Presuming the Basics:New York's Anti-Money Laundering Rule

Money Laundering

This article focuses on New York's recently adopted Rule 504 requiring banks to demonstrate that their anti-money laundering transaction monitoring programs and their U.S. sanctions transaction filtering programs meet explicit compliance standards. It should not escape notice that Rule 504 presumes a pretty solid underlying AML and sanctions program in many respects as a starting point. An institution preparing to comply with this rule should bear in mind that some of the basic program elements, including risk assessments, vendor management or testing and the like, might not now be in the desired condition, and are worth upgrading now.

Robert Axelrod

By Robert M. Axelrod

Robert M. Axelrod is a managing director in Deloitte Transactions and Business Analytics LLP, an affiliate of Deloitte Financial Advisory Services LLP. He specializes in projects addressing financial transactions in regulatory and compliance contexts, including anti-money laundering and antiterrorist financing, as well as anticorruption concerns in the financial services industry, specifically addressing banks, insurance companies, and broker dealers.

New York's new requirements (Rule 504) for banks to bolster their internal oversight of anti-money laundering (AML) and sanctions programs were accompanied by great fanfare when the initial proposal was introduced on December 1, 2015, and almost as great fanfare when the final rule was announced on June 30, 2016. The rule recites New York Department of Financial Services (NYDFS) standards that banks need to have in place for AML monitoring and applying sanctions by the Treasury's Office of Foreign Assets Control (OFAC), and prominently features the role of model validations.

The initial fanfare focused on the requirement that the Chief Compliance Officer or equivalent certify as to the soundness of the AML transaction monitoring program and the Sanctions data filtering program, with the prospect of criminal penalties for inaccurate certifications. With the final version of the rule, attention focused on the removal of the certification process, replacing it with a “Finding.” Other notable changes included removing the reference to potential criminal penalties and creating some alternatives as to who would be signing, so that Compliance was not the presumptive lightning rod for the programs.

The rule, from inception to final version, also set out a number of key attributes of these programs that amounted to a detailed checklist. It is this last aspect, which did not materially change in this arc, which here deserves attention.

Although largely framed in terms of the basic elements of model validation, the rule presumes some of the most basic aspects of an AML program are intact and working well: Risk assessments, program updates around new regulations and business changes, testing, vendor management/reliability, data completeness and accessibility and training. As an additional implicit matter, the rule creates an expectation of detailed documentation. Although the lead time for the first Finding is now more than a year (until April, 2018), these aspects may require relatively prompt attention to get everything done on time to an appropriate level of excellence.

Risk Assessments: Model validation includes the process of reviewing the alignment of the institution's risk profile with the algorithms selected by the bank for filtering and transaction monitoring. This may impact the initial choice of the platform, as well as potential variations or changes. A bank whose risk assessment(s) is overly judgmental, inconsistent, taken unchanged from a generic template such as the one for AML in the FFIEC manual or is otherwise lacking, will have difficulty following the rule in this regard. For better tailoring, it is likely that the institution will have a separate risk assessment for sanctions (or at least OFAC) and AML. If these risk assessments are not fit for purpose now, creating better ones is a labor intensive process that belongs at or near the head of the list for Rule 504 compliance. Without it, it is hard to have the risk based approach for the models that the rule sets out. Of course, the bank could have the worst of two worlds—a risk assessment that doesn't match rule 504 expectations (which at this point are not explicitly stated), and a model validation that requires composing its own risk profile for the bank in order to address the applicability of the scenarios and thresholds chosen.

Program Updates : Institutions may have some reference in their policies to updating their programs according to changes in rules and to their business model. However, it may be useful, since this is explicitly called out in the rule, to have a documented process and procedure around program updates, and to have a process to channel updates into the judgment of whether monitoring or filtering should be impacted. Because the rule also addresses the function of getting rid of dead weight scenarios or processes (e.g., scenarios that are no longer relevant and would be a drain on resources and attention), this updating function is even more critical to compliance. Documenting specific regulatory and business models, market and product changes, and the reasoned response to those changes, is thus strongly encouraged by the rule.

Testing: Of course, testing is one of the pillars of an AML program, and some of that testing relates to the transaction monitoring and filtering programs. In addition to the results of independent periodic testing around the programs, the rule anticipates that there will be available some history of prior end-to-end testing of these programs, as part of the evaluation taking place in the validation process. As a related matter, documentation of the goals set out for the systems when they were initially designed or amended (presumably part of the drivers for subsequent testing) is also expected. Locating the documents with the information or in some cases setting the relevant historic information into a clear format, is worth achieving early in the 504 process.

  • Special Bonus Provision on Testing: While not stated explicitly as a testing element, documenting items that require material improvement and setting in place a remediation plan accordingly may be seen as springing out of appropriate testing. This provision (504.3(d)) is not specifically called out as part of the rule's designated format for the Finding, but could find its way into the Finding, as an attachment or by way of text. The provision suggests that even a sound program may have gaps that are uncovered and dealt with in the ordinary course. It would appear that part of a sound program is documenting (and disclosing) the existence of those gaps and the plans to fix them. The process for dealing with testing (compliance testing, audit or otherwise) exceptions should thus be robust under the rule, with some provision for how and when gaps discovered will be communicated to regulators. Aside from those that arise in testing, gaps may be identified through employee suggestions, subpoenas, examinations or other processes, but the protocol to address gaps from that point forward should be much like that for test exceptions. As banks draft their initial Finding under this rule in 2018, they will need to consider how best to reference the existence of any such material issues as part of the required overall statement of compliance with the rule.

Vendor Management/Reliability: Rule 504 includes vendor selection as part of its requirements, but is not explicit about what that means. Presuming the same issues that are important to the Office of the Comptroller of the Currency are important to the NYDFS, one would expect to see an analysis for the vendors in place for the monitoring and filtering systems regarding their competence, histories, performance, insurance, availability and continued responsiveness. While almost any institution would address these issues on a day-to-day basis, having a well-documented and periodically updated analysis in this regard is advisable for an institution whose 504 compliance is being considered, particularly since the Finding format presumes a representation that there is Rule 504 compliance.

Data Completeness and Accessibility: Transaction monitoring and sanctions filtering systems are no better than the data they ingest. Some institutions, even now, may lack a coherent documentation of data architecture through which the selection of data feeds can be intelligently explained and demonstrated to be complete. Legacy systems may complicate the data extraction, transformation and loading processes necessary for the right data to be presented so that it can be accurately applied to scenarios and thresholds. Merely clarifying the current state in this regard can take many months or longer, and is another item to move to the beginning or close to the beginning for preparing to comply with this rule.

Training: Periodic training, a staple of AML and Sanctions programs, is cited in Rule 504 as well. Because a Finding of compliance will presume compliance with training, it is likely that training during the annual finding period will be called for. This is generally difficult to do at the last minute. Timely review of training content and delivery is thus advisable early in the process of preparing for 504.

Documentation: Rule provisions (504.4) require that the documentation supporting the Finding of compliance with the rule be preserved and available for inspection. The documentation anticipated is further clarified in the rule's format for a Finding as the “documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary to adopt this … Finding.” Simply put, the rule requires that banks create and preserve a documentary roadmap supporting the position that there is Rule 504 compliance. However, documents in a program are prepared for different purposes, so now sifting through what may now be available, deciding what needs to be added and identifying what changes to this mix may be useful to make the stack of documents coherent for this purpose. This is a task worth starting sooner rather than later.


Although Rule 504 has perhaps been most prominently discussed regarding its designation of particular persons at an institution as the ones to state that the monitoring and filtering systems meet the standards set in the rule, it should not escape notice that the rule presumes a pretty solid AML and Sanctions program in many respects as a starting point. An institution preparing to comply with this rule should bear in mind that these basics, whether risk assessments, vendor management or testing or the like, might not now be in the desired condition, and are worth upgrading now. And, because the rule turns on high-level people making a Finding that states they have reviewed all the documents and information necessary and taken “all steps necessary” to confirm compliance, documentation of these presumed conditions needs to be at a clear, granular, consistent, current and accurate level. There is a lot to do up front, in addition to the transaction monitoring and data filtering model validation that is the ostensible core of the rule.

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.