Personal Certification for AML and Sanctions Compliance: New York Financial Regulator proposes new rule
A new anti-money laundering (AML) and sanctions compliance rule (Proposed Rule)[1] was proposed by the New York State financial regulator, the Department of Financial Services (DFS), in December 2015. If it becomes effective, the Proposed Rule would require certain financial institutions, including all branches and agencies of foreign banking corporations licensed under the Banking Law, that conduct banking operations in New York, to adopt specific sanctions screening practices. Individual criminal liability for deviations from DFS requirements is a possibility as the Proposed Rule would also require a senior compliance officer to certify an institution's compliance.
U.S. state regulators have traditionally left the setting of AML and sanctions compliance standards to federal regulatory agencies.[2] However, DFS's entry in this area has been foreshadowed by its aggressive enforcement of AML and sanctions compliance in recent years. These enforcement actions have included highly publicized billion-dollar fines against a number of non-U.S. banks. As the Proposed Rule explains, DFS wants to clarify the attributes of bank AML and sanctions compliance programs after becoming aware that "shortcomings in the transaction monitoring and filtering programs [and] a lack of robust governance, oversight, and accountability at senior levels of these institutions has contributed to ... shortcomings in" AML and sanctions compliance.[3]
Compliance programmes – more specific requirements
The Proposed Rule would require that all banks, trust companies, private bankers, savings banks, and savings and loan associations chartered pursuant to the New York Banking Law, as well as all branches of non-U.S. banking corporations (collectively Regulated Institutions), have compliance programs that meet certain specifications set out in Section 504.3.[4] These programmatic requirements are split into two areas:
- Transaction Monitoring: policies and procedures aimed at fulfilling Bank Secrecy Act (BSA) and other AML requirements, and
- Watch List Filtering: the practices used to interdict transactions that implicate U.S. or other countries' sanctions lists.[5]
Drawing on the controversial Sarbanes-Oxley Act (SOX) model of individual responsibility for certifying a company's financial statements and related disclosures under the securities laws, the Proposed Rule would require a Chief Compliance Officer or equivalent (called a Senior Certifying Officer under the Proposal) to certify on an annual basis that the institution's policies meet all the specifications of Section 504.3.
Key differences from current practices
While the requirements detailed by DFS mirror industry practices for AML and sanctions compliance in key respects, the Proposed Rule adds to the existing U.S. AML and sanctions regime in a few important ways.
- The Proposed Rule creates programmatic requirements for sanctions compliance that do not currently exist at the federal level. While OFAC has fostered compliance standards by considering compliance as a mitigating factor when violations are discovered, the Proposed Rule would make failure to maintain adequate compliance a violation in itself, irrespective of whether a sanctions violation occurred.
- The requirements have a much greater degree of specificity. In addition to the fundamental obligation to have in place a risk-based compliance program with appropriate training and oversight, the Proposed Rule articulates specific expectations for both AML and sanctions programs: they must involve "end-to-end … testing", including data mapping, detection scenarios, and model validation; subject "threshold values, parameters, and assumptions" to on-going analysis; and recap all these practices and parameters in "easily understandable documentation."[6] The Proposed Rule places further focus on the management of data within the program, requiring that "data extraction and loading processes … ensure a complete and accurate transfer of data" and that, where third party vendors are used for any part of compliance, a vendor selection process is included in the program. Even banks with well-developed AML and sanctions programs may need to update their policies in order to ensure that these practices are explicitly captured for the DFS to review.
- Finally, the individual certification regime heightens the stakes for compliance officers and could increase the level of internal diligence needed to assure that the program has been adequately implemented.[7] In contrast to financial reporting certifications required under SOX, the draft Annual Certification included with the Proposed Rule[8] does not include a materiality threshold. As a consequence, even non-material deviations from the program requirements could lead to liability for the Senior Certifying Officer. Some observers have expressed concern that such a wide scope of responsibility could make it difficult to hire compliance personnel in New York if the Proposed Rule is not changed before it is finalized.
1. Regulating Transaction Monitoring and Filtering Systems Maintained by Banks, Check Cashers and Money Transmitters, 28 N.Y. Reg. 9 (proposed December 16, 2015). The draft rule can also be viewed on the DFS website at http://www.dfs.ny.gov/legal/regulations/proposed/rp504t.pdf, and the Governor's press release announcing the proposal may be found at
2. The Financial Crimes Enforcement Network or FinCEN, the U.S. federal AML regulator, and the Office of Foreign Assets Control or OFAC, which administers U.S. trade sanctions, are the specialized departments within the Department of the Treasury for AML and sanctions regulation and enforcement.
3. Proposed Rule, Sec. 504.1.
4. Proposed Rule Sec. 504.2(b). Among nonbank institutions, the Proposed Rule also covers licensed check cashers and money transmitters. Sec. 504.2(d). At this time, investment advisors and broker-dealers would not be affected.
5. See Proposed Rule, Sec. 504.3 (a-c).
6. Proposed Rule, Sec. 504.3(a, b).
7. The Certification requirement is contained in Sec. 504.4 of the Proposed Rule. Sec. 504.5 allows that all penalties for violations of the Banking Law and Financial Services Law would apply to the Proposed Rule, and that a "Certifying Senior Officer who files an incorrect or false Annual Certification also may be subject to criminal penalties for such filing."
8. Attachment A of the Proposed Rule contains the proposed Certification Filing, by which the Senior Certifying Officer would certify "that the Transaction Monitoring and Filtering Program complies with all the requirements of Section 504.3."