New York Governor Andrew Cuomo has proposed a slate of new anti-money laundering and anti-terrorism regulations for financial institutions that fall under that state’s supervision, including a requirement that senior financial executives certify their institutions have sufficient systems in place to detect, weed out, and prevent illicit transactions. That demand has some fretting that compliance officers will have even more reason to fear personal liability in enforcement cases.

For the last four years, the New York State Department of Financial Services has conducted a series of investigations into terrorist financing, sanctions violations, and anti-money laundering compliance at financial institutions. As a result of these investigations, it has uncovered “serious shortcomings in the transaction monitoring and filtering programs of these institutions and that a lack of robust governance, oversight, and accountability at senior levels of these institutions has contributed to these shortcomings,” a statement says.

New requirements, subject to final approval after a 45-day public comment period, include maintaining a transaction monitoring program, manual or automated, that seeks out potential Bank Secrecy Act/AML violations and the need for Suspicious Activity Reports. The system, as stipulated, should map these risks to the firm’s businesses, products, services, customers, and counterparties. It should also incorporate all current BSA/AML laws, regulations, and alerts while factoring in relevant information from know-your-customer due diligence and enhanced customer due diligence programs.

Among the other proposed requirements:

Pre- and post-implementation testing of the transaction monitoring program, including governance, data mapping, transaction coding, detection scenario logic, model validation, data input and Program output, as well as periodic testing.

Investigative protocols that detail how alerts generated by the transaction monitoring program will be investigated, the process for deciding which alerts will result in a filing or other action, who is responsible for making such a decision, and how the investigative and decision-making process will be documented.

Maintaining a watch list filtering program for the purpose of interdicting transactions, before their execution, that are prohibited by applicable sanctions, including those from the Treasury Department’s Office of Foreign Assets Control and other sanctions lists, politically exposed persons lists, and internal watch lists.

Pre- and post-implementation testing of the watch list filtering program should include data mapping, and an evaluation of whether the watch lists and threshold settings map to the risks of the institution. Data should be assessed for integrity, accuracy and quality.

Governance and management oversight, including policies and procedures governing changes to the monitoring and filtering programs to ensure they are defined, managed, controlled, reported, and audited.

To ensure compliance, each covered institution shall submit to NYDFS, by April 15 of each year, certifications on the effectiveness of their systems and controls. No regulated institution may make changes or alterations to the transaction monitoring and filtering programs to avoid or minimize filing suspicious activity reports, or because the institution does not have the resources to review the number of alerts, or to otherwise avoid complying with regulatory requirements.

The regulations proposed by NYDFS represent, potentially, “a very significant step in anti-money laundering enforcement,” says Matthew Schwartz, a partner in the global investigations and white collar defense practice at law firm Boies, Schiller & Flexner. “When former NYDFS Commissioner Benjamin Lawsky announced back in February that he was considering a proposal to make senior bank executives personally attest to the adequacy and robustness of anti-money laundering and transaction monitoring systems, everyone stood up and took notice.”

The requirement, explicitly modeled on the Sarbanes-Oxley Act, that CEOs and CFOs personally attest to the adequacy of accounting and finance controls “fits with the broader emphasis that regulators and law enforcement have placed on Bank Secrecy Act compliance over the last several years,” he said. 

If the proposal is enacted, “senior executives will personally be on the hook for faulty AML controls—a potentially scary prospect,” Schwartz added. “DFS has shown a commitment in recent enforcement actions to hold compliance officers responsible for misconduct at their institutions by, for example, requiring that they be fired as part of any settlement with DFS.” Now, with a formal certification signed with an attestation that it is “accurate and complete,” DFS will have “strong ammunition to take the next step and pursue enforcement actions against compliance officers as individuals.”