White Paper

Is NYDFS AML final rule compliance worth the hassle?

A recent Thomson Reuters Legal survey of anti-money laundering (AML) professionals uncovered a surprising trend, with 43 percent of respondents citing local regulations as the biggest driver of increased compliance workload in the last year[1].

While the survey did not elaborate on what these local regulations were, the passage of New York’s Department of Financial Services’ (NYDFS) Final Rule on Transaction Monitoring and Filtering Programs in January 2017 seems the likely culprit[2].

The NYDFS proposed these transaction monitoring and filtering reforms as a response to various shortcomings they found in Bank Secrecy Act (BSA)/AML and Office of Foreign Asset Control (OFAC) compliance rules. Putting the squeeze on the financial services C-suite, the NYDFS said these systemic inadequacies are “attributable to a lack of robust governance, oversight, and accountability at senior levels[3].”

Broadly speaking, the Final Rule features three key provisions for regulated bank and nonbank entities:

  • Maintain a transaction monitoring program for potential BSA/AML violations and suspicious activity reporting
  • Maintain a filtering program to prevent transactions that are prohibited by OFAC
  • Submit annually to New York’s DFS a confirmation regarding compliance with the Final Rule’s transaction monitoring and filtering program requirements

According to a 2016 Harvard Law School Forum on Corporate Governance and Financial Regulation article, the DFS Final Rule is the latest example of the agency asserting an outsized role in establishing standards for bank compliance with respect to AML, terrorist financing, and sanctions laws[4].

While the NYDFS Final Rule may only apply to institutions that fall under the state’s purview, “The scope of the potential ramifications extends to every banking institution in the U.S.,” according to consulting firm Alvarez & Marsal[5].

Indeed, because New York City is an international financial hub, the state of New York has “one of the highest concentrations of institutions under financial regulatory supervision[5].” Alvarez and Marsal warns that the preeminence of New York state’s financial regulatory regime could lead to an industry-wide domino effect of compliance reform.

The advisory firm highlights the Federal Reserve Bank of New York’s correspondent banking peer review in 2004, which many institutions thought to be innocuous, but that led to a wave of enforcement actions for AML violations, poor controls and weak due diligence. Ultimately, the fallout from the FDNY’s initiative spawned the “de-risking” trend, where institutions have closed operations in Baltic countries and correspondent banking business in Central America[6].

The authors of the Harvard Law School article write that the Final Rule could make compliance “difficult and uncertain” because many of its requirements are ambiguous. Alvarez & Marsal also highlight “incongruities” associated with the rule, where compliance oversights could range from something as detailed as a glitch in the validation of data feeds, to something mundane like failing to submit the required Annual Board Resolution or Senior Officer Compliance Finding form on time.

Even more vexing, an institution could take reasonable measures to comply, only to find that the regulator’s interpretation “is different” or perhaps more lenient, which means institutions will have misallocated resources and wasted budget in their efforts to comply[5].

So, a frustrating supervisory regime emerges, where a state regulator assumes broad and sweeping enforcement powers that can penalize regulated financial institutions (FIs) for violations that are increasingly “granular”[8] and open to interpretation.

In fact, a 2016 article written by litigator Arnold & Porter Advisory says the Final Rule “could have a significant impact on the operating costs of regulated institutions, and most certainly will provide the DFS with increased enforcement powers[6].”

Faced with more aggressive and byzantine regulatory guidance, both bank and nonbank entities need to develop a long-term strategic framework that anticipates how the Final Rule will impact their operations, compliance costs, and regulatory risk parameters in the future[8].

To simplify compliance with DFS Final Rule requirements, FIs should focus on the following three considerations above all others: regulatory technology (regtech); employee training; and long-term cost.

Regulatory technology

Underlying NYDFS-imposed upgrades to transaction management systems is a robust framework for data governance. For starters, regulated institutions must use existing transaction data to create new analytics-driven parameters that reflect their proprietary risk profiles.

But the NYDFS vision of risk-based compliance creates unprecedented challenges and costs for institutions. The following are just a sampling of the reporting demands regulated entities must address to comply with Part 504 of the Final Rule[2]:

  • Identification of all data sources that contain relevant data
  • Validation of the integrity, accuracy and quality of data to ensure that accurate and complete data flows through the Transaction Monitoring and Filtering Program
  • Data extraction and loading processes to ensure a complete and accurate transfer of data from its source to automated monitoring and filtering systems, if automated systems are used
  • Governance and management oversight, including policies and procedures governing changes to the Transaction Monitoring and Filtering Program to ensure that changes are defined, managed, controlled, reported and audited
  • Vendor selection process if a third-party vendor is used to acquire, install, implement or test the Transaction Monitoring and Filtering Program or any aspect of it

While NYDFS guidance gives institutions an option between manual or automated solutions to address data governance, the former should only be applied to critical risk issues that cannot be resolved by technology alone.

A 2017 McKinsey & Company report on sustainable compliance found that with current legacy technologies, first- and second-line compliance staff at a typical FI were “spending 80 percent of this time on issues of low or moderate materiality, and only 20 percent on critical high-risk issues.[9]”

The volume, velocity and variety of data generated by bank systems in 2017 demands cutting-edge technology to properly manage transaction records that are overflowing with increasingly complex information and non-traditional data.

By selecting a qualified regtech vendor(s), regulated entities can deploy compliance resources more intelligently, significantly cut manual review costs and mitigate the risk of enforcement action, thus saving time and money, while preserving reputational integrity.

Employee training

Complying with the Final Rule and all of its technological complexities inherently creates an enterprise-wide learning curve, where compliance personnel have to master new programs and systems.

Implementing modern regtech infrastructures will be mandatory for all FIs under NYDFS supervision, and they must be prepared to invest in training modules that prepare compliance staff for the Final Rule.

With 44 percent of Thomson Reuters survey respondents listing training for existing staff as a top priority for AML and customer due diligence (CDD) compliance, FIs need to make the learning process intuitive and efficient for risk management personnel.

According to the Governance Risk and Compliance Institute, an Australian trade organization, the primary cost burden of training are the staff work hours spent away from real operations[10]. To make training more adaptable, the GCRI advises FIs to accurately identify “prior learning,” which eliminates redundant training, and encourages the use of training simulations that present interesting content in an engaging way.

Long-term cost

As FIs formulate a long-term strategy to address NYDFS Final Rule compliance, they need to conduct a thorough cost/benefit analysis that assesses the value of being regulated by the state of New York[11].

According to former U.S. Treasury official Jonah Crane, American FIs collectively spend $60 to $70 billion a year on compliance[12]. Across the Atlantic, a 2017 report pegs the true cost of AML compliance for European FIs at $83.5 billion[13].

And with a 2017 Accenture survey reporting that 89 percent of financial services executives expect compliance spend to increase in the next two years, FIs need to analyze the benefits of doing business in New York and consider strategic alternatives.

This consideration is particularly relevant to smaller entities like money transmitters or other money service businesses (MSBs), which have higher AML risks, but may lack the resources to implement robust transaction management programs by the April 2018 deadline[7].

Looking forward

The NYDFS Final Rule introduces new regulatory risks, implementation costs and operational challenges for institutions. While the legislation may seem like an extraterritorial demand for tribute by New York State, all U.S. institutions should heed the lessons of history and weigh the risk of a domino effect.

This local regime has a rich tradition of introducing new regulatory schemes that become adopted as federal AML policy, thereby shaping new industry standards for compliance. As such, there is a good chance banks and MSBs with no business operations in the state of New York will eventually have to bend the proverbial knee to NYDFS-inspired reform.

But with a strategic framework focused on data governance, automated regtech and efficient employee training, FIs can mitigate operational disruptions caused by Final Rule adoption and the industry-wide aftershocks likely to follow in its wake.

1  http://legalsolutions.thomsonreuters.com/law-products/ns/solutions/clear-investigation-software/anti-money-laundering/acams-survey?cid=7011B000002KISk&chl=van 
2  https://www.dfs.ny.gov/reports_and_publications/press_releases/pr1606301
3  https://www.dfs.ny.gov/reports_and_publications/press_releases/pr1512011
4  https://corpgov.law.harvard.edu/2016/07/31/nys-banking-regulators-requirements-for-transaction-monitoring-and-filtering/ 
5  https://www.alvarezandmarsal.com/insights/hidden-risks-nysdfs-rule-part-504 
6  https://www.economist.com/news/international/21724803-charities-and-poor-migrants-are-among-hardest-hit-crackdown-financial-crime-means 
7  https://www.dfs.ny.gov/industry_guidance/regulations/emergency_banking
8  https://www.apks.com/en/perspectives/publications/2016/07/new-yorks-new-aml-rule 
9  https://www.mckinsey.com/business-functions/risk/our-insights/sustainable-compliance-seven-steps-toward-effectiveness-and-efficiency 
10  https://thegrcinstitute.org/news/view/2310 
11  https://www.apks.com/en/perspectives/publications/2016/07/new-yorks-new-aml-rule 
12  http://new.innovatefinance.com/uncategorised/observations-fintech-regtech-suptech/ 
13  http://www.prnewswire.co.uk/news-releases/european-financial-services-providers-face-overall-anti-money-laundering-compliance-costs-of-835-645604513.html

Thomson Reuters is not a consumer reporting agency and none of its services or the data contained therein constitute a ‘consumer report’ as such term is defined in the Federal Fair Credit Reporting Act (FCRA), 15 U.S.C. sec. 1681 et seq. The data provided to you may not be used as a factor in consumer debt collection decisioning, establishing a consumer’s eligibility for credit, insurance, employment, government benefits, or housing, or for any other purpose authorized under the FCRA. By accessing one of our services, you agree not to use the service or data for any purpose authorized under the FCRA or in relation to taking an adverse action relating to a consumer application.