The New York State Department of Financial Services (“NY DFS”) recently issued final regulations to require state-chartered banking organizations, state-licensed branches and agencies of foreign banks, and state licensed check cashers and money transmitters (“covered institutions”), to put in place transaction monitoring and filtering systems designed to better enable these financial institutions to comply with relevant federal and state anti-money laundering (“AML”) and federal economic sanctions regulations. The final regulations are effective beginning January 1, 2017.

As proposed in December 2015, Part 504 of the New York Financial Services Regulations had three primary components: (1) a system to monitor transactions after their execution for potential AML violations, (2) a system to interdict transactions prohibited under US economic and trade sanctions and other watch lists before their execution and (3) most controversially, a certification requirement by the covered institution’s chief compliance officer that the institution is in compliance with these regulations. The DFS proposed the regulations after a series of investigations into AML and sanctions compliance revealed “shortcomings” in their transaction monitoring and watch list filtering systems and a lack of “robust governance, oversight and accountability at senior levels of these institutions.”

In response to the comments, several substantive changes were made, although the basic requirement for a covered institution to maintain these monitoring and filtering systems in accordance with its own risk assessment remains the basic underpinning of the regulations. The final regulations add the words that the systems be “reasonably designed” to carry out the purposes of the systems as set forth in the regulations.

Among the substantive changes in the final regulations to the three components of the system’s requirements:

  • Transaction Monitoring System: The final regulations maintain essentially the same minimum requirements as in the proposal but did add consideration of the covered institution’s staffing and governance to the list of characteristic for a covered institution to take into account when developing its risk assessment. The final regulations also revised the proposed requirement that the system reflect, among other things, all current AML laws, regulations and alerts, to a requirement that the system be reviewed and updated at periodic intervals to reflect among other things, changes in applicable AML laws, regulations and regulatory warnings.
  • Filtering Program: The final regulations limit the reach of this system to the detection of transactions prohibited by the Office of Foreign Assets Control (“OFAC”) economic sanctions regulations.
  • Annual Board Resolution or Senior Officer Compliance Filing: The controversial proposed chief compliance officer certification has been replaced by a requirement that the covered institution’s board of directors or senior officer sign and submit a “Compliance Finding” annually by April 15th certifying that: (i) they have reviewed relevant documents to enable the Compliance Finding to be made; (ii) they have taken all steps necessary to confirm that the financial institution has a transaction and monitoring program that complies with Part 504 and (iii) to the best of their knowledge, the system complies with Part 504. A “Senior Officer” is defined as a “senior individual or individuals responsible for the management, operations, compliance and/or risk of” an institution subject to Part 504.

The final regulations also revised the Penalties/Enforcement Actions section to eliminate the sentence that “A Certifying Senior Officer who files an incorrect or false Annual Certification also may be subject to criminal penalties for such filing” and the language regarding applicable penalties, and replaces it with the simple statement that the “regulation will be enforced pursuant to, and is not intended to limit, the Superintendent’s authority under any applicable laws.”

As noted above, the final regulations are effective beginning January 1, 2017, but the first Compliance Finding is not due until April 15, 2018.