As a result of recent investigations, the New York State Department of Financial Services (NYDFS) has uncovered industry-wide shortcomings in transaction monitoring and filtering programs, specifically a lack of robust governance, oversight, and accountability within firms. To address these deficiencies, the Department has:[1]
- Clarified the requirements of robust Transaction Monitoring and Watch List Filtering programs
- Required an annual certification of compliance with these requirements from the Bank's Chief Compliance Officer (CCO)
Transaction Monitoring Program Requirements
Each regulated financial institution is expected to maintain a manual or automated Transaction Monitoring program that has the following attributes:[2]
- Is based on risk assessment of the institution
- Is fully integrated with know your client (KYC), enhanced due diligence (EDD) and other anti-money laundering (AML) requirements outlined in laws such as the Bank Secrecy Act (BSA) and the USA PATRIOT Act by implication
- Reflects the risks posed by the institution’s businesses, products, services, and customers/counterparties
- Utilizes detection scenarios that are risk-based and have threshold values and amounts set to detect potential money laundering or other suspicious activities
- Is based on adequate pre-implementation and post-implementation testing of the end-to-end Transaction Monitoring program
- Is supported by easily understandable documentation that articulates the institution’s current detection scenarios, their underlying assumptions, parameters and thresholds
- Includes standards, procedures and processes for investigating alerts generated by the transaction monitoring system
- Is subject to ongoing review and assessment to keep the program running as intended
Watch List Filtering Program Requirements
Each regulated financial institution is expected to maintain a real-time watch list filtering program designed to interdict, prior to their execution, transactions to individuals or entities listed on Office of Foreign Assets Control (OFAC) lists, other sanctions lists, politically exposed persons (PEP) lists and internal watch lists. The program should at a minimum have the following attributes:[3]
- Is based on the risk assessment of the institution
- Is based on technology or tools for matching names and accounts
- Is based on adequate pre-implementation and post-implementation testing of the end-to-end Watch List Filtering program
- Utilizes watch lists that reflect current legal or regulatory requirements
- Is subject to ongoing review and assessment of the matching logic and technology
- Is supported by easily understandable documentation that articulates the intent and the design of the Program tools or technology
Each Transaction Monitoring and Filtering Program shall, at a minimum, require the following:[4]
- Identification of all data sources that contain relevant data
- Validation of the integrity, accuracy and quality of data to ensure that accurate and complete data flows through the Transaction Monitoring and Filtering Program
- Data extraction and loading processes to ensure a complete and accurate transfer of data
- Governance and management oversight to ensure that changes are defined, managed, controlled, reported, and audited
- A vendor selection process if a third-party vendor is used to acquire, install, implement, or test any part of the program
- Funding to design, implement and maintain a Transaction Monitoring and Watch List Filtering Program that complies with the requirements
- Qualified personnel or an outside consultant responsible for the design, planning, implementation, operation, testing, validation, and ongoing analysis of the Transaction Monitoring and Filtering Program
- Periodic training of all stakeholders with respect to the Transaction Monitoring and Filtering Program
Finally, no regulated institution is permitted to make changes or alterations to the Transaction Monitoring and Filtering Program to avoid or minimize filing suspicious activity reports (SARs) or because the institution does not have an adequate number of resources to investigate the alerts generated.
To comply with the requirements, each regulated institution’s Certifying Senior Officer (Chief Compliance Officer or equivalent) shall duly execute and submit its certification to the Department by April 15 of each year.[5] According to section 504.5 of the regulation, failure to do so, or filing an incorrect or false annual certification, may expose the Certifying Senior Officer to criminal penalties.
This regulation from the New York State Department of Financial Services points to the following areas of interest:
- Most medium-sized and large banks currently have automated transaction monitoring and watch list filtering systems in place. However, this New York state regulation compels banks to establish, fund and monitor ongoing Transaction Monitoring and Watch List Filtering programs to address known deficiencies. Some of these gaps would be highlighted during regulatory reviews, leading to consent orders and penalties. However, by introducing this legislation, the state government is forcing banks and their management to proactively review and remediate issues and gaps within these programs.
- While enforcement actions against CCOs have been more common for violations of securities-related regulations, bank management has not been held personally liable for deficiencies in the BSA/AML Program. However, this new regulation holds banks’ Compliance leadership personally accountable for the robustness of the programs.
- These requirements shall be effective immediately and apply to all state fiscal years beginning with the fiscal year starting on April 1, 2017.
- “Governor Cuomo Announces Anti-Terrorism Regulation Requiring Senior Financial Executives To Certify Effectiveness of Anti-Money Laundering Systems,” New York State Department of Financial Services, Press Release, December 1, 2015. Access at: http://www.dfs.ny.gov/about/press/pr1512011.htm
Newsletter Author: Bharat Sadula, Jack Porritt, J.H. Patel
Newsletter Contact Person: Craig Unterseher
Copyright © 2016 Accenture. All rights reserved.