Starting January 1, 2017, financial institutions with operations in New York will be required to maintain a risk-based transaction monitoring and filtering programme to ensure that the local financial system is not used for purposes of money laundering, terrorist financing, sanctions violations or other suspicious activities. The new requirements are outlined by the New York State Department of Financial Services (NYSDFS) in a final regulation (the Rule) set forth in Part 504 of Title 3 of the New York Codes, Rules and Regulations (NYCRR).

Branches and agencies of foreign banking corporations licensed pursuant to the New York Banking Law will also be subject to these regulations. The Rule was introduced in response to deficiencies in transaction monitoring processes identified by the NYSDFS, which it attributed to a lack of resilient governance, oversight and accountability at senior levels in financial institutions.

Who must comply with the new Rule?

It applies to all “Bank Regulated Institutions,” which includes:

  • All banks, trust companies, private bankers, savings banks, and savings and loan associations chartered pursuant to the New York Banking Law (the Banking Law); and
  • All branches and agencies of foreign banking corporations licensed pursuant to the Banking Law to conduct banking operations in New York.

New requirements imposed on Institutions

The Rule requires covered Institutions to:

  • Maintain a transaction monitoring programme for potential Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) violations and suspicious activity reporting;
  • Maintain a filtering programme to prevent transactions that are prohibited by the Office of Foreign Assets Control (OFAC); and
  • Submit an annual confirmation to the NYSDFS, supported by a board of directors’ resolution or senior officer compliance finding, regarding compliance with the Rule’s transaction monitoring and filtering programme requirements.

The regulations outline attributes which these manual or automated systems must contain, such as being based upon the Risk Assessment of the institution and updated regularly to ensure changes to BSA/AML laws are taken into account. Further, both the BSA and OFAC programmes are required to meet a number of data and governance requirements, some of which include the identification of all data sources that contain relevant data and validation of the integrity, accuracy and quality of data to ensure that all information is accurate.

Note that covered Institutions are required to maintain all records, schedules and data supporting the adoption of the resolution or finding for five years.

Consequently, a more detailed framework for implementing and maintaining a compliance programme is needed. Financial institutions will need to carry out ongoing analysis to assess the logic and performance of the technology and tools for matching functionality. Institutions that have a New York nexus are particularly exposed and must ensure appropriate controls are in place to comply with these new requirements.

What happens if Institutions do not comply?

Despite this rule only being effective in the State of New York, the financial and reputational cost of non-compliance for financial institutions is rising as a result of global regulatory requirements changing and increasing. The Rule will be enforced by the Superintendent’s authority under any applicable regulations, which opens up the possibility that criminal penalties could be applied if a violation occurs.

Next steps companies should take

This new Rule demonstrates continued emphasis by US authorities on the enforcement of sanctions and other financial crime-related regulations. In addition to ensuring the implementation of effective transaction monitoring and filtering programmes, companies subject to these regulations should continuously review and enhance internal controls through activities including the following:

  • Financial Risk Assessments: Conduct focused assessments on trade controls and sanctions regulatory requirements, including a review of transaction monitoring risks and internal compliance programmes. Ensure these assessments are revisited on a regular basis to certify that internal controls reflect current business risks and are adapted accordingly to incorporate changes in both the regulatory environment and operating model.
  • Training: Provide training so that the relevant individuals have an appropriate level of technical and regulatory awareness needed to comply with the relevant regulations.
  • Audits: Conduct regular assessments of compliance programmes, policies, procedures and implemented software.
  • Compliance Programme Review and Design: Review, design, enhance and implement trade finance compliance programmes and develop trade finance compliance policies and procedures.
  • Screening: Conduct a transaction screening process review to assess the effectiveness of current screening tools, including matching logic and escalation/resolution procedures, to ensure the process is accurate and efficient.

Further details on the new Rule can be found on the NYSDFS website:

Katie Jackson is a Partner in Deloitte Forensic, and specialises in financial crime advisory.
Stacey Toder Feldman is a Director in Deloitte's Global Export Controls and Sanctions team.