Rule (504) of Thumb

By now you will have heard about, or even started preparing for, the New York State Department of Financial Services (DFS) regulation outlining the criteria for transaction monitoring and filtering programs - more commonly referred to as "Rule 504". The final rule was published in June 2016, and caused a stir among NY-based financial institutions. It took effect in January 2017 and banks will be required to "certify" for the first time in April 2018 - just one year from now.

While the timing of this post is appropriate, I won't pretend to be the first person to analyze the rule and write about it. However, I will do my best to provide a unique perspective on the aspects of the regulation that I consider most interesting. To remain focused, I will only consider the parts that pertain specifically to transaction monitoring and set aside filtering.

504.1: BACKGROUND

At first glance, this section simply states that the DFS has observed numerous shortcomings in the transaction monitoring and filtering programs of regulated financial institutions. While discouraging, this should come as no surprise given the announcement of new enforcement actions seemingly every month. When I took a second pass, though, I noticed that the "Department" explicitly attributes those shortcomings to a "lack of robust governance, oversight, and accountability at senior levels". That is a pretty bold and incriminatory assertion against bank leadership, and they intend to address it by requiring direct certification by the board or senior officials.

504.2: DEFINITIONS

There isn't too much here beyond some key terminology definitions. Most importantly, you should know if your organization falls into the bank or non-bank regulated institution categories. It is also useful to compare the DFS definition of a risk assessment to your own to ensure complete coverage.

504.3: TRANSACTION MONITORING AND FILTERING PROGRAM REQUIREMENTS

(A) Transaction Monitoring Criteria: this section is really the meat of the rule and specifies the major components of a transaction monitoring program expected of all financial institutions. These are things that most, if not all, organizations should already have in some shape or form, including an enterprise risk assessment, detection scenarios with relevant threshold settings, alert investigation protocols, and the documentation to justify and tie it all together. Critically, all of the mentioned components need to be subject to periodic review. This is where I come across one of the more contentious points: the Department contends that periodic reviews and updates should be conducted at "risk-based intervals". What exactly is that, and what frequency does it translate to? Are all components of the program subject to the same interval or on their own independent schedules? The regulation is vague, but these are questions your organization will have to be prepared to answer. The DFS also requires banks to account for changes to AML/BSA regulations and warnings (external factors), as well as institutional programs and initiatives (internal factors). For this, I recommend creating an inventory of applicable regulatory bodies, laws, and internal initiatives that will notify a steering committee each time there is a material change. That central authority can review the new information and determine if it warrants action.

(B) Filtering Criteria: not applicable for this analysis.

(C) General Criteria: there are two categories of general criteria, meaning they apply to both transaction monitoring and filtering: data management and program management. Regarding data, the rule stipulates that banks properly identify all sources, validate data quality, accuracy, and integrity, detail the extraction, transformation, and loading processes, and apply governance, control, and management oversight. The word "traceability" comes to mind. I have two predictions based on this part of the regulation. First, it will be the leading cause for "remediation efforts" due to issues with existing data quality and completeness. Second, it will lead to some intense discussions and debates about who truly owns the data feeding transaction monitoring systems. Regarding management, the DFS calls out program funding, the vendor selection process (if applicable), personnel qualifications, and ongoing training of all stakeholders. What is unclear is how the Department will evaluate and measure those things. Will it suffice to simply provide evidence that they exist within your organization, or will you have to demonstrate the appropriateness of your budget, the vigor of your vendor selection, and the qualifications of your people? To me, this teeters on the edge of the now buzzing "culture of compliance". 

(D) Remediation: if after evaluating your program, you find gaps that substantiate remediation, you must document those efforts and your plans to execute them. Those plans should be detailed enough to prove genuine interest and accountability on behalf of senior bank officials, as I suspect the DFS will track your progress towards delivery throughout the year.

504.4: ANNUAL CERTIFICATIONS

This section is an attestation that financial institutions shall adopt and submit the certification (according to the template provided) on an annual basis to the DFS Superintendent. It also lays out the data and documentation retention requirements (5 years), which is noteworthy.

504.5: PENALTIES/ENFORCEMENT ACTIONS

One sentence: "This regulation will be enforced pursuant to, and is not intended to limit, the Superintendent’s authority under any applicable laws." Perhaps more interesting is what was removed from the final rule. The initially proposed regulation explicitly stated that a certifying bank officer who filed incorrectly or falsely may be subject to criminal penalties. So while that language was relaxed, take note of how strictly the DFS originally wanted to penalize non-compliance and make Rule 504 a priority.

504.6: EFFECTIVE DATE

Effective: January 1, 2017
First Certification: April 15, 2018
