
AML annual reports, attestations and the RBA come to New York

Chris Hamblin, Editor, London, 4 July 2016


The New York Department of Financial Services is requiring regulated institutions to take a British-style 'risk-based approach' (RBA) to the detection of breaches of the federal Bank Secrecy Act and to prepare either board attestation letters or an American equivalent of the MLRO's annual report.

The risk-based banking rule (which the NYDFS calls a final regulation) takes effect on 1 January next year. Under it, regulated institutions will be required to review their transaction-monitoring and filtering efforts and ensure that they are reasonably designed to comply with risk-based safeguards. Each regulated institution will have to "adopt and submit to the superintendent a board resolution or senior officer(s) compliance finding [on a form provided by the DFS] by 15th April of each year." Each institution must keep all records, schedules and data supporting that document for the usual period of five years.

The correlation between this initiative and the United Kingdom's AML regime is very evident, right down to the regulator's strange conviction that a board can legally 'resolve' that something exists. This, too, is the terminology found in British 'attestation letters.' As in the UK, the regulation contains no actual penalty for boards falsely attesting to the efficacy of their AML efforts. Rather, it seems to be another instance of the regulator, in the words of one consultant who spoke to Compliance Matters, "messing with CEOs' heads."

One feature of the New York regime not seen on the other side of the Atlantic is the choice that the NYDFS is offering between (to use British parlance) attestation letters and money-laundering reporting officer (MLRO) annual reports. It remains to be seen which option most institutions will choose.

Programme requirements

Each firm is expected to be 'reasonable' in determining the ways in which it monitors transactions after their execution for the purposes of suspicious activity reporting and the detection of BSA/AML infractions. Unlike the British Financial Conduct Authority, the regulator gives companies the choice of whether or not to automate their systems, although it may be saying one thing in public and insisting behind closed doors on automation, as the FCA's inglorious predecessor did for many years.

The most crucial feature of each institution's AML effort, or 'programme,' is that the firm should base it on an assessment of risks. The firm should review its 'programme' and update it at periodic 'risk-based' intervals to take changes to AML laws, regulations and regulatory warnings into account, along with any other information that it thinks is relevant in the light of its "related programmes and initiatives" - a rather vague phrase that seems to exhort the firm to take a holistic approach to money laundering and terrorist finance. The regulator also wants to see "BSA/AML detection scenarios with threshold values and amounts."

There must also be end-to-end, pre- and post-implementation testing of 'the' (presumably each firm's) transaction monitoring programme, including things to which the regulator refers as "a review of governance, data mapping, transaction coding, detection scenario logic, model validation, data input and program output." Protocols must set out the ways in which the firm will investigate alerts generated by 'the' transaction monitoring programme, the process for deciding which alerts will result in a SAR, and the operating areas and people responsible for making such a decision. All this must be subject to continual analysis, making banking a very expensive activity indeed.

Each regulated institution is also expected to maintain a filtering programme (manual or automated) that is reasonably designed for the purpose of stopping transactions that are prohibited by the US Office of Foreign Assets Control (OFAC). This, too, must be based on the "risk analysis of the institution" - perhaps the NYDFS's way of referring to a business-wide AML risk assessment. As before, there must be end-to-end, pre- and post-implementation testing, including a review of data matching and an "evaluation of whether the OFAC sanctions list and threshold settings map to the risks of the institution, the logic of matching technology or tools, model validation, and data input and program output." The same review obligations apply.

Offsetting the costs

Part 504 of the NYDFS regulations, where this rule is housed, mentions the word 'programme' 34 times without ever defining its meaning. The regulator speculates that firms might use software featuring matching algorithms, such as 'fuzzy logic' and culture-based name conventions for matching names, but it does not prescribe this. Instead it insists only that the system in use must be 'reasonably designed' to identify prohibited transactions. Financial firms might see this as an excellent excuse to buy the cheapest software on the market, thereby offsetting some of the prohibitive costs that the AML regulations place on doing business in the financial arena.
