Those murmurs of hushed exasperation that have been gathering in Lower Manhattan since early December aren’t all about the collapse of energy stocks. A good many emanate from the financial institutions that make New York their home. And the issues that have the bankers mumbling are, in their way, just as fiscally impactful as oil selling at $30 a barrel.
In the first week of December, the New York Department of Financial Services (NYDFS) released a proposed addition to its regulatory framework. The proposed addition, identified as Part 504 , is intended to address “shortcomings in transaction monitoring and filtering programs” used by regulated financial institutions to comply with BSA/AML and OFAC screening and reporting requirements at the state and Federal levels. The 45-day period for affected institutions and stakeholders to submit comments to NYDFS concerning Part 504 expires in mid-January, and with the intervening holiday season, it’s perhaps easy to understand why the industry response has been somewhat muted, to date.
The business end of Part 504 runs a mere four pages, but it still speaks volumes to the financial-services community, because it raises the bar significantly both for the required functionality of BSA/AML/OFAC systems implemented within regulated institutions, and for C-level compliance executives, who will need to sign and submit an annual certification document attesting to full compliance with these new requirements.
To me, the most interesting thing about Part 504 was not what it contained, but what it omitted. There was a clear emphasis on the what of compliance, but nothing about the how, as is perhaps understandable for document that is intended to define requirements. Take, for example, the description in 504.3(b) for a compliant Watch List Filtering Program. Six key attributes are presented, but a footnote clarifies that advanced name-matching automation is not mandated, because any technology — even a manual system — can be used, just so long as it is “adequate to capture prohibited transactions.”
The fact that NYDFS displays in Part 504 a keen awareness of the leading-edge techniques for name-filtering suggests strongly to me that “adequate” compliance for anything bigger than a store-front check-cashing service will involve substantial, sophisticated automation tools, integrated closely with effective, “lossless” ETL and data-stewardship practices, as well as a strong in-service training program for all personnel in BSA/AML/OFAC positions. This, then, is the new “good enough.”
Part 504 is to go into effect 1 April 2017, with signed Annual Compliance statements expected shortly thereafter. It will be very interesting to see if the financial-services community scrambles to meet the mark, or if there is enough concerted opposition to force delays. Either way, I think that NYDFS has pointed out, in no uncertain terms, the future of AML/KYC performance-levels.
Still haven’t cleaned up those millions of sloppy, messy legacy customer-data records? Good luck…
Still relying on a fault-intolerant, Anglocentric exact-match or key-based name-filtering technology? Good luck…
Still staffing your alert-clearing team with folks who can’t tell a MOHAMMED from a MAHMUD? Good luck.
The future will be here, sooner than you think.