Nixon Peabody discusses New York State Proposed Rule Regulating Transaction Monitoring By Banks, Check Cashers and Money Transmitters

A pending rulemaking (the “Proposed Rule”) by the New York State Department of Financial Services (the “NYSDFS”) would add potential New York State criminal liability to the burdens of chief compliance officers of New York chartered banks, trust companies, savings banks, savings and loan associations, New York licensed branches and agencies of foreign banks, as well as all New York licensed check cashers and money transmitters (but not credit unions) (collectively, the “Regulated Institutions”).

The rulemaking was announced in December 2015 by New York’s Governor Cuomo as “a new anti-terrorism and anti-money laundering regulation that includes — among other important provisions — a requirement modeled on Sarbanes-Oxley that senior financial executives certify that their institutions have sufficient systems in place to detect, weed out, and prevent illicit transactions.”[1]  It was published in the New York State Register on December 16, 2015, and is open for public comment until March 31, 2016.  If adopted, it would be codified as a new Part 504 of the Superintendent’s Regulations.

Although the proposed rule purports not to alter existing federal requirements but only to provide “more granular guidance”, it substantively changes New York law by imposing New York-specific, non-risk-based standards over and above the federal standards governing Bank Secrecy Act, Anti-Money Laundering and Office of Foreign Assets Control (BSA/AML/OFAC) compliance, which are risk-based and allow for reasonable management judgment.

New York financial institutions subject to these rules will find it difficult to meet the New York standards, and compliance officers will likely resist providing certifications that risk criminal prosecution.  The rule may also require New York institutions to rely extensively on outside consultants, or detailed sub-certification processes, to enable compliance officers to provide the mandatory certifications.  Accordingly, the proposed rule, if adopted in its present form, will significantly disadvantage New York chartered and licensed financial institutions, make it harder for them to maintain effective BSA/AML/OFAC compliance programs, and make it more difficult to attract and retain competent compliance officers.[2]

Certifications by the Chief Compliance Officer

The Proposed Rule would require the chief compliance officer (or functional equivalent official) (the “Senior Certifying Officer” or “SCO”) to certify, to the best of his or her knowledge, that he or she has reviewed, or caused to be reviewed, the institution’s Transaction Monitoring Program and the Watch List Filtering Program (the “Programs”) and that such Programs comply with all the requirements set forth in the Proposed Rule.[3]  The certification must be filed by the Regulated Institution by April 15th of each year.  The Proposed Rule specifically warns that an SCO who files an incorrect or false certification may be personally subject to criminal penalties.[4]

Potential Criminal Violations

The Proposed Rule includes among its statutory authorities a criminal statute (N.Y. Banking Law §672) that makes it a felony for a bank officer to make a false entry in a bank’s books or records (or omit to make a true entry) with intent to deceive, among others, any bank examiner or, in effect, the Superintendent.  There are not many cases under this section.  People v. Horvatt (3d Dept. 1932) 237 A.D. 289, 261 N.Y.S. 303, affirmed 262 N.Y. 508, 188 N.E. 41, and People v. Mangan, 1931, 140 Misc. 783, 252 N.Y.S. 44, each held that directors who submitted a call report for a bank that failed owing to the president’s defalcations were not responsible under the predecessor to the statute, since they did not gain personally nor have any involvement in the fraud giving rise to the failure, and that mere negligence, rather than intent to deceive, does not violate the statute.  A more recent third case, People v. Calandra, 1983, 117 Misc.2d 972, 459 N.Y.S.2d 549, does not alter the analysis.

In addition, New York Penal Law Sections 175.05, .10 and .15 (Falsifying business records) and 175.30 and .35 (Offering a false instrument for filing) define additional crimes that potentially could be charged should the certification prove false.  Falsifying business records and offering a false instrument for filing in the second degree each require intent to defraud as an element.  (See the Practice Commentaries for §§175.05 and 175.30).  Beyond this, criminal charges for aiding and abetting, misapplication of bank funds (i.e., receiving a bonus based on purported criminal activity) and other charges may follow in the hands of a determined prosecutor.  Regardless of the likelihood of conviction, the threat of criminal prosecution will have a chilling effect on incumbent SCOs, and on anyone asked to take on that responsibility.

Criminalizing Business Decisions Permitted Under Federal Law

By mandating New York specific requirements for BSA/AML/OFAC monitoring systems, and requiring that the SCO certify compliance with them, the Proposed Rule criminalizes decisions that, under federal law, involve significant management discretion.  The federal rules are risk based and, as pointed out in a recent FATF Report: “The [risk based approach] RBA is not a “zero failure” approach; there may be occasions where an institution has taken reasonable AML/CFT [counter-terrorist financing] measures to identify and mitigate risks, but is still used for [money laundering or terrorist financing] purposes in isolated instances.”[5]  In contrast, an SCO for a New York financial institution who believes that the firm’s transaction monitoring systems do not completely fulfill the rules’ requirements, even if they fully meet federal standards, would have the choice of providing the certification and risking criminal prosecution, or withholding certification and causing his or her employer to be targeted for violation of the Proposed Rule.

As a practical matter, given the complexity of the systems involved, it may be virtually impossible not to be second guessed by an examiner or prosecutor for a BSA/AML or OFAC error.  Looming as well is the growing concern of SCOs with personal liability of corporate officers and employees under the new U.S. Justice Department’s policy as articulated in the Yates Memo,[6] as well as the massive civil penalties levied by the NYSDFS and the Manhattan District Attorney’s Office, among others, against a number of foreign banks with New York licensed branches and agencies in recent years.[7]

These concerns are compounded by the fact that while the rule purports not to alter existing federal requirements but only to provide “more granular guidance”, it nonetheless substantially differs from the federal regime.  Federal BSA/AML/OFAC rules adopt a risk-based standard that relies heavily on reasonable management judgment, while the New York proposal creates a highly structured and normative regime.[8] It also substantively adds to pre-existing New York law, which required Regulated Institutions to establish and maintain anti-money laundering programs that comply with applicable federal law and to comply with the regulations issued by OFAC.[9]

Certifications based on matters outside the control of the senior compliance officer

The Proposed Rule requires the SCO to certify as to several matters that are outside his or her control.  For example, BSA/AML/OFAC monitoring systems are built upon, among other things, each Regulated Institution’s customer identification program (“CIP”) and related customer risk assessments.  While the SCO, subject to Board of Directors approval,[10] may be responsible for the institution’s CIP, the CIP is implemented at the ground level by numerous and, in large institutions, hundreds or thousands of branch personnel, private bankers and lending and trust officers, who do not report to, and whose priorities appropriately differ from, the SCO.  Similarly, systems work will be the responsibility of the institution’s information technology department or outside vendors.  In this connection, the Proposed Rule requires the SCO to account for “other relevant areas, such as security, investigations and fraud prevention.”

The BSA Manual states that: “When multiple departments are responsible for researching unusual activities … the lines of communication between the departments must remain open.”[11]  However, the responsibility of ensuring that these lines of communication remain open is with senior management, not the SCO.  In order for the SCO to provide the mandated certification, he or she may need assurance that the systems are compliant from outside consultants, or from sub-certifications from all relevant areas, or both.

Likewise, the proposed rule requires the SCO to certify that the transaction monitoring systems are, in effect, adequately funded,[12] which, as discussed later, is also a matter that will be ultimately determined by senior management and the Board of Directors, rather than by the SCO.

Substantive changes to AML/BSA/OFAC monitoring requirements

The proposed rule creates a series of requirements, either explicit or implicit, that fail to acknowledge the significance of management’s risk-based approach to its BSA/AML/OFAC monitoring systems, as contemplated by federal law.

100% interdiction standard; barring adjustments to monitoring systems

The Proposed Rule appears to require that OFAC monitoring systems interdict all unlawful transactions[13] and also bars Regulated Institutions from making “changes or alterations” to the transaction monitoring programs “to avoid or minimize filing suspicious activity reports, or because the institution does not have the resources to review the number of alerts generated by a Program…”.[14]  Specifically, Section 504.3(b)(2) of the Proposed Rule requires that the OFAC monitoring system be based on the institution’s particular risks, transaction and product profiles, but nonetheless fails to recognize that a monitoring system may have thresholds consistent with those risks that will not identify all potential transactions subject to OFAC sanctions, regardless of risk.  Note 4 to the Proposed Regulation states, in relevant part: “This regulation does not mandate the use of any particular technology, only that the system or technology used must be adequate to capture prohibited transactions.”

However, the federal regulators recognize that the OFAC screening system does not require a “zero failure” approach and should have thresholds consistent with an institution’s risk assessment that may not identify all potential transactions subject to OFAC sanctions.  The BSA Manual states that “Decisions to use interdiction software and the degree of sensitivity of that software should be based on a bank’s assessment of its risk and the volume of its transactions.  In determining the frequency of OFAC checks and the filtering criteria used (e.g., name derivations), banks should consider the likelihood of incurring a violation and available technology.”[15]

The federal approach (and the State’s approach prior to the Proposed Rule) to setting thresholds for monitoring systems provides a good deal of flexibility and recognizes that there is always a tradeoff between a system’s ability to identify all transactions potentially covered and the need to avoid substantial numbers of false positives.  In the OFAC context, the lists of names that must be screened contain many names and spelling variations, the software may identify other, non-listed spelling variations and, in any case, there are many very commonly used names on the lists.  If the screen is set too broadly, there will be many false “hits” that will require substantial time and resources to resolve.  In this case, the BSA Manual advises: “The bank’s policies, procedures, and processes should also address how the bank determines whether an initial OFAC hit is a valid match or a false hit.  A high volume of false hits may indicate a need to review the bank’s interdiction program.”[16]  Even the NYSDFS has recognized this issue in an enforcement action agreed to after the issuance of the Proposed Rule, which requires the subject institution to include, in a written plan to enhance its compliance with OFAC regulations: “procedures to ensure that the processes used to suppress repetitive false positives are periodically reviewed and updated to ensure appropriateness and relevance.”[17] [Italics added.]

An institution’s transaction monitoring systems both at implementation, and thereafter, need to be adjusted to reduce the number of false alerts, which detract from an institution’s ability to address “true” alerts.  Implementation of any transaction monitoring system is an iterative process that uses the risk-based settings of the system to minimize the number of false alerts and maximize the number of “true” alerts.  Accordingly, given that this iterative process is found in the development and ongoing or periodic maintenance of every monitoring system, it is hard to see how an SCO can certify compliance with the foregoing prohibitions.  An SCO may also find it difficult to certify to the funding that supports the transaction monitoring systems, knowing that their settings have been optimized, and continue to be optimized, in this manner.
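The threshold tradeoff and the iterative tuning described in the two preceding paragraphs can be made concrete with a small screening simulation. The code below is an added illustration, not part of the Nixon Peabody post and not any vendor’s product: the watch-list entries and payment parties are invented, a plain string-similarity ratio from Python’s standard library stands in for commercial “fuzzy logic”, and the two thresholds (0.85 and 0.65) are arbitrary choices made for the demonstration. Running the same constructed payments at a tight and a loose threshold shows the tension the text describes: the tight setting misses a transliterated listed name, the loose setting catches it but generates false hits on common names, and a reviewed suppression list for a cleared false positive reduces the analyst workload without changing the true hits.

```python
import re
from difflib import SequenceMatcher

# Constructed watch list (invented names, not taken from any real sanctions
# list). Each listed name maps to its known aliases / spelling variants.
WATCH_LIST = {
    "Ivan Petrovich Volkov": ["Volkov, Ivan", "I. P. Volkov"],
    "Global Trade Export Co": ["Global Trade Exports"],
    "Mohammed Ali": [],
}

# Constructed payment parties with the ground truth an investigator would
# establish after review: True means the party really is the listed person.
SAMPLE_PAYMENTS = [
    ("VOLKOV IVAN", True),
    ("Ivan Wolkow", True),             # transliteration variant of a listed name
    ("Global Trade Exports Co.", True),
    ("Mohamed Ali", True),
    ("Mohammed Ali Hassan", False),    # common name, different person
    ("Ivan Petrov", False),
    ("Global Traders Inc", False),
    ("Jane Doe", False),
]


def normalize(name):
    """Lower-case, drop punctuation and sort tokens so word order is ignored."""
    return " ".join(sorted(re.findall(r"[a-z0-9]+", name.lower())))


def similarity(a, b):
    """Similarity in [0, 1] between two names after normalization.

    difflib's ratio is a stand-in for a vendor's fuzzy-matching score.
    """
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def best_match(name):
    """Highest-scoring watch-list entry as (listed name, score) for one party."""
    best_name, best_score = None, 0.0
    for listed, aliases in WATCH_LIST.items():
        for variant in [listed, *aliases]:
            score = similarity(name, variant)
            if score > best_score:
                best_name, best_score = listed, score
    return best_name, best_score


def screen(payments, threshold, suppressed=frozenset()):
    """Run the screen at one sensitivity threshold.

    Returns counts of true hits (listed parties stopped), false hits
    (innocent parties an analyst must clear) and misses (listed parties
    that slipped through). `suppressed` holds normalized names that an
    investigator has already cleared as repetitive false positives; such a
    list must itself be reviewed periodically, because a suppressed name
    that later turns out to be a listed party would become a miss here.
    """
    result = {"true_hits": 0, "false_hits": 0, "missed": 0}
    for name, truly_listed in payments:
        if normalize(name) in suppressed:
            hit = False
        else:
            _, score = best_match(name)
            hit = score >= threshold
        if hit and truly_listed:
            result["true_hits"] += 1
        elif hit:
            result["false_hits"] += 1
        elif truly_listed:
            result["missed"] += 1
    return result


if __name__ == "__main__":
    for threshold in (0.85, 0.65):
        print(f"threshold {threshold}: {screen(SAMPLE_PAYMENTS, threshold)}")
    # After an analyst documents that this party is not the listed person,
    # the repetitive false positive is suppressed on the next run.
    cleared = frozenset({normalize("Mohammed Ali Hassan")})
    print(f"threshold 0.65 with suppression: "
          f"{screen(SAMPLE_PAYMENTS, 0.65, cleared)}")
```

With these constructed inputs the tight threshold (0.85) stops three of the four listed parties and misses the transliterated “Ivan Wolkow” with no false hits, while the loose threshold (0.65) stops all four but also flags two innocent parties; suppressing one cleared name brings the false hits down to one. Which setting is “adequate” is exactly the risk-based judgment the text says the Proposed Rule leaves no room for.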

Continuous risk monitoring and watch list updates

The Proposed Rule appears to require that each regulated institution continuously revise its BSA/AML/OFAC risk assessments on which its monitoring systems are based.  The Proposed Rule defines “Risk Assessment” as “an ongoing comprehensive risk assessment, including an enterprise wide BSA/AML risk assessment, that takes into account the institution’s size, businesses, services, products, operations, customers/counterparties/other relations and their locations, as well as the geographies and locations of its operations and business relations…”.[18] [Italics added.]  It requires that the institution’s monitoring systems be based on its “risk assessment”, as defined, and that the institution “map its BSA/AML risks to the institution’s businesses, products, services, and customers/counterparties…”.[19]

While these provisions accurately state the overall goal of a firm’s BSA/AML/OFAC risk assessments and their role in developing its overall BSA/AML/OFAC program, of which the monitoring systems are a part, the federal requirements, as set forth in the BSA Manual, are far more nuanced, and specifically provide that unless there are changes in the institution’s risk profile, such as a merger, or the introduction of new products or services, “it is a sound practice for banks to periodically reassess their BSA/AML risks at least every 12 to 18 months.”[20] [Italics added.] This is a far cry from the rule’s mandate of an “ongoing comprehensive” assessment of BSA/AML/OFAC risk on which a violation of the rule and criminal penalties can be predicated.  The Proposed Rule should make clear that the “ongoing assessment” refers to the standard set forth in the BSA Manual.

The Proposed Rule also requires that the firm’s suspicious activity monitoring system “reflect all current BSA/AML laws, regulations and alerts, as well as any relevant information available from the institution’s related programs and initiatives, such as ‘know your customer due diligence’, ‘enhanced customer due diligence’ or other relevant areas, such as security, investigations and fraud prevention…”.[21]  [Italics added.]  Regulated Institutions and their SCOs will certainly seek to meet this requirement; however, the sheer volume of these issuances and the number of changes render a certification that the monitoring systems fully comply with the foregoing, even subject to a knowledge exception, difficult to provide.

Funding

As noted earlier, the Proposed Rule in effect requires that Regulated Institutions adequately fund their BSA/AML/OFAC monitoring systems.  In a risk based regulatory environment, there are a wide variety of choices to be made by management and the Board of Directors in implementing, operating and maintaining such systems, and each option carries a different cost.  Acquisition and implementation costs of these systems range from a few hundred thousand dollars to multi-millions of dollars, with no assurance that a more expensive system will generate the desired result.  The ongoing maintenance of these systems has become a very substantial element of most financial institutions’ ongoing cost structures, including IT operating and maintenance costs to ensure that the systems remain current and secure, the ongoing customer identification and reporting requirements affecting virtually all areas of the institution, and the cost of addressing all alerts, both true and false, generated by the systems.  These latter costs are measured in the number of AML analysts, investigators and managers needed to determine whether an alert is true or false, their time to fully document the determination, including documenting the reasons why an alert was determined to be false, and to take the required action, such as filing a Suspicious Activity Report or blocking or rejecting a transaction.  In addition, periodic validations of these systems by outside independent consultants are also required, which may be compounded by the costs incurred to outside consultants to enable the SCO to provide his or her required certification.

While an SCO will have input into his or her budget, of which BSA/AML/OFAC compliance is a significant part, the SCO will not have final decision-making power over the budget, which typically is in the hands of senior management and the board of directors, who must allocate finite resources over numerous priorities.  Implicating the budget process in a prescriptive regulation such as the Proposed Rule opens the door to significant issues for any institution.  Imagine a civil or criminal prosecution based on the budget discussions of the SCO with senior management, and of senior management with the board of directors.  If the Proposed Rule is adopted in its current form, such discussions and their outcomes will need to be carefully documented and justified, even beyond the current level of detailed minutes expected by examiners.  In the existing risk-based BSA/AML/OFAC compliance regime under federal law, there is ample room for variation in the level of funding needed to appropriately manage the institution’s BSA/AML/OFAC compliance risks.  Under the prescriptive requirements of the Proposed Regulation, there may be little room for such variation.

Easy to understand documentation

The Proposed Rule requires that BSA suspicious activity monitoring systems include “easily understandable documentation that articulates the institution’s current detection scenarios and the underlying assumptions, parameters, and thresholds…”.[22] However, these systems, as described in the BSA Manual, range in complexity from moderately to severely complicated.  Of necessity, the systems must monitor multiple types of transactions, including deposits, withdrawals, funds transfers, automated clearinghouse (ACH) transactions, and automated teller machine (ATM) transactions, most often directly from the bank’s core data processing systems.  Some can adapt over time based on historical activity, trends, or internal peer comparisons.  The monitoring system can employ multiple rules, overlapping rules, and complex filters, including against individual customer-account profiles.  “Intelligent” systems can adapt and filter transactions based on historical account activity or compare customer activity against a pre-established peer group or other relevant data in context with other transactions and the customer profile, building data on each customer over time.[23]  The documentation of these systems will be as complex as is needed to describe the underlying system, and while it should be drafted so that a person reasonably acquainted with bank operations and money laundering tools can understand it, it is doubtful that it will be “easily understandable” by a lay person.  The same may also be said for the documentation of the institution’s OFAC screening system, which in most institutions uses “fuzzy logic” and various algorithms to identify potential prohibited transactions.[24]  Accordingly, without clarification, an SCO could not certify to this aspect of the regulation, even with the best drafted documentation.

Real-time monitoring

Section 504.1 (Background) of the Proposed Rule states that: “The Department believes that other financial institutions may also have shortcomings in their transaction monitoring programs for monitoring transactions for suspicious activities, and watch list filtering programs, for ‘realtime’ interdiction or stopping of transactions on the basis of watch lists, including OFAC or other sanctions lists, politically exposed persons lists, and internal watch lists.”

The reference to “real-time interdiction” presumes that the monitoring systems used by financial institutions uniformly function on a real-time basis, when, in fact, there is substantial variation both in the systems used and in the types of transaction processing involved.  Much transaction processing is still handled on a batch basis, either at various times during the day or at night.  Under the current federal requirements, financial institutions can make a reasonable business judgment as to the most effective way of processing such transactions and a risk-based judgment as to the manner in which they identify transactions required to be frozen or rejected under the OFAC rules.  The key is that the transactions are properly handled, not how the processing occurs.

Use of manual monitoring systems

Generally, the Proposed Rule gives a nod to the possibility of using manual monitoring systems.[25]  However, its language and very specific requirements strongly suggest that manual systems will not likely be compliant.  In practice, virtually every insured depository institution and large money services business, e.g., Western Union and MoneyGram, makes use of automated monitoring systems that vary in complexity based on the nature of its business.  However, the Proposed Rule could jeopardize the business of small community banks and thrifts, and small check cashers and money transmitters, adding to the existing tension between society’s desire to provide banking and financial services to as many people of varied economic condition as possible, and the costs and risks of failing to comply with the BSA/AML/OFAC rules.

ENDNOTES

[1] See NYSDFS Press Release dated December 1, 2015, available at: http://www.dfs.ny.gov/about/press/pr1512011.htm.  The proposed rule and related material can be found at: http://www.dfs.ny.gov/legal/regulations/proposed/banking/prop_banking_archive.htm.

[2] Any comments on the draft regulation should be submitted to the NYSDFS at comments@dfs.ny.gov by March 31, 2016.

[3] The form of certification is Attachment A to the Regulation and reads in full as follows:

Annual Certification For Bank Secrecy Act/Anti-Money Laundering and Office of Foreign Asset Control Transaction Monitoring and Filtering Programs To New York State Department of Financial Services

In compliance with the requirements of the New York State Department of Financial Services (the “Department”) that each Regulated Institution maintain a Transaction Monitoring and Filtering Program satisfying all the requirements of Section 504.3 and that a Certifying Senior Officer of a Regulated Institution sign an annual certification attesting to the compliance by such institution with the requirements of Section 504.3, each of the undersigned hereby certifies that they have reviewed, or caused to be reviewed, the Transaction Monitoring Program and the Watch List Filtering Program (the “Programs”) of (name of Regulated Institution) as of ___________ (date of the Certification) for the year ended________(year for which certification is provided) and hereby certifies that the Transaction Monitoring and Filtering Program complies with all the requirements of Section 504.3.

By signing below, the undersigned hereby certifies that, to the best of their knowledge, the above statements are accurate and complete.

Signed:

Name: ______________________________ Date: __________________

Chief Compliance Officer or equivalent

[4] See §§504.4 and .5 of the Proposed Rule.  §504.5 states, in relevant part, that: “A Certifying Senior Officer who files an incorrect or false Annual Certification also may be subject to criminal penalties for such filing.”

[5] See Financial Action Task Force (FATF) Guidance for a Risk-Based Approach Money or Value Transfer Services, February 2016, p. 15, at: http://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-RBA-money-value-transfer-services.pdf.

[6]  See memorandum dated September 9, 2015 from Deputy Attorney General Yates, at:  http://www.justice.gov/dag/file/769036/download.

[7] See, e.g., NYSDFS Orders dated August 6, 2012, September 21, 2012 and August 19, 2014 (civil penalties totaling $640 million from Standard Chartered Bank); November 18, 2014 ($315 million from The Bank of Tokyo-Mitsubishi UFJ, Ltd.); and March 12, 2015 ($610 million from Commerzbank A.G.) and October 15, 2015 ($385 million from Crédit Agricole S.A.).  The NY County (Manhattan) District Attorney’s Office has pursued parallel and, in some cases, independent prosecutions of BSA/AML/OFAC violations against banking institutions.  See, NY County District Attorney Press Release dated October 20, 2015 regarding a Deferred Prosecution Agreement and penalty of $312 million against Crédit Agricole S.A., which also lists similar prosecutions.

[8] Federal regulations applicable to state chartered and national banks and federal savings associations mandate that they maintain a BSA program reasonably designed to ensure compliance with the Treasury Department’s BSA rules.  The program must also be approved by the bank’s board of directors.  For example, the FRB’s Regulation H §208.63(b), 12 C.F.R. §208.63(b), applicable to state member banks, provides as follows:

“(b) Establishment of BSA compliance program—(1) Program requirement. Each bank shall develop and provide for the continued administration of a program reasonably designed to ensure and monitor compliance with the recordkeeping and reporting requirements set forth in subchapter II of chapter 53 of title 31, United States Code, the Bank Secrecy Act, and the implementing regulations promulgated thereunder by the Department of the Treasury at 31 CFR part 103. The compliance program shall be reduced to writing, approved by the board of directors, and noted in the minutes.” [Italics supplied.]

Identical regulations apply to national banks and federal savings associations (12 C.F.R. §21.21(b)) and FDIC insured nonmember banks (12 C.F.R. §326.8(b)(1)).  The underlying regulations are issued by the Financial Crimes Enforcement Network (“FinCEN”) and the Office of Foreign Assets Control (“OFAC”) of the U.S. Department of the Treasury, 31 C.F.R. Chapter X (FinCEN) and Chapter V (OFAC).

The federal standards applicable to all BSA/AML/OFAC compliance matters are set forth in nuanced detail in the 440 page BSA/AML Examination Manual (the “BSA Manual”) published by the Federal Financial Institutions Examination Council (“FFIEC”), which includes both federal and state representatives:  the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), the Consumer Financial Protection Bureau (CFPB), and the State Liaison Committee (SLC), which includes representatives from the Conference of State Bank Supervisors (CSBS), the American Council of State Savings Supervisors (ACSSS), and the National Association of State Credit Union Supervisors (NASCUS). The BSA/AML Manual is available at:  https://www.ffiec.gov/bsa_aml_infobase/documents/BSA_AML_Man_2014_v2.pdf.  In contrast, the Proposed Rule encapsulates large portions of the BSA Manual in a few pages of mandates.

[9] See, 3 NYCRR Parts 115, 116, 416 and 417.

[10] See note 8, supra.

[11] BSA Manual at p. 67.

[12] See Proposed Rule §504.3(c)(6): “Each Transaction Monitoring and Filtering Program shall, at a minimum, require the following:  6. Funding to design, implement and maintain a Transaction Monitoring and Filtering Program that complies with the requirements of this Part…”.

[13] See Proposed Rule §504.3(b)(2) and the related footnote 4, discussed in the succeeding paragraph.

[14] See Proposed Rule §504.3(d) which states, in full, as follows:

“No Regulated Institution may make changes or alterations to the Transaction Monitoring and Filtering Program to avoid or minimize filing suspicious activity reports, or because the institution does not have the resources to review the number of alerts generated by a Program established pursuant to the requirements of this Part, or to otherwise avoid complying with regulatory requirements.”

[15] BSA Manual at p. 147.

[16] Id.

[17] See Written Agreement among the Industrial Bank of Korea, its New York Branch, the FRB and the NYSDFS dated February 24, 2016, at: http://www.federalreserve.gov/newsevents/press/enforcement/enf20160301a1.pdf.

[18] Proposed Rule §504.2(f).

[19] Proposed Rule §§504.3(a)(1), (a)(3), and 504.3(b)(1).

[20] BSA Manual at p. 24.

[21] Proposed Rule §504.3(a)(2).

[22] Proposed Rule §§504.3(a)(6) and (b)(6).

[23] BSA Manual pp. 65-66.

[24] OFAC’s description of its own web-based search service is illuminating.  OFAC Q&As #246 through #253 describe the complexities and discretion involved in using fairly sophisticated OFAC screening software.  These are available at: https://www.treasury.gov/resource-center/faqs/Sanctions/Pages/faq_lists.aspx.

[25] Proposed Regulation §§504.3(a) and (b).

The preceding post comes to us from Nixon Peabody.