Transaction Monitoring Certification (504)
As of January 1, 2017, regulated institutions must maintain programs to monitor and filter transactions for potential Bank Secrecy Act (BSA) and anti-money laundering (AML) violations, prevent transactions with sanctioned entities, and certify compliance with the regulation annually to DFS. The first certification of compliance was due April 16, 2018. Regulated Institutions should submit the required certification covering the prior calendar year by April 15 of each year via the DFS Portal.
"As Of” Date for Certification
The Department expects full compliance with the regulation. A Regulated Institution may not submit a certification under 3 NYCRR 504.7 unless the Regulated Institution is in compliance with the requirements of Part 504 as of the effective date of the certification.
Submit your Certification of Compliance
In order to submit your certification of compliance, a Portal account is required. Please create a DFS Portal Account if you don’t already have one. Once you have successfully logged in you can submit a Regulation 504 compliance certification via our secure portal:
Regulated Institutions are not required to submit explanatory or additional materials with their certification. The certification is intended as a stand-alone document required by the regulation.
The Department does expect that the Regulated Institution maintain documents and records necessary to support the certification, should the Department request such information in the future. Likewise, under 3 NYCRR 504.3(d), to the extent a Regulated Institution has identified areas, systems, or processes that require material improvement, updating or redesign, the Regulated Institution must document such efforts and maintain such schedules and documentation for inspection during the examination process or as otherwise requested by the Department.
Pre-Implementation Testing of Operational Systems
The Department will not require full end-to-end, pre-implementation testing of systems that the Institution uses that were operational prior to the effective date of the regulation, as is required when adopting new systems. However, under 3 NYCRR 504.3(a)(2), Regulated Entities’ systems and programs must “be reviewed and periodically updated at risk-based intervals” and thus Regulated Institutions are expected to conduct periodic risk based systems testing and data validation on all systems that support the transaction monitoring and filtering program.
Vendor Selection for Vendors Engaged Prior to Regulation
The Department does not require a regulated institution to conduct a vendor selection process for vendors that were engaged prior to the effective date of the regulation, as is now required when hiring a new vendor to acquire, install, implement or test the transaction monitoring and filtering program. However, on an ongoing basis, 3 NYCRR 504.3(c)(7) requires Regulated Institutions to engage qualified personnel or outside consultants for these purposes and as such Regulated Entities should have processes in place to confirm that the personnel and vendors it has engaged to execute its transaction monitoring and filtering program are qualified and competent.
Questions related to Transaction Monitoring filings or compliance should be directed to [email protected].