28 Feb 2019
New York State-chartered banks spent significant sums on third-party consultancies and in-house compliance upgrades to meet a New York State deadline last year, say industry advisors.
Under rules finalized by the state’s Department of Financial Services (DFS) in 2016, banks and other covered businesses must implement and periodically update “end-to-end” anti-money laundering (AML) and sanctions controls, including transaction monitoring systems, governance and management policies, model validation processes, and data extraction procedures.
In a first for U.S. regulators, DFS also required boards of directors or senior compliance officers to sign off on their institutions’ adherence to the state rule by April 15th of each year. The agency, which initially proposed obligating the individuals to “certify” institutional compliance, amended its draft rule by clarifying that signatories need only attest that they have reviewed and approved assessments of their AML programs.
But “a lot of foreign institutions really didn’t understand the magnitude or level of effort required by the regulation, so we had to do a lot of training and knowledge-sharing sessions with head office,” said Shaun Creegan, a New York-based managing director with Protiviti Inc.’s Risk and Compliance practice, adding that levels of effort by banks to upgrade their AML controls have varied broadly.
Concerns over how stringently DFS would enforce the rules and whether executives and board members of relatively small New York-based operations are qualified to sign off on compliance findings prompted some banks to spend big on outside help in 2018, according to Hal Crawford, a managing director with Alvarez & Marsal’s Financial Industry Advisory Services in New York City.
“We’re seeing companies spend a significant amount of money because the individual compliance officers or the executives who have to certify, the in-house people, don’t want to do it” absent third-party assessments, said Crawford, adding that the issue is most apparent at foreign banking operations (FBOs) that have under 50 staffers and consequently rely on global AML departments based in other jurisdictions.
“What happens when [AML compliance] technology is at the head office and they’re signing off on something but don’t know if it’s right or wrong?” he said.
Such practical concerns, coupled with the certification mandate, have led many of the compliance industry’s more seasoned professionals to keep their distance from DFS-regulated banks, according to Crawford. “The more senior people in the industry are much more cautious,” he said.
In mandating compliance certifications, New York State isn’t alone. U.K. rules that took effect in 2016 obligate depository institutions and other firms to hold their senior managers more accountable for compliance failures, in part through individual attestations submitted to British regulators.
Under the New York regulation, financial institutions must annually draft a “Compliance Finding” that outlines departmental processes, identifies program shortcomings, and documents subsequent remediation. The assessment must be made available to the agency’s superintendent and related records must be retained for at least five years, according to the rule.
In drafting such assessments, financial institutions should be sure to offer a clear view of their findings upfront, according to Tim Mueller, a managing director at Navigant Consulting, Inc. who has seen the references to the state rule, known as “Part 504,” in Matters Requiring Immediate Attention.
“Make sure you’ve got a big picture overview that provides a summary of your governance structure, the steps you took to identify whether you had gaps, whatever gaps there are, and the action plan you put in place. Have that as an overall summary and then, below that, the details,” said Mueller.
To bolster their evaluations, some banks have relied on “sub-certifications” from internal compliance functions, according to Creegan.
“In one institution, the person that was in charge of risk assessment had to sub-certify that the risk assessment was working properly. The person who was in charge of data had to sub-certify that data was properly being captured,” he said. “The chief compliance or risk officer is not just going to sign a certification of adherence without getting comfort that other people along the chain feel the same way.”
But the industry’s overall reliance on outside help to document how the assessments were conducted and their conclusions reached, as well as which remedial steps lie ahead, has given rise to proprietary questions, according to Creegan. In some cases, banks and their vendors may have to rethink contracts to address what third-party data and applications need to be reviewed to comply with the 504 requirements.
Efforts to comply with 504 could impact compliance exams by other regulatory agencies, multiple consultants said.
Anecdotally, U.S. regulators have shown an interest in reviewing the 504 assessments, leaving open the possibility that the Federal Reserve, Office of Foreign Assets Control (OFAC), and other national agencies could increasingly reference the state-mandated paperwork to identify violations in their own examinations, according to Crawford.
Since imposing the rule in 2017, DFS has levied hundreds of millions of dollars in fines against banks for AML and sanctions violations, though the agency has yet to highlight 504 violations or publicly cite signatories for signing off on flawed compliance efforts. Although DFS dropped language that would have held individuals more accountable for institutional AML controls, the degree of personal liability the rule imposes remains unclear.
“There’s a general market concern about compliance officers being held accountable for the institution, and the reality is that we haven’t seen 504 result in any individual action but it does put people off,” said Crawford.
The department, which was formed in 2011 and saw the appointment of its third superintendent earlier this month, has previously drawn criticism for what some have characterized as overly aggressive enforcement. Whether the department’s new superintendent, Linda Lacewell, will change its enforcement style remains unclear.
Questions also remain for financial institutions preparing to file their second compliance finding, according to Creegan.
“We really haven’t heard too much from DFS since the filing date and, following up with a lot of our clients, the feedback has been minimal at best,” he said. “The industry as a whole appears to be a little frustrated with the lack of communication from the DFS and the lack of guidance on whether their certifications were done properly.”
A spokesperson for DFS declined to comment for this story.