Locke Lord QuickStudy: Final New York Anti-Money Laundering Regulations Released – Risk of Liability for AML Compliance Expands to Senior Officers and Directors

Last December we alerted our clients of newly proposed anti-money laundering regulations issued by the New York Department of Financial Services (the Department)¹. These rules generated nationwide attention (and criticism) due to their expansion of criminal liability for compliance officers and the imposition of numerous new mandates for AML/BSA compliance programs. The Department has now issued revised final rules that do little to address the concerns raised by industry stakeholders. Notwithstanding these revisions, we believe the new regulations subject boards and senior officers of regulated institutions to new risks of regulatory enforcement action and criminal prosecution. 

Perhaps in response to these concerns, the revised rules amended the monitoring program requirements and substituted the annual compliance officer certification with an annual board resolution or senior officer finding regarding the institution’s compliance. Instead of the compliance officer, the board or senior officer must now certify that (i) they have “reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary” to adopt the required certification, (ii) they have “taken all steps necessary” to confirm their institution has a monitoring program in compliance with the rules, and (iii) to “the best of [their] knowledge,” such program complies with the rules.⁴  While this finding/resolution modifies and expands upon the initial certification, it should do little to assuage the concerns of regulated financial institutions in New York. The final rules simply shifted the burden imposed by the proposed regulations away from compliance offers and on to boards and senior management. 

In many respects, the revised rules have provoked more questions. The most important of which is the scope of the new burden placed on certifying boards and senior management.  Also, the expected level of diligence and investigation that such individuals must undertake is unclear. AML compliance programs are intricate systems relying on the input and performance of multiple employees, vendors and software programs. The certifying directors or officers must attest to the actual compliance of these systems with the granular requirements of the rules. What level of negligence in investigation or knowledge of possible system weaknesses could make a certification actionable remains to be seen. 

Another item that the rules leave open is which person(s) within the organization will be forced to carry the heightened burden. The rule requires each regulated institution to submit a board resolution or a senior officer(s) compliance finding. A “senior officer” under the rules is “the senior individual or individuals responsible for the management, operations, compliance and/or risk of a Regulated Institution.” While responsibilities and titles vary among organizations based on various factors, the rules leave open whether the chief executive officer, chief operations officer, chief compliance officer or other officer must sign the certification absent a board resolution. We expect the Department to provide further clarity on this matter in due course. 

All banks chartered pursuant to New York banking law (Banking Law), all branches and agencies of foreign banking corporations licensed pursuant to Banking Law, as well as nonbank institutions such as check cashers and money transmitters licensed under Banking Law should carefully formulate plans to address the requirements of the new rules. While all of the aforementioned entities are subject to enhanced regulation due to the nature of their activities, AML compliance is subject to particularly strict scrutiny and a frequent target of enforcement actions. Perhaps by design, we believe the groups most vulnerable are smaller players in the nonbank money services business who may lack the means to achieve full compliance with the enhanced monitoring requirements. Regardless of size, we advise all affected companies to evaluate their current anti-money laundering programs in light of the new requirements. We also recommend procedures be set in place to guide those certifying directors/senior officers in making a sufficient investigation into such programs well ahead of the first certification due April 15, 2018.

While some institutions may look to avoid the new rules by leaving the Department’s jurisdiction through various methods including re-chartering in other states, we recommend exercising caution given New York’s broad interpretation of ‘doing business’ in the state. This is particularly true for those businesses heavily relying on a digital presence in multiple jurisdictions outside their corporate domiciles. Furthermore, while no other state has proposed similar regulations, New York’s new rules may inspire regulators in other states to act.