AML Regulations in NY Force CCOs to Rethink Everything
Ask compliance officers, especially those in the financial sector, the clichéd question about what keeps them up at night and their answer these days probably falls into one of two categories: adding to their already full plate with heightened risk management demands from regulators, and the threat of personal liability. New rules proposed last week by New York’s Department of Financial Services will likely lead to even more restless nights.
On Dec. 1, New York Governor Andrew Cuomo proposed a slate of new anti-money laundering regulations for financial institutions that fall under that state’s regulatory regime and supervision. For big banks, especially foreign-owned institutions and those with an international footprint, nearly all are covered by rules and examination regimes imposed by the world’s largest financial center.
Once final, after a 45-day comment period, New York will require that banks and other financial firms (including money services business and Bitcoin services) maintain a transaction monitoring program, manual or automated, that seeks out potential Bank Secrecy Act and money laundering violations. The system, as stipulated, should map these risks to the firm’s businesses, products, services, and customers, and factor in relevant information from existing know-your customer due diligence and enhanced customer due diligence programs. There are also new demands for sanctions compliance and screening filters to help combat the financing of terrorism. Those filters must include the data from the Treasury Department’s Office of Foreign Assets Control, politically exposed persons lists, and internal watch lists. The requirements would be effective in 2017.
None of this is exactly new for banks, and similar demands are already in place from regulators, including the Federal Reserve and Office of the Comptroller of the Currency. New York’s rationale for enacting its own AML regime, despite this overlap, cites a four-year long series of investigations that found serious shortcomings with existing transaction monitoring and filtering programs, brought on at least in part by a lack of robust governance, oversight, and accountability at senior levels of the institutions managing those programs.
The key word that sets the new regime apart from others is “accountability.” The proposal requires that CCOs—or whoever is in a comparative role—must annually submit, by April 15 of each year, certifications on the effectiveness of these systems and controls. Criminal liability could be imposed on certifications that are later found to be incorrect or false. Enforcement efforts will also target any institution found to make changes or alterations to its transaction monitoring and filtering programs to avoid or minimize filing suspicious activity reports, or because the institution does not have the resources to review the number of alerts.
The attestation requirement for compliance officers has been on the horizon since February when former NYDFS Commissioner Benjamin Lawsky floated a proposal, during a speech at Columbia Law School, to make senior bank executives personally sign off on the adequacy and robustness of anti-money laundering and transaction monitoring systems. That Sarbanes-Oxley-inspired requirement has since been expanded to compliance officers. With a formal certification signed with an attestation that it is “accurate and complete,” DFS will have “strong ammunition to take the next step and pursue enforcement actions against compliance officers as individuals,” says Matthew Schwartz, a partner at law firm Boies, Schiller & Flexner.
As originally narrowed to senior executives, the rule was potentially a way to ensure that people outside of the compliance function were paying the same sort of attention to compliance as they were to other aspects of the business for which there is direct or indirect responsibility, whether it is financial controls like those in SOX or just the performance of the business for which executives are held accountable every day. “But this is not that,” Schwartz says. “This puts a target on the back of compliance officers.”
The justifiable fear, he says, is that New York has created a strict liability enforcement regime for compliance officers, “if the one that got by the goalie ends up being a big one.”
Even with complete confidence in the abilities of themselves, their teams, and their controls, CCOs can never be fully confident they caught everything. “With the volume and flow of funds going through New York amounting to trillions of dollars each day, it is asking a lot to say you looked at every single transaction and had everything in place to find every single problem,” says Tom Bock, executive managing director of K2 Intelligence’s AML and regulatory compliance practice. The focus on terror financing poses a particular difficulty because many of the transactions supporting those groups are relatively small-dollar values.
The pending rules provide yet another reason to continually monitor the effectiveness of their AML controls and sanctions screening. “You first have to assess and know the risks associated with the services you provide your clientele and based on the locations you serve,” says Bao Nguyen, a director of risk advisory services at Kaufman Rossin. “Once you identify the risk and have a monitoring system in place to address that risk, you need to regularly test it and close any gaps you may find. Do an annual test to ensure that you didn’t miss anything throughout the year.”
The rules underscore the need for CCO independence. “Even if the CCO has the necessary resources and authority to effect change, he or she may face pressure to sign the certification before needed changes are made,” says Carol Van Cleef, a partner with law firm Manatt, Phelps & Phillips. “Senior management could impose such pressure by demanding its execution. Or, the pressure could be internally generated if the CCO has concerns about losing a job, being demoted, or not receiving a bonus if the certification is not signed.”
Van Cleef expects that many Institutions are likely to find themselves investing significant resources in creating documentation necessary to demonstrate compliance with these rules as proposed. “For smaller institutions, the time and costs associated with this effort are likely to be crushing,” she says. “For banks, the added effort required by the proposed rule could be sufficient justification to convert to federal charters.”
One area where more clarification to the rule proposal may be necessary is with respect to watch lists. There are a number of different types of lists that institutions are expected to check as a matter of best practices. Identifying customers who are on those lists does not mean that the institution can’t do business with them. “As proposed, the regulation would seem to prohibit transactions with any one on these lists,” Van Cleef says. “Some of these lists—like politically exposed persons—are used to identify customers that may present higher risks.” Under federal regulations, however, institutions are not prohibited from doing business with those customers.
Congress and the federal regulators have long recognized the importance of having someone other than the compliance function itself evaluate the compliance program. Van Cleef says that the independent review mandated by the Bank Secrecy Act should be sufficient, but even after nearly 15 years of heightened AML compliance efforts, institutions are still lacking standards for the conduct of those reviews—and the reviewers themselves—that would compare to what exists in the accounting industry.
“It may be more effective to increase the expectations for independent reviews to achieve the results the DFS is seeking,” she suggests.
Bao Nguyen, CAMS, CFE, CRCP, is a Risk Advisory Services Principal – Investment Leader at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.