Governor Andrew M. Cuomo today announced that his Administration is proposing a new anti-terrorism and anti-money laundering regulation that includes -- among other important provisions -- a requirement modeled on Sarbanes-Oxley that senior financial executives certify that their institutions have sufficient systems in place to detect, weed out, and prevent illicit transactions.
"Money is the fuel that feeds the fire of international terrorism," said Governor Cuomo. "Global terrorist networks simply cannot thrive without moving significant amounts of money throughout the world. At a time of heightened global security concerns, it is especially vital that banks and regulators do everything they can to stop that flow of illicit funds."
Over the last four years, the New York State Department of Financial Services (NYDFS) has conducted a series of investigations into terrorist financing, sanctions violations, and anti-money laundering compliance at financial institutions. As a result of these investigations, the Department has uncovered (among other issues) serious shortcomings in the transaction monitoring and filtering programs of these institutions, and has found that a lack of robust governance, oversight, and accountability at senior levels of these institutions has contributed to these shortcomings.
The key requirements of the new anti-terrorism and anti-money laundering regulation that NYDFS is proposing – which will be subject to a 45-day notice and public comment period before final issuance – include the following:
- Maintain a Transaction Monitoring Program. Each regulated institution will maintain a Transaction Monitoring Program for the purpose of monitoring transactions after their execution for potential BSA/AML violations and Suspicious Activity Reporting, which system may be manual or automated, and which shall, at a minimum, include the following attributes:
  - Be based on the Risk Assessment of the institution.
  - Reflect all current BSA/AML laws, regulations and alerts, as well as any relevant information available from the institution’s related programs and initiatives, such as "know your customer due diligence", "enhanced customer due diligence" or other relevant areas, such as security, investigations and fraud prevention.
  - Map BSA/AML risks to the institution’s businesses, products, services, and customers/counterparties.
  - Utilize BSA/AML detection scenarios that are based on the institution’s Risk Assessment with threshold values and amounts set to detect potential money laundering or other suspicious activities.
  - Include an end-to-end, pre- and post-implementation testing of the Transaction Monitoring Program, including governance, data mapping, transaction coding, detection scenario logic, model validation, data input and Program output, as well as periodic testing.
  - Include easily understandable documentation that articulates the institution’s current detection scenarios and the underlying assumptions, parameters, and thresholds.
  - Include investigative protocols detailing how alerts generated by the Transaction Monitoring Program will be investigated, the process for deciding which alerts will result in a filing or other action, who is responsible for making such a decision, and how the investigative and decision-making process will be documented.
  - Be subject to an on-going analysis to assess the continued relevancy of the detection scenarios, the underlying rules, threshold values, parameters, and assumptions.
- Maintain a Watch List Filtering Program. Each regulated institution will maintain a Watch List Filtering Program for the purpose of interdicting transactions, before their execution, that are prohibited by applicable sanctions, including OFAC and other sanctions lists, politically exposed persons lists, and internal watch lists, which system may be manual or automated, and which shall, at a minimum, include the following attributes:
  - Be based on the risk assessment of the institution.
  - Be based on technology or tools for matching names and accounts, in each case based on the institution’s particular risks, transaction and product profiles.
  - Include an end-to-end, pre- and post-implementation testing of the Watch List Filtering Program, including data mapping, an evaluation of whether the watch lists and threshold settings map to the risks of the institution, the logic of matching technology or tools, model validation, and data input and Watch List Filtering Program output.
  - Utilize watch lists that reflect current legal or regulatory requirements.
  - Be subject to on-going analysis to assess the logic and performance of the technology or tools for matching names and accounts, as well as the watch lists and the threshold settings to see if they continue to map to the risks of the institution.
  - Include easily understandable documentation that articulates the intent and the design of the Program tools or technology.
- Additional Requirements. Each Transaction Monitoring and Filtering Program shall, at a minimum, require the following:
  - Identification of all data sources that contain relevant data.
  - Validation of the integrity, accuracy and quality of data to ensure that accurate and complete data flows through the Transaction Monitoring and Filtering Program.
  - Data extraction and loading processes to ensure a complete and accurate transfer of data from its source to automated monitoring and filtering systems, if automated systems are used.
  - Governance and management oversight, including policies and procedures governing changes to the Transaction Monitoring and Filtering Program to ensure that changes are defined, managed, controlled, reported, and audited.
  - Vendor selection process if a third-party vendor is used to acquire, install, implement, or test the Transaction Monitoring and Filtering Program or any aspect of it.
  - Funding to design, implement and maintain a Transaction Monitoring and Filtering Program that complies with the requirements of this Part.
  - Qualified personnel or outside consultant responsible for the design, planning, implementation, operation, testing, validation, and on-going analysis of the Transaction Monitoring and Filtering Program, including automated systems if applicable, as well as case management, review and decision making with respect to generated alerts and potential filing.
  - Periodic training of all stakeholders with respect to the Transaction Monitoring and Filtering Program.
- No regulated institution may make changes or alterations to the Transaction Monitoring and Filtering Program to avoid or minimize filing suspicious activity reports, or because the institution does not have the resources to review the number of alerts, or to otherwise avoid complying with regulatory requirements.
To ensure compliance with the requirements, each institution shall submit to the Department by April 15 of each year certifications duly executed by its chief compliance officer or functional equivalent.
To view a copy of the proposed Transaction Monitoring and Filtering Program regulation, please click here. The regulation will be published in an upcoming edition of the New York State Register, commencing a 45-day notice and comment period.