June 30, 2016
Contact: Richard Loconte, (212) 709-1691
DFS ISSUES FINAL ANTI-TERRORISM TRANSACTION MONITORING AND FILTERING PROGRAM REGULATION
The risk-based banking rule takes effect January 1, 2017.
Financial Services Superintendent Maria T. Vullo today announced that the Department of Financial Services (DFS) has adopted a risk-based anti-terrorism and anti-money laundering regulation that requires regulated institutions to maintain programs to monitor and filter transactions for potential Bank Secrecy Act (BSA) and anti-money laundering (AML) violations and prevent transactions with sanctioned entities. The final regulation requires regulated institutions annually to submit a board resolution or senior officer compliance finding confirming steps taken to ascertain compliance with the regulation.
“Financial institutions doing business in New York must do everything they can to help stem the tide of illegal financial transactions that fund terrorist activity,” said Financial Services Superintendent Maria T. Vullo. “It is time to close the compliance gaps in our financial regulatory framework to shut down money laundering operations and eliminate potential channels that can be exploited by global terrorist networks and other criminal enterprises.”
The risk-based rule adopted by DFS today takes into consideration comments that were submitted by the financial services industry and others during the extended comment period for the previously proposed regulation, which ended March 31, 2016.
Under the new rule, which will be effective January 1, 2017, relevant regulated institutions are required to review their transaction-monitoring and filtering programs and ensure that they are reasonably designed to comply with risk-based safeguards. The institutions also must adopt (at the institution’s option) an annual board resolution or senior officer compliance finding to certify compliance with the DFS regulation beginning April 15, 2018. The resolution or finding must state that documents, reports, certifications and opinions of officers and other relevant parties have been reviewed by the board of directors or senior official to certify compliance with the regulation.
Institutions must maintain supporting data for the certification, for review by DFS, for five years.
The key requirements of the new DFS anti-terrorism and anti-money laundering regulation include the following:
Maintain a Transaction Monitoring Program
Each relevant regulated institution shall maintain a reasonably designed program for the purpose of monitoring transactions after their execution for potential BSA/AML violations and Suspicious Activity Reporting. The system, which may be manual or automated, shall, at a minimum, to the extent they are applicable:
- Be based on the risk assessment of the institution;
- Be reviewed and periodically updated at risk-based intervals to take into account and reflect changes to applicable BSA/AML laws, regulations and regulatory warnings, as well as any other information determined by the institution to be relevant from the institution’s related programs and initiatives;
- Appropriately match BSA/AML risks to the institution’s businesses, products, services and customers/counterparties;
- BSA/AML detection scenarios with threshold values and amounts designed to detect potential money laundering or other suspicious or illegal activities;
- End-to-end, pre- and post-implementation testing of the Transaction Monitoring Program, including, as relevant, a review of governance, data mapping, transaction coding, detection scenario logic, model validation, data input and program output;
- Documentation that articulates the institution’s current detection scenarios and the underlying assumptions, parameters and thresholds;
- Protocols setting forth how alerts generated by the Transaction Monitoring Program will be investigated, the process for deciding which alerts will result in a filing or other action, the operating areas and individuals responsible for making such a decision, and how the investigative and decision-making process will be documented; and
- Be subject to an on-going analysis to assess the continued relevance of the detection scenarios, the underlying rules, threshold values, parameters and assumptions.
Maintain a Watch List Filtering Program
Each relevant regulated institution shall maintain a reasonably designed filtering program for the purpose of interdicting transactions that are prohibited by federal economic and trade sanctions, and which shall include the following, to the extent they are applicable:
- Be based on the risk assessment of the institution;
- Be based on technology, processes or tools for matching names and accounts, in each case based on the institution’s particular risks, transaction and product profiles;
- End-to-end, pre- and post-implementation testing of the Filtering Program, including, as relevant, a review of data matching, an evaluation of whether the Office of Foreign Assets Control sanctions list and threshold settings map to the risks of the institution, the logic of matching technology or tools, model validation, and data input and program output;
- Be subject to on-going analysis to assess the logic and performance of the technology or tools for matching names and accounts, as well as the OFAC sanctions list and the threshold settings to see if they continue to map to the risks of the institution; and
- Documentation that articulates the intent and design of the Filtering Program tools, processes or technology.
Each Transaction Monitoring and Filtering Program shall require the following, to the extent they are applicable:
- Identification of all data sources that contain relevant data;
- Validation of the integrity, accuracy and quality of data to ensure that accurate and complete data flows through the Transaction Monitoring and Filtering Program;
- Data extraction and loading processes to ensure a complete and accurate transfer of data from its source to automated monitoring and filtering systems, if automated systems are used;
- Governance and management oversight, including policies and procedures governing changes to the Transaction Monitoring and Filtering Program to ensure that changes are defined, managed, controlled, reported and audited;
- Vendor selection process if a third party vendor is used to acquire, install, implement or test the Transaction Monitoring and Filtering Program or any aspect of it;
- Funding to design, implement and maintain a Transaction Monitoring and Filtering Program that complies with the requirements of the regulation;
- Qualified personnel or outside consultant responsible for the design, planning, implementation, operation, testing, validation and on-going analysis of the Transaction Monitoring and Filtering Program, including automated systems if applicable, as well as case management, review and decision making with respect to generated alerts and potential filings; and
- Periodic training with respect to the Transaction Monitoring and Filtering Program.
Annual Board Resolution or Senior Officer Compliance Finding
To ensure compliance with the requirements, each regulated institution shall adopt and submit to the Superintendent a board resolution or senior officer compliance finding by April 15 of each year. Each regulated institution shall maintain for examination by DFS all records, schedules and data supporting adoption of the board resolution or senior officer compliance finding for a period of five years.
The regulation will be published in an upcoming edition of the New York State Register.