Putting management on the line: New York anti-money laundering and sanctions regulations look to senior management for written compliance findings

The New York State Department of Financial Services (“NY DFS”) recently finalized regulations (“Banking Regulations”) requiring state-chartered banking organizations, state-licensed branches and agencies of foreign banks, and state-licensed check cashers and money transmitters (“covered financial institutions”), to maintain “robust” transaction monitoring and filtering systems designed to better enable these financial institutions to comply with relevant federal and state anti-money laundering (“AML”) and federal economic sanctions regulations. The regulations also require specific board and/or senior management to review and execute a written “Compliance Finding” as to the financial institution’s compliance with the regulations.

According to the NY DFS, the new Part 504 of the Banking Regulations was proposed after a series of investigations into AML and sanctions compliance revealed “shortcomings” in their transaction monitoring and watch list filtering systems and a lack of “robust governance, oversight and accountability at senior levels of these institutions.”

This shift in focus by the NY DFS towards the obligations of senior management follows similar changes to the UK regulatory regime, which the UK Financial Conduct Authority (“FCA”) has termed “the beginning of a new era of increased individual accountability.” While the recently implemented Senior Managers and Certification Regime (“SMCR”) in the UK is much broader in scope, it demonstrates common policy objectives of financial regulators in New York and London and highlights the need for responsible individuals to ensure that their business has adequate procedures in place across multiple jurisdictions to avoid AML and sanctions breaches.

This article sets out some of the key areas of the new Part 504 of the Banking Regulations and touches on similarities with the approach to AML and sanctions compliance in the UK.

The proposed Banking Regulations were issued in December 2015 for public comment. As proposed, there were three primary components to the proposed regulations:

• Transaction Monitoring System: The proposal set out the minimum requirements for a system to monitor transactions after their execution for potential AML violations, based on the covered institution’s “Risk Assessment” that takes into account the specific characteristics of, among other things, the institution’s businesses, products, customers, and locations.
• Watch List Filtering Program: The proposal also set out the minimum requirements for a system maintained that will interdict transactions before their execution that are prohibited by applicable economic sanctions and internal and external watch lists; this system too was to be based on the covered institution’s Risk Assessment.
• Chief Compliance Officer Certification: By April 15th of each year, the institution’s Chief Compliance Officer or functional equivalent would be required to certify to the best of the certifier’s knowledge that the institution is in compliance with these regulations.

As noted above on the last point, Chief Compliance Officers would need to certify annually the financial institution’s compliance with the regulations. The term used in the proposal was “Certifying Senior Officer” which was defined as the institution’s Chief Compliance Officer (or functional equivalent) rather than, for example, its chief executive officer. In the commentary accompanying the proposal as published in the New York State Register, the NY DFS noted that the proposal provided a “more granular framework” to follow in ensuring compliance and that the certification requirement was to cause “proactive” compliance by the institutions. Most severely, the proposed regulations stated that a Chief Compliance Officer that filed an “incorrect or false” certification might be subject to personal criminal liability.

The proposed certification requirement unsurprisingly proved to be of significant concern to commenters, with some commenters labeling the proposal draconian or fundamentally unfair, and noting the difficulty there would be in the capability of covered institutions to comply. The proposal likely also would lead to a divergence in AML enforcement among federal and other state regulators.

On June 30, 2016, the NY DFS issued the final Banking Regulations, which will be effective beginning January 1, 2017.

In response to the comments, several substantive changes were made by the DFS, although the basic requirement for a covered institution to maintain these monitoring and filtering systems in accordance with its own risk assessment remains the basic underpinning of the Banking Regulations. The final Banking Regulations add the words that the systems be “reasonably designed” to carry out the purposes of the systems as set forth in the regulations.

Among the substantive changes in the final Banking Regulations to the three components of the system’s requirements:

• Transaction Monitoring System: The final regulations maintain essentially the same minimum requirements as in the proposal but did add consideration of the covered institution’s staffing and governance to the list of characteristics for a covered institution to take into account when developing its risk assessment. The final regulations also revised the proposed requirement that the system reflect, among other things, all current AML laws, regulations and alerts, to a requirement that the system be reviewed and updated at periodic intervals so as to include changes in applicable AML laws, regulations and regulatory warnings.
• Filtering Program: The final regulations limit the reach of this system to the detection of transactions prohibited by the Office of Foreign Assets Control (“OFAC”) economic sanctions regulations.
• Annual Board Resolution or Senior Officer Compliance Filing: The controversial proposed chief compliance officer certification has been replaced by a requirement that the covered institution’s board of directors or senior officer sign and submit a “Compliance Finding” annually by April 15th certifying that: (i) they have reviewed relevant documents to enable the Compliance Finding to be made; (ii) they have taken all steps necessary to confirm that the financial institution has a transaction and monitoring program that complies with Part 504; and (iii) to the best of their knowledge, the system complies with Part 504. A “Senior Officer” is defined as a “senior individual or individuals responsible for the management, operations, compliance and/or risk of” a covered institution subject to Part 504. The first Compliance Finding is not due until April 15, 2018.

The final Banking Regulations also revise the Penalties/Enforcement Actions section to eliminate the sentence that “A Certifying Senior Officer who files an incorrect or false Annual Certification also may be subject to criminal penalties for such filing” and the language regarding applicable penalties, and replaces it with the simple statement that the “regulation will be enforced pursuant to, and is not intended to limit, the Superintendent’s authority under any applicable laws.”

In the UK the Financial Services and Markets Act 2000 gives the FCA certain powers and responsibilities over individuals that carry on certain roles within UK financial services firms. These powers and responsibilities were amended by The Financial Services (Banking Reform) Act 2013 (“the Act”). Part IV of the Act, which introduced the SMCR, alongside associated conduct rules, came into force on March 7, 2016. Like new Part 504 of the Banking Regulations, the SMCR was introduced to improve senior management responsibility. It was proposed after a report by the UK Parliamentary Committee on Banking Standards criticized the previous “Approved Persons Regime” stating that “a lack of personal responsibility has been common place throughout the industry. Senior figures have continued to shelter behind an accountability firewall”.

This article is not intended to address the SMCR in detail and further information on the regime can be found in the UK section of our “Financial services: Regulation tomorrow” blog together with previous publications (e.g., see The new accountability regime). However, similarities can be drawn between the approaches in the US and the UK in that one of the requirements of the SMCR is for relevant firms to give a senior manager explicit responsibility for overseeing the firm’s efforts to tackle financial crime. “Financial crime” is used as an umbrella term by the FCA and includes both AML and economic sanctions. This individual, who may or may not be the existing Money Laundering Reporting Officer, has overall responsibility for ensuring that the firm has adequate systems and controls in place to mitigate the risk that they might be used to commit financial crime. The SMCR is only partially implemented at this stage and will apply more widely to certain middle managers from March 2017, which in practice will make it easier for the FCA to identify and pursue cases against responsible levels of management.

Regulators and prosecutors in the US and the UK are continually increasing their focus on individual accountability. Senior managers and other key personnel must be aware of the ever-evolving AML and sanctions regulatory landscape, and take an active role in reviewing and updating operating procedures to ensure that they remain in compliance with their obligations.