On December 1st, the New York Department of Financial Services (“DFS”) released a lengthy notice around the soundness and security of anti-money laundering processes and technology. Based on the increasing number of fines and perceived lapses in AML systems at financial institutions in New York, the DFS not only provided a detailed assessment on the expectations that it has of regulated financial institutions within the state, but it also took the next step by requiring that a designated entity within the institutions annually “attest” to the soundness, detail and security of AML monitoring systems. Based on the problems seen over the years with respect to AML monitoring and policies, this pronouncement should not come as a surprise and arguably is long overdue.
According to the DFS, “As a result of these investigations, the Department has uncovered (among other issues) serious shortcomings in the transaction monitoring and filtering programs of these institutions and that a lack of robust governance, oversight, and accountability at senior levels of these institutions has contributed to these shortcomings.” This is certainly a strong statement that points to both management lapses at the top of many organizations, and a lack of consistency in terms of applying policies.
This excerpt is a powerful statement for many other reasons, too. Essentially, the DFS is saying that, even in one of the most heavily regulated jurisdictions in the world, there are still significant and serious gaps in AML programs which are potentially being exploited for money laundering and terrorism financing purposes. With the rise of well-funded and organized terrorist groups around the world, coupled with the push from the Federal Government for transparency in money movements, the DFS wants to ensure that the state’s financial institutions continue to evolve and improve their systems to meet these ongoing threats and initiatives.
But this notice went beyond the expected in several other ways. In the statement, the DFS emphasized, “No regulated institution may make changes or alterations to the Transaction Monitoring and Filtering Program to avoid or minimize filing suspicious activity reports, or because the institution does not have the resources to review the number of alerts or to otherwise avoid complying with regulatory requirements.”
Financial institutions commonly argue with regulators that they simply cannot scale, in terms of human resources, to meet the requirements demanded of them – specifically to properly investigate and review all alerts which arise from a system. Thus, with the risk-based approach, financial institutions will often deprioritize those alerts which they view as less risky. The DFS, however, now appears to be influenced by a test it did earlier this year with an organization it later fined. During its investigation, the DFS analyzed a set of data and informed the institution that there were at least a million alerts which should have been raised and which were not. Going forward, the DFS decided that FIs must demonstrate that they are no longer taking this approach and must now document why alerts are not being raised. In addition, if there is a backlog of alerts, the institution must now be able to show what is being done to address the problem.
To be specific, the DFS stated that, “… to ensure compliance with the requirements, each institution shall submit to the Department by April 15 of each year certifications duly executed by its chief compliance officer or functional equivalent.”
For the US and the State of New York, this is a significant step. Other countries around the world have already implemented a policy around “attestations” in which an appointed officer of a financial institution annually confirms the safety and soundness of its AML program. This move by the DFS not only establishes further legal requirements, but also pressures AML departments to be completely and consistently secure in their policies and procedures.
So in light of these new directives, what should a financial institution do? Here are five broad areas which compliance officers should immediately evaluate within their institutions:
- Testing: Evaluate the state of end-to-end, pre- and post-implementation testing programs around data mapping, model validation and other processes.
- Documentation: Provide clear documentation that articulates the current detection scenarios and assumptions used to create thresholds and other factors.
- Risk: Establish well-ordered mapping of the AML risks to the institution’s businesses, products, services, and customers/counterparties.
- Governance: Create or update policies and procedures governing these changes to ensure that new criteria affecting these new rules are well-defined, managed, controlled, reported, and audited.
- Processes: Establish firm protocols detailing how alerts generated will be investigated and which alerts will result in a filing.
In summary, this is not a surprising development from the DFS, and a significant percentage of financial institutions within the State of New York already do meet the requirements laid out by the DFS. However, the DFS has now drawn a line in the sand for their future expectations and financial institutions now find themselves under a heightened level of scrutiny and additional stress.
Considering the current events in the news, and the position of New York on the world’s stage, the strictness is, perhaps, a necessity for the AML world, the soundness of our financial systems and the safety of our citizens.