BSA and OFAC compliance are typically handled by our federal regulator/insurer (FDIC, NCUA, etc.). Why is DFS involved?
According to Part 504.1, DFS found “shortcomings” in the transaction monitoring (BSA) and filtering (OFAC) programs used by DFS-regulated institutions and elected to take action to “clarify” institutions’ responsibilities.
Who is required to comply with Part 504?
Basically, any bank and non-bank financial institution chartered under New York banking law, including commercial banks, credit unions, and non-bank financial institutions like money transmitters and check cashers. See Part 504.2(b), (c), and (e).
How complex is compliance with Part 504?
Part 504 is short (six pages) but it’s full of specific and fairly complex requirements. 504 contains very specific requirements for material facets of BSA and OFAC compliance starting with the risk assessment, through program development (with specific requirements) and governance, continual testing, and through to reporting. Then, there is the infamous director/senior officer certification, which covers the entirety of the institution’s compliance with 504.
Where do we start?
That’s easy…you start with a BSA/OFAC risk assessment that complies with the specific requirements of 504.3. This means that the risk assessment risk-rates every location, product, service, and customer/counterparty. You cannot comply with 504 unless you have a risk assessment because 504 requires you to “tune” your transaction monitoring (BSA) and filtering (OFAC) programs to your specific risks. If you don’t have a risk assessment, that’s impossible.
Is Part 504 a regulatory “gotcha”—a way for regulators to enforce unreasonable requirements?
BSA and OFAC compliance can be complex, but at its core, Part 504 is a best practice guide for effectively risk assessing and monitoring BSA and OFAC transactions and running a compliant BSA and OFAC program.
What happens if we don’t or can’t comply?
If you can but you don’t, then your institution could be subject to all enforcement available to DFS including money penalties and potential criminal liability. Your certifying directors or senior officers could be subject to civil and potentially criminal penalties.
BUT, if you are working diligently to comply, there may be a path to regulatory leniency. That path is set forth in Part 504.3(d), which states:
(d) To the extent a Regulated Institution has identified areas, systems, or processes that require material improvement, updating or redesign, the Regulated Institution shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by the Superintendent. [emphasis added]
If you want us to explore more about NYDFS Part 504 or any other tricky BSA/AML regulatory question, please email us at info@beregsmart.com.
About the Author
Mark Stetler is CEO of RegSmart. He has a BBA in Finance from Baylor University (cum laude, 1985) and a law degree from the University of Texas (with honors, 1988). Mark has worked in the financial services industry for 30 years as an attorney and entrepreneur. Mark previously co-owned one of the nation’s largest firms specializing in forensic financial audits. He is a Certified Anti-Money Laundering Specialist and a chief architect of RegSmart’s anti-money laundering risk assessment and audit SaaS.
About RegSmart
RegSmart offers the best-in-class automated BSA/AML risk assessment. Supported by subject matter experts, RegSmart collects data with intuitive wizards and stores that data for regulatory compliance and change management. RegSmart delivers complete, plain language reports with actionable intelligence. Please visit us at www.beregsmart.com.
If you would like to see a demonstration of our best-in-class automated BSA/AML risk assessment and audit applications, please contact us at 214.919.4670, or email John Ravita at jrravita@beregsmart.com or Mark Stetler at mstetler@beregsmart.com. We look forward to visiting with you.