By William P. Barry, Miller & Chevalier Chartered ([email protected])

Co-authored by Michelle Ramus (Summer Associate Attorney) 

All banks, trust companies, private bankers, savings banks, and saving and loan associations chartered pursuant to the New York Banking Law and all branches and agencies of foreign banking corporations licensed to conduct banking operations in New York must submit a confirmation regarding compliance with 3 N.Y.C.R.R. Part 504, which requires that they maintain transaction monitoring and watch list filtering programs consistent with Bank Secrecy Act AML requirements.Part 504 of the New York Department of Financial Services (NYDFS) Superintendent’s Regulations, requires that such institutions submit the annual confirmation in the form of either a Senior Officer compliance finding or a Board of Directors resolution.

In determining who the appropriate confirming person or entity should be, regulated institutions should develop a process that addresses concerns of potential personal exposure on the part of compliance officers and at the same time leverages the knowledge and experience of those most directly involved with the AML program. In this article, we discuss the requirements for the compliance finding or resolution and identify best practices for developing a process that effectively utilizes both the Board of Directors’ oversight function and the Senior Officer’s institutional knowledge, resulting in a finding or resolution process that is credible, supportable and capable of repetition on an annual basis.

Compliance Confirmation Requirement

NYDFS intended Part 504 to address deficiencies identified in institutions’ AML compliance programs.According to the regulation, Section 504.3 addresses the deficiencies not by creating new requirements, but by clarifying existing required attributes of a robust and functional compliance program.

The requirements in Section 504.3align with the recognized pillars of AML compliance: (a) written internal policies, procedures and controls; (b) designation of a qualified individual as compliance officer; (c) independent testing of the compliance program; (d) ongoing personnel training; and (e) customer due diligence.

Section 504.3 stresses that an institution’s programs must be appropriately tailored based on an enterprise-wide risk assessment of the institution. Aninstitution must document both the transaction monitoring program’s detection scenarios, controls and protocols and the intent and design of the watch list filtering program’s tools, processes and technology.Both programs need to include “end-to-end, pre- and post-implementation testing”of technical functionality.Institutions must designate and train qualified personnel to oversee all aspects of the programs.

Section 504.4 requires a Senior Officer or the Board of Directors to annually review the regulated institution’s transaction monitoring and watch list filtering programs and confirm that both programs comply with Section 504.3. This entails reviewing documents, reports, certifications and opinions of officers, employees, representatives, outside vendors and other individuals to assess compliance. “Senior Officer” is defined as “the senior individual or individuals responsible for the management, operations, compliance and/or risk of a regulated institution including a branch or agency of a foreign banking organization subject to this Part.” The signature on the annual finding or resolution is intended to confirm that the institution complies with the requirements of Section 504.3.

Although Part 504 seeks only to clarify existing AML requirements, the confirmation requirement poses significant challenges for regulated institutions. Unlike traditional AML compliance certifications that typically require certification that the institution maintains a reasonably designed compliance program and system of controls, Section 504.4 requires confirmation that the institution actually complied with every requirement in Section 504.3—and threatens individual criminal penalties if an institution files an incorrect or false certification.

Reaction from the Financial Industry

Members of the financial industry expressed concerns regarding the certification requirement during the public comment period for the proposed rule, in which NYDFS initially mandated that the Certifying Senior Officer alone must execute and submit the certification.Additionally, proposed Section 504.5 stated that the institution would face penalties if it failed to maintain compliant programs and that the Certifying Senior Officer would face criminal penalties for filing an incorrect or false certification.Public comments largely objected to individual criminal penalties without a clear mens rea requirement.Some also took issue with the fact that such certifications are typically made by senior management, such as the chief executive officer or the chief financial officer.Many noted that the certification might prove counterproductive by discouraging qualified compliance officers from working at financial institutions regulated by NYDFS, or otherwise chilling compliance officers from raising issues that may call into question prior confirmations.

When NYDFS published the Final Rule, it amended Section 504.4 to allow institutions to choose whether to proceed via a Senior Officer compliance finding or a Board of Directors resolution confirming compliance with Part 504’s transaction monitoring and watch list filtering requirements.It also changed Section 504.5’s explicit warning regarding individual criminal penalties to a general assertion that the regulation would be enforced pursuant to any applicable laws.

Despite these changes, compliance and management personnel at regulated institutions remain concerned.Under Section 504.5, a certifying individual—either a Senior Officer or a member of the Board of Directors—remains at risk for both criminal and civil penalties.Furthermore, Section 504.4 leaves institutions with an additional decision to make: where should an institution place the responsibility and potential personal liability of a Part 504 confirmation, on a Senior Officer or on the Board of Directors?

 Determining Who Should Sign the Confirmation

As with many compliance issues, there is no one-size-fits-all answer to the question of what person/s or entity should sign the compliance confirmation. Regulated institutions come in different corporate forms, sizes and corporate governance models.

In the event a regulated institution chooses a Senior Officer or combination of such officers to make the finding, candidates may include the chief executive officer, chief financial officer and the chief compliance officer or anti-money laundering compliance officer.Of these, the chief compliance officer or anti-money laundering officer will have the most comprehensive understanding of the scope and efficacy of the AML compliance program. On the other hand, the chief executive officer and chief financial officer are more senior within the institution’s corporate governance framework. Any of these individuals can be expected to consider potential personal liability that may flow from being responsible for the finding.

There are benefits to having the Board of Directors make the confirmation by way of resolution, such as the clear message this approach conveys regarding the importance of AML compliance. However, issues of transaction monitoring and filtering are not likely to fall within the board’s expertise. The board’s time and focus may be better spent providing direction to senior management regarding the importance of compliance and providing oversight and guidance to the institution’s compliance experts.

For many institutions, the best approach may be a hybrid of the options described above. For example, a chief compliance officer could act as Senior Officer in presenting to the board of directors a proposed finding for the board’s consideration and approval. A member of senior management would represent that he/she concurs with the proposed finding. The Senior Officer would then execute the finding on behalf of the institution. This approach makes use of the institution’s compliance expert, provides the formality of a board decision to support the process, and assures the Senior Officer that he has board support.

Recommended Best Practices

Regardless of which person or entity ultimately provides the required compliance confirmation, there are best practices regulated institutions can and should implement now, in anticipation of the April 2018 deadline. 

1. Take the Steps Necessary to Build a Compliant BSA/AML Program.Regulated institutions will most likely have Bank Secrecy Act compliant anti-money laundering programs in place, but now is the time to review those programs, beginning with a risk assessment that contemplates AML risk associated with the institution’s business, products, services and customers/counterparties. As part of the annual review process, regulated institutions should pay particular attention to the transaction monitoring and filtering portions of their program. In addition to testing the procedures and systems themselves, institutions should evaluate how their personnel use the data the systems generate. For example, institutions might identify how many transactions or counterparty filtering alerts gave rise to internal reviews, and how those reviews were undertaken and documented. Moreover, evaluating adherence to the requirements under Part 504.3 (a)–(d) is not enough; institutions should document relevant enhancements and train relevant personnel and the Board of Directors on the manner in which these functions operate.

2. Develop a Clear Process to Support the Confirmation. The process for conducting the review and supporting the confirmation is as important as the substance of the confirmation. Institutions should develop (a) a series of milestones and deadlines for testing, assimilating and evaluating information regarding the AML program; (b) criteria for making the decision whether the confirmation is supported; and (c) a basis for determining what person or entity will provide the confirmation. The benefits of this approach are twofold. First, it will assist the institution in identifying what roles and responsibilities its officers and directors should execute as part of the confirmation process. Second, it allows the institution to be in position to explain the process should regulators or stakeholders raise questions.

3. Implement a Sub-Certification Procedure. Tailored sub-certification procedures can provide great value to the compliance process and the institution. Such procedures give comfort to the certifying official or entity that there is a good faith basis to provide the confirmation and that the process has been well-designed to percolate up problematic issues. However, the benefit of sub-certification procedures transcends the confirmation process itself. The sub-certification process communicates the importance of AML compliance throughout the organization. Sub-certifiers in the finance, technology, client relations and business products/services divisions of a financial institution are confronted with the fact that AML compliance is critical to the institution’s success, and that each individual has a role to play in ensuring that success.

4. UseExperienced Counsel to Advise on the Process.Institutions may find that experienced counsel can provide value by assisting the institution in understanding the expectations of regulators and counterparties, and navigating issues such as the application of foreign data privacy restrictions and competing AML regulation in other jurisdictions. Counsel with experience conducting AML compliance testing and/or third party administrator audits can efficiently spot problematic issues and offer solutions. Counsel can also help navigate the process of evaluating and enhancing the AML compliance infrastructure in a manner that can be documented but respects confidentiality concerns. Finally, the involvement of counsel may give comfort to those asked to sign the compliance confirmation.

5. Document the Process and Identify Enhancements and Efficiencies for Future Confirmations.The confirmation process is an opportunity to build the compliance file. Thoughtful legal and compliance personnel can use the process to demonstrate the institutions commit to ethical conduct, positive tone and culture. In addition to enabling the institution to become increasingly efficient in responding to annual compliance confirmations, a well-developed compliance file can be evidence of appropriate intent in the event the firm finds itself confronted by regulators regarding a suspicious transaction or problematic relationship.

Conclusion

The new NYDFS Part 504 compliance confirmation requirements pose risks and challenges for the financial industry at both the institutional and the human level. A thoughtful, documented approach and a clear process will go a long way toward assuring regulators, counterparties and personnel that the firm is well-positioned to succeed in this era of heightened scrutiny regarding AML and counter-terrorism financing.

By William P. Barry, Miller & Chevalier Chartered ([email protected])

Co-authored by Michelle Ramus (Summer Associate Attorney) 

All banks, trust companies, private bankers, savings banks, and saving and loan associations chartered pursuant to the New York Banking Law and all branches and agencies of foreign banking corporations licensed to conduct banking operations in New York must submit a confirmation regarding compliance with 3 N.Y.C.R.R. Part 504, which requires that they maintain transaction monitoring and watch list filtering programs consistent with Bank Secrecy Act AML requirements.Part 504 of the New York Department of Financial Services (NYDFS) Superintendent’s Regulations, requires that such institutions submit the annual confirmation in the form of either a Senior Officer compliance finding or a Board of Directors resolution.

In determining who the appropriate confirming person or entity should be, regulated institutions should develop a process that addresses concerns of potential personal exposure on the part of compliance officers and at the same time leverages the knowledge and experience of those most directly involved with the AML program. In this article, we discuss the requirements for the compliance finding or resolution and identify best practices for developing a process that effectively utilizes both the Board of Directors’ oversight function and the Senior Officer’s institutional knowledge, resulting in a finding or resolution process that is credible, supportable and capable of repetition on an annual basis.

Compliance Confirmation Requirement

NYDFS intended Part 504 to address deficiencies identified in institutions’ AML compliance programs.According to the regulation, Section 504.3 addresses the deficiencies not by creating new requirements, but by clarifying existing required attributes of a robust and functional compliance program.

The requirements in Section 504.3align with the recognized pillars of AML compliance: (a) written internal policies, procedures and controls; (b) designation of a qualified individual as compliance officer; (c) independent testing of the compliance program; (d) ongoing personnel training; and (e) customer due diligence.

Section 504.3 stresses that an institution’s programs must be appropriately tailored based on an enterprise-wide risk assessment of the institution. Aninstitution must document both the transaction monitoring program’s detection scenarios, controls and protocols and the intent and design of the watch list filtering program’s tools, processes and technology.Both programs need to include “end-to-end, pre- and post-implementation testing”of technical functionality.Institutions must designate and train qualified personnel to oversee all aspects of the programs.

Section 504.4 requires a Senior Officer or the Board of Directors to annually review the regulated institution’s transaction monitoring and watch list filtering programs and confirm that both programs comply with Section 504.3. This entails reviewing documents, reports, certifications and opinions of officers, employees, representatives, outside vendors and other individuals to assess compliance. “Senior Officer” is defined as “the senior individual or individuals responsible for the management, operations, compliance and/or risk of a regulated institution including a branch or agency of a foreign banking organization subject to this Part.” The signature on the annual finding or resolution is intended to confirm that the institution complies with the requirements of Section 504.3.

Although Part 504 seeks only to clarify existing AML requirements, the confirmation requirement poses significant challenges for regulated institutions. Unlike traditional AML compliance certifications that typically require certification that the institution maintains a reasonably designed compliance program and system of controls, Section 504.4 requires confirmation that the institution actually complied with every requirement in Section 504.3—and threatens individual criminal penalties if an institution files an incorrect or false certification.

Reaction from the Financial Industry

Members of the financial industry expressed concerns regarding the certification requirement during the public comment period for the proposed rule, in which NYDFS initially mandated that the Certifying Senior Officer alone must execute and submit the certification.Additionally, proposed Section 504.5 stated that the institution would face penalties if it failed to maintain compliant programs and that the Certifying Senior Officer would face criminal penalties for filing an incorrect or false certification.Public comments largely objected to individual criminal penalties without a clear mens rea requirement.Some also took issue with the fact that such certifications are typically made by senior management, such as the chief executive officer or the chief financial officer.Many noted that the certification might prove counterproductive by discouraging qualified compliance officers from working at financial institutions regulated by NYDFS, or otherwise chilling compliance officers from raising issues that may call into question prior confirmations.

When NYDFS published the Final Rule, it amended Section 504.4 to allow institutions to choose whether to proceed via a Senior Officer compliance finding or a Board of Directors resolution confirming compliance with Part 504’s transaction monitoring and watch list filtering requirements.It also changed Section 504.5’s explicit warning regarding individual criminal penalties to a general assertion that the regulation would be enforced pursuant to any applicable laws.

Despite these changes, compliance and management personnel at regulated institutions remain concerned.Under Section 504.5, a certifying individual—either a Senior Officer or a member of the Board of Directors—remains at risk for both criminal and civil penalties.Furthermore, Section 504.4 leaves institutions with an additional decision to make: where should an institution place the responsibility and potential personal liability of a Part 504 confirmation, on a Senior Officer or on the Board of Directors?

 Determining Who Should Sign the Confirmation

As with many compliance issues, there is no one-size-fits-all answer to the question of what person/s or entity should sign the compliance confirmation. Regulated institutions come in different corporate forms, sizes and corporate governance models.

In the event a regulated institution chooses a Senior Officer or combination of such officers to make the finding, candidates may include the chief executive officer, chief financial officer and the chief compliance officer or anti-money laundering compliance officer.Of these, the chief compliance officer or anti-money laundering officer will have the most comprehensive understanding of the scope and efficacy of the AML compliance program. On the other hand, the chief executive officer and chief financial officer are more senior within the institution’s corporate governance framework. Any of these individuals can be expected to consider potential personal liability that may flow from being responsible for the finding.

There are benefits to having the Board of Directors make the confirmation by way of resolution, such as the clear message this approach conveys regarding the importance of AML compliance. However, issues of transaction monitoring and filtering are not likely to fall within the board’s expertise. The board’s time and focus may be better spent providing direction to senior management regarding the importance of compliance and providing oversight and guidance to the institution’s compliance experts.

For many institutions, the best approach may be a hybrid of the options described above. For example, a chief compliance officer could act as Senior Officer in presenting to the board of directors a proposed finding for the board’s consideration and approval. A member of senior management would represent that he/she concurs with the proposed finding. The Senior Officer would then execute the finding on behalf of the institution. This approach makes use of the institution’s compliance expert, provides the formality of a board decision to support the process, and assures the Senior Officer that he has board support.

Recommended Best Practices

Regardless of which person or entity ultimately provides the required compliance confirmation, there are best practices regulated institutions can and should implement now, in anticipation of the April 2018 deadline. 

1. Take the Steps Necessary to Build a Compliant BSA/AML Program.Regulated institutions will most likely have Bank Secrecy Act compliant anti-money laundering programs in place, but now is the time to review those programs, beginning with a risk assessment that contemplates AML risk associated with the institution’s business, products, services and customers/counterparties. As part of the annual review process, regulated institutions should pay particular attention to the transaction monitoring and filtering portions of their program. In addition to testing the procedures and systems themselves, institutions should evaluate how their personnel use the data the systems generate. For example, institutions might identify how many transactions or counterparty filtering alerts gave rise to internal reviews, and how those reviews were undertaken and documented. Moreover, evaluating adherence to the requirements under Part 504.3 (a)–(d) is not enough; institutions should document relevant enhancements and train relevant personnel and the Board of Directors on the manner in which these functions operate.

2. Develop a Clear Process to Support the Confirmation. The process for conducting the review and supporting the confirmation is as important as the substance of the confirmation. Institutions should develop (a) a series of milestones and deadlines for testing, assimilating and evaluating information regarding the AML program; (b) criteria for making the decision whether the confirmation is supported; and (c) a basis for determining what person or entity will provide the confirmation. The benefits of this approach are twofold. First, it will assist the institution in identifying what roles and responsibilities its officers and directors should execute as part of the confirmation process. Second, it allows the institution to be in position to explain the process should regulators or stakeholders raise questions.

3. Implement a Sub-Certification Procedure. Tailored sub-certification procedures can provide great value to the compliance process and the institution. Such procedures give comfort to the certifying official or entity that there is a good faith basis to provide the confirmation and that the process has been well-designed to percolate up problematic issues. However, the benefit of sub-certification procedures transcends the confirmation process itself. The sub-certification process communicates the importance of AML compliance throughout the organization. Sub-certifiers in the finance, technology, client relations and business products/services divisions of a financial institution are confronted with the fact that AML compliance is critical to the institution’s success, and that each individual has a role to play in ensuring that success.

4. UseExperienced Counsel to Advise on the Process.Institutions may find that experienced counsel can provide value by assisting the institution in understanding the expectations of regulators and counterparties, and navigating issues such as the application of foreign data privacy restrictions and competing AML regulation in other jurisdictions. Counsel with experience conducting AML compliance testing and/or third party administrator audits can efficiently spot problematic issues and offer solutions. Counsel can also help navigate the process of evaluating and enhancing the AML compliance infrastructure in a manner that can be documented but respects confidentiality concerns. Finally, the involvement of counsel may give comfort to those asked to sign the compliance confirmation.

5. Document the Process and Identify Enhancements and Efficiencies for Future Confirmations.The confirmation process is an opportunity to build the compliance file. Thoughtful legal and compliance personnel can use the process to demonstrate the institutions commit to ethical conduct, positive tone and culture. In addition to enabling the institution to become increasingly efficient in responding to annual compliance confirmations, a well-developed compliance file can be evidence of appropriate intent in the event the firm finds itself confronted by regulators regarding a suspicious transaction or problematic relationship.

Conclusion

The new NYDFS Part 504 compliance confirmation requirements pose risks and challenges for the financial industry at both the institutional and the human level. A thoughtful, documented approach and a clear process will go a long way toward assuring regulators, counterparties and personnel that the firm is well-positioned to succeed in this era of heightened scrutiny regarding AML and counter-terrorism financing.