Are you ready for April 15, 2018?

Steps Financial Institutions Can Take for Compliance with NYDFS 504

With the New York State Department of Financial Services (“DFS”) Part 504 regulation’s first annual compliance certification deadline less than two months away, DFS-regulated institutions must ensure they have all of the pieces in place for compliance. Here are some steps you can take to benchmark your current programs against Part 504’s specific requirements. 

 

---

 

Each regulated institution shall maintain a transaction monitoring program reasonably designed for the purpose of monitoring transactions after their execution for potential BSA/AML violations and Suspicious Activity Reporting (SAR).

Practical Steps: Review your risk assessment to ensure that it adequately addresses your institutions’ unique risks and circumstances and reflects any changes in laws, regulations, or other relevant information. Based on these risks, review your detection scenarios to ensure the relevant risks are being addressed by your monitoring program. Conduct and document end‐to‐end, pre‐, and post‐implementation testing of the transaction monitoring program, including, as relevant, a review of governance, data mapping, transaction coding, detection scenario logic, model validation, data input, and program output. Ensure that adequate system documentation is maintained which articulates any assumptions, parameters, and thresholds. Documentation should also be maintained on the transaction monitoring investigative processes, as well as, processes to review the current system settings, thresholds, and parameters on a periodic basis. 

 

---

 

Each regulated institution shall maintain a filtering program, either manual or automated, that is reasonably designed for the purpose of interdicting transactions that are prohibited by OFAC.

Practical Steps: Similarly to the transaction monitoring program, the filtering program should  be based on the institutions’ risk assessment. Review the risk assessment to ensure that it adequately captures the sanctions’ risk exposure associated with your institution. Your technology, process, or controls for matching names and accounts must be in line with those risks. Conduct and document end‐to‐end, pre‐, and post‐implementation testing of the filtering program, including, as relevant, a review of data matching, the logic of matching technology or tools, model validation, data input, and program output. Ensure that you also have documented processes for validating the risks and your filtering program on a periodic basis.

 

---

 

Additional items Transaction Monitoring and Filtering Program shall require (see the Regulation for full list): identification of sources of data; validation of integrity, accuracy, and quality of data; governance and management oversight; vendor management processes; funding; periodic training for stakeholders.

Practical Steps: Conduct and document an analysis in order to identify all the sources of data and any gaps in monitoring or filtering. Conduct a validation of both the transaction monitoring and filtering program. Ensure there are documented processes in place which specify the frequency of validation and the validation criteria. Conducting the validation will allow your institution to identify any weaknesses or areas for improvement and assist with the certification process. In addition, implement or revise policies and procedures to include governance and management oversight and vendor management. This includes periodic updates to the program to ensure that changes are defined, managed, controlled, reported, and audited. Additionally, any updates to the transaction monitoring and filtering programs should be well documented in written form and provided to senior management and the board of directors, which will act as a record of efforts taken by the institution to comply with Part 504. Management and the board of directors should be appraised on training efforts for key stakeholders.

 

---

 

To the extent a regulated institution has identified areas, systems, or processes that require material improvement, updating, or redesign, the regulated institution shall document the identification and the remedial efforts planned and underway to address such areas, systems, or processes. Such documentation must be available for inspection by the superintendent.

Practical Steps: Documentation is critical in complying with DFS Part 504. Implementing a tracking mechanism is an effective tool in demonstrating your institutions compliance findings and board resolutions. When documenting weaknesses or deficiencies, ensure that you vet them as they will need to be made available to the superintendent upon request.

 

---

 

Each regulated institution shall adopt and submit to the superintendent a board resolution or senior officer(s) compliance finding by April 15th of each year.

Practical Steps: Identify the appropriate person to submit the annual certification. Determine the process of approving the certification document before submission and retain copies of records and supporting documents for five years. In preparation for submission, provide periodic reports to the board of directors of your institutions progress, and, as always remember to document.

---

BDO works with regulated financial institutions to develop a comprehensive approach to BSA/AML/OFAC compliance. We are well-versed in the DFS Part 504 regulation, and are well-equipped to help clients quickly assess their current transaction monitoring and filtering programs, highlighting areas of strength and uncovering areas of weakness or noncompliance.