Issue #24 - July 2017 

Why You Should Pay Attention to New York's 504 Rule

Amber Goodrich, Compliance Strategist, CSI

By now, all financial institutions should be intimately familiar with BSA/AML regulations. The problem is, the modern criminal is also aware, constantly inventing methods to circumnavigate the regulatory environment. 

This fact, coupled with the increasing complexities of moving money digitally, has many regulatory agencies questioning whether current BSA/AML requirements are enough. And it’s true that financial institutions have struggled with reporting suspicious activity in recent years; their adherence to legacy IT systems propagates concerns surrounding lapses in data integrity and surveillance systems that are unfit for automated money movement. 

The question of whether current BSA/AML requirements remain effective served as the primary catalyst for a recent regulatory upgrade from the New York Department of Financial Services (NYDFS). According to the NYDFS, these regulations need a major overhaul. 

What is the 504 Rule? 

The NYDFS 504 Rule, to put it lightly, “beefs up” current BSA/AML standards by including requirements of validation and personal liability by senior compliance officers (detailed below). The main objective of the rule is to ensure that financial institutions’ BSA/AML programs are on pace with the technological advancements of the industry. 

Further, this new rule serves as a prelude to future regulations. Financial institutions nationwide need to take a long, hard look at the 504 Rule, because similar regulations are likely to be adopted and implemented by other states. And as money laundering and fraud become increasingly embedded in digital channels, BSA/AML regulations will likely expand to incorporate these additional requirements.

Breaking Down the 504 Rule’s Requirements 

  1. Risk Assessment. The risk assessment will prove to be the core consideration when adhering to the various requirements of the 504 rule. BSA/AML rules require an annual risk assessment, so this should not be new territory for financial institutions. 

  2. Director and Officer Liability. Perhaps the most crucial aspect of the new rule, NYDFS 504 states that director and senior officer liability will increase, putting more pressure on these individuals to ensure that their respective institutions remain compliant. Regulated institutions must submit either a board of director’s resolution or a senior officer’s written consent, which confirms compliance with the NYDFS final rule starting April 15, 2018. Though more stringent under the 504 Rule, personal liability by directors and senior executives has been prevalent in recent years. From Jan. 1, 2009, through March 18, 2016, the FDIC has authorized suits in connection with 151 failed institutions against 1,213 individuals for “D&O” (Director and Officer) liability. 

  3. Transaction Monitoring Program. All institutions under the regulatory umbrella of the NYDFS must maintain a monitoring program to enhance discovery of BSA/AML violations. This monitoring program must be based on the institution’s risk assessment, and is required to have thorough documentation articulating detection scenarios. 

  4. Watch List Filtering Program. All institutions are required to have a watch list screening program in place. This program must be designed, either by automation or manually, to prevent the completion of transactions prohibited by OFAC. It’s interesting to note that other watch lists, like PEP lists and FinCEN’s 314a, originally were included in the proposed version of the requirement, but were excluded from the final piece of legislation. Currently OFAC is the only required watch list in the 504’s watch list filtering program. However, it would not be a surprise to see this requirement expanded out to include the aforementioned lists.
  5. Retention and Validation. Financial institutions must maintain all records, schedules and data supporting the programs mentioned above. The Chief Risk Officer or appropriate director is also responsible—and personally liable—for signing off on the above mentioned programs, essentially validating that they are up to par with the 504’s requirements. 

Though perhaps far removed from the regulatory authority of the NYDFS, financial institutions nationwide should nevertheless be viewing these requirements with increasing interest. It is likely that similar, if not identical, requirements of the 504 will be adapted by other state and federal regulatory agencies in the coming months or years


<Back to July 2017 WIB Compliance Digest >