Are Banks Bracing for Tougher Compliance?
Every new AML regulation – or update – is meant to prompt banks and financial institutions to improve their compliance efforts. The latest announcement by the New York State Department of Financial Services (NYS DFS), enacting Part 504, is another such regulatory measure. Initially the impact will be felt only in New York, but we suspect its effects will be felt broadly very soon.
Anti-money laundering (AML) has assumed immense importance in the banking and financial services industry globally over the last decade and a half. Banks and financial institutions (FIs) have been strengthening their AML policies, governance and oversight, procedures and platforms to track and report money laundering. AML regulations and guidelines are constantly reviewed by a multitude of regulatory bodies, both global and local. Moreover, compliance by banks and FIs is strictly monitored to prevent money laundering in general and terrorist financing in particular. Regulators are concerned not just about the end reporting of suspicious activities, but also about the process followed to arrive at that report, so that it is repeatable and maintains the same level of accuracy.
The latest announcement by the New York State Department of Financial Services (NYS DFS), imposing Part 504 – Banking Division Transaction Monitoring and Filtering Program Requirements & Certifications[1] – is another such regulatory measure. This regulation came into effect on January 1, 2017 with the first annual AML certification required to be submitted by regulated institutions in April 2018. This paper attempts to examine the new rule closely and in particular, the manner in which it impacts banks and FIs in New York, as well as the other states in the U.S. We also explore the possible challenges in implementing the rule, strategic alternative options banks and FIs can adopt, whether this new rule could pave the way for a similar AML rule globally and initiatives banks and FIs can undertake to strengthen their AML programs proactively by leveraging emerging digital technologies in this space.
Decoding Part 504 – Closing Compliance Gaps or Introducing Tougher Norms?
Every new AML regulation, or update to an existing one, is meant to push banks and FIs a notch higher in terms of compliance – be it around restructuring of the governance and oversight framework, compliance parameters and processes or reporting requirements. Serious shortcomings were discovered during the NYS DFS’ investigation of AML programs of various regulated FIs, their transactions, filtering systems and processes. Accordingly, the NYS DFS’ Part 504 rule was formulated to close such compliance gaps and overcome improper governance and oversight. Part 504 also introduced an annual resolution by the board of directors, or compliance findings by the Chief Compliance Officer or an equivalent executive of the FI, to bring about accountability of senior executives in ensuring compliance with the transaction monitoring and filtering program requirements of the Part 504 Final Rule.
A thorough risk assessment of the regulated institutions forms the bedrock of complying with this new rule, as all transaction monitoring and filtering programs need to be based on such a risk profile. A periodic review and end-to-end testing of these programs must also be undertaken according to the FIs’ risk category (i.e., more frequently for high-risk institutions, less frequently for medium- and low-risk ones). This is required to assess the effectiveness and relevance of the programs on a continuous basis and fine-tune them as required. These terms impose significant responsibilities on the FIs, who now have to commit enormous efforts and resources to meet these requirements for compliance.
The rule specifically stipulates the attributes required to be included in the FIs’ transaction monitoring and filtering programs to make them more robust and watertight, while at the same time allowing flexibility to the institutions to frame policies and design their AML programs based on their own risk profiles.
FIs need to have adequate documentation in place for all processes, suspicious activity detection scenarios, thresholds, protocols around alerts, investigation and disposition and process for decision-making on investigation results, to name a few. While some FIs may already have such documentation in place, the rest of them will now have to take up this mammoth activity on a priority basis, as the rule has already taken effect as of January 1, 2017.
The most critical clause, however, remains the Annual Board Resolution or Senior Officer Compliance Findings, which requires every regulated FI to certify on an annual basis that it is compliant with the new rule and has taken all necessary steps to confirm this. Though named as a ‘Board Resolution’ or ‘Findings,’ in essence it is a certification required from senior executives of the FI, thus making them personally liable for breach of compliance with the rule, as an incorrect certification could cause criminal penalties to be imposed on such executives.
Can NYS DFS’ Part 504 Trigger Similar Compliance Rules Globally?
New York is the first U.S. state to have come up with the Part 504 Rule, possibly because of the massive transaction volume that flows through this state and therefore needs strict monitoring. Given that New York City is one of the world’s largest financial hubs, the sheer transaction sizes can be overwhelming, going up to several hundreds or even thousands of million U.S. dollars per transaction! In comparison, California is the largest U.S. state in terms of population as well as number of financial transactions, but the transaction sizes (amount per transaction) may still not compare to New York’s. No wonder then that NYS DFS became the pioneer in bringing about stricter discipline in the compliance offices in their jurisdiction – much more is at stake in every transaction here!
The Part 504 compliance rule will be binding on institutions regulated by NYS DFS within the State of New York. Obviously, institutions outside the purview of this state have no reason to worry about this regulation. However, with AML compliance norms only getting more stringent by the day, other U.S. states and global regulators can also be expected to impose the rules on all institutions going forward as part of routine compliance. New York’s regulated institutions may be the first ones to go through this new compliance, and their success or failure, challenges, initiatives and efforts will have a huge role to play in rolling out norms similar to Part 504 across the U.S. and globally.
While banks and FIs in other states and countries might just be watching the formalization of this new rule from the sidelines, some within the jurisdiction of NYS DFS might also decide to shift headquarters to another state so they need not comply with Part 504. Though such relocation remains a strategic, yet operationally challenging alternative, most regulated institutions have already embarked on the compliance journey (i.e., to take up all activities with respect to aligning their AML policies, governance and oversight, procedures and platforms and so on) to track and report money laundering with the new Part 504 Rule.
How Banks and FIs Can Strengthen Their Compliance Frameworks
Part 504 was announced on June 30, 2016 with the rule coming into effect from January 1, 2017, thus giving regulated institutions six months to plan and implement systems in compliance with the new rule. The first annual certification would be mandatory from April 2018, 15 months after the rule became effective. In the meantime, institutions can adequately test their systems to accommodate the new compliance rule and qualify for the annual certification.
Institutions in other states and countries may well take this as a guideline for strengthening their own AML programs, as a rule that has been set rolling in New York today may well be rolled out to other jurisdictions globally in the near future. All banks and FIs, irrespective of jurisdiction, need to review their existing compliance frameworks and proactively make all efforts to strengthen their systems and processes involved in compliance. This should include:
- Strengthening processes – Banks/FIs need to mandatorily embark on enterprisewide AML risk assessment of the institution and align transaction-monitoring and filtering programs to the institution’s risk. Periodic review of the program must be set at intervals based on this risk level to assess the program performance and make changes if required. They also need to build exhaustive documentation of scenarios, thresholds and parameters to detect suspicious behavior, detailed alert investigation and reporting protocols, if not in place already.
- Upgrading systems and technology – Money-laundering behavior is getting more complex with time, so its monitoring and detection have also evolved through high-end technologies. While many large banks are in the transition process, others need to move from manual and rule-based AML monitoring systems to automated, risk-based robust AML platforms. Such platforms should be enabled for real-time suspicious alert generation, analytics-based anomalous behavior detection and workflow-based case management. The institution must also conduct end-to-end testing of the detection scenarios and model validation of the platform at predetermined frequencies to assess their effectiveness.
- Digital initiatives – Rule-based scenarios for AML are getting redundant, as criminals and offenders find ways to bypass such rules and yet launder money. AML platforms can now be strengthened by using machine learning algorithms, also known as cognitive computing, which can detect outliers and suspicious behavior patterns even when they do not breach any AML scenario. Screening and filtering against watchlists, PEP lists, negative news and adverse media and their disposition have largely been a manual activity so far. But with a steep spike in customer base and transaction volume in banks, such screening and filtering products are now being equipped with artificial intelligence (AI) for quicker and more accurate results. Banks with mature AML programs can enhance their compliance effectiveness by investing in such digital initiatives.
[1] Department of Financial Services Superintendent’s Regulations, Part 504 Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications, published on June 30, 2016. Ref: http://www.dfs.ny.gov/legal/regulations/adoptions/dfsp504t.pdf