DFS 504 – Developing a Sound Risk-Based Transaction Monitoring Program

July 17, 2017

On June 30, 2016, the New York State Department of Financial Services (“DFS”) issued a Final Rule (Regulation 504) requiring regulated institutions to maintain “Transaction Monitoring and Filtering Programs.”  The Final Rule applies to all banks, trust companies, private banks, savings banks, and savings and loan associations chartered under New York Banking Law and all New York-licensed branches and agencies of foreign banks.  The Final Rule requires that regulated institutions have Transaction Monitoring and Sanctions Filtering Programs that are “reasonably designed” to meet their purpose and that regulated institutions’ Board or Senior Officer(s) make annual certifications to the DFS confirming compliance with the Final Rule. The requirements went into effect on January 1, 2017, and the first compliance certification is to be filed by April 15, 2018.
Specifically, § 504.3(a) requires that each regulated institution maintain a Transaction Monitoring Program reasonably designed for the purpose of monitoring transactions after their execution for potential BSA/AML violations and suspicious activity reporting. The system may be manual or automated, and shall include the following attributes:

  1. be based on the Risk Assessment of the institution;
  2. be reviewed and periodically updated at risk‐based intervals to take into account and reflect changes to applicable BSA/AML laws, regulations and regulatory warnings, as well as any other information determined by the institution to be relevant from the institution’s related programs and initiatives; and
  3. appropriately match BSA/AML risks to the institution’s businesses, products, services, and customers/counterparties.

Accordingly, Financial Institutions (FIs) must implement a sound transaction monitoring program that ensures alignment with their BSA/AML Risk Assessment.

What you can do

From our experience working with a number of FIs to assist in their DFS 504 compliance, we recommend the following systematic approach:

  • Conduct an annual BSA/AML Risk Assessment in which the FI describes the inherent risk, control effectiveness and residual risk factors of:
    • Products and services offered
    • Geographical business areas
    • Customer base 
  • Determine applicable red flags for each of the products and service types – and AML scenarios typologies
  • Determine current automated transaction monitoring rules / scenarios implemented
  • Identify gaps if any
  • Identify any additional mitigating factors (manual)
  • Identify residual gaps if any
  • Identify remedial steps – additional rules to implement to enhance coverage and eliminate gaps.

FIs should also ensure the specific AML risks and red flags unique to their business operations are identified and mitigated within the functionality of the transaction monitoring program.  

How ACA can help

ACA Telavance has helped numerous FIs build a sound risk-based transaction monitoring program in line with the DFS 504 requirements, built on the following key components:

  • Specific transaction monitoring rules to mitigate risks identified in the Risk Assessment (for high risk products, customer types and geographies).
  • Identification of unusual activity based on red flags. The FFIEC guidance on red flags is a good basis for identifying the applicable red flags.
  • Implementation of behavior based rules to identify unusual patterns and deviations from expected behavior.
  • The Transaction Monitoring Program or “Model” should be subject to periodic review, validation and optimization and tuning. 
  • Validation of model should include validation of rule design and configuration by back testing the system functionality and its effectiveness, and testing of model effectiveness and efficiency. 
  • Ensure data integrity from the source of transactions, mapping into the transaction monitoring system, implementation of reconciliation controls.
  • Identify Key Data Elements (KDEs) required for transaction monitoring and analyze data quality, identify and remediate data quality gaps, if any.
  • Use Data Analytics to gather better insights into the underlying transactional activity and behavioral patterns
  • A robust governance, oversight and change management program must be in place to manage the model and improve model performance over time.
  • A strong alert and case management system to review transactional activity and identify and report on activity considered suspicious.

For more information, please contact Mahesh Viswanathan at ACA Telavance or your regular ACA Telavance consultant.


About the author
Uday Gulvadi is the Director, Internal Audit, Risk and Compliance for ACA Telavance. With over twenty years of business domain and information technology experience, he is a thought leader in the areas of corporate governance, enterprise risk assessments, COSO internal audit, regulatory compliance, Anti Money Laundering (AML), Sarbanes-Oxley, business process improvements and information technology governance.