NYDFS Superintendent's Regulations Part 504

Aug 28, 2017

The Road to Annual Certification


Key Dates

June 30, 2016: Adoption of Part 504 of the Superintendent's Regulations (Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications)

January 1, 2017: Effective date of Part 504 of the Superintendent's Regulations (Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications)

April 15, 2018: Submission of First Certification under Part 504 of the Superintendent's Regulations (Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications)

Compliance required effective January 1, 2017


Background for Part 504 Regulation

Financial institutions use various methods, tools, systems and processes for transaction monitoring and sanction filtering. While some institutions have demonstrated effective controls and periodic independent reviews, analysis and audits of these processes and systems, various shortcomings have also been noticed by regulators or by independent third parties. In at least a few instances, the weaknesses and shortcomings have raised questions about corporate governance and the robustness of the transaction monitoring and sanction filtering programs, which can lead to failure to identify suspicious activities and to interdict prohibited transactions.

The New York State Department of Financial Services ("DFS"), on the basis of its investigations into compliance by institutions with applicable Bank Secrecy Act/Anti‐Money Laundering laws and regulations ("BSA/AML") and Office of Foreign Assets Control of the Treasury Department ("OFAC") requirements, identified shortcomings in the transaction monitoring and filtering programs of these institutions. The DFS also found that these shortcomings were attributable to a lack of robust:

  • Governance,
  • Oversight, and
  • Accountability at senior levels.

The determination by the DFS led to this regulation.

Purpose of Regulation

The regulation Part 504 serves to clarify the expected attributes of:

  1. Transaction Monitoring Program, and
  2. Filtering Program

The regulation also requires that covered entities implement a process whereby the Board of Directors or Senior Officer(s) are required to ascertain compliance by the regulated entity, assure themselves of the status and submit an annual certification to the Superintendent.

Regulation Effective January 1, 2017

Applicability of Regulation

The regulation Part 504 is applicable to:

  • All banks, trust companies, private bankers, savings banks, and savings and loan associations chartered by New York State under the New York Banking Law.
  • All branches and agencies of foreign banking corporations licensed pursuant to the New York Banking Law to conduct banking operations in New York.
  • All check cashers and money transmitters licensed pursuant to the New York Banking Law.

1st Annual Certification due April 15, 2018

Record Retention and Regulatory Examination

All covered entities are required to maintain for examination by the New York State Department of Financial Services all records, schedules and data supporting adoption of the Annual Board Resolution or Senior Officer(s) Compliance Finding for a period of five years.

Required Key Governance regarding Transaction Monitoring and Filtering Programs

The governance requirements associated with both the Transaction Monitoring and Filtering Programs cover all four pillars of AML (and OFAC) Programs, including Training and Audit. Specifically, the regulations require adequate:

  • Governance and management oversight.
  • Policies and procedures governing changes to the Transaction Monitoring and Filtering Program.
  • Audit coverage, including for required attributes of Transaction Monitoring and Filtering Programs.
  • Identification of all data sources; data extraction and loading processes.
  • Validation of the integrity, accuracy and quality of data flowing through the Programs.
  • Vendor selection process if a third-party vendor is used.
  • Funding to design, implement and maintain the programs.
  • Use of qualified personnel or outside consultant(s) responsible for various aspects of the Programs, including design, planning, implementation, operation, testing, validation, on‐going analysis, case management, review and decision making with respect to generated alerts and potential filings.
  • Periodic training of all stakeholders with respect to these Programs.

Required Key Attributes of Transaction Monitoring Program

The Transaction Monitoring Program should be based on the risk assessment to align with the institution's businesses, products, services, customers and counterparties. While the monitoring system can be manual or automated, or even a combination of both, the program is required to be maintained as a living document that is reviewed and periodically updated based on various triggers, including changes in laws, regulations and guidelines; results of on-going analysis about relevance and adequacy of detection scenarios, rules, thresholds, parameters, assumptions, etc.; and changes to the institution's risk profile.

The program is required to ensure that the institution has effective detection rules and scenarios with appropriate thresholds to detect potential money laundering or other suspicious or illegal activities. The institution is also required to maintain adequate documentation articulating the institution's current detection scenarios and the underlying assumptions, parameters, and thresholds, as well as protocols for review and disposition of alerts, investigation process and decision making.

The regulation also mandates an end‐to‐end, pre‐ and post‐implementation testing of the Transaction Monitoring Program, including review of governance, data mapping, transaction coding, detection scenario logic, model validation, data input and program output.

Required Key Attributes of Filtering Program

The Filtering Program should be based on the risk assessment, and the system or technology used must be reasonably designed to identify prohibited transactions. The regulation does not mandate any technology or logic, and the institutions may use the tools deemed appropriate by them, aligning with the institution's risk, transactions, products and customers. The institution is, however, required to maintain adequate documentation articulating the institution's intent and design of the Filtering Program tools, processes or technology used.

The program is required to be maintained as a living document that is reviewed and periodically updated based on various triggers, including results of on-going analysis about logic and performance of the technology or tools used, results of audits, regulatory examination and internal/independent reviews and validations that are performed.

The regulation also mandates an end‐to‐end, pre‐ and post‐implementation testing of the Filtering Program, including review of data matching, evaluation of threshold settings, logic of technology or tools used, model validation, data input and program output.

The regulation supplements the BSA/AML and OFAC regulations and serves to mandate certain attributes in the Transaction Monitoring and Filtering Programs maintained by institutions so that these programs are robust and are periodically reviewed and tested; it also formally introduces the pre- and post-implementation testing requirements.

As with the existing AML and OFAC Compliance infrastructure, all three lines of defense have a crucial role in ensuring that the institution can achieve compliance and submit the required certification.

Key Steps to Certification

[Figure not reproduced; surviving label: Corp Governance]

Accume Partners' Services Regarding Part 504 Compliance

Accume Partners has been assisting various covered entities in achieving compliance with the DFS Regulation through various services:

1. Gap Assessment, Program update and documentation

2. Implementation and Monitoring

3. Training on Transaction Monitoring and Filtering

4. Model Validation of AML System and OFAC Filter

5. Pre- and Post-Implementation Audits/Reviews of new AML Systems and OFAC Filter Implementations and Version/System Upgrades

6. Comprehensive Testing and Audit for compliance with Part 504 Regulation

7. Compilation of Reports and Support for Certification, including remedial efforts planned or in-process to address identified weaknesses or deficiencies.

Email: information@accumepartners.com ; Phone: 888.696.1515

This opinion paper was written by Accume Partners' Managing Director and Leader of AML Practice, K.D. Mehra. With over 30 years of experience with regulatory issues, Mr. Mehra lends his expertise to all aspects of BSA/AML, internal audit and risk management. He is a speaker and trainer on BSA/AML/OFAC issues as well as a published author on various related topics.