September 14, 2017

The Hidden Risks of NYSDFS Rule Part 504

I. Final Rule on Transaction Monitoring and Filtering Programs

On June 30, 2016, the New York State Department of Financial Services (“NYSDFS” or “DFS”) published a press release announcing its Final Rule on Transaction Monitoring and Filtering Programs.[i] While this rule expressly applies to institutions supervised by NYSDFS, the scope of the potential ramifications extends to every banking institution in the United States (“U.S.”). The way in which this rule, particularly Part 504, is interpreted will significantly impact banking institutions’ responses, and, subsequently, the gravity of its overall effect in the banking industry.

The rule is duplicitous, and enforcers at entities obligated to comply must consider the implications of the associated incongruities.  Where the scope of the rule is perceived as narrow or redundant, little weight is given to comprehensive compliance.  Oversights could include something as meticulous as a glitch in the validation of data feeds or as routine as failing to properly or punctually submit the Annual Board Resolution or Senior Officer(s) Compliance Finding form.[ii] Alternately, a misunderstanding or miscommunication between NYSDFS regulators and the supervised institutions under their jurisdiction may lead to otherwise avoidable infractions, such as standards for program funding and personnel training.  In any case, when institutions take reasonable measures to comply and the interpretation by the regulator is different, even more lenient, then institutions will have misallocated resources in trying to comply. 

However, the rule is not inherently paradoxical.  The potential disconnect between purpose, response and effectiveness can be reconciled.  It is important for banking institutions to understand the particularities of the rule and assess next steps.  Definitively, not all institutions will be directly in the purview of this rule.  However, the rule’s scope has a much broader reach than may be apparent from simply reading the regulation’s text.  While the effect of the rule is dependent, in part, on the interpretation by individual institutions across the industry, most financial institutions can expect to experience ramifications of an industry-wide response due to NYSDFS’s jurisdiction and its extraterritorial reach.  Namely, New York State is a banking and financial hub not only for National banks with branches or agencies around the country but also for international banks with branches or offices in the U.S. 

New York State has one of the highest concentrations of institutions under financial regulatory supervision.  The NYSDFS’ 2016 annual report shows the following:

  • The Community and Regional Banks (“CRB”) Unit has supervisory oversight of 83 banking and saving institutions;
  • The Foreign and Wholesale Banks (“FWB”), which is responsible for the regulatory oversight of branches, agencies, and representative offices of Foreign Banking Organizations, wholesale domestic banks, Article XII investment companies and one private bank, has supervision over a total of 204 institutions;
  • Licensed Financial Services (“LFS”) has regulatory oversight of 32 budget planners, 110 check cashers, 14 licensed lenders, 87 money transmitters, 45 premium finance agencies, and 92 sales finance companies;
  • In addition, the Real Estate Finance Division’s Mortgage Banking Unit, the Mortgage Assistance Unit, and the Mobile Command Center is responsible for the licensing and supervision of mortgage bankers.

Nearly half of the foreign banks operating in the U.S. are regulated by the NYSDFS.[iii] Per the NYSDFS 2016 annual report, of the 679 institutions operating in New York State, 112 are considered foreign branches and 13 are foreign agencies; and of the 234 with State charter, 95 of those are foreign branches and agencies. 28 of the foreign institutions operate under a Federal charter.[iv] The New York State listing of chartered and licensed banking, lending and financial services institutions shows 86 institutions with foreign branches and 13 institutions with foreign agencies. Furthermore, many New York State banks have offices and/or branches in other states.[v]

Moreover, regardless of whether a bank is directly affected by this rule in April of 2018, any rule of this sort, especially if enforced strictly – a hallmark of NYSDFS supervision – sets a precedent for many banks not directly regulated by NYSDFS. Such a precedent can act as a domino knocking its neighbor in a lineup; the cumulative effect is that institutions follow suit as if by mechanical compulsion. Historical examples of a “domino effect” include the targeted review practice, e.g., the Federal Reserve Bank of New York’s correspondent banking peer review in 2004. What many believed to be a standard safety and soundness peer review of banks conducting correspondent banking resulted in numerous institutions being penalized for money laundering, lack of controls, or insufficient due diligence. This was the beginning of the phenomenon that has come to be known as “De-Risking” because almost all the banks reviewed collectively began to shut down banking avenues in Belarus, Latvia and Estonia. This type of “domino effect” may also occur as a result of NYSDFS Part 504 and may impact institutions outside of the NYS regulatory reach! Thus, non-member or out-of-state banks should consider the following: once enforcement commences, what other states will follow, and which down-stream or related institutions will be impacted?

The “precedent factor” and “domino effect” are synecdoche of “de facto regulation.” For the purposes of this discussion, de facto regulations are those created when regulators or consultants label certain practices “industry best practices,” a label that compels organizations to react to an industry trend even when and where it is not applicable.  Part 504 regulation may produce relevant examples and set a precedent for similar institutions to reference; nevertheless, it may create a mandate to comply with reputational, non-official “industry best practices.”  Ultimately, financial institutions must examine their unique circumstance to see whether they should be taking steps to bridge their business and various regulatory requirements to be compatible with Part 504.

II. Key Points

Of course, the first step in responding to the rule is understanding the key points and the regulators’ intent.  At its core, Part 504 is a response to shortcomings in the transaction monitoring and filtering programs of regulated Institutions (as defined by DFS) with applicable Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) and Office of Foreign Assets Control (“OFAC”) requirements; it is meant to address deficiencies or gaps in institutions’ compliance programs subject to preceding rules and regulations.  The first section on transaction monitoring states that such programs should be risk-based – on the institution’s risk assessment, reviewed periodically at risk-based intervals, appropriately match BSA/AML risks to the operations of the institution – subject to “end-to-end, pre-and post-implementation testing” and “on-going analysis,” dictated by investigation protocols, and well-documented.  These requirements are reflected in those for the filtering program, which, in addition, must “be based on technology, processes or tools for matching names and accounts, in each case based on the institution’s particular risks, transaction and product profiles.” The rule lists requirements for data identification, validation, and extraction processes for transaction monitoring and filtering programs; ultimately, the rule outlines each element of a transaction monitoring and filtering program, from data feeds to vendor management to government oversight. 

To endorse and document compliance with all the detailed elements of the rule in one fell swoop, each institution is to submit a board resolution or “senior officer compliance finding” to the superintendent of the NYSDFS.  This endorsement, reminiscent of Sarbanes-Oxley (“SOX”) certification programs, serves the purpose of subsuming the details in a ready-made package for regulators.  Still, a board resolution cannot replace the stringent attention to detail this rule requires. 

Part 504 establishes a point-in-time review that looks at a “snapshot” of an institution’s adherence to BSA/AML & Sanctions laws. This snapshot ostensibly provides the regulator with an overview of the way in which the institution runs its programs. Of course, this imperative may be complicated to meet satisfactorily. In contrast to the FFIEC examination standards, which offer suggestions for periodic and intermittent review, Part 504 creates an imperative to the FFIEC guidelines, and this is especially apparent in the mandate for annual certification and point-in-time review. Furthermore, given the fact that NYSDFS has a sharing agreement with the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”), does a failure or misrepresentation of a certification result in an immediate referral to FinCEN?

III. Adapting Previous Regulations

In addition to the point-in-time imperative, a unique attribute of the rule is the inclusiveness of other regulatory standards, which makes the scope of the rule ambiguous. While the rule points out many specific bridges between previously mandated regulations, ambiguities remain, and these ambiguities are what necessitate the careful and thoughtful reflection of how the rule will affect an individual organization. For one, the point-in-time review may present added risk to an institution compared to previous regulations. Institutions must be cognizant not only of how their programs are doing at the time of certification, but also in the time between certification and review. Another ambiguous element is how institutions will assign ownership and certify each layer of their program, e.g., will they choose a SOX-like sub-certification architecture? Will institutions hold all employees, at all levels, accountable for errors in sub-certifications or just keep pointing to the BSA Officer who supposedly needs to be responsible for each and every certification within an institution?

IV. What are institutions to do? (Now and Later)

No system is perfect. The rule does not take effect until April 15, 2018, but it is insufficient to prepare for that date. To adequately prepare for the date of review, institutions need to have an effective system in place that covers not only up to the point of certification but also the interim between certification and review. An adequate compliance program accounts for its inherent imperfections with built-in, automated review and remediation functions. For example, should there be any discrepancies or weaknesses identified during the time of certification and review, an organization should be able to show how they are going to be addressed. Nevertheless, the most important questions for financial institutions to answer will be how to establish a program effectively and sufficiently in order to give management the bases and justification for certifying a program’s effectiveness. It will also be necessary for management to establish a pre-examination plan for closing any gaps. Not to mention, there will be personnel, technology and training costs that were neither originally planned nor budgeted.

Answering to specific asks in a regulation does not make for good compliance. Compliance with any rule or regulation under any jurisdiction is continuous. It requires review and adjustment. No system is perfect, and institutions must consider a holistic approach to rectifying and fortifying their programs to mitigate risk and avoid regulatory reproach. Remember, a remediation plan can be considered part of an AML program if reviewed and approved by management prior to an on-site examination or a breach.

Have an alternate.  Every Olympic team has an alternate athlete that can quickly slide into position should a team member be unable to perform.  With the high rate of compliance officer turnover, make sure that the process and documentation are secure and that the company has at least one backup player with both technical and institutional experience.  Hiring your regulator as a stop-gap is a warning sign to the regulator and the industry!


[i] New York State Department of Financial Services Website. Press Release: DFS Issues Final Anti-Terrorism Transaction Monitoring and Filtering Program Regulation. http://www.dfs.ny.gov/about/press/pr1606301.htm

[ii] New York State Department of Financial Services Website. Regulation Part 504: http://www.dfs.ny.gov/legal/regulations/adoptions/dfsp504t.pdf

[iii] “During 2016, a total of 204 institutions with assets of more than $1.5 trillion were subject to the division’s regulatory oversight. This included 85 branches, 12 agencies and 30 representative offices of Foreign Banking Organizations as well as four Article XII institutions, six trust companies and two limited purpose trust companies, two commercial banks and one private bank.”

[iv] New York State Department of Financial Services Website. Annual Report: http://www.dfs.ny.gov/reportpub/annual/dfs_annualrpt_2016.pdf

[v] Federal Reserve Website. Press Release: https://www.federalreserve.gov/releases/iba/201609/bycntry.htm

 

 

Authors

Sofia McGettigan

Analyst