Current through Register Vol. 46, No. 12, March 20, 2024
(a) Each Regulated Institution shall maintain a Transaction Monitoring Program reasonably designed for the purpose of monitoring transactions after their execution for potential BSA/AML violations and Suspicious Activity Reporting, which system may be manual or automated, and which shall include the following attributes, to the extent they are applicable:
1. be based on the Risk Assessment of the institution;
2. be reviewed and periodically updated at risk-based intervals to take into account and reflect changes to applicable BSA/AML laws, regulations and regulatory warnings, as well as any other information determined by the institution to be relevant from the institution's related programs and initiatives;
3. appropriately match BSA/AML risks to the institution's businesses, products, services, and customers/counterparties;
4. BSA/AML detection scenarios with threshold values and amounts designed to detect potential money laundering or other suspicious or illegal activities;
5. end-to-end, pre- and post-implementation testing of the Transaction Monitoring Program, including, as relevant, a review of governance, data mapping, transaction coding, detection scenario logic, model validation, data input and Program output;
6. documentation that articulates the institution's current detection scenarios and the underlying assumptions, parameters, and thresholds;
7. protocols setting forth how alerts generated by the Transaction Monitoring Program will be investigated, the process for deciding which alerts will result in a filing or other action, the operating areas and individuals responsible for making such a decision, and how the investigative and decision-making process will be documented; and
8. be subject to an on-going analysis to assess the continued relevancy of the detection scenarios, the underlying rules, threshold values, parameters, and assumptions.
(b) Each Regulated Institution shall maintain a Filtering Program, which may be manual or automated, reasonably designed for the purpose of interdicting transactions that are prohibited by OFAC, and which shall include the following attributes, to the extent applicable:
1. be based on the Risk Assessment of the institution;
2. be based on technology, processes or tools for matching names and accounts, in each case based on the institution's particular risks, transaction and product profiles;
3. end-to-end, pre- and post-implementation testing of the Filtering Program, including, as relevant, a review of data matching, an evaluation of whether the OFAC sanctions list and threshold settings map to the risks of the institution, the logic of matching technology or tools, model validation, and data input and Program output;
4. be subject to on-going analysis to assess the logic and performance of the technology or tools for matching names and accounts, as well as the OFAC sanctions list and the threshold settings to see if they continue to map to the risks of the institution; and
5. documentation that articulates the intent and design of the Filtering Program tools, processes or technology.
(c) Each Transaction Monitoring and Filtering Program shall require the following, to the extent applicable:
1. identification of all data sources that contain relevant data;
2. validation of the integrity, accuracy and quality of data to ensure that accurate and complete data flows through the Transaction Monitoring and Filtering Program;
3. data extraction and loading processes to ensure a complete and accurate transfer of data from its source to automated monitoring and filtering systems, if automated systems are used;
4. governance and management oversight, including policies and procedures governing changes to the Transaction Monitoring and Filtering Program to ensure that changes are defined, managed, controlled, reported, and audited;
5. vendor selection process if a third party vendor is used to acquire, install, implement, or test the Transaction Monitoring and Filtering Program or any aspect of it;
6. funding to design, implement and maintain a Transaction Monitoring and Filtering Program that complies with the requirements of this Part;
7. qualified personnel or outside consultant(s) responsible for the design, planning, implementation, operation, testing, validation, and ongoing analysis of the Transaction Monitoring and Filtering Program, including automated systems if applicable, as well as case management, review and decision making with respect to generated alerts and potential filings; and
8. periodic training of all stakeholders with respect to the Transaction Monitoring and Filtering Program.
(d) To the extent a Regulated
Institution has identified areas, systems, or processes that require material
improvement, updating or redesign, the Regulated Institution shall document the
identification and the remedial efforts planned and underway to address such
areas, systems or processes. Such documentation must be available for
inspection by the Superintendent.