The New York Department of Financial Services (DFS) has finalized a new regulation setting rigorous standards for monitoring and filtering programs to monitor transactions for potential anti-money laundering (AML) and Bank Secrecy Act (BSA) violations and block transactions prohibited by the Treasury Department’s Office of Foreign Assets Control (OFAC).

The regulation, which becomes effective January 1, 2017, will apply to all (1) banks, trust companies, private bankers, savings banks, and savings and loan associations chartered under the New York Banking Law (NYBL), (2) branches and agencies of foreign banking corporations licensed under the NYBL to conduct banking operations in New York, and (3) check cashers and money transmitters licensed under the NYBL (Regulated Institutions). For financial institutions not subject to this New York regulation, it is instructive as a benchmark for future standards likely to come from other states and/or federal regulators.

When first proposed in December 2015, the regulation would have required a Regulated Institution’s chief compliance (or equivalent) officer to attest annually that the institution’s monitoring and filtering programs comply with the regulation’s requirements. However, under the final regulation, beginning on April 15, 2018, a Regulated Institution must submit to DFS by April 15 of each year either a "Senior Officer Compliance Finding" or a resolution of its "Board of Directors" to certify compliance with the regulation.

A "Senior Officer" is "the senior individual or individuals responsible for the management, operations, compliance and/or risk" of a Regulated Institution. The "Board of Directors" is the "governing board of every Regulated Institution or the functional equivalent if the Regulated Institution does not have a Board of Directors." This flexibility may create practical tensions between an institution's board and its compliance department, because one or the other must submit the required form.

Aside from providing flexibility regarding who may provide the certification, the annual submission form has undergone some changes in wording from the original proposal. One of the biggest changes is through incorporation: the final form states that the signatory has taken "all steps necessary to confirm" that the Regulated Institution has transaction and filtering programs that comply with the final provisions of Section 504.3. That section now requires programs to be "reasonably designed" to attain their purposes, "to the extent they are applicable." This standard is slightly more forgiving than the language of the proposed rules, which appeared to demand categorical and de facto compliance with all of the various, specific requirements listed within Section 504.3, rather than a program that was "reasonably designed" to attain the specific requirements that in fact were relevant to the Regulated Institution at hand. This revision may be particularly helpful to those non-depository institutions that may not have all the outlined requirements in their current programs.

The resolution or finding must state that the Senior Officer or Board of Directors has reviewed documents, reports, certifications, and opinions of such officers, employees, outside vendors, and other parties as necessary to adopt the resolution or compliance finding. A Regulated Institution must maintain for DFS examination, for a period of five years, all records, schedules, and data supporting adoption of the board resolution or senior officer compliance finding. Of note, prior language simply announcing in part that "[a] certifying Senior Officer who files an incorrect or false Annual Certification also may be subject to criminal penalties for such filing"—language that, by itself, did not create a new substantive criminal provision—has been replaced by more generic language in the final regulations, stating that "[t]his regulation will be enforced pursuant to, and is not intended to limit, the Superintendent's authority under any applicable laws."

The final regulation requires a Regulated Institution to maintain a manual or automated "Transaction Monitoring Program" and "Filtering Program" that are reasonably designed to, respectively, monitor transactions after their execution for potential BSA/AML violations and suspicious activity reporting, and interdict OFAC-prohibited transactions. The regulation lists eight attributes that a Transaction Monitoring Program must have and five attributes a Filtering Program must have, to the extent applicable.

The listed attributes are very detailed. For example, one requires a Transaction Monitoring Program to include protocols setting forth how alerts will be investigated, "the process for deciding which alerts will result in a filing or other action, the operating areas and individuals responsible for making such a decision, and how the investigative and decision-making process will be documented."

The final regulation also lists eight additional requirements that must be part of both a Transaction Monitoring and Filtering Program, to the extent applicable. Among the areas covered by such requirements are data identification, validation of data integrity, accuracy and quality, data extraction and loading processes, governance and management oversight, vendor selection, and training.