NY Department of Financial Services (NYDFS)

On February 16, 2017, the New York Department of Financial Services (NYDFS) published a final rule (the “Rule”) imposing new cybersecurity requirements on covered financial institutions. The Rule takes effect on March 1, 2017; however, covered institutions will have 180 days to come into compliance with most requirements, with longer transition periods of 1-2 years for certain obligations. The Rule requires covered entities to certify annually that they are in compliance with its requirements, with the first certification due on February 15, 2018. NYDFS revised its prior drafts of the Rule based on two rounds of public comment.

The Rule is notable for its potentially broad reach.  Specifically, the Rule defines a “Covered Entity” as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization” under New York’s Banking Law, Insurance Law, or Financial Services Law. (Sec. 500.01(c)).  While the Rule contains exemptions based on, for example, number of employees (fewer than 10); gross annual revenue (less than $5 million in each of the last three fiscal years from New York business operations of the Covered Entity and any affiliates); and year-end total assets (less than $10 million, including assets of all affiliates), it nevertheless potentially draws a broad range of banks, insurance companies, and other financial services providers within its reach. (Sec. 500.19).

The Rule requires Covered Entities to establish and maintain a risk-based cybersecurity program that is “designed to protect the confidentiality, integrity and availability” of its information systems, as well as any “nonpublic information” stored on such systems. (Sec. 500.02). It likewise requires Covered Entities to prepare written policies, and to designate a Chief Information Security Officer (CISO). (Secs. 500.03 and 500.04). Among the other requirements the Rule imposes are:

  • Either “effective continuous monitoring” of the Covered Entity’s information systems or, in its absence, annual penetration testing and twice-yearly (the Rule’s term is “bi-annual”) vulnerability assessments, consistent with the Entity’s level of risk. (Sec. 500.05)
  • Systems that are designed to reconstruct material financial transactions sufficient to support normal obligations of the Entity and that include audit trails designed to detect and respond to cybersecurity events. (Sec. 500.06)
  • Development of third-party service provider security policies that set forth minimum cybersecurity practices required to be met by third parties providing services to the Covered Entity. (Sec. 500.11)
  • The use of effective access controls, which may include multi-factor authentication or risk-based authentication, consistent with the Entity’s risk assessment, in order to prevent unauthorized access to nonpublic information or information systems; multi-factor authentication is specifically required for any individual accessing the Entity’s internal networks from an external network, unless the CISO has approved in writing reasonably equivalent or more secure controls. (Sec. 500.12)
  • The use of encryption, consistent with the Entity’s risk assessment, in order to protect nonpublic information held or transmitted by the Entity “both in transit over external networks and at rest”; where the Entity determines that encryption is infeasible, it may instead use effective alternative compensating controls reviewed and approved by the CISO, with the feasibility determination and the controls reviewed at least annually. (Sec. 500.15)
  • A requirement to provide the NYDFS Superintendent with notice within 72 hours from a determination that a qualifying cybersecurity event has occurred. (Sec. 500.17(a))
  • An annual reporting requirement to the NYDFS Superintendent certifying compliance with the Rule and setting forth any identified areas, systems, or processes requiring material improvement, updating, or redesign, and documenting any remedial efforts planned or underway to address these. Entities also must retain for inspection all records, schedules, and data supporting the certification for a period of five years. (Sec. 500.17(b))

The Rule is the first known effort by a state regulatory agency to impose mandatory cybersecurity requirements on a class of businesses, and in that way it represents a break from prior efforts that have focused more on voluntary standards.  New York’s experience with the implementation of the Rule may inform similar efforts by other state regulators in the future.

Institutions that are already subject to other obligatory cybersecurity standards for the financial industry, such as those imposed under the Gramm-Leach-Bliley Act (GLBA), or by the Financial Industry Regulatory Authority (FINRA) or the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (SEC OCIE), may find that they have already addressed many of the steps required by the new Rule. However, they will still have to assess overlaps and gaps against the requirements of the new Rule as they build compliance programs. The Rule’s impact is likely to be felt most prominently by financial services companies that are not already subject to federal cybersecurity standards, to the extent they have not already established cybersecurity programs that are largely compliant.

It is also unclear how the Rule—and others like it that may appear in the future—will interact with voluntary standards aimed at critical infrastructure more generally, such as the National Institute of Standards & Technology (NIST) Cybersecurity Framework (CSF). While the Rule addresses many of the same considerations as other pre-existing standards, it delves deeper into the specifics. For example, multi-factor authentication and encryption at rest are tools that industry can use to meet standards such as the GLBA and NIST CSF, but neither is specifically required. Given the increasing interrelationship between state and federal obligations, as well as both cybersecurity and anti-money laundering (AML) regulations, it is important for affected firms to adopt a coordinated approach with an integrated team of legal professionals. Crowell and Moring’s Privacy and Cybersecurity and AML practices are happy to provide further guidance in each of these areas.

On June 30, 2016, the New York State Department of Financial Services (NYDFS) adopted a final rule imposing new anti-money laundering (AML) and economic sanctions requirements on banks and other financial institutions regulated by the agency.

The rule applies to: (1) banks, trust companies, private bankers, savings banks, and savings and loan associations chartered under the New York Banking Law; (2) all branches and agencies of foreign banking corporations licensed under the Banking Law to operate in New York; and (3) check cashers and money transmitters licensed under the Banking Law (collectively, Regulated Institutions).

The rule requires Regulated Institutions to:

  1. Maintain a “Transaction Monitoring Program” that is “reasonably designed” for post-transaction detection of violations of AML laws and to allow appropriate filing of suspicious activity reports as required under the Bank Secrecy Act (BSA).
  2. Maintain a “Filtering Program” reasonably designed to interdict transactions prohibited by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC).
  3. Provide an annual board resolution, or finding by one or more “senior officers,” that the Regulated Institution complies with all Transaction Monitoring and Filtering Program requirements.

Both the Transaction Monitoring Program and the Filtering Program are required to have specific attributes detailed in the rule (and described below). NYDFS explained that it adopted the final rule after an investigation in which it found shortcomings in the existing transaction monitoring and filtering efforts of Regulated Institutions, which it attributes to “a lack of robust governance, oversight, and accountability at senior levels.”

Financial institutions strongly criticized the original version of the rule when it was first proposed in December 2015. The final rule adopts a number of significant changes that appear intended to address these criticisms.

The rule is effective January 1, 2017, and the first annual certification of compliance is due to the Superintendent of NYDFS on April 15, 2018.

Transaction Monitoring Program Requirement

The rule requires Regulated Institutions to maintain a program “reasonably designed for the purpose of monitoring transactions after their execution for potential BSA/AML violations and Suspicious Activity Reporting,” which must include the following attributes “to the extent they are applicable”:

  • Be based on an ongoing, enterprise-wide Risk Assessment of the institution and its businesses.
  • Be reviewed and updated at risk-based intervals to reflect current law and guidance, and other company information determined by the institution to be relevant.
  • Appropriately match BSA/AML risks to the institution’s businesses, products, services, customers and counterparties.
  • Include BSA/AML detection scenarios with threshold values and amounts designed to detect potential money laundering or other suspicious or illegal activities.
  • Include end-to-end, pre- and post-implementation testing of the program including, as relevant, a review of governance, data mapping, transaction coding, detection scenario logic, model validation, data input and program output.
  • Include documentation that articulates the institution’s current detection scenarios and the underlying assumptions, parameters and thresholds.
  • Include protocols explaining (a) how alerts generated by the system will be investigated, (b) the process for deciding which alerts will result in a filing or other action, (c) the operating areas and individuals responsible for making such a decision, and (d) how the investigative and decision-making process will be documented.
  • Be subject to on-going analysis to assess the continued relevancy of the detection scenarios, the underlying rules, threshold values, parameters, and assumptions.

Filtering Program Requirement

Regulated Institutions also must maintain a Filtering Program “reasonably designed for the purpose of interdicting transactions that are prohibited by OFAC,” which must include the following attributes, “to the extent applicable”:

  • Be based on an ongoing, enterprise-wide Risk Assessment of the institution and its businesses.
  • Be based on technology, processes or tools for matching names and accounts, in each case based on the institution’s particular risks, transaction and product profiles.
  • Include end-to-end, pre- and post-implementation testing of the program, including, as relevant, a review of data matching, an evaluation of whether the OFAC sanctions list and threshold settings map to the risks of the institution, the logic of matching technology or tools, model validation, and data input and program output.
  • Be subject to on-going analysis to assess the logic and performance of the technology or tools for matching names and accounts, as well as the OFAC sanctions list and the threshold settings, to see if they continue to map to the risks of the institution.
  • Include documentation that articulates the intent and design of the Filtering Program tools, processes or technology.

The rule also requires that both the Transaction Monitoring Programs and Filtering Programs contain the following elements, “to the extent applicable”:

  • Identification of all data sources that contain relevant data.
  • Validation of the integrity, accuracy and quality of data to ensure that accurate and complete data flows through the programs.
  • Data extraction and loading processes to ensure a complete and accurate transfer of data from their source to automated monitoring and filtering systems, if automated systems are used.
  • Governance and management oversight, including policies and procedures governing changes to the programs to ensure that changes are defined, managed, controlled, reported, and audited.
  • Vendor selection process if a third party vendor is used to acquire, install, implement, or test the programs or any aspect of them.
  • Qualified personnel or outside consultants responsible for the design, planning, implementation, operation, testing, validation, and on-going analysis of the programs, including automated systems if applicable, as well as case management, review and decision making with respect to generated alerts and potential filings.
  • Periodic training of all stakeholders with respect to the programs.

The new rule includes a number of new qualifiers, such as “to the extent applicable,” “as determined to be relevant by the institution,” “at risk-based intervals,” and “as relevant,” which soften these requirements and make them more risk-based as compared to the original, proposed rule.

The Transaction Monitoring Program and the Filtering Program provisions also now require programs that are “reasonably designed” to detect violations or suspicious activity or to interdict transactions prohibited by OFAC, respectively. Although this too can be read as a move toward a risk-based approach to these programs, such language arguably gives NYDFS greater discretion than it had in the proposed rule to find violations in a program even where the program includes all of the specific features enumerated in the Transaction Monitoring Program and Filtering Program provisions (on the basis that the program, despite having these features, contains other failings that make it not “reasonably designed” to accomplish its required purpose). There is also the risk that regulators considering what is reasonable will apply 20/20 hindsight to problems that emerge later, which can be a challenge to counter.

Both the Transaction Monitoring Program and the Filtering Program must be based on a “Risk Assessment,” which the rule specifically defines as “an on-going comprehensive risk assessment, including an enterprise-wide BSA/AML risk assessment, that takes into account the institution’s size, staffing, governance, businesses, services, products, operations, customers, counterparties, other relations and their locations, as well as the geographies and locations of its operations and business relations.” This raises the question of whether banks with foreign parents or affiliates will be held responsible for sharing BSA/AML risk information globally across affiliated entities. Recent guidance and enforcement actions by the Financial Crimes Enforcement Network (FinCEN), federal banking agencies, and the Department of Justice already can be read to suggest an expectation for such an approach at the federal level. This can create challenges for U.S. institutions with limited access to information from overseas affiliates, and legal issues under international data privacy laws, and it may require affected institutions to seek clarification about their responsibilities from NYDFS.

Requirement to Document Remedial Efforts

The new rule now contains a provision that requires Regulated Institutions, in cases where they identify aspects of their programs that “require material improvement, updating, or redesign,” to “document the identification and remedial efforts planned and underway” and to make such documentation available for inspection by the Superintendent of the NYDFS.

This replaces a much-criticized provision in the proposed rule that would have prohibited Regulated Institutions from making changes to their programs “to avoid or minimize filing suspicious activity reports, or because the institution does not have the resources to review the number of alerts generated … or to otherwise avoid complying with regulatory requirements.” Financial institutions commented that this prohibition would have punished legitimate efforts to adjust alert programs to avoid false hits, causing a substantial waste of compliance resources dedicated to reviewing such alerts as well as an increase in defensive SAR filings that would reduce the utility of such reports to law enforcement. Although the new provision removes this prohibition, it does add a new compliance burden associated with documenting, in a form suitable for inspection by the NYDFS, changes to these programs, and applies to all improvements, not just changes to SAR reporting.

Required Annual Certification

The most criticized provision of the proposed rule would have required the chief compliance officer for Regulated Institutions to certify to NYDFS each year that the institution’s Transaction Monitoring Program and Filtering Program met the specific requirements for such programs laid out in the rule, and provided for criminal penalties in the event of an “incorrect or false” certification.

The new rule now requires each Regulated Institution to adopt and submit to NYDFS, by April 15 of each year, a resolution of the institution’s board, or a finding by one or more “Senior Officer(s),” that includes certain certifications about these programs spelled out in a standard form attached to the rule. This includes a certification that: (1) the board or Senior Officer(s) have “reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors, and other individuals or entities as necessary to adopt” the resolution or finding; (2) the board or Senior Officers have “taken all steps necessary to confirm that” the Regulated Institution has a Transaction Monitoring Program and Filtering Program that comply with the rule; and (3) “to the best of the [Board’s or relevant Senior Officers’] knowledge,” these programs comply with the rule. Regulated Institutions also must maintain for examination by NYDFS all of the records relied on for the board or Senior Officer certification, for a period of five years. As noted above, the first certification is due to NYDFS on April 15, 2018.

Although this provision seems to allow the certifying parties some reliance on facts developed by more junior officers or by counsel, the required certification that the Board or Senior Officers “have taken all steps necessary to confirm” that the programs comply with the rule, in a provision separate from the one providing for reliance on information provided by others, suggests that any reliance on information prepared by others must be reasonable. In response to criticism that the proposed rule would discourage qualified professionals from serving as chief compliance officers, the final rule now defines “Senior Officer(s)” to include not only compliance officials but also persons responsible for the management or operations of the institution. It also allows more than one such officer to be responsible for the finding, or in the alternative to have the certification made through a resolution of the board. It remains to be seen how many Regulated Institutions will take advantage of this increased flexibility as to who makes the required certification.

The final rule also responds to heavy criticism of the proposed rule’s provision for criminal penalties for “incorrect or false” certifications, which fueled concerns by compliance officers that they would be punished for inadvertent mistakes. It now provides generically that the rule will be enforced according to the “Superintendent’s authority under any applicable laws.” One of the laws cited as authority for the rule that presumably qualifies as an “applicable law” is Section 672 of the New York Banking Law, which establishes that it is a felony for “[a]ny officer, director, trustee, employee or agent of any corporation to which the banking law is applicable [to make] a false entry in any book, report or statement of such […] with intent to deceive any officer, director or trustee thereof, … or any public officer, office or board to which such corporation is required by law to report, or which has the authority by law to examine into its condition or into any of its affairs[.]” However, the removal of language about penalties for “incorrect or false” certifications does provide some comfort for inadvertent violations.

One issue that likely will need clarification is what Regulated Institutions should do in cases where an institution has identified deficiencies in its programs and is in the process of remediation at the time that the annual certification is due. As discussed above, the final rule now clearly contemplates situations where Regulated Institutions will identify deficiencies in their programs and undertake initiatives to remedy them, and requires documentation of these efforts, but says nothing about how such identified issues affect an institution’s annual obligation to certify that its programs satisfy all of the requirements in the rule. In the absence of clarification, Senior Officers or board members could be caught between the threat of penalties against the institution for failing to certify that it is compliant, and the threat of individual penalties in the alternative for a false certification.

Practical Considerations

Changes to compliance programs take time, and Regulated Institutions should start assessing now what they will need to do to come into compliance with the rule by its January 1, 2017 effective date. Regulated Institutions likely already follow many of the practices required in the rule based on guidance from federal regulators or industry best practices. However, given the specificity of the new requirements, Regulated Institutions should begin a gap analysis now to identify areas where they may need to add new procedures, technology or personnel to their AML and sanctions programs to satisfy the requirements of the new rule.

This gap analysis should include in particular: (1) a review of the institution’s risk assessments for these programs to determine whether they meet the standard called for in the rule, and whether any updates to such assessments require changes in the programs; (2) a review of the institution’s detection or interdiction scenarios and logic for AML and sanctions, and the documentation for these, against the requirements of the rule; (3) considering whether additional procedures are needed to meet the new requirement in the final rule that institutions document the identification and remediation of improvements to their programs; and (4) a consideration of who in the institution will make the annual certification of compliance called for in the rule, what documents those persons will rely on to make the certification, and how these documents will be preserved for review by NYDFS.

The new rule also comes at a time when banks subject to BSA regulation are preparing to comply, by May 11, 2018, with new FinCEN rules which require banks to obtain and incorporate into their AML programs beneficial ownership information about their legal entity clients. Regulated Institutions should consider whether and how they will incorporate the anticipated beneficial ownership information into their Risk Assessments, detection scenarios, and other aspects of their Transaction Monitoring Programs and Filtering Programs.

Regulated Institutions should expect aggressive enforcement of the new rule. The NYDFS in the past has taken a very aggressive approach to enforcing sanctions and AML-related violations committed by financial institutions, and the new rule gives the agency additional bases for enforcement. Although Maria Vullo, the recently confirmed Superintendent of the agency, has demonstrated some responsiveness to industry concerns regarding the proposed rule, in particular the concern about a “strict liability” standard for the annual certification, she also has indicated a willingness to impose accountability at high levels.