New York Law Could Shake Up Compliance Departments

Gilbert Carrillo
Executive Editor
Loyola University Chicago School of Law, JD 2017


The state of New York is in the process of implementing a new rule requiring some financial U.S. and foreign institutions, with New York offices, to prove that their transaction monitoring and sanctions filtering programs for catching criminal activity do in fact work. Not only must a bank’s chief compliance officer, board of directors or other senior-ranking executive certify their AML (Anti-money laundering) transactions monitoring and screening programs to the New York Department of Financial Services (DFS), but the certifying officer must sign a document stating the programs comply with all federal statutes. Additionally, a false filing could lead to a financial and criminal penalty on the institution–and on the certifying officer.

This effort stems from DFS concerns that while banks and banking-regulated institutions may already have AML programs, there are still too many illegal transactions taking place. For example, last November an international bank was forced to pay DFS $215 million fine for obscuring US dollar transactions that might violate sanctions or AML laws.

Impact on Compliance

DFS took a big step by extending personal liability to the certifying officer. Now, certifying officers are more likely to ensure their company’s monitoring and screening programs are working. Institutions subject to this new regulation, starting in April 2018, will need to address a few things. First, the institution will need to define and document the roles and responsibilities of all involved parties. Second, the institution will need to maintain risk-based evidence for any decision being made about the company. Third, the institutions must ensure that their monitoring and screening programs are mapped to ACTUAL risks the institution faces. Finally, the institution should adequately assess their risk/shortcomings in their programs.

Another pressing concern involves whether or not any institution should self-disclose errors prior to the effective date of the regulation in April 2018. Some questions are: Is there a duty to disclose? If there is, what if we (institution) do not have a remediation plan?

There is no question the compliance departments will need to address these questions in their compliance programs. Absent the institutions addressing these areas, the institutions will be in danger of noncompliance. These compliance departments will have a tough task ahead of them. Only time will tell how successful and prepared the compliance departments are for the coming changes.