NYDFS Part 504 – transaction monitoring & watchlist filtering
The most prescriptive AML program-design standard in the U.S. and the benchmark federal examiners use even outside New York.
NYDFS Part 504 (3 NYCRR § 504) is the New York Department of Financial Services regulation requiring covered institutions to maintain reasonably designed transaction-monitoring and watchlist-filtering programs and to file an annual certification – signed by the board or a senior officer – attesting to compliance. It is the most prescriptive AML program-design standard in the United States and the practical benchmark federal examiners increasingly use even outside New York.
Origin and scope
Part 504 went into effect on 2017-01-01 in response to a series of AML enforcement cases against money-center banks operating in New York. It applies to entities chartered or licensed by NYDFS: banks, trust companies, savings banks, branches and agencies of foreign banks, money transmitters, check cashers, and certain other licensees. Fintechs that hold a NY money-transmitter license or BitLicense, or that operate through a sponsor bank that is itself a covered institution, sit within scope directly or indirectly.
Transaction-monitoring program
Section 504.3(a) requires a transaction-monitoring program reasonably designed to detect and report transactions suspected of violating BSA/AML or facilitating terrorism. The regulation enumerates eight design requirements – the most prescriptive set in U.S. AML law:
- Based on the institution's risk assessment
- End-to-end documentation of detection scenarios
- Validation of the technology, including data integrity and model performance
- Sources of relevant data are accurate, complete, and timely
- Logic, parameters, and rules are appropriate to the institution's risk profile
- Performance against false-positive and false-negative rates is monitored and tuned
- Investigative protocols and disposition standards are documented
- Sufficient staff and resources are dedicated to the program
Vendor defaults without institution-specific calibration do not meet the standard. Black-box scoring without documented logic does not meet the standard. The program has to be auditable end-to-end.
Watchlist-filtering program
Section 504.3(b) requires a watchlist-filtering program reasonably designed to interdict transactions prohibited by OFAC, including the SDN List and the 50% Rule, plus any institution-specific watchlists. Design requirements mirror the transaction-monitoring program – data integrity, validation, fuzzy-matching tuning, change governance, performance monitoring – with the added complexity of OFAC's real-time interdict expectations.
Static-list ingestion without fuzzy matching tuned against the institution's actual customer base is the most-cited design failure. Updating lists quarterly against an OFAC list that changes weekly is the second.
The annual certification
Section 504.4 requires each covered institution to submit an annual certification – signed by the board of directors or a senior officer – stating that the institution maintains a Transaction Monitoring and Filtering Program that complies with Part 504. The certification is due April 15 each year and covers the prior calendar year.
Personal accountability is the point. False or misleading certifications expose signers to NYDFS enforcement and, in extreme cases, criminal referral. Boards and senior officers therefore push for evidence packs that justify the certification – walking the audit trail, sampling alert dispositions, reviewing tuning history, and documenting model validation.
What examiners want in the evidence pack
- Risk assessment mapping customer types, products, geographies, and channels to AML and sanctions risks
- Detection-scenario inventory with logic, thresholds, and tuning history per rule and model
- Validation test results with sign-off
- Change-control records: who changed what rule when, and why
- Alert disposition records with the rationale per disposition
- Watchlist tuning analysis – false-positive rates, near-miss reviews, and re-tuning decisions
- Board minutes showing governance attention
- Vendor oversight records for every third-party monitoring or filtering tool
How FinQub supports Part 504
FinQub gives the program a single substrate. Every workflow event that touches a transaction or onboarding decision records the rule, threshold, vendor signal, and disposition rationale to a hash-chained audit trail. Watchlist screens including OFAC SDN, 50% Rule logic, PEP, and adverse-media are orchestrated across vendors with consistent tuning records. Alerts and dispositions are first-class events. Change control to detection rules is logged with the version diff and the approver.
At certification time, the evidence is a query, not a six-week assembly. Filter the audit trail by transaction-monitoring tag for the calendar year, sample dispositions, walk a few alert chains end-to-end, and the pack writes itself. FinQub does not replace the program – the institution still owns the design, governance, and the certification – but it removes the manual evidence assembly that consumes most of the cycle.
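A hash-chained audit trail of the kind described above, with the certification-time query run over it, as an added example. It is not FinQub's code: the record fields (`ts`, `tag`, `rule`, `threshold`, `vendor_signal`, `disposition`, `rationale`), the all-zero genesis value, and the choice of SHA-256 over canonical JSON are assumptions, and the sample events are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry


def _digest(prev_hash, event):
    # Canonical JSON (sorted keys, fixed separators) so the hash is reproducible.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_event(chain, event):
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "prev": prev_hash, "hash": _digest(prev_hash, event)})


def verify_chain(chain):
    """Return the index of the first entry that fails verification, or None."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash or entry["hash"] != _digest(prev_hash, entry["event"]):
            return i
        prev_hash = entry["hash"]
    return None


def evidence_query(chain, tag, year):
    """Events with this tag in this calendar year, only if the whole chain verifies."""
    broken = verify_chain(chain)
    if broken is not None:
        raise ValueError(f"audit chain broken at entry {broken}")
    return [e["event"] for e in chain
            if e["event"]["tag"] == tag and e["event"]["ts"].startswith(f"{year}-")]


def sample_chain():
    # Constructed sample events; every field name and value is illustrative.
    chain = []
    append_event(chain, {"ts": "2024-03-02T10:15:00Z", "tag": "transaction-monitoring",
                         "rule": "TM-STRUCT-01", "threshold": 9000, "vendor_signal": None,
                         "disposition": "escalated", "rationale": "repeated sub-threshold cash"})
    append_event(chain, {"ts": "2024-06-11T08:00:00Z", "tag": "watchlist-filtering",
                         "rule": "WL-NAME-02", "threshold": 0.88, "vendor_signal": "name-hit",
                         "disposition": "cleared", "rationale": "date of birth mismatch"})
    append_event(chain, {"ts": "2025-01-05T09:30:00Z", "tag": "transaction-monitoring",
                         "rule": "TM-STRUCT-01", "threshold": 9500, "vendor_signal": None,
                         "disposition": "cleared", "rationale": "payroll pattern confirmed"})
    return chain
```

A chain like this detects edits, deletions and reordering inside the log, but not truncation of the tail or a full rewrite by someone able to recompute every hash. Publishing or countersigning the latest head hash outside the logging system closes that gap.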