There will no doubt be many concerned faces amongst senior management this year as the new rules for the Senior Managers and Certification Regime (SMR) come into force over the next 12 months. The first implementation date will be in February 2016 when firms will have to submit documents for grandfathering, then commencement of the regime goes full steam ahead in March when the ‘Responsibilities Map’ and the identification and training of certification staff need to be completed.
Whilst the rules have taken shape for increased accountability in the UK, the other side of the Atlantic has recently witnessed an announcement of new regulation that will place increased focus on Chief Compliance Officers.
The New York Department of Financial Services (DFS) announced that it will develop a new AML regulation to address terrorist financing, sanctions violations and money laundering activities. The regulation will require:
- Institutions to maintain a transaction monitoring and watch list
- Chief Compliance Officers to file an annual certification of compliance.
Those in scope include New York chartered banks, trust companies and New York licensed branches and agencies of foreign banks. It aims to address the apparent insufficiencies that Governor Cuomo highlighted in a statement with respect to transaction monitoring, and governance and oversight of systems and controls.
The proposed regulation will prescribe that covered entities must ensure that they:
- Reflect AML laws and KYC regulations in current systems
- Map relevant risks attached to products, services and customers
- Implement end-to-end, pre- and post-implementation testing
- Implement appropriate investigation protocols detailing how alerts are generated and how monitoring and alerts are investigated, showing who is responsible for escalating alerts and how all protocols and procedures are documented
- Put in place ongoing assessments of adequacy of systems and controls and update watch lists.
Banks and financial services firms will need to implement and maintain a transaction monitoring programme that can either be manually run or automated, with the overall objective of detecting Bank Secrecy Act or money laundering violations.
The monitoring system must incorporate current KYC systems, ensuring that potential risks are mapped. This may require the implementation of new systems and controls, technological changes and training of staff at a time when budgets are already being strained by increased obligations and requirements. However, whilst the subject of budgets always poses a problem, the most controversial issue to be born of the new regulation is the requirement for the Chief Compliance Officer to certify the effectiveness of these controls and – like under Sarbanes-Oxley – if that certification is found to be false or misleading, criminal liability will be pursued by the regulator.
Is the regulation targeting the right person?
Under the proposed regulation, it is the responsibility of the Chief Compliance Officer to ensure that the monitoring system is essentially fit for purpose and can fulfil the requirements set out by the regulator. But this will only work in an ideal setting. In many cases, the CCO, whilst overseeing implementation and the ongoing effectiveness of compliance programmes, may not hold a position authorised to command the necessary resources to ensure the regulator’s expectations are fulfilled.
In situations where the CCO does have the power, other factors may lead to them not being the right person for the job. These may include internal pressure from senior management or fear of job insecurity if the certification is not signed regardless of system effectiveness.
What will be the final effect?
The requirements are similar to the AML processes that are already mandated. That being said, these are more prescriptive than their federal law counterparts and, as a result, less discretion exists for compliance with the rules. The big push will have to come from record keeping, where documents will have to be produced and stored to demonstrate compliance. This effort takes time and manpower and, therefore, raises costs to a level that may prove to be too much for some.
Bearing in mind the above, it is likely that the overall effect, despite concern about the emphasis on the accountability of Chief Compliance Officers, may well be limited, as most large firms should already have in place effective detection systems. As ever, though, as with a significant amount of regulation, the ones that will feel the pinch the most will be the smaller money service businesses.
Should the Chief Compliance Officer worry?
The bottom line that everyone in a senior compliance function or CCO should pay great attention to is that criminal liability can be incurred if information is found to be false or incorrect. Given the complexity that is involved with effective detection systems, and the problems that any good system can potentially face, the liability aspect is something that will be keeping CCOs awake at night. This is especially so given the fast evolving nature of AML and financial crime, where year-on-year changes are being witnessed and suddenly last year’s new systems are not good enough for this year’s requirements. Furthermore, playing catch-up, or just keeping up to date – no matter how forward looking and assertive the CCO is – still doesn’t necessarily mean that new protocols and procedures suggested will be implemented. How many Chief Compliance Officers will have the gravitas to take on a heavily budget-focused executive board?