NYDFS Proposes to Require CCOs to Certify to Effectiveness of AML and Sanctions Programs
Just when you thought things could not get any weirder, along comes the New York Department of Financial Services and proposes a new regulation that sets forth minimum requirements for anti-money laundering transaction monitoring systems and sanctions watch list filtering.
The regulations include an annual requirement that the Chief Compliance Officer at New York banks and money transmitters certifies that the bank’s or money transmitter’s anti-money laundering and sanctions compliance systems are effective. Yikes, to say the least.
Before everyone starts to go apoplectic here, let’s take a deep breath. This does not mean that every CCO will be going to jail for AML or sanctions violations committed by banks and money transmitters. On the other hand, what is the purpose of the certification requirement? Why have the CCO execute it?
By analogy, in Sarbanes-Oxley, Congress added a controversial certification requirement for corporate financial reports. CEOs and CFOs are required annually to certify to the accuracy of the company’s financial reports. A specific crime was created for a willful false certification. In the aftermath of numerous reporting violations that led to the collapse of some major companies, the certification requirement was created to ensure that CEOs and CFOs stood behind their financial numbers. The rationale for this is pretty obvious – the CEO and the CFO are responsible for these numbers and they better be sure they are accurate.
Now, back to the NYDFS proposed regulation. A CCO also is responsible for an AML and sanctions compliance program. However, in contrast to the CEO or the CFO in the Sarbanes-Oxley case, the CCO does not have the authority to allocate resources needed to make sure the company has an effective AML and sanctions compliance program. To be fair, holding a CCO personally accountable in this situation is not the right mechanism to accomplish improved compliance.
The proposed rule codifies current regulatory expectations as set forth in the Federal Financial Institutions Examination Council’s Bank Secrecy Act/AML Examination Manual and in recent enforcement actions.
A CCO would have to submit an annual certification that the bank or money transmitter, to the best of their knowledge, meets these requirements. CCOs also would have to certify they conducted an annual review of the AML and sanctions compliance program. If the NYDFS determines later that the bank or money transmitter does not meet the requirements, the CCO could be held responsible for submitting a “false or incorrect” certification.
The proposed regulation also provides that a person who files “an incorrect or false” certification may be subject to criminal penalties, but the regulations do not provide or define the standard of intent.
The NYDFS proposal raises a host of difficulties and is misguided in its attempt to promote corporate compliance. While everyone understands the importance of holding someone accountable for corporate compliance failures, it is heavy-handed to impose potential individual civil or criminal liability on the very actor who is attempting to ensure compliance by the bank or money transmitter.
The NYDFS proposal ignores the most critical fact – CCOs do not have authority within any company to allocate and secure resources needed to implement an effective compliance program. Holding them accountable in this way will only damage corporate efforts to improve compliance. Simply put, accountability cannot be accomplished with a sledge-hammer – it requires careful design to incentivize actors who have the authority and capability to complete desired outcomes.