New York Regulators Scrutinize Bank AML Transaction Monitoring Processes

The New York State (“NYS”) Department of Financial Services (“DFS”) has aggressively pursued sanctions against banks failing to comply with applicable anti-money laundering (“AML”) laws and regulations under the Bank Secrecy Act (“BSA”) and/or economic and trade sanction requirements issued by the Treasury Department’s Office of Foreign Assets Control (“OFAC”).  In August 2016, the DFS fined a Taiwanese bank $180 million for the multiple BSA/AML and OFAC failures by its New York branch, including internal control weaknesses and failure to report suspicious activities identified in high risk jurisdictions.  Similarly, on December 15, 2016, the DFS fined an Italian bank for AML failures by its New York branch, including deficient AML transaction monitoring and trade sanctions filtering programs. 

New York-based banking entities can expect such DFS enforcement actions to only intensify.  The aforementioned enforcement actions illustrate the DFS’s focus on compliance with BSA/AML and OFAC requirements.  A key driver for continued enforcement actions will be the DFS’s June 30, 2016 rule requiring certain New York financial institutions to enhance their BSA/AML and OFAC compliance programs.  Pursuant to Part 504 of the DFS’s Superintendent’s Regulations (“Final Rule”) (which becomes effective January 1, 2017), all Regulated Institutions¹ are required to maintain (a) Transaction Monitoring Programs reasonably designed to monitor for BSA/AML violations and suspicious activities; and (b) Filtering Programs reasonably designed to interdict transactions prohibited by OFAC.

The Final Rule articulates many requirements for a Regulated Institution’s Transaction Monitoring and Filtering Program (collectively referred to as the “Program”), including  the following key areas that track closely to conventional AML requirements:

1. Risk Assessments – Each Regulated Institution must perform a risk assessment related to its products, services, customers, counterparties and geographic locations.  The DFS previous enforcement actions have cited instances where a firm conducted inadequate risk assessments, including not adequately accounting for transactions and accounts set up in high risk jurisdictions.  The Final Rules identify risk assessments serve as critical foundations for the Program.
2. Data Matching – The Filtering Program must be based on technology, process or tools for matching names and accounts based on the institutions risk profile.  Both before and after implementing the Filtering Program, Regulated Institutions must test the data matching and whether the institution’s threshold settings on the OFAC sanctions list map to the institution’s risks.  It
3. Data Identification and Integrity – The Program requires proper identification of all data sources, validation of data integrity, and complete and accurate data extraction processes.  This requirement directly impacts processes related to payments and wire and automated clearing house (“ACH”) transfers, where Regulated Entities must properly match customer account data with risk assessment ratings.
4. Governance and Oversight – Applicable policies and procedures must be reasonably designed to ensure Program changes are defined, managed, controlled, reported and audited.  Governance and management oversight failures have been previously cited as sources of AML deficiencies,
5. Vendor Management – If using a third-party vendor for the Program, Regulation Institutions must follow a robust vendor selection process.
6. Dedicated Personnel – Whether internal resources of external consultants have responsibility over the Program, Regulated Institutions must employ qualified persons in review and decision making with AML and trade sanctions alerts and potential suspicious activity reporting.
7. Training – Similar to all AML programs, all Program stakeholders should receive periodic training (usually at least annually).

Again: The Final Rule becomes effective January 1, 2017. Regulated Institutions are required to submit their compliance findings to the Senior Officer beginning April 15, 2018.  As the DFS is expected to continue aggressive AML enforcement over banks, Regulated Institutions face significant challenges in complying with the Final Rule, in addition to meeting their core AML obligations.