Addressing the DFS Duo for AML and cyber
Overview
With compliance deadlines for the New York State Department of Financial Services’ (DFS) anti-money laundering (AML) and cybersecurity regulations rapidly coming into effect, financial institutions are underway adjusting their controls, policies, and procedures in preparation.
DFS’s AML regulation (i.e., Part 504) sets standards for technology and risk management regarding transaction monitoring and filtering programs, and requires that either senior officers or the board of directors certify the effectiveness of the programs. Its cybersecurity regulation (i.e., Part 500) calls for a broad set of controls (i.e., encryption, multi-factor authentication), governance, and reporting requirements – the earliest of which came into effect the first of this month. Like Part 504, Part 500 also requires that senior officers or the board of directors certify compliance with the rule.
Part 504 and Part 500 similarities
Fortunately, similarities exist between Part 504 and Part 500, which when addressed holistically create opportunities to leverage efforts across both regulations. This paper addresses three key benefits institutions achieve by utilizing Part 504 efforts to comply with Part 500 requirements. The three main benefits are as follows:
- Knowledge of payment systems – identification of the universe of payment systems in-scope for Part 504, which are a subset of the universe of systems in-scope for Part 500
- Coordinate reporting processes – coordination of AML/Fraud and Cybersecurity groups to deliver consistent reporting
- Certification Uniformity – designing a consistent certification process across both Part 504uPart 500 requirements
