As 2015 wound down, New York’s Department of Financial Services was ramping up a renewed focus on money laundering and heaping new responsibilities on compliance officers’ already full plate.

On Dec. 1, New York Governor Andrew Cuomo proposed a slate of new anti-money laundering regulations for financial institutions that fall under that state’s regulatory regime and supervision (in other words, pretty much any big bank or foreign-owned institution).

Once the rules are final, New York will require banks and other financial firms—including money services businesses and Bitcoin businesses—to maintain a transaction monitoring program, either manual or automated, that seeks out potential Bank Secrecy Act and money laundering violations. The system, as mandated, must map risks to the firm’s businesses, products and customers, incorporating existing know-your-customer due diligence programs. The most controversial proposal would require chief compliance officers to submit, by April 15 of each year, certifications on the effectiveness of these systems and controls. Certifications that are later found to be incorrect or false could lead to criminal liability.

With the public comment period for the new rule wrapping up on Jan. 15, we spoke to Carol Van Cleef, a partner at law firm Manatt, Phelps & Phillips and co-chair of its global payments practice group, about the proposal and what it means for compliance officers.

What was your initial reaction to the proposal?

The proposal itself was not a surprise because of former Superintendent Benjamin Lawsky’s speech earlier this year at Columbia Law School [where he pitched a Sarbanes-Oxley-inspired attestation requirement for senior bank executives]. The designation of the chief compliance officer or functional equivalent as the certifying senior officer was, however, a surprise.

Where do compliance officers fit in?

The purpose is to address certain problems that have been identified by the DFS during examinations and investigations and ensure a more robust compliance environment. While its expectations are similar to those of federal regulators, the big difference is putting those expectations into an enforceable regulation. This means failure to comply with the regulation could result in penalties and possible other sanctions.

The chief compliance officer would seem like the obvious person to provide such certification. However, as a practical matter the CCO is probably not the right person in most organizations.

The CCO is likely to be the person overseeing—either directly or indirectly—the implementation and maintenance of the AML program. But in many organizations, the CCO may not have sufficient gravitas to command the resources necessary to ensure the organization’s compliance program lives up to regulatory expectations.

Even if the CCO has the necessary resources and authority to effect change, he or she may face pressure to sign the certification before needed changes are made. Senior management could impose such pressure by demanding its execution, or the pressure could be internally generated if the CCO has concerns about losing a job, being demoted, or not receiving a bonus if the certification is not signed.

Congress and the federal regulators recognize the importance of having someone other than the compliance function itself evaluate the compliance program. The independent review mandated by the BSA should be sufficient. However, even after almost 15 years of heightened AML compliance efforts, we are still lacking standards for the conduct of such reviews—and the reviewers themselves—like what exists in the accounting industry. It may be more effective to increase the expectations for independent reviews to achieve the results the DFS is seeking.


Carol Van Cleef is co-chair of the Global Payments practice group and a member of the Financial Services and Banking practice. She represents financial services companies and other clients in federal and state regulatory, compliance, and enforcement matters, including anti-money laundering, electronic payments, federal deposit insurance, and other bank regulatory issues. She counsels banking organizations, credit unions, securities firms, insurance companies, finance companies, money service businesses and hedge funds, among others.
Van Cleef has significant experience working with all types of MSBs (including domestic and foreign money remitters, bill payment systems, check cashers, currency dealers/exchangers), third-party payment processors, stored value (prepaid card) programs, and other alternative payment systems regarding state money transmitter licensing and regulatory requirements, federal MSB registration, BSA/AML compliance, privacy and information security programs. She has represented publicly traded companies and private equity funds in purchasing and selling bill payment companies, money transmitters and other types of money services businesses. Van Cleef also has worked closely with the management and shareholders of money services businesses seeking new funding sources and confronting bankruptcy. She is the author of the legal/regulatory section of the National Automated Clearing House Association's popular 2007 Guidelines for Billers and Walk-in Payment Providers. A Certified Anti-Money Laundering Specialist, Van Cleef is a frequent speaker on AML compliance-related issues and a member of the Editorial Task Force of ACAMS Today. She has created a series of highly acclaimed AML compliance training programs sponsored by the Conference of State Bank Supervisors, including the Boot Camp for BSA/AML Compliance Professionals, the Mini-Boot Camp for Developing Prepaid Card AML Compliance Programs, and an intermediate course, Officer Training for BSA/AML Professionals. These programs have been attended by regulators from more than 45 states and representatives of domestic and foreign banks, securities firms, MSBs and other companies.
Van Cleef regularly advises clients on compliance with the USA Patriot Act, the Bank Secrecy Act, and Office of Foreign Assets Control regulations. She assists clients in developing, reviewing, and enhancing BSA, AML, and OFAC compliance programs. She also works with clients in analyzing implementation of their automated BSA/AML compliance solutions, addressing enforcement actions and preparing for regulatory examinations and independent compliance reviews.
A veteran of the savings and loan crisis, Van Cleef has represented more than 50 banking organizations on a number of federal deposit insurance assessments and coverage issues. She has worked with numerous banks and savings institutions on various types of transactions involving failing and failed depository institutions, asset acquisitions, and contracting to provide services to receivers or conservators. She also served as special regulatory counsel for the holding company of a failed bank in federal bankruptcy proceedings.
In addition to CSBS, Van Cleef works closely with the Money Transmitter Regulators Association and the National Association of State Credit Union Supervisors. She is an active member of NACHA's Council for Electronic Billing and Payment. Van Cleef has served as the vice-chair of the Legislative Process and Lobbying Committee of the American Bar Association's Administrative Law and Regulatory Practice Section and a member of the Executive Committee of the Federal Bar Association's Banking Law Committee. She is a past president of Women in Housing and Finance.
Prior to practicing law, Van Cleef was a consultant with the bank consulting firm Golembe Associates, Inc.

Source: Manatt, Phelps & Phillips

How difficult will these new demands be? 

Presumably, most organizations already are compliant, as the proposed regulations are very similar to existing federal regulatory expectations. Some money services businesses, especially smaller ones, may find initially complying with the proposed regulations a bit more challenging.

How do the new requirements fit within existing regulatory regimes and in-house AML efforts?

The requirements are very similar to federal regulatory expectations in many ways. However, the DFS requirements are much more prescriptive than federal law and that may cause problems in examinations as examiners will have less discretion when reviewing compliance efforts.

Many are likely to find themselves investing significant resources in creating documentation necessary to demonstrate compliance with these rules as proposed. For smaller institutions, the time and costs associated with this effort are likely to be crushing. For banks, the added effort required by the proposed rule could be sufficient justification to convert to federal charters.

One area where more clarification is necessary is with respect to “watch lists.” There are a number of different types of lists that institutions are expected to check as a matter of best practices. Identifying customers who are on those lists does not mean that the institution can’t do business with them. As proposed, the regulation would seem to prohibit transactions with anyone on these lists. Some of these lists—like politically exposed persons—are used to identify customers that may present higher risks. However, institutions are not prohibited from doing business with these customers.

Should CCOs be concerned that pending regulation could increase their personal liability?

Absolutely. This proposal imposes criminal liability for a certification that is incorrect or false, and it should be a major concern for all CCOs. Regardless of how good an institution’s program may be, there is not a CCO I know who is not concerned about the institution’s program, given all of the unforeseen issues that may arise. A good compliance officer recognizes that even with the best compliance programs, things can go wrong. AML compliance is ever-evolving, and what an institution did well last year may not be enough this year, due to evolving criminal and terrorist activities.

The CCO is being asked by the regulator to assume full liability for the institution’s failure to be compliant, even when such failure may well be beyond his or her control. The world can change in an instant, and certainly between the time the certification is made and an examination.

If I were a CCO, I would want someone at an appropriately senior decision-making level in the organization to be responsible for making this certification, especially if I don’t have full control over every decision that needs to be made about the program or the institution’s business activities.

I would also definitely want a raise.