The Department of Financial Services “DFS” released a final rule known as Part 504 on June 30th 2016. The effective date for Part 504 begins January 1st 2017 with the first requirement being that all covered institutions in the state of New York submit a yearly attestation stating that:
Section 504.3 requires that Directors or Senior Officer(s) signing the attestation have a sound understanding of the underlying technology and frameworks that have been built to comply with the various AML and OFAC regulations that govern their institution. SQAAC is positioned to deliver the necessary guidance and framework for financial institutions to comply with these new Part 504 requirements. For example, SQAAC is able provide an end to end review of a financial institution’s Transaction Monitoring and Filtering Programs as well as execute targeted reviews of key assurance program components (e.g. Data Quality, Filter Effectiveness Testing, etc.). SQAAC will work with its clients to ensure that their systems are working as intended and, if any deficiencies are noted, SQAAC can aid in any remediation efforts that are required to bring the client’s systems into compliance.
SQAAC utilizes a seven-step process that provides a comprehensive review of a financial institution’s compliance program and systems. Upon completion of this review process, the designated Senior Officer(s) or Board of Directors of the financial institution impacted by the Part 504 requirements will be able to sign the yearly attestation with confidence.
Below is a brief overview of the seven-step review process utilized by SQAAC:
Step 1 – Policy Review
SQAAC will review the financial institution’s policies and procedures related to AML, Sanctions & Terrorist Financing (Financial Crime), and supporting systems along with the financial institution’s Risk Assessment to determine the requirements for what is to be reviewed.
Step 2- Gap Analysis
After a review of the financial institution’s policies and procedures and Risk Assessment, SQAAC will perform a gap analysis to determine if the policy and procedures are missing any requirements that are relevant to section 504 or the assurance process. During this time, SQAAC will also identify if there are any bespoke tests that are required outside of the normal SQAAC Assurance Testing program.
Step 3- Data Profiling
SQAAC will work with on-site SMEs to determine the relevant data that needs to be profiled. During this time, SQAAC will also identify where the relevant data is housed as well as its formatting.
Examples of data that can be profiled:
Step 4- Assurance Execution Plan
In preparation for the screening assurance testing, SQAAC will work closely with the financial institution to confirm both a date and format for the test files to be run through the live test environment. During this time, SQAAC will also identify the in-house systems that are used to store and feed information into the payment and name filtering programs. This will allow SQAAC to request the information necessary to review system mapping, the change management processes and any possible underlying system models that need to be validated.
Step 5 – Test File Generation and System Review
After confirming all requirements for the screening assurance testing, SQAAC will generate the necessary test files for processing through the financial institution’s live test environment. SQAAC will also be available to work with IT and systems owners, however necessary, to ensure that the files have been successfully processed. In addition, SQAAC will perform an end-to-end analysis of the identified in-house data repositories to confirm that the system mapping has been completed accurately.
Step 6 – Analysis
Once compiled and available, SQAAC will then review the results from the work detailed in the Assurance Execution Plan. Whenever necessary, SQAAC will collaborate with on-site SMEs and Vendors to determine the root cause of any issues as well as determine if any remediation is necessary.
Step 7 – Presentation of Observations and Final Report
After completing the analysis, SQAAC will present a detailed report to the financial institution’s stakeholders that outlines all testing and assurance work that was completed as well as any proposed remediation efforts. All work detailed in the report will be provided with the supplemental work papers to allow for an independent third party review.