1. INDUSTRY
ADVISORY FROM
treliant.com
WASHINGTON, DC • NEW YORK, NY • DALLAS, TX
New York DFS Aims to Ratchet up AML Provisions
December 2015
Under new regulations proposed by the New York State Department of Financial Services (DFS), regulated financial
institutions would be required to expand and intensify their anti-money laundering (AML) and counter-terrorist
financing protections. The proposed regulations are more comprehensive and specific than current requirements
stated by the Financial Crimes Enforcement Network (FinCEN), Office of Foreign Assets Control (OFAC), or the
Federal Financial Institutions Examination Council (FFIEC) and may impose significant new burdens on banks
licensed in the State of New York as well as international institutions with branches or agencies in New York. The
new regulations also require institutions to annually certify compliance with the new requirements, and may impose
criminal liability on individual officers who file false or incorrect certifications.
This Industry Advisory summarizes the key requirements for a Transaction Monitoring and Filtering Program and
its two components—the Transaction Monitoring Program and Watch List Filtering Program.
Background and Implications
On December 1, the DFS proposed new AML and counter-terrorist financing regulations regarding transaction
monitoring and sanctions filtering program requirements and certifications. Stating that “Money is the fuel that
feeds the fire of international terrorism,” Governor Andrew M. Cuomo described the important roles that banks and
regulators play in combating terrorism and financial crime. “Global terrorist networks simply cannot thrive without
moving significant amounts of money throughout the world. At a time of heightened global security concerns, it is
especially vital that banks and regulators do everything they can to stop that flow of illicit funds.”
The DFS seeks to address shortcomings in transaction monitoring and filtering programs that have emerged as a
result of recent investigations, noting a lack of robust governance, oversight, and accountability at the senior levels of
some institutions. The Department also expressed concern over the effectiveness of programs currently implemented
to monitor suspicious activity and interdict transactions involving sanctioned persons and entities listed by OFAC, as
well as on registers of politically exposed persons (PEPs) and other internal and external watch lists. Accordingly, the
proposed regulations will clarify the required attributes of a Transaction Monitoring and Filtering Program, require
a Certifying Senior Officer, and mandate Annual Certifications. Significantly, the DFS may impose criminal liability
on Certifying Senior Officers who file incorrect or false Annual Certifications.
The new regulations would require all financial institutions regulated by the DFS to maintain a Transaction Monitoring
Program and Watch List Filtering Program (collectively, a Transaction Monitoring and Filtering Program) with
specific characteristics, including comprehensive risk assessment, end-to-end pre- and post-implementation testing,
easily understandable documentation, ongoing analysis, and training programs. Significantly, financial institutions
would be prohibited from changing the parameters of the program in order to minimize filing of suspicious activity
reports or because the institution does not have adequate resources to review all alerts generated.
The proposed regulations would apply to bank regulated institutions including banks, trust companies, private
bankers, savings banks, and savings and loan associations chartered in New York. They would also cover all branches and
agencies of foreign banking corporations licensed to conduct banking operations in New York, as well as nonbank
regulated institutions including check cashers and money transmitters.
Each institution’s Transaction Monitoring Program and Watch List Filtering Program would need to be based on
ongoing comprehensive risk assessment, including an enterprise-wide Bank Secrecy Act/anti-money laundering
(BSA/AML) risk assessment that takes into account the institution’s size, businesses, services, products, operations,
customers, counterparties, and the geographies and locations of its operations and business relations.
Transaction Monitoring Program Requirements
The Transaction Monitoring Program may be manual or automated, but must:
• Reflect current BSA/AML laws, regulations, and alerts, and consider other relevant information
including “know your customer” due diligence and enhanced due diligence, as well as information
obtained from security, investigations, and fraud prevention;
• Map BSA/AML risks to the institution’s businesses, products, services, customers, and counterparties;
• Use detection scenarios that are based on the institution’s risk assessment, with threshold values and
amounts set to detect money laundering and other suspicious activity;
• Include an end-to-end, pre- and post-implementation testing of the Transaction Monitoring Program,
including governance, data mapping, transaction coding, detection scenario logic, model validation,
data input, and program output, as well as periodic testing;
• Include easily understandable documentation articulating the institution’s current detection scenarios
and underlying assumptions, parameters, and thresholds;
• Include investigative protocols detailing procedures and processes by which transaction monitoring
alerts will be investigated, the process for deciding which alerts will result in filings or other action,
who is responsible for filing and other decisions, and documentation of investigations and the decision-
making process; and
• Be subject to ongoing analysis to assess continued relevancy of detection scenarios, underlying rules,
threshold values, parameters, and assumptions.
Watch List Filtering Program Requirements
The Watch List Filtering Program must be capable of interdicting transactions prohibited by OFAC and other
sanctions requirements before their execution. It may be manual or automated, but must:
• Be based on technology or tools for matching names and accounts (including, as necessary, “fuzzy
logic” or culture-based name conventions) based on the institution’s particular risks, transaction types,
and product profiles;
• Include an end-to-end, pre- and post-implementation testing of the Watch List Filtering Program,
including data mapping, an evaluation of whether the watch lists and threshold settings map to the
institution’s particular risks, the logic of matching technology or tools, model validation, data input, and
Watch List Filtering Program output;
• Incorporate watch lists that reflect current legal or regulatory requirements;
• Be subject to ongoing analysis to assess the logic and performance of the technology or tools for
matching names and accounts, as well as the watch lists and threshold settings used to ensure that they
continue to map to the risks of the institution; and
• Include easily understandable documentation that articulates the intent and design of the program tools
or technology.
Overall Transaction Monitoring and Filtering Program Requirements
The two programs collectively must:
• Identify all data sources that contain relevant data;
• Validate the integrity, accuracy, and quality of data to ensure the accuracy and completeness of data
flowing through the programs;
• Ensure complete and accurate transfer of data from its sources to automated systems, if automated
systems are used;
• Require governance and management oversight, including policies and procedures governing changes
to the programs such that all changes are defined, managed, controlled, reported, and audited;
• Require vendor selection processes if a third party vendor is used to acquire, install, implement, or test
any aspect of the Transaction Monitoring and Filtering Program;
• Be adequately funded to ensure design, implementation, and maintenance of programs that are
compliant with the proposed regulations;
• Designate qualified internal personnel or external consultants to be responsible for the design, planning,
implementation, operation, testing, validation, and ongoing analysis of the program, including
automated systems if applicable, as well as case management, review, and decision-making with regard
to generated alerts and potential filings; and
• Provide for periodic training of all stakeholders with regard to the Transaction Monitoring and Filtering
Program.
Special note should be taken of the prohibition against making changes or alterations to the Transaction Monitoring
and Filtering Program to avoid or minimize the number of suspicious activity reports filed, or because the institution
does not have the resources to review the number of alerts generated by the required programs, or to otherwise avoid
compliance with regulatory requirements.