New York’s money laundering rules will spur risk changes everywhere
The financial services and payments industries will look back on this time as the point at which a fundamental shift took place in the world of sanctions screening (also referred to as "filtering") and anti-money laundering (AML) compliance.
It will be seen as the point at which regulators around the world fully accepted the role that technology and automation plays in meeting AML requirements and subtly changed their emphasis to focus on the quality of the systems and processes that institutions put in place.
The catalyst for this change is the New York State’s Department of Financial Services (DFS) requirements, widely known as “Part 504.”
Part 504 was developed to fortify the State’s AML legislation, amid concerns that current rules were falling short of addressing the growing threats of financial crime in the millions of transactions that flow through New York City every year. The DFS says its investigations into AML and sanctions screening found “shortcomings in the transaction monitoring and filtering programs of these institutions, attributable to a lack of robust governance, oversight and accountability at senior levels.”
Part 504 clarifies how institutions should monitor transactions and screen sanctions lists issued by the US Office of Foreign Assets Control (OFAC). But critically, it goes a lot further.
It places significant emphasis on the use of technology as part of the wider sanctions screening program. Such programs, it says, must be based on “technologies or tools for matching names and accounts,” must be tested end-to-end, and must be tested before and after implementation.
This requirement is solidified with a clear understanding that senior management will be held responsible for the effectiveness of the systems and tools used. Regulated financial institutions must certify annually, through their board or senior officer, that their screening and monitoring systems meet the standards required, and records, schedules and data must support this certification. The first round of certification was required in April 2018.
This is hugely significant because the DFS is saying that sanctions filtering is no longer just about setting up a tool. Instead, the regulator expects to see a comprehensive program, starting with a thorough assessment of OFAC non-compliance risks, and duly overseen by senior management. This programme needs to be supported by an adequate set of tools and other resources, and by sufficient funding.
The requirements include: Technology for matching names and accounts must be thoroughly calibrated and tested to ensure no true match with OFAC lists is ever missed; testing processes must form part of the project to implement filtering tools, to guarantee ongoing quality in screening performance; ongoing monitoring of data quality is needed, notably to ensure the completeness of internal data sources, the timely acknowledgement of OFAC updates, and the accuracy of the datasets processed through the filtering tools; and skilled staff with sound and adequate training.
Expectations have been raised. Financial institutions and payment service providers will need to be in a position to explain to regulators why they believe their screening system is fit for purpose. They will need to demonstrate that they can control the software and that the actual results of screening correspond to the organisation’s risk appetite.
This all requires robust data and informative, documented analysis around screening systems and filters, and institutions need to be able to explain their decisions, processes and results to regulators with confidence. If any part of the sanctions screening programme is outsourced to third parties, institutions should use a formal selection criteria. Ultimately, the entire programme needs to be extensively documented and controlled.
Part 504 cannot be dismissed as a local anomaly. New York City is one of the world’s major financial hubs. The impact of Part 504 is wide ranging, bearing in mind that almost every major worldwide financial institution has a branch in New York State, and that ‘regulated financial companies’ covers the full spectrum of financial services. Hardly any major institution is immune from its requirements.
We strongly believe that this is just the start of a general direction of travel among regulators worldwide. With Part 504, a major regulator is saying clearly that it is no longer enough simply to have filters in place. The emphasis has shifted from the existence (or otherwise) of technology to meet sanctions screening requirements, towards the effectiveness of the results that technology generates. Technology that merely produces ‘black box’ results with no meaningful explanation attached will not be enough. Technology will become smarter, more mature, and automation will be key to driving efficiency and meeting requirements.
We believe that the DFS legislation will significantly shape best practice in the regulation of sanctions screening programmes and set a precedent that others will follow. A new industry standard in terms of the quality of filtering programmes is here and it is simply inconceivable that it will not quickly spread across the globe.
For example, the Hong Kong Monetary Authority issued guidance earlier this year that bears remarkable similarities to Part 504. Institutions need to be ahead of this change and make sure that their software and systems are ready to provide the information that regulators will be looking for.
It is now about the ability to prove, at a granular level, the ongoing alignment of an institution’s risk assessment, its screening policies, procedures and controls - down to the actual configuration and outputs of their screening systems.
In this new age of screening, the detail is everything.