On January 1st 2017 New York State’s Department of Financial Services (DFS) Part 504 went live. This rule provides a clarification on how OFAC and other lists are screened and how transactions are monitored. The impacts of this rule may one day be felt across the US, as other regulators also move to a more progressive approach to financial crime regulation.
In fact, at the Securities Industry and Financial Markets Association (SIFMA) Anti-Money Laundering and Financial Crimes Conference in NYC last month, Comply was on hand to hear Part 504 identified by the panel as one of the hottest topics impacting AML and financial crime compliance.
Why a New Rule?
Part 504 has been introduced to fortify New York State’s Anti-Money Laundering (AML) regulations. In the eyes of the DFS the current OFAC rules and enforcement have allowed too much money to fall through the cracks for far too long.
The primary aim of the new rule is to bring AML measures firmly into the 21st century, placing heavy emphasis on technology to revamp watchlist screening. Additionally it ties up many of the loose ends that have in the past made combating money laundering confusing. The rule applies to all companies that come under the regulated financial companies umbrella including everything from check cashers to trust companies.
What you Need to Know
The biggest change comes to watchlist filtering programs. These must now be based on “technologies or tools for matching names and accounts”. The systems implemented by regulated companies must be end-to-end, tested both pre- and post-implementation, and must cover OFAC sanctions and watchlists. This differs from the old regime, which did not stipulate the need for a technological solution.
Part 504 clarifies the approach companies should take to transaction monitoring; however, it does not stipulate that this has to be based on technological solutions. It does require companies to test their chosen solution to ensure that it is in line with the evolving regulatory landscape and the company’s risk exposure.
For both watchlist filtering and transaction monitoring programs, companies must perform ongoing analysis of the quality of the solution they have selected. Companies should produce documentation that explains why they have selected that specific system and be able to justify this convincingly. This brings to an end the use of ‘black box’ technologies and increases transparency in compliance. Companies must additionally be able to identify where the data they use has come from and assure its quality.
Know Your Risk
Part 504 drives home once again the need for an adequate and routinely updated risk assessment. Companies who perform watchlist filtering will have to acknowledge the shortfalls of the technology they have chosen by assessing its logic in accordance with a company’s risk exposure, justifying the parameters they have chosen. For both transaction and watchlist screening all changes must be fully audited so that effective investigations can be carried out.
For the first time, companies will have to submit a certificate from either their Board or Senior Officer guaranteeing that they have complied with Part 504. This must be done each year by April 15th and will be first due by April 15th 2018. Not only does this come with superintendent penalties for non-submittal, but it also forces senior management to become more involved in their company’s AML compliance.
The new rule also stipulates the need for appropriate training and periodic retraining of the relevant stakeholders – meaning that employees won’t be able to claim ignorance as a defense.
What Comply finds especially interesting about this rule is how the DFS is actively encouraging regulated firms to embrace technology. Often we hear companies are concerned about onboarding new technologies in case regulators disapprove of them further down the line.
However, this rule shows a considerable shift in US regulator attitude: no longer are they either skeptical of or tentatively encouraging innovation. They are making technology a necessary component of AML compliance programs, highlighting especially for watchlist monitoring that manual solutions are no longer fit for purpose. Plus, the industry shift towards real-time means newer FinTech business models want to be able to make decisions immediately and increase straight-through processing.
This should bring a resounding sigh of relief from the global compliance community, who know all too well just how unsustainable manual compliance solutions have become and how new technologies are needed to improve this. It is also clear that the DFS is trying to make companies plan their compliance roadmap well in advance. Making them more proactive than reactive should mean that companies can mitigate developing errors much faster than before. The DFS has also been wise to try and tackle the problem of senior level complacency towards compliance with the certification requirement – a recurrent problem in AML violations. This should empower compliance officers whilst also strengthening AML compliance.