New York Mandates Economic Sanctions Compliance Program
The New York State Department of Financial Services (DFS) has issued a regulation that requires certain New York regulated financial institutions to maintain programs to monitor and filter transactions for potential Bank Secrecy Act (BSA), anti-money laundering (AML) violations, and to prevent transactions with sanctioned entities. The rule, which became effective January 1, is Part 504 of DFS Superintendent’s Regulations [Rule] and details which institutions subject to DFS jurisdiction must comply. This regulation “will be enforced pursuant to [DFS’] authority under any applicable laws.” It is thus possible that violation of the rule could lead to penalties under New York’s banking and penal laws for falsifying business records, offering a false statement for filing, or failing to maintain accurate books and records.
This rule, which creates a requirement for the minimum attributes of a mandatory compliance program, is even more stringent than the economic sanctions requirements enforced by the US Department of the Treasury’s Office of Foreign Assets Control [OFAC], with respect to institutions subject to DFS jurisdiction under the rule.
No OFAC sanction regulation mandates the creation and maintenance of a screening or compliance protocol with any particular attributes per se. However, as a practical matter, the best practice has always been to maintain an OFAC compliance program to avoid any prohibited dealings or transactions with an OFAC-blocked or sanctioned party.
The New York regulation requires state-regulated institutions to submit annually a board resolution or senior officer compliance finding that confirms steps taken to ascertain compliance with the rule.
The rule also requires regulated institutions to review their transaction-monitoring and filtering programs and ensure that they are reasonably designed to comply with risk-based safeguards. The institutions also must adopt (at the institution’s option) an annual board resolution or senior officer compliance finding to certify compliance with the DFS regulation beginning April 15, 2018. The resolution or finding must state that documents, reports, certifications and opinions of officers and other relevant parties have been reviewed by the board of directors or senior official to certify compliance with the regulation.
Institutions must maintain supporting data for the certification, for review by DFS, for five years. Some key requirements of the new DFS regulation include the following:
Maintain a Watch List Filtering Program
Each regulated institution shall maintain a reasonably designed filtering program to interdict transactions that are prohibited by federal economic and trade sanctions, and which shall, to the extent they are applicable,
- be based on the risk assessment of the institution;
- be based on technology, processes or tools for matching names and accounts, in each case based on the institution’s particular risks, transaction and product profiles;
- include end-to-end, pre- and post-implementation testing of the filtering program, including, as relevant, a review of data matching, an evaluation of whether the OFAC sanctions list and threshold settings map to the risks of the institution, the logic of matching technology or tools, model validation, and data input and program output;
- be subject to on-going analysis to assess the logic and performance of the technology or tools for matching names and accounts, as well as the OFAC sanctions list and the threshold settings to see if they continue to map to the risks of the institution; and
- include documentation that articulates the intent and design of the filtering program tools, processes or technology.
Each Transaction Monitoring and Filtering Program shall require the following, to the extent they are applicable:
- Identification of all data sources that contain relevant data;
- Validation of the integrity, accuracy and quality of data to ensure that accurate and complete data flows through the program;
- Data extraction and loading processes to ensure a complete and accurate transfer of data from its source to automated monitoring and filtering systems, if automated systems are used;
- Governance and management oversight, including policies and procedures governing changes to the program to ensure that changes are defined, managed, controlled, reported and audited;
- Vendor selection process if a third party vendor is used to acquire, install, implement or test the program or any aspect of it;
- Funding to design, implement and maintain a program that complies with the requirements of the regulation;
- Qualified personnel or outside consultant responsible for the design, planning, implementation, operation, testing, validation and on-going analysis of the program, including automated systems if applicable, as well as case management, review and decision making with respect to generated alerts and potential filings; and
- Periodic training with respect to the program.
Annual Board Resolution or Senior Officer Compliance Finding
To ensure compliance with the requirements, each regulated institution shall adopt and submit to DFS a board resolution or senior officer compliance finding by April 15 of each year. Each regulated institution shall maintain for examination by DFS all records, schedules and data supporting adoption of the board resolution or senior officer compliance finding for a period of five years.