Are you on board the Part 504 train?

Part 504 is a game-changing New York State Department of Financial Services (“DFS”) regulatory requirement under the Bank Secrecy Act (“BSA”) / Anti-Money Laundering (“AML”) laws and regulations. It requires regulated financial institutions to submit an annual certification of their Transaction Monitoring and Filtering Programs confirming compliance with the regulation.

The rule goes into effect on January 1, 2017, with the first certification to be submitted in April of 2018. Between now and then, institutions must ensure they have a plan for each of the 21 elements that make up Part 504, as well as an attestation framework that will give a senior executive or the board the comfort to sign an attestation by the April 2018 date.

These 10 tips will help you fast-track your Part 504 preparations and avoid possible derailments:

  1. Funding – Part 504 is no short ride, so make sure to allocate budget! The first year will likely be the heaviest lift for institutions, but it doesn’t stop there, and neither can the funding.
  2. Staffing – Dedicated resources need to be assigned to ensuring the 504 train doesn’t go off the rails. The regulation specifically requires a staffing assessment to ensure qualified staff are responsible for the development, implementation, monitoring and governance of the programs. Tip: Skilled resources are limited so act fast!
  3. Key Stakeholders – This is not just a compliance project! It is important that all key stakeholders (i.e. operations and IT) board the 504 train at the first stop. If head office is not based in New York, its upfront involvement and cooperation are also critical.
  4. Plan – Develop a timeline, set milestones and define owners to be held accountable. While 504 doesn’t specifically ask for much that is new, the scope is broad and the documentation expectations are explicit, so do not underestimate how long the 504 train may be.
  5. Risk Assessment – If you have not already performed one, this must be your first stop. An accurate and detailed risk assessment will serve to establish a framework for your institution’s Transaction Monitoring and Filtering Programs.
  6. Gap Assessment – 504 requires an Independent Review of the Transaction Monitoring and Filtering Programs. Whether performed by internal audit or an external third party, a program review and gap assessment is critical to understanding what is currently missing with respect to the 504 requirements.
  7. Remediation – All gaps must be clearly documented and a detailed remediation plan (including clear milestones) put in place; evidence that the plan is being implemented and milestones are being hit must also be documented. Critical gaps identified should be prioritized for remediation, because come April 15, 2018, a senior executive must be ready to sign the annual certification.
  8. Certification Protocol – Map out the certification process during the planning stages of 504. For example, a sub-certification process where owners of key processes/systems are held accountable for their components of 504 can give the signing senior executive comfort in submitting the official certification to DFS. Tip 1: Make sure all key stakeholders are involved in the decision of who will sign the final certification. This should also be decided upon during the planning stages. Tip 2: If applicable, look to your current SOX program for a potential sub-certification model.
  9. Documentation – 504 explicitly asks for clear and accurate documentation of the Transaction Monitoring and Filtering Programs and supporting models. Review and test the accuracy of the documentation before the DFS audits your 504 train.
  10. Key Dates
     - Effective: January 1, 2017
     - First annual certification: April 15, 2018
     - Annual certification period: January 1 – December 31

Make sure you’re not left standing at the station: start planning your 504 journey today!
