The last four years have seen a trend of increased law enforcement and regulatory investigations into financial institutions for sanctions violations and anti-money laundering, or Bank Secrecy Act ("BSA"), compliance. The New York State Department of Financial Services ("NY DFS") has been no exception. NY DFS has recently stated that its investigations have: (i) "uncovered . . . serious shortcomings in the transaction monitoring and filtering programs of these institutions;" and (ii) revealed that "a lack of robust governance, oversight, and accountability at senior levels of these financial institutions have contributed to these shortcomings."
Based upon these findings, the NY DFS has proposed a new anti-terrorism and anti-money laundering regulation (the "Proposed Regulation") which requires that a "Regulated Institution," as defined below, maintain a "Transaction Monitoring Program" and a "Watch List Filtering Program" (collectively, the "Programs"). These requirements are not substantially different from what is already expected by the Bank Secrecy Act and other existing laws, or from what many financial institutions are doing already. What is notable, however (other than NY DFS increasing its enforcement role), is that the Proposed Regulation also includes a requirement that a senior financial executive annually deliver an unqualified certificate to the NY DFS that his or her institution "has sufficient systems in place to detect, weed out, and prevent illicit transactions."
According to the Press Release announcing the Proposed Regulation, the certification requirement is modeled on the certifications required under the Sarbanes-Oxley Act of 2002 ("SOX"). However, the requirements of the Proposed Regulation are more demanding than SOX certification requirements.
The Proposed Regulation applies to all banks, trust companies, private bankers, savings banks, and savings and loan associations chartered pursuant to the New York Banking Law (the "Banking Law"), as well as all branches and agencies of foreign banking corporations licensed pursuant to the Banking Law to conduct banking operations in New York, and all check cashers and money transmitters licensed pursuant to the Banking Law (each, a "Regulated Institution"). Therefore, it appears that the Proposed Regulation generally would not apply, for example, to investment advisers or broker-dealers, except to the extent that investment advisory and broker-dealer activities are conducted under the Regulated Institution.
The Proposed Regulation requires that the "Certifying Senior Officer," defined to mean "the chief compliance officer or their functional equivalent" of a Regulated Institution, annually certify, in a prescribed form attached to the Proposed Regulation (the "Annual Certification"), that he or she has reviewed the Programs of such Regulated Institution, or caused them to be reviewed, and that the Programs comply with all of the requirements of the Proposed Regulation. [v] The Proposed Regulation sets forth minimum required attributes of the Programs, such as reflecting all current Bank Secrecy Act/Anti-Money Laundering ("BSA/AML") laws, the mapping of BSA/AML risks, and that they be subject to an on-going analysis for further assessment. However, the prescribed Annual Certification does not include customary "knowledge" and "materiality" qualifications.
Certifying Senior Officers must certify, to "the best of their knowledge," that the Programs comply with all of the requirements of the Proposed Regulation. The Annual Certification itself is notable in two respects. First, the prescribed certification does not include customary "materiality" qualifications, such as the statements made are "true and correct in all material respects." Second, a "best knowledge" standard is commonly regarded as imposing a duty of investigation on the certifying party unless such an undertaking is disavowed.
In contrast, the certifications required by SOX regarding the accuracy and reliability of financial reports are based upon the certifying officer's "knowledge" and belief that the reports constitute a "fair presentation" and the subject report is not "misleading" based upon "materiality" standards.[vi] SOX does not require that the executing officer deliver an unqualified certification that the regulated institution complies with all SOX requirements. As such, the certification requirements of the Proposed Regulation clearly are more strict than the SOX standard.
As regards U.S. economic sanctions, the Proposed Regulation would require Regulated Institutions to maintain a Watch List Filtering Program compliant with rigorous statutory requirements intended to interdict financial transactions in violation of U.S. economic sanctions prohibitions, including economic sanctions administered by the U.S. Department of the Treasury's Office of Foreign Assets Control ("OFAC") and other U.S. government agencies. Economic sanctions at issue broadly forbid most transactions that are directly or indirectly related to certain countries, regions, governments, legal entities and individuals. One category of economic sanctions comprises broad trade and investment embargoes against specified countries and regions. Today, OFAC administers embargoes on most trade and investment transactions with or involving Crimea, Cuba, Iran, North Korea, Sudan and Syria. Other economic sanctions prohibit transactions relating, directly or indirectly, to certain listed legal entities and individuals and some types of affiliates of listed legal entities.
New York State chartered banks whose deposit accounts are insured by the Federal Deposit Insurance Corporation and New York State chartered banks that are member banks of the Federal Reserve System are already subject to the BSA/AML program requirements administered by the Federal Financial Institutions Examination Council ("FFIEC"). Therefore, it is notable that the requirements of the Programs do not extend beyond the requirements reflected in the FFIEC BSA/AML Examination Manual [vii] and the two sets of requirements generally are consistent with one another. [viii]
Under the Proposed Regulation all Regulated Institutions will be subject to "all applicable penalties provided for by the Banking Law and the Financial Services Law [ix] for failure to maintain" Programs complying with the Proposed Regulation and for failure to file the Annual Certification. In particular, the Proposed Regulation provides that: "A Certifying Senior Officer who files an incorrect or false Annual Certification also may be subject to criminal penalties for such filing." As in the case of the prescribed content of the Annual Certification, the criminal penalty provision would be applicable in the case of an "incorrect" filing without regard to its materiality.
If a Regulated Institution is already subject to the BSA/AML program requirements administered by the FFIEC, the primary impact of the Proposed Regulation will be the requirement for the filing of an unqualified Annual Certification and accompanying potential New York state liability for failure to do so or to do so incorrectly.
The Annual Certification will undoubtedly raise concerns in the compliance officer community as it represents yet another avenue for second-guessing and personal liability. The proposed Annual Certification only relates to New York. The Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) has not published a similar proposed requirement, and neither have any of the other states.
Naturally, in order to ensure compliance with the Proposed Regulation, a Regulated Institution should review its BSA/AML compliance program to ensure its compliance with all applicable standards. Also, the Certifying Senior Officer should undertake and document an internal review and investigation to evidence that he or she has exercised reasonable care in concluding that the Regulated Institution is in compliance with all of the requirements of the Proposed Regulation. [x]
As a practical matter, however, an issue is presented as to whether implementation of the unqualified liability standard of the Proposed Regulation could have an unintended chilling effect on the ability of a Regulated Institution to hire and retain competent compliance officers due to the increased risk of personal liability, or conduct business in accordance with the reasonable "risk based" standard contemplated by the BSA/AML program requirements administered by the FFIEC. [xi]
The Proposed Regulation is not yet final. The comment period will end on January 30, 2016.
[i] Press Release, New York Department of Financial Services, Governor Cuomo Announces Anti-Terrorism Regulation Requiring Senior Financial Executives to Certify Effectiveness of Anti-Money Laundering Systems (Dec. 1, 2015), available at: http://www.dfs.ny.gov/about/press/pr1512011.htm.
[ii] New York Department of Financial Services Superintendent's Regulations, Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications (Dec. 1, 2015), available at: http://www.dfs.ny.gov/legal/regulations/proposed/rp504t.pdf.
[iii] See Regulatory Impact Statement accompanying the Proposed Regulation published in NYS Register (Dec. 16, 2015), at 11:
All [Regulated] Institutions are currently subject to existing federal Requirements. The proposed regulation provides more granular guidance and requires the chief compliance officer or their functional equivalent at a [Regulated] Institution to certify compliance with the proposal. It is the Department's intent that this certification requirement will cause compliance officers to proactively ensure compliance by their institutions with existing federal Requirements.
[iv] Sarbanes-Oxley Act of 2002, Public Law 107-204, 116 Stat. 745, available at: http://www.sec.gov/about/laws/soa2002.pdf.
[v] See Regulatory Impact Statement accompanying the Proposed Regulation published in NYS Register (Dec. 16, 2015):
The [Proposed Regulation] creates a more granular framework for a chief compliance officer or their functional equivalent at a Covered Institution to follow in designing, implementing and maintaining a program that ensures compliance by their institutions with the Requirements.
[vi] SEC. 302. CORPORATE RESPONSIBILITY FOR FINANCIAL REPORTS.
(a) REGULATIONS REQUIRED.—The Commission shall, by rule, require, for each company filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m, 78o(d)), that the principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed or submitted under either such section of such Act that—