12/16/15 N.Y. St. Reg. DFS-50-15-00004-P
NEW YORK STATE REGISTER
VOLUME XXXVII, ISSUE 50
December 16, 2015
RULE MAKING ACTIVITIES
DEPARTMENT OF FINANCIAL SERVICES
PROPOSED RULE MAKING
NO HEARING(S) SCHEDULED
I.D. No. DFS-50-15-00004-P
Regulating Transaction Monitoring and Filtering Systems Maintained by Banks, Check Cashers and Money Transmitters
PURSUANT TO THE PROVISIONS OF THE State Administrative Procedure Act, NOTICE is hereby given of the following proposed rule:
Proposed Action:
Addition of Part 504 to Title 3 NYCRR.
Statutory authority:
Banking Law, sections 37(3), (4) and 672; Financial Services Law, section 302
Subject:
Regulating Transaction Monitoring and Filtering Systems maintained by banks, check cashers and money transmitters.
Purpose:
To improve efficiency and transparency in the mortgage banker and mortgage broker licensing process.
Text of proposed rule:
Part 504
BANKING DIVISION TRANSACTION MONITORING AND FILTERING PROGRAM REQUIREMENTS AND CERTIFICATIONS
§ 504.1 Background.
The Department of Financial Services (the “Department”) has recently been involved in a number of investigations into compliance by Regulated Institutions, as defined below, with applicable Bank Secrecy Act/Anti-Money Laundering laws and regulations [1] (“BSA/AML”) and Office of Foreign Assets Control (“OFAC”) [2] requirements implementing federal economic and trade sanctions. [3]
As a result of these investigations, the Department has become aware of the shortcomings in the transaction monitoring and filtering programs of these institutions and that a lack of robust governance, oversight, and accountability at senior levels of these institutions has contributed to these shortcomings. The Department believes that other financial institutions may also have shortcomings in their transaction monitoring programs for monitoring transactions for suspicious activities, and watch list filtering programs, for “real-time” interdiction or stopping of transactions on the basis of watch lists, including OFAC or other sanctions lists, politically exposed persons lists, and internal watch lists.
To address these deficiencies, the Department has determined to clarify the required attributes of a Transaction Monitoring and Filtering Program and to require a Certifying Senior Officer, as defined below, of Regulated Institutions, to file Annual Certifications, in the form set forth herein, regarding compliance by their institutions with the standards described in this Part.
This regulation implements these requirements.
§ 504.2 Definitions.
The following definitions apply in this Part:
(a) “Annual Certification” means a certification in the form set forth in Attachment A.
(b) “Bank Regulated Institutions” means all banks, trust companies, private bankers, savings banks, and savings and loan associations chartered pursuant to the New York Banking Law (the “Banking Law”) and all branches and agencies of foreign banking corporations licensed pursuant to the Banking Law to conduct banking operations in New York.
(c) “Certifying Senior Officer” means the institution’s chief compliance officer or their functional equivalent.
(d) “Nonbank Regulated Institutions” shall mean all check cashers and money transmitters licensed pursuant to the Banking Law.
(e) “Regulated Institutions” means all Bank Regulated Institutions and all Nonbank Regulated Institutions.
(f) “Risk Assessment” means an on-going comprehensive risk assessment, including an enterprise wide BSA/AML risk assessment, that takes into account the institution’s size, businesses, services, products, operations, customers/counterparties/other relations and their locations, as well as the geographies and locations of its operations and business relations;
(g) “Suspicious Activity Reporting” means a report required pursuant to 31 U.S.C. § 5311 et seq. that identifies suspicious or potentially suspicious or illegal activities.
(h) “Transaction Monitoring Program” means a program that includes the attributes specified in Subdivisions (a), (c) and (d) of Section 504.3.
(i) “Watch List Filtering Program” means a program that includes the attributes specified in Subdivisions (b), (c) and (d) of Section 504.3.
(k) “Transaction Monitoring and Filtering Program” means a Transaction Monitoring Program, and a Watch List Filtering Program, collectively.
§ 504.3 Transaction Monitoring and Filtering Program Requirements.
(a) Each Regulated Institution shall maintain a Transaction Monitoring Program for the purpose of monitoring transactions after their execution for potential BSA/AML violations and Suspicious Activity Reporting, which system may be manual or automated, and which shall, at a minimum include the following attributes:
1. be based on the Risk Assessment of the institution;
2. reflect all current BSA/AML laws, regulations and alerts, as well as any relevant information available from the institution’s related programs and initiatives, such as "know your customer due diligence", "enhanced customer due diligence" or other relevant areas, such as security, investigations and fraud prevention;
3. map BSA/AML risks to the institution’s businesses, products, services, and customers/counterparties;
4. utilize BSA/AML detection scenarios that are based on the institution’s Risk Assessment with threshold values and amounts set to detect potential money laundering or other suspicious activities;
5. include an end-to-end, pre-and post-implementation testing of the Transaction Monitoring Program, including governance, data mapping, transaction coding, detection scenario logic, model validation, data input and Program output, as well as periodic testing;
6. include easily understandable documentation that articulates the institution’s current detection scenarios and the underlying assumptions, parameters, and thresholds;
7. include investigative protocols detailing how alerts generated by the Transaction Monitoring Program will be investigated, the process for deciding which alerts will result in a filing or other action, who is responsible for making such a decision, and how investigative and decision-making process will be documented; and
8. be subject to an on-going analysis to assess the continued relevancy of the detection scenarios, the underlying rules, threshold values, parameters, and assumptions.
(b) Each Regulated Institution shall maintain a Watch List Filtering Program for the purpose of interdicting transactions, before their execution, that are prohibited by applicable sanctions, including OFAC and other sanctions lists, and internal watch lists, which system may be manual or automated, and which shall, at a minimum, include the following attributes:
1. be based on the Risk Assessment of the institution;
2. be based on technology or tools for matching names and accounts [4], in each case based on the institution’s particular risks, transaction and product profiles;
3. include an end-to-end, pre- and post-implementation testing of the Watch List Filtering Program, including data mapping, an evaluation of whether the watch lists and threshold settings map to the risks of the institution, the logic of matching technology or tools, model validation, and data input and Watch List Filtering Program output;
4. utilizes watch lists that reflect current legal or regulatory requirements;
5. be subject to on-going analysis to assess the logic and performance of the technology or tools for matching names and accounts, as well as the watch lists and the threshold settings to see if they continue to map to the risks of the institution; and
6. include easily understandable documentation that articulates the intent and the design of the Program tools or technology.
(c) Each Transaction Monitoring and Filtering Program shall, at a minimum, require the following:
1. identification of all data sources that contain relevant data;
2. validation of the integrity, accuracy and quality of data to ensure that accurate and complete data flows through the Transaction Monitoring and Filtering Program;
3. data extraction and loading processes to ensure a complete and accurate transfer of data from its source to automated monitoring and filtering systems, if automated systems are used;
4. governance and management oversight, including policies and procedures governing changes to the Transaction Monitoring and Filtering Program to ensure that changes are defined, managed, controlled, reported, and audited;
5. vendor selection process if a third party vendor is used to acquire, install, implement, or test the Transaction Monitoring and Filtering Program or any aspect of it;
6. funding to design, implement and maintain a Transaction Monitoring and Filtering Program that complies with the requirements of this Part;
7. qualified personnel or outside consultant responsible for the design, planning, implementation, operation, testing, validation, and on-going analysis, of the Transaction Monitoring and Filtering Program, including automated systems if applicable, as well as case management, review and decision making with respect to generated alerts and potential filings; and
8. periodic training of all stakeholders with respect to the Transaction Monitoring and Filtering Program.
(d) No Regulated Institution may make changes or alterations to the Transaction Monitoring and Filtering Program to avoid or minimize filing suspicious activity reports, or because the institution does not have the resources to review the number of alerts generated by a Program established pursuant to the requirements of this Part, or to otherwise avoid complying with regulatory requirements.
§ 504.4 Annual Certification.
To ensure compliance with the requirements of this Part, each Regulated Institution shall submit to the Department by April 15th of each year Certifications duly executed by its Certifying Senior Officer in the form set forth in Attachment A.
§ 504.5 Penalties/Enforcement Actions.
All Regulated Institutions shall be subject to all applicable penalties provided for by the Banking Law and the Financial Services Law for failure to maintain a Transaction Monitoring Program, or a Watch List Filtering Program complying with the requirements of this Part and for failure to file the Certifications required under Section 504.4 hereof. A Certifying Senior Officer who files an incorrect or false Annual Certification also may be subject to criminal penalties for such filing.
§ 504.6 Effective Date.
This Part shall be effective immediately. It shall apply to all State fiscal years beginning with the Fiscal Year starting on April 1, 2017.
ATTACHMENT A
__________
(Regulated Institution Name)
APRIL 15, 20__
Annual Certification For Bank Secrecy Act/Anti-Money Laundering and Office of Foreign Asset Control Transaction Monitoring and Filtering Programs
to
New York State Department of Financial Services
In compliance with the requirements of the New York State Department of Financial Services (the “Department”) that each Regulated Institution maintain a Transaction Monitoring and Filtering Program satisfying all the requirements of Section 504.3 and that a Certifying Senior Officer of a Regulated Institution sign an annual certification attesting to the compliance by such institution with the requirements of Section 504.3, each of the undersigned hereby certifies that they have reviewed, or caused to be reviewed, the Transaction Monitoring Program and the Watch List Filtering Program (the “Programs”) of (name of Regulated Institution) as of _________ (date of the Certification) for the year ended______(year for which certification is provided) and hereby certifies that the Transaction Monitoring and Filtering Program complies with all the requirements of Section 504.3.
By signing below, the undersigned hereby certifies that, to the best of their knowledge, the above statements are accurate and complete.
Signed:
Name: _______________ Date: ________
Chief Compliance Officer or equivalent
_______________
[1] With respect to federal laws and regulations, see 31 U.S.C. 5311, et seq. and 31 CFR Chapter X. For New York State regulations, see Part 115 (3 NYCRR 115), Part 116 (3 NYCRR 116), Part 416 (3 NYCRR 416) and Part 417 (3 NYCRR 417).
[2] 31 CFR part 501 et seq.
[3] For information regarding the United States Code, the Code of Federal Regulations and the Federal Register, see Supervisory Policy G-1.
[4] The technology used in this area by some firms is based on automated tools that develop matching algorithms, such as those that use various forms of so-called “fuzzy logic” and culture-based name conventions to match names. This regulation does not mandate the use of any particular technology, only that the system or technology used must be adequate to capture prohibited transactions.
Text of proposed rule and any required statements and analyses may be obtained from:
Gene C. Brooks, New York State Department of Financial Services, One State Street, New York, NY 10004, (212) 709-1663, email: [email protected]
Data, views or arguments may be submitted to:
Same as above.
Public comment will be received until:
45 days after publication of this notice.
Regulatory Impact Statement
1. Statutory Authority.
Pursuant to Sections 37(3) and 37(4) of the New York Banking Law (the “BL”), the Department of Financial Services (the “Department”) has broad authority to require reports from state-chartered banks, private banks, trust companies, credit unions, licensed branches and agencies of foreign bank corporations, licensed check cashers and licensed money transmitters (each a “Covered Institution”). The Department also has broad authority to prescribe the form of all such reports pursuant to these two provisions. In addition, Section 302 of the Financial Services Law (“FSL”) provides the Department with equally broad authority to adopt regulations relating to “financial products and services” which are broadly defined in the FSL to mean essentially any product or services offered by a regulated institution. Accordingly, the Department has ample authority to adopt the proposed regulation.
In addition, Section 672 of the BL imposes potential criminal liability on individuals submitting reports containing false entries or statements.
2. Legislative Objectives.
The BL and the FSL are both intended to ensure the safe and sound operation of the financial system. The proposed regulation is intended to ensure that the financial system is not used for money laundering, sanctions violations, or terrorist funding purposes. This goal is perfectly consistent with the objective of the BL and FSL. Federal Bank Secrecy Act/Anti-Money Laundering laws and regulations and Office of Foreign Assets Control requirements (together, “Requirements”) generally prohibit financial institutions from engaging in or facilitating money laundering, sanctions violations, and funding for terrorist or criminal organizations and countries.
The proposed rule creates a more granular framework for a chief compliance officer or their functional equivalent at a Covered Institution to follow in designing, implementing and maintaining a program that ensures compliance by their institutions with the Requirements.
3. Needs and Benefits.
The proposed rule does not change existing compliance requirements imposed on Covered Institutions. Rather, it mandates that the chief compliance officer at these institutions file an annual certification with the Department regarding compliance by their institution with the Requirements. It is the Department’s intent that this certification requirement will cause compliance officers to proactively ensure compliance by their institutions with the Requirements.
4. Costs.
All Covered Institutions are currently subject to existing federal Requirements. The proposed regulation provides more granular guidance and requires the chief compliance officer or their functional equivalent at a Covered Institution to certify compliance with the proposal. It is the Department’s intent that this certification requirement will cause compliance officers to proactively ensure compliance by their institutions with existing federal Requirements. The cost of complying with the proposed regulation generally should have been incurred previously to ensure compliance. Hence, it is arguable that only costs associated with the proposed regulation reflect costs that institutions should have expensed in the past.
5. Local Government Mandates.
This proposal imposes no program, service, duty or responsibility upon any county, city, town, village, school district or other special district.
6. Paperwork.
The regulation does not change the process utilized by the Department to determine compliance with the Requirements. However, it does require Covered Institutions to document their compliance with the requirements of this proposal. Nevertheless, it is not believed that this requirement will be significant as Covered Institutions are already required to maintain compliance programs applicable to the Requirements. This proposal will only require that such compliance be documented.
7. Duplication.
The regulation does not duplicate, overlap or conflict with any other regulations.
8. Alternatives.
The Department is not aware of any alternatives to the proposed rule.
9. Federal Standards.
Not applicable.
10. Compliance Schedule.
The proposed rule will become applicable upon formal adoption.
Regulatory Flexibility Analysis
1. Effect of the Rule:
The proposed rule does not have any impact on local governments.
The proposed rule sets forth a methodology to be used by the Banking Division of the Department of Financial Services (the “Department”) to assess the processes and systems used by chartered banks, private banks, trust companies, licensed branches and agencies of foreign banking corporations, licensed check cashers and licensed money transmitters (each a “Covered Institution”) to comply with federal Bank Secrecy Act, Anti-Money Laundering laws and regulations and Office of Foreign Assets Control requirements (together, “Requirements”). The regulation should not significantly increase existing compliance costs of these entities. Rather, this new regulation requires that the chief compliance officer or their functional equivalent at these entities take steps to ensure compliance by their institutions with existing federal Requirements. Those Requirements, which are implemented under both federal and state law, protect against money laundering, sanctions violations, and funding for terrorist or criminal organizations and countries.
2. Compliance Requirements:
The proposed rule does not change existing compliance requirements imposed on Covered Institutions, except that it creates a more granular framework for the chief compliance officer or their functional equivalent for these institutions to follow in designing, implementing and maintaining a program that ensures compliance by their institutions with existing federal Requirements. It is the Department’s intent that this new certification requirement will cause compliance officers or their functional equivalents to proactively ensure compliance by their institutions with federal Requirements.
3. Professional Services:
None beyond existing costs to comply with the Requirements under applicable federal and state law.
After their review of the requirements of this proposal, certain institutions may decide to engage third party service providers to ensure compliance with applicable federal and state laws and regulations.
4. Compliance Costs:
All Covered Institutions are currently subject to existing federal Requirements. Depending on the size of the institution, regulatory compliance systems or processes may be manual or automated. The proposed regulation provides more granular guidance and requires the chief compliance officer or their functional equivalent at a Covered Institution to certify compliance with the proposal. It is the Department’s intent that this certification requirement will cause compliance officers to proactively ensure compliance with existing federal requirements. The cost of compliance with the new rule generally should have been incurred previously to ensure compliance. Hence, it is arguable that only costs associated with the proposed regulation reflect costs that institutions should have incurred in the past.
5. Economic and Technological Feasibility:
Covered Institutions should already have in place processes and systems, whether manual or automated to ensure compliance with the Requirements. At most, the proposed regulation will focus the attention of institutions on the adequacy of existing systems.
6. Minimizing Adverse Impacts:
As noted above, the proposed regulation does not impose a substantially new regulatory requirement. Rather, it is intended to cause institutions to review their systems and processes to ensure their adequacy.
7. Small Business and Local Government Participation:
This regulation does not impact local governments. Covered Institutions will be able to comment on the rule during the public comment period.
As noted above, under existing federal and state law designed to protect against money laundering and funding for terrorist organizations and countries, Covered Institutions already must have systems and processes in place to protect against money laundering and funding for terrorist organizations and countries. The proposed regulation is intended merely to foster compliance with existing requirements.
Rural Area Flexibility Analysis
A Rural Area Flexibility Analysis for these amendments is not being submitted because the amendments will not impose any adverse impact or significant reporting, record keeping or other compliance requirements on public or private entities in rural areas. There are no professional services, capital, or other compliance costs imposed on public or private entities in rural areas as a result of the amendments.
Job Impact Statement
A Job Impact Statement for the proposed amendments is not being submitted because it is apparent from the nature and purposes of the amendments that they will not have a substantial adverse impact on jobs and/or employment opportunities.