Some US and foreign banks with New York offices will soon face the challenge of proving that their transaction monitoring and sanctions filtering programs for catching criminal activity really work.
The New York Department of Financial Services (DFS) believes that although banks and banking-regulated institutions may already have AML programs, there are still too many illegal transactions slipping through the cracks. Case in point, the $215 million fine that an international bank was forced to pay DFS last November for obfuscating US dollar transactions that might violate sanctions or AML laws.
New York’s two-step answer: first, a far more prescriptive rules-based approach. Although the DFS’ expectations are mostly in line with federal regulations, they require codification. “The new rules call for end-to-end pre- and post-implementation testing of the transaction monitoring program including a review of the governance, data mapping, model validation, data input and program output,” explains Donna Daniels, an executive director for fraud investigation and dispute services at EY in New York.
“The program must be subject to ongoing analysis to assess the logic and performance of the technology or tools for matching names and accounts against the OFAC sanctions and other lists and the threshold settings to see if they continue to map to the risks of the organization,” Daniels adds. The Office of Foreign Assets Control, a unit of the US Department of Treasury, prohibits US firms or individuals from doing business with certain foreign countries or entities which it considers to be fostering terrorist or other illegal activities.
The second new step in compliance is that a bank’s chief compliance officer, board of directors or other senior-ranking executive must provide the DFS annual certification of compliance with the new rules. That certification, beginning in April 2018, shouldn’t be taken lightly even though the final language of the DFS’ rules is less draconian than the original December 2015 draft version. “The initial proposed language stated that an officer filing an incorrect or false certification could be subject to criminal penalties while the new version says that the rules will be enforced pursuant to the authority of the DFS superintendent,” says Daniels. “However, the DFS won’t hesitate to refer a bank or individual to a prosecutorial authority for possible criminal charges in the event of an intentionally inaccurate or false certification.”
The NY DFS rules won’t be taking New York banking by surprise. “They should already have implemented a transaction monitoring program based on the risk-profile of the customer involved and the risk appetite of the bank,” says Kathleen Nandan, co-chair of the AML and trade sanctions team at the law firm of Reed Smith in Pittsburgh. The higher the risk ranking of the client, the more closely its business activity with the bank is overseen and the lower the threshold of funds that might trigger an alert or warning of suspicious activity. Those alerts must then be investigated by AML analysts before a suspicious activity report is written up. Sanctions filtering typically occurs at the time a customer is onboarded. The bank must check the identity of the client against OFAC and other lists.
So what’s the real difference with the DFS’ new program requirements? The mandatory periodic reviews and updates at “risk-based intervals,” which the DFS defines as any changes to AML laws and regulatory warnings as well as changes to the bank’s own risk profile. Defined threshold values and amounts within the detection scenario as well as details of the investigation of alerts must also be fully documented.
Transaction monitoring and sanctions list filtering are error-fraught. Starting off on the wrong foot means ending up on the wrong foot. “A system to ensure the accurate risk ranking of the client is critical to ensuring a correct transaction monitoring model,” says Kelvin Dickenson, vice president of compliance and data solutions at Opus, a New York and London-based regulatory technology firm. “Likewise, systems and procedures need to reduce the likelihood that an AML analyst might not investigate an alert correctly.”
Sanctions filtering also isn’t as easy as it sounds. “There can be multiple variations in spelling of the last name and in some countries there are complex combinations of multiple first and last names,” says Dickenson. “Aliases are also common.” Arabic names can have dozens of transliterations while sanctions lists only provide a few alternative spellings. As a result, banks sometimes rely on sorting through files manually.
Managing Data Convergence
Expected to cause the most consternation among banks is a new requirement common to both transaction monitoring and sanctions filtering: the identification of all data sources, correct data mapping and data extraction. “Even the largest regulated banks may grapple with data management challenges to meet this requirement,” says Daniels. “These challenges will be compounded by the convergence of different information technology systems used throughout the various departments of a large institution. Additional data analysis or mapping may be required to document compliance.”
Relying on the best technology and data management might help ensure that potential wrongdoing can be caught through alerts, but it still won’t be enough to meet the DFS requirements. The DFS will also expect that a bank has sufficiently trained AML analysts to follow up on any alert. Banks can no longer blame budget cuts or shortage of staff for not investigating suspicious activities or individuals.
Nor can bank branch offices point the finger at a lack of support from the top. “The certification process will require the bank to enforce a culture of compliance because multiple units responsible for the AML and sanctions filtering process will have to verify that each has done its fair share of work,” says Nandan. Those include customer onboarding, transaction monitoring, sanctions filtering, transaction modeling, internal audit and IT departments. Likewise, the vendor selection process must be documented and the relationship continually monitored.
Although each of those bank departments will have its own work to do, they will likely have to interact a lot more with each other as well, and with the reporting party, to make certain that weaknesses are identified and corrected. The DFS does not specify what a bank should do if it has not corrected a shortcoming when its annual certification is due. Presumably, a bank would not have to disclose problems it has already fixed.
What do banks have to worry about the most? “Because banks already have transaction monitoring and watchlist screening systems in place, the big expense won’t be in technology implementation or improvements,” predicts Dickenson. “Instead, it will be in policy creation, documentation and testing.” As a rule of thumb, the larger the size of the bank, the higher the number of departments, branch offices and staff that will be involved in the certification process.
Dickenson cautions that banks should pay the closest attention to wire transfer departments. The reason: they are subject to the highest volume of time-sensitive transactions and the highest potential for the identities of the actual senders or beneficiaries of the funds to be misrepresented or hidden in the message formats. The DFS says that when the major international bank that was fined sent wire transfer messages through the network operated by SWIFT, it masked the true identities of the parties to the fund transmission.