AML Update: The NYDFS’s New Anti-Money Laundering Regulation and its Annual Compliance Certification Requirement

Consumer Finance   |   Insurance   |   Life, Annuity, and Retirement Litigation   |   Securities Litigation and Enforcement   |   White Collar Crime & Government Investigations   |   August 16, 2016

This summer, one of the nation’s top state regulators for finance announced a major new AML regulation, providing a critical hook for regulatory liability for companies that lack effective anti-money laundering controls. An understanding of this new regime is critical for bank and insurance companies that do business nationally.    

The New York Department of Financial Services (NYDFS) regulates the financial services, insurance, and banking industries in New York, including any out-of-state companies that conduct business in those industries in New York. On June 30, the NYDFS issued a new regulation (the “Rule”) setting forth specific minimum standards that its regulated institutions must use to monitor and filter transactions for potential anti-money laundering (AML) and Bank Secrecy Act (BSA) violations and to block transactions prohibited by the Office of Foreign Assets Control (OFAC).[i]   

Compliance Certification 

The most important part of the new Rule is its requirement that every NYDFS regulated institution annually submit either a board resolution or a “Senior Officer(s) Compliance Finding” certifying that the institution’s board members or a named senior officer personally reviewed documentation regarding the entity’s AML and prohibited-transaction prevention programs, and certified them as complying with the Rule’s requirements (a “Compliance Certification”).  Specifically, the board members or certifying senior officer must certify that:

  1. They have reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary to adopt the Board Resolution or Senior Officer Compliance Finding;
  2. They have taken all steps necessary to confirm that the institution has a transaction monitoring and filtering program that complies with the provisions of the Rule; and
  3. To the best of their knowledge, the transaction monitoring and the filtering program of the institution complied with the Rule during the prior year.

The Rule makes clear that the NYDFS believes the shortcomings in the banking and financial services industry’s AML systems are attributable to “a lack of robust governance, oversight, and accountability at senior levels.” Accordingly, the annual Compliance Certification requirement is meant to increase accountability of the executive leadership of financial institutions by requiring that they know of and approve the steps their institutions are taking to comply with AML regulations. The Compliance Certification required by the Rule is significantly less harsh than what was initially proposed by the NYDFS in the initial iteration of the Rule it proposed in December of 2015.[ii] The earlier version required that the certifying person be the institution’s chief compliance officer or an equivalent senior officer and provided that the certifying officer would be subject to criminal penalties for an incorrect of false Compliance Certification.[iii] The final version of the Rule simply provides that “the regulation will be enforced pursuant to . . . the Superintendent’s authority under any applicable laws.”

Technical Requirements 

The Rule’s other technical requirements are less impactful than the Compliance Certification requirement.First, the Rule requires that institutions maintain a manual or automated transaction monitoring program reasonably designed to monitor transactions for potential BSA/AML violations and suspicious activity reporting. Second, the Rule requires that institutions maintain a watch-list filtering program that is reasonably designed to intercept and prevent transactions prohibited under OFAC and other sanctions lists. Institutions must also (i) subject the effectiveness of their transaction-monitoring and filtering programs to ongoing analysis and testing and (ii) document, for inspection by the NYDFS, any areas that require improvement. Regulated institutions must also retain the records that support their yearly Compliance Certifications for at least five years. 

The Rule takes effect January 1, 2017, and regulated entities are required to submit their first Compliance Certification beginning on April 15, 2018. For the most part, if a financial institution complies with existing AML regulations, it should already maintain programs that satisfy most of the technical requirements of the Rule. However, the documentation and oversight of those programs will now be subject to a more stringent and detailed review by the NYDFS. Regulated entities and their compliance teams should institute policies requiring that all aspects of their AML and watch-list filtering systems be documented (if such policies are not already in place). To comply with the Rule and be able to comfortably issue Compliance Certifications, Regulated entities and their senior compliance personnel should carefully reevaluate the documentation, analysis, and testing of the design and effectiveness of their existing AML programs. 

The author would like to acknowledge the significant contributions of Laura Snider, summer associate from Emory University, in the preparation of the article. 


[i] NYDFS, Press Release, Final Anti-Terrorism Transaction Monitoring and Filtering Program Regulation (June 30, 2016), available at

[ii] See NYDFS, Press Release Governor Cuomo Announces Anti-Terrorism Regulation Requiring Senior Financial Executives to Certify Effectiveness of Anti-Money Laundering Systems (Dec. 1, 2015), available at

[iii] See Id. (linking earlier proposed version of the regulations in the text of the press release).

©2023 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.

Subscribe to Publications


The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.