The New York Department of Financial Services (NYDFS) BSA/AML and OFAC regulations (Part 504) contain 22 separate, specific requirements (with numerous sub-requirements) that DFS-regulated institutions’ BSA/AML programs must meet. Then, the individual institution’s directors or senior officer(s) must certify that they made “individual findings” that the BSA/AML program complies with Part 504.
The certification requirement suggests that an incorrect certification could come with personal liability for the certifying directors/officers.
If DFS didn’t want to hold directors/officers personally responsible for BSA/AML program failures, why the certification?
So, is it time for DFS-regulated institutions (or at least their certifying directors or officers) to panic? The answer is: It depends on how close to compliance with Part 504 your institution is and how serious it is about filling the gaps.
Prior DFS and federal (FinCEN, OCC, DOJ, OFAC) BSA/AML and OFAC enforcement actions suggest to us that compliance failures must be ongoing and/or egregious before a regulator will take seriously punitive action against an institution or individual. Our educated guess is that Part 504 enforcement should be no different. That’s the good news. Here’s the not-so-good news:
Part 504’s requirements are specific and the director/officer certification is very broad, which means regulators will have little difficulty making a case for enforcement action (including against the individual).
Here’s a simple example: 504.3(a)(6) requires “documentation that articulates the institution’s current detection scenarios and the underlying assumptions, parameters, and thresholds.” If you don’t have the documentation, you violated 504.3(a)(6)—no questions asked. By extension, the director or officer certification is verifiably false.
You could be thinking at this point that the documentation required by 504.3(a)(6) would be easy to come by and hard for compliance staff to miss. That’s true, but, as you might imagine, the requirements get significantly more complex and correspondingly less clear. For example, 504.3(a)(5) requires:
…end‐to‐end, pre‐ and post‐implementation testing of the Transaction Monitoring Program, including, as relevant, a review of governance, data mapping, transaction coding, detection scenario logic, model validation, data input and Program output.
That’s just one of the 22 requirements of Part 504.
Part 504 represents a regulatory attempt to impose BSA/AML risk assessment and transaction monitoring best practices.
Like most regulations, Part 504 is “all stick and no carrot.” You get no credit for doing it right and can face serious (even personal) sanctions for doing it wrong. On the other hand, Part 504’s requirements are, for the most part, reasonable, and are the regulatory equivalent of a best practice guide (albeit an incomplete one) for a BSA/AML and OFAC risk management program.
How can you give your institution the best possible chance of compliance with Part 504? We have some ideas. Please give us a call if we can help.
About the Author
Mark Stetler is CEO of RegSmart. He has a BBA in Finance from Baylor University (cum laude, 1985) and a law degree from the University of Texas (with honors, 1988). Mark has worked in the financial services industry for 30 years as an attorney and entrepreneur. Mark previously co-owned one of the nation’s largest firms specializing in forensic financial audits. He is a Certified Anti-Money Laundering Specialist and a chief architect of RegSmart’s anti-money laundering risk assessment and audit SaaS.
About RegSmart
RegSmart offers the best-in-class automated BSA/AML risk assessment. Supported by subject matter experts, RegSmart collects data with intuitive wizards and stores that data for regulatory compliance and change management. RegSmart delivers complete, plain language reports with actionable intelligence. Please visit us at www.beregsmart.com.
If you would like to see a demonstration of our best-in-class automated BSA/AML risk assessment and audit applications, please contact us at 214.919.4670, or email John Ravita at jrravita@beregsmart.com or Mark Stetler at mstetler@beregsmart.com. We look forward to visiting with you.