Compliance officers' liability: affirmation letters, New York-style
Chris Hamblin, Editor, London, 29 January 2016
As of the fiscal year starting on April Fool's Day 2017, New York Governor Andrew Cuomo is proposing to start holding bank executives personally (and perhaps criminally) accountable for their institutions' failures in the field of money-laundering control and sanctions. He has now extended the deadline for comments - an indication of the proposal's importance.
The proposal is to make senior compliance officers sign annual affirmations that say: "In compliance with the requirements of the New York State Department of Financial Services (the “Department”) that each Regulated Institution maintain a Transaction Monitoring and Filtering Program satisfying all the requirements of Section 504.3 and that a Certifying Senior Officer of a Regulated Institution sign an annual certification attesting to the compliance by such institution with the requirements of Section 504.3, each of the undersigned hereby certifies that they have reviewed, or caused to be reviewed, the Transaction Monitoring Program and the Watch List Filtering Program (the “Programs”) of (name of Regulated Institution) as of ___________ (date of the certification) for the year ended ________ (year for which certification is provided) and hereby certifies that the Transaction Monitoring and Filtering Program complies with all the requirements of Section 504.3."
The proposal is explicit in calling for a risk-based transaction monitoring 'program' which, it says, should have the following attributes.
- It should be based on the institution's risk assessment.
- It should uphold all current laws, regulations and alerts issued under the Bank Secrecy Act 1970, plus other relevant information such as "know your customer due diligence", "enhanced customer due diligence" or other things such as fraud prevention.
- It should "map BSA/AML risks to the institution’s businesses, products, services and customers/counterparties" (i.e. perform a risk assessment).
- It should develop AML detection scenarios that spring from its risk assessment, with threshold values and amounts.
- It should include end-to-end, pre- and post-implementation testing of the transaction monitoring program, including governance, data mapping, transaction coding, detection scenario logic, model validation, data input and program output, as well as periodic testing.
- The documents should be easy to understand.
- It should include investigative protocols that say how it is going to investigate alerts generated by the 'program,' the process for deciding which alerts will result in the 'filing' of a suspicious activity report (SAR) or other action, who is responsible for making such a decision and how the investigative and decision-making process will be documented.
- Finally, its detection techniques, underlying rules, threshold values, parameters and assumptions must be subject to continual analysis.
Cuomo's proposal paper also calls on banks and other firms to maintain a watch list filtering program for the purpose of stopping transactions, before their execution, that are prohibited by applicable sanctions, notably those administered by the Office of Foreign Assets Control. Part (d) of the section that deals with this makes interesting reading: "No regulated institution may make changes or alterations to the Transaction Monitoring and Filtering Program to avoid or minimize filing suspicious activity reports, or because the institution does not have the resources to review the number of alerts generated by a program established pursuant to the requirements of this part, or to otherwise avoid complying with regulatory requirements." In other words, the New York Department of Financial Services will be enquiring into the money and resources devoted to each firm's screening efforts - and perhaps into how much it pays its software vendors. If the department follows the practice of its federal brethren in the Securities and Exchange Commission, it will expect small firms to spend a larger proportion of their resources on this than large ones.
It adds: "A Certifying Senior Officer who files an incorrect or false Annual Certification also may be subject to criminal penalties for such filing." There is no mention of any mens rea that the officer (defined earlier in the paper as "the institution’s chief compliance officer or their functional equivalent") might have to have before being judged criminally liable, so this appears to be a strict liability offence that requires no guilty mind - a worrying prospect, but possibly also a source of extra remuneration for compliance directors.
Some firms in this area use screening software built around matching algorithms, such as those that use various forms of so-called “fuzzy logic” and culture-specific naming conventions to match names. The proposed regulation is not designed to force them to choose any particular package, but it does state "that the system or technology used must be adequate to capture prohibited transactions." This stipulation alone might send many firms scurrying off to AML software vendors with a view to upgrading their IT.
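As an added illustration of the fuzzy name screening mentioned above (example code written here, not any vendor's product and not part of the proposal), the Python below normalises names, scores a candidate token by token against a watch list, and shows how the alert threshold, one of the parameters the proposal says must be kept under continual analysis, changes what is caught. The watch-list entries and candidate names are constructed samples, not real OFAC data.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample watch list for illustration only; these are not real OFAC entries.
WATCH_LIST = [
    "Ivan Petrovich Sokolov",
    "Muhammad al-Rashid",
    "Acme Trading Company Ltd",
]

# Corporate suffixes and articles that carry no identifying weight in a comparison.
NOISE_TOKENS = {"ltd", "llc", "inc", "co", "company", "the"}


def normalize(name):
    """Lower-case, strip diacritics and punctuation, drop noise tokens, return tokens."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c))
    s = re.sub(r"[^a-z0-9 ]+", " ", s.lower())
    return [t for t in s.split() if t not in NOISE_TOKENS]


def token_sim(a, b):
    """Character-level similarity in [0, 1] between two tokens."""
    return SequenceMatcher(None, a, b).ratio()


def name_score(candidate, listed):
    """Order-insensitive fuzzy score: each candidate token takes its best match in the listed name.

    A single-token candidate is rejected outright; otherwise a bare first name such as
    "Ivan" would match every listed Ivan with a perfect score.
    """
    q, l = normalize(candidate), normalize(listed)
    if len(q) < 2 or not l:
        return 0.0
    best = [max(token_sim(t, u) for u in l) for t in q]
    return sum(best) / len(q)


def screen(candidate, threshold=0.85):
    """Return (listed_name, score) hits at or above the threshold, best first."""
    hits = [(listed, round(name_score(candidate, listed), 3)) for listed in WATCH_LIST]
    return sorted([h for h in hits if h[1] >= threshold], key=lambda h: -h[1])


if __name__ == "__main__":
    for name in ["Sokolov, Ivan", "Ivan Sokolof", "Mohammed al Rashid", "Acme Trading Co", "John Smith"]:
        print(f"{name!r:24} -> {screen(name)}")
    # Raising the threshold to cut alert volume silently drops the transliterated variant;
    # tuning a program down to reduce alerts is what part (d) of the proposal prohibits.
    print("at 0.95:", screen("Mohammed al Rashid", threshold=0.95))
```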
A dissenting voice
Daniel Gallagher, one of the commissioners of the SEC, has noticed a trend towards this kind of accountability in the unrelated field of the federal Investment Advisers Act. Here the SEC has already been holding chief compliance officers (CCOs) to account, and in a letter on its site last June Gallagher expressed his displeasure: "I have long called on the commission to tread carefully when bringing enforcement actions against compliance personnel. [Two] recent actions fly in the face of my admonition, and I feel compelled to explain my rationale for dissenting.
"In both instances, the commission’s order states that the chief compliance officer was responsible for the implementation of the firms’ policies and procedures. Both settlements illustrate a commission trend toward strict liability for CCOs. Actions like these are undoubtedly sending a troubling message that CCOs should not take ownership of their firm’s compliance policies and procedures, lest they be held accountable for conduct that, under Rule 206(4)-7, is the responsibility of the advisor itself. Or worse, that CCOs should opt for less comprehensive policies and procedures with fewer specified compliance duties and responsibilities to avoid liability. As it stands, the commission seems to be cutting off the noses of CCOs to spite its face."