Food for Thought: Key Takeaways from Exiger’s Roundtable on NYDFS Rule 504 Audits

“Food for Thought” is a series showcasing insights and best practices from Exiger’s roundtables, where senior financial services professionals and industry thought leaders come together to discuss the latest industry developments over a bite to eat.

Since the introduction of the New York State Department of Financial Services (NYDFS) Part 504 Rule (Rule 504), banks have grappled with how to effectively ensure their organizational compliance approach satisfies its new regulatory expectations. Senior internal auditors from leading banks recently attended an Exiger roundtable discussion led by Maria Filipakis, former Executive Deputy Superintendent of the Capital Markets Division at the New York State Department of Financial Services, to hear what drove the NYDFS to issue Rule 504 – and how banks can stay on the right side of it efficiently.

Origins of Rule 504

An increase in BSA/AML control deficiencies, ranging from minor shortcomings to major violations, lies at the heart of what drove the NYDFS to introduce Rule 504. As part of this, investigations and examinations by the NYDFS found particular shortcomings in transaction monitoring.

Industry debate naturally followed about whether to regulate emerging risks and, if so, how regulation should be conducted.

Questions that any regulatory response needed to account for included:

Controls: are any key controls missing?
Accountability: is there executive accountability?
Escalation: did Internal Audit identify and raise concerns to a senior level?
Resources: are there sufficient resources, training, and the ability to identify risks associated with functions?
Risks: are institutions mapping BSA/AML risks in real time as services evolve? And are business lines collaborating and communicating with each other to mitigate risks?

Expectations from Regulators in a Business-as-Usual-State

Regulators do not expect perfection in a business-as-usual state and understand that data governance can be a particular challenge.
However, as banks expand their businesses overseas and evolve their systems, they should also “know what they are buying” and dedicate the necessary resources to implement effective controls. Developing well-documented plans to manage any identified risks relating to underlying data is a key part of this.

Exactly how transaction monitoring systems testing is conducted is less important than it being managed by the right people with the right skill sets. A bank needs to retain that resource itself or engage a qualified vendor.

Furthermore, any regulator will be surprised if Internal Audit does not play a critical role in Rule 504 compliance. The compliance process is different in every institution—maybe there is sub-certification, maybe not—but the critical role of Internal Audit is constant.

Though NYDFS leadership has changed since the department issued Rule 504, Ms. Filipakis expects Rule 504 will likely remain a priority. She encouraged the roundtable attendees: “Don’t forget to tell your good story.”