, and funding for terrorist or criminal organizations and countries.
    2. Compliance Requirements:
    The proposed rule does not change existing compliance requirements imposed on Covered Institutions, except that it creates a more granular framework for the Board of Directors or Senior Officer for these institutions to follow in implementing and maintaining a program that is reasonably designed to ensure compliance by their institutions with the Requirements. It is the Department’s intent that this new certification requirement will cause the Board of Directors or Senior Officers to proactively ensure compliance.
    3. Professional Services:
    None beyond existing costs to comply with the Requirements under applicable federal and state law.
    After their review of the requirements of this proposal, certain institutions may decide to engage third party service providers to ensure compliance with applicable federal and state laws and regulations.
    4. Compliance Costs:
    All Covered Institutions are currently subject to the Requirements. Depending on the size of the institution, regulatory compliance systems or processes may be manual or automated. The proposed regulation provides more granular guidance and requires the Board of Directors or Senior Officers at a Covered Institution to certify that their institutions have a program that is reasonably designed to ensure compliance with the Requirements. It is the Department’s intent that this certification requirement will cause institutions to proactively ensure compliance with federal and state law. The cost of compliance with the new rule generally should have been incurred previously to ensure compliance. Hence, it is arguable that only costs associated with the proposed regulation reflect costs that institutions should have incurred in the past.
    5. Economic and Technological Feasibility:
    Covered Institutions should already have in place processes and systems, whether manual or automated to ensure compliance with the Requirements. At most, the proposed regulation will focus the attention of institutions on the adequacy of existing systems.
    6. Minimizing Adverse Impacts:
    As noted above, the proposed regulation does not impose a substantially new regulatory requirement. Rather, it is intended to cause institutions to review their systems and processes to ensure their adequacy.
    7. Small Business and Local Government Participation:
    This regulation does not impact local governments.
    As noted above, under existing federal and state law designed to protect against money laundering and funding for terrorist organizations and countries, Covered Institutions already must have systems and processes in place to protect against money laundering and funding for terrorist organizations and countries. The proposed regulation is intended merely to foster compliance with existing requirements.
    Revised Rural Area Flexibility Analysis
    Changes made to the last published rule do not necessitate revision to the previously published RAFA.
    Revised Job Impact Statement
    Changes made to the last published rule do not necessitate revision to the previously published JIS.
    Initial Review of Rule
    As a rule that requires a RFA, RAFA or JIS, this rule will be initially reviewed in the calendar year 2019, which is no later than the 3rd year after the year in which this rule is being adopted.
    Assessment of Public Comment
    The Department of Financial Services (the “Department”) received in excess of 20 comments on the original proposal as published in the State Register on December 16, 2015, through the close of the comment period on March 31, 2016. These comments addressed the following issues:
    1. Commentators noted that the federal framework for anti-money laundering (“AML”), Bank Secrecy Act (“BSA”) and the sanctions program administered by the Office of Foreign Assets Control (“OFAC”) are risk-based and allow covered institutions to adapt to changing circumstances and threats. The original proposal would have created, it was claimed, a static regulatory framework that could not be adapted in a timely fashion to such evolving dangers. The proposal has been amended to more clearly reflect the risk-based design of the regulation.
    2. A number of commentators asserted that the original proposed certification requirement would undermine the ability of covered institutions to develop and implement effective AML and counterterrorism financing compliance programs. In particular, commentators expressed concern that the original proposal would discourage qualified individuals from serving as compliance specialists and that the need to comply with the requirements of the proposal would divert resources from existing compliance programs. The revised regulation addresses these issues by revising the form of certification and broadening the individuals that the institution can select to provide the compliance certification.
    3. For similar reasons, a number of commentators noted that the parts of the proposal that focused on criminal penalties were unreasonable given the original wording of Section 504.5. In addition, it was suggested that criminal penalties would be inappropriate where the certifying individual was acting in reliance on many other individuals, not necessarily subject to his or her oversight or control. The revised regulation addresses these issues. The reference to criminal penalties has been removed from Section 504.5, and the form of certification and the individuals required to certify, as well as the facts that the institution is required to certify, have been amended.
    4. Many commentators also expressed concern that the certifying official would be held “strictly liable” if he or she certified that a program complied with the regulation but the program did not, in fact, comply with the regulation. The revised regulation addresses these concerns by providing that the program must be “reasonably designed” to monitor prohibited transactions; that the program must be “risk-based”; and that the program must incorporate certain attributes “to the extent they are applicable” to the particular institution. In addition, the compliance finding makes clear that it is based on the certifying individuals’ review of necessary documents and materials, which may be prepared by or under the responsibility of other parties, and that it is made to the best of the certifying individuals’ knowledge. That said, if such a program is not reasonably designed and if the compliance finding is not based on a review of necessary documents and materials, the certifying individual(s) may appropriately be subject to the Superintendent’s civil enforcement powers, and if the compliance finding was made with the intent to deceive, to criminal penalties.
    5. Commentators noted that the original regulation did not provide an opportunity to indicate that, during the course of a year, an institution identified areas requiring improvement or remediation. The revised regulation has added a provision to provide for such an opportunity.
    6. Several commentators noted that there is an existing federal framework that governs AML/BSA and OFAC. Commentators also asserted that regulations adopted by the Department should be consistent with this framework. The Department believes that the revised regulation is consistent with the federal framework and responsive to the comments.
    7. Several commentators also pointed out that the terminology used in the original proposal, while accurately reflecting terminology common to institutions and individuals in the transaction and filtering field, was not generally defined in applicable federal laws and regulations. The revised regulation de-emphasizes such terminology in an effort to ensure consistency with the existing federal framework.
    8. A number of commentators noted that the original proposal excluded credit unions from its coverage. Although credit unions are not included in the regulation because they generally present a lesser risk of money laundering and other suspicious or illegal activities, credit unions are nonetheless required to have BSA and OFAC compliant programs. The Department will continue to monitor and assess whether other types of institutions should be covered by the regulation.
    9. With respect to Section 504.3(a), a number of commentators noted that the original requirement that a transaction monitoring program “reflect all current. . . laws, regulations and alerts” was unnecessary and failed to reflect the risk-based nature of the federal guidelines. The regulation has been modified to address these comments.
    10. With respect to Section 504.3(b), concern was expressed that the original proposal would require that all transactions would have to be screened and that this requirement was inconsistent with the risk-based nature of the federal framework. The regulation has been modified to address this issue.
    11. With respect to 504.3(d) in the original proposal, many commentators noted that this part of the original proposal could be interpreted to mean that a covered institution could not scale back its monitoring and filtering systems if it turned out that the system was not operating as intended or was providing an unreasonable number of false positive alerts. This provision has been deleted from the regulation, because the concern about program changes deliberately designed to avoid regulatory requirements is adequately addressed elsewhere in the regulation and in applicable law.
    12. A number of commentators asserted that the immediate effective date provision and April 1, 2017 certification requirement did not allow sufficient time within which covered institutions could ensure their compliance. The revised regulation addresses these concerns by extending the effective date until January 1, 2017, and extending the time for the first certification until April 1, 2018.
    13. Check cashers offered their view that their industry already is subject to extensive regulation and, therefore, it is not in need of further regulation by the Department in this area. In the Department’s view, this comment misapprehends the purpose of the regulation.
    14. One commentator suggested that existing transaction monitoring and filtering systems be grandfathered. The Department believes that public policy mandates that transaction monitoring and filtering programs be up to date and operating as required by law. The revised regulation provides adequate time for regulated institutions to comply with the regulations.
    15. One commentator suggested that subsidiaries of federally chartered institutions should not be subject to the requirements of this proposal. The Department respectfully disagrees. Where such subsidiaries are subject to the Department’s jurisdiction, they are appropriately subject to this regulation.

Document Information

Effective Date:
1/1/2017
Publish Date:
07/20/2016