The New York Department of Financial Services (NYDFS) has introduced Part 504 to address AML compliance program deficiencies. These enhancements will provide direction for all banks, trust companies, private bankers, savings banks, and savings and loan associations chartered in New York and all branches and agencies of foreign banking corporations licensed to conduct banking operations in New York. Be ready to sign on the line and come to an agreement by April 2018.
There are two major parts to comply with in Part 504. These include confirmation submittals by either the Board of Directors or a Senior Officer and maintenance of transaction monitoring and watch list filtering programs that are consistent with Bank Secrecy Act AML requirements. It's best to identify best practices to develop a process that is credible, supportable, and capable of being duplicated.
The requirements of Part 504 reinforce the pillars of AML compliance. These include written internal policies, procedures and controls; designation of a qualified individual as compliance officer; independent testing of the compliance program; ongoing personnel training; and customer due diligence. This all starts with a wide risk assessment of the institution.
The risk assessment will include documentation of both the transaction monitoring program's detection scenarios, controls and protocols, and the intent and design of the watch list filtering program's tools, processes, and technology. The company needs to define roles and train the qualified personnel to manage all aspects of the programs. These programs will include "end-to-end, pre- and post-implementation testing" of technical functionality.
A Senior Officer or the Board of Directors will be required to annually review the transaction monitoring and watch list filtering programs, while also confirming that both programs comply with Part 504. These duties include reviewing documents, reports, certifications and opinions of officers, employees, representatives, outside vendors, and others to assess compliance. The risk involved for this individual is in signing the annual finding or resolution to confirm that the organization complies with Part 504.
That signature is confirmation that the institution complied with every single requirement in Part 504. If that is not the case, whether incorrect or false, the party that signed will be under threat of individual criminal penalties. This is a big responsibility for whoever is chosen to sign.
Choose Who to Sign the Confirmation
This is a loaded question because the answer is not the same for every company. Depending on corporate forms, sizes and corporate governance models, you'll have a different solution. You'll have to make a decision based on the benefits and dangers of each.
If you choose to use a Senior Officer or combination of officers to make the finding, you'll choose from the following individuals: Chief Executive Officer, Chief Financial Officer, and Chief Compliance Officer or Anti-Money Laundering Compliance Officer. The latter will have a more comprehensive understanding of the AML compliance program. However, the former two have seniority in the corporate governance framework. They will all have to consider the risk of personal liability if responsible for the finding.
On the other hand, if you choose to have the Board of Directors make the confirmation by way of resolution, it will send a clear message from the top down that AML compliance is a priority. The drawback is that the board is disconnected from the transaction monitoring and filtering issues that fall within a senior officer's expertise. The board could instead provide direction to senior management and provide oversight and guidance.
For some, the best solution will be a mix of both options. Have a Senior Officer, let's say the CCO, present a proposed finding for the board's consideration and approval. This will grant you the expertise of senior management, while also getting approval from the top of the company. After approval, the Senior Officer could execute the finding.
Here are the best practices to keep you compliant for the deadline:
1) Take a look at your current BSA/AML Program. Start with a risk assessment of the institution's business, products, services, and customers/counterparties. A regulated institution should gather careful detail from the transaction monitoring and filtering portions of its program. There should be a focus on how the data is used by its personnel. Any changes to the system should be documented and taught to relevant personnel, as well as the Board of Directors. All parties involved must be aware of how these functions operate.
2) Don't just focus on the confirmation content, but also on the way the confirmation is processed. There must be a clear process for conducting the review and supporting the confirmation. In this process, include a series of milestones and deadlines for testing, assimilating and evaluating information regarding the AML program; criteria for making the decision whether the confirmation is supported; and a basis for determining what person or entity will provide the confirmation. This will give all employees involved a defined role and responsibilities, as well as a process to defend when/if regulators or stakeholders have questions.
3) Put a sub-certification procedure in place. This gives peace of mind to the certifying official or entity that others have a role in ensuring the success of the confirmation. This procedure also instills a sense of importance to AML compliance throughout the institution.
4) Have experienced counsel give direction and advice on the process. This will help the rest of the company understand the expectations of regulators and counterparties. In addition, it will help navigate issues like foreign data privacy restrictions and competing AML regulations in other jurisdictions. Counsel will also help improve the process of AML compliance infrastructure, handling it respectfully with regard to confidentiality concerns. The counsel's involvement will also add more comfort to those who are responsible for signing the compliance confirmation.
5) Keep track of where there can be enhancements and efficiencies for future confirmations. The process can demonstrate the commitment to ethical conduct and culture. Improving the process will also help the institution become more efficient in responding to annual compliance confirmations. If you have a compliance file in place that is well-developed, you can have evidence of appropriate intent should your firm run into regulators asking questions.
Financial Industry Reactions
The financial industry has had its own reaction during the public comment period. There were some concerns over the certification requirements regarding who should sign and penalties. Originally, the NYDFS had mandated that the Certifying Senior Officer alone must execute and submit the certification, that the institution would face penalties if the compliant programs were not maintained, and that the Certifying Senior Officer would face criminal penalties for an incorrect or false certification. There was a large outcry over individual criminal penalties without a clear mens rea requirement, and many did not like the Certifying Senior Officer doing the certification when certifications are typically done by senior management (CEO, CFO). A lot of the financial industry expressed concerns that compliance officers would shy away from working at financial institutions regulated by NYDFS, or worse, that compliance officers would be wary of raising issues with prior confirmations. Neither was a desirable outcome.
The final ruling amended the original Part 504, allowing institutions to choose between a Senior Officer compliance finding or a Board of Directors resolution. The specific penalty warning was also altered to a general assertion that applicable laws would be enforced. Regardless of these amendments, personnel still remain concerned.
Certifying individuals could still be charged with both criminal and civil penalties. Beyond that, an institution still needs to make a major decision on who should be personally liable for the Part 504 confirmation. These are all things to be prepared for before the April deadline.
Are You Compliant?
In a time of increasing risk and scrutiny, it is best to have a well-documented approach and clear process. This will assure regulators, counterparties, and personnel that the firm can succeed with regard to AML and counter-terrorism financing. There are many things to be done in order to prepare, including bringing in compliance and management personnel to oversee these changes.
If you need to hire a team to help you as the deadline quickly approaches, contact us for help. We can get the right people to handle what you need just in time. ICS takes the time to ensure a perfect fit between employer and employee so you can keep working without a hitch.