Enhancements Needed to Address Deficiencies
April is fast approaching, and with it comes the deadline for certification with the New York State Department of Financial Services (NYDFS) Part 504 rule. The requirements pose considerable challenges for financial institutions, and any regulated institution that fails to detect or report suspicious money laundering transactions may be found to be deficient and in violation of the NYDFS Part 504 Rule. Todd Pleune, Managing Director at Protiviti, details what you need to know to become compliant.
With the first deadline to certify annual compliance rapidly approaching on April 15, 2018, regulated entities are working hard to comply with the New York State Department of Financial Services (NYDFS) Part 504 rule. This rule is a risk-based anti-terrorism and anti-money laundering regulation that requires regulated institutions to maintain effective programs to monitor transactions for potential Bank Secrecy Act (BSA) and anti-money laundering (AML) violations and filter transactions to prevent sanctions violations. Regulated entities include most financial services businesses operating in New York state, such as banks, trust companies and other lenders, branches and agencies of foreign banking corporations, check cashers and money transmitters. The final rule was issued on June 30, 2016 and became effective on January 1, 2017, but work is still ongoing to enhance programs and processes and submit compliance findings by April 15, 2018.
Activities in progress as the deadline approaches include updating systems and processes, fine-tuning existing rules and conducting reviews and testing by independent model validation and internal audit. While the deadline is imminent, the Rule allows regulated institutions to document the identification of areas that require material improvement, updating or redesign and the planned remediation efforts underway. Many of these efforts are currently in progress.
Regulated institutions are required to assess the reasonableness, effectiveness and relevancy of the controls for transaction monitoring and sanction filtering models and programs. They are also required to submit documentation that articulates, among other things, current detection scenarios, name-filtering technology, underlying model assumptions, limitations, parameters, thresholds and processes. While these systems have been in place for the past several years, enhancements to both systems and documentation are still ongoing to satisfy these requirements.
The NYDFS Part 504 requirements pose considerable challenges for financial institutions. Any regulated institution that fails to detect or report suspicious money laundering transactions may be found to be deficient and in violation of the NYDFS Part 504 Rule. The rule exposes boards of directors and senior officers in regulated institutions to a heightened risk of personal liability.
Rationale for the Rule
When the rule was announced, NYDFS Superintendent Maria Vullo stated, “It is time to close the compliance gaps in our financial regulatory framework to shut down money laundering operations and eliminate potential channels that can be exploited by global terrorist networks and other criminal enterprises.” NYDFS was concerned that different types of financial institutions had various levels of compliance with existing federal regulations with respect to monitoring transactions for suspicious activities and real-time interdiction of transactions on the basis of watch lists, including Office of Foreign Assets Control (OFAC) or other sanctions lists, politically exposed person (PEP) lists and other watch lists.
To address these deficiencies, the NYDFS adopted requirements for transaction monitoring and filtering models, as well as a requirement for a certifying senior officer of a regulated institution to file an annual certification attesting to compliance with the standards described in the NYDFS Superintendent’s Regulations Part 504. While the rule does not include criminal penalties, it is this annual certification that can expose boards of directors and senior officers in regulated institutions to a heightened risk of personal liability.
Several activities must be undertaken by regulated entities for their anti-money laundering models and processes to comply with the requirements of NYDFS Part 504 and for them to file their certification attestations with confidence. While the particular activities are enumerated in the rule, below we discuss current enhancements being made to AML programs and model validation activities needed to provide sufficient assurance for the certification process.
Transaction Monitoring and Filtering Program Enhancements
Currently many financial institutions are enhancing their AML programs to address deficiencies identified by conducting NYDFS Part 504 gap analyses, independent assessments, federal supervisory reviews, internal audits and model validations. Enhancements underway at several entities known to this author are to shore up gaps in data quality, documentation and system effectiveness, as well as to transition manual processes to those that are more automated. As these enhancements are made, each entity is paying close attention to NYDFS Part 504 requirements and the compliance deadline.
AML programs and models must be based on the institution’s own risk assessments and be appropriately aligned with its risk profile. Programs must have sufficient controls performed at appropriate intervals to address changes to the institution’s risk exposures, as well as changes in regulatory requirements and expectations. Under the new requirements, financial institutions are required to perform end-to-end testing of their risk-based AML models. This testing can be conducted as part of a rigorous independent model validation program.
Banks have been subject to model validation requirements since at least 2000 and have been applying these standards to a broader set of models for the past several years. Check cashing and money services businesses, however, may need more support to ensure their models are validated. Validation requirements include replicating outputs and testing the AML system via a sophisticated process. Each institution must develop policies and procedures to govern these processes and work with experienced model validators to confirm the sufficiency of their systems and controls.
Institutions should test the AML scenario rules and run validation tests of the name-matching logic. Testing must ensure appropriate controls for model data accuracy, integrity and completeness. Firms must perform ongoing analysis and testing of the AML models to assess the scenario logic, performance, model technology, assumptions and model parameter settings.
To meet the requirements with respect to model performance, regulated institutions should consider the following potential issues:
- Lack of comprehensive AML model data assessment procedure and controls to maintain model effectiveness
- Lack of effective end-to-end model data quality control tools
- Inadequate independent validation procedures
- Lack of a quantitative approach and/or the tools for AML model performance testing
- Improper AML model use, such as for setting thresholds
- Inadequate model risk assessments
- Insufficient model controls that are disproportionate to inherent risk levels
When considering a provider to validate AML models, it is important to use tools that accelerate review and testing of transaction monitoring, sanction screening and other anti-money laundering models, including rule replication and threshold setting validation. When AML models undergo independent model validation, certifying senior officers can be confident in the annual submission attesting that the institution’s models are complete, effective and sustainable.