Anti-Money Laundering, Data Lineage and DFS 504

In June 2017 we posted an article entitled “Anti-Money Laundering – Where to Next? A View On Both Sides of the Atlantic”. This was followed by a post in August 2017 entitled “Data Provenance, Distributed Systems and Regulatory Pressure”. This article brings those two earlier posts together.


In 2014/15 the New York State Department of Financial Services conducted a review of the anti-money laundering and watch-list filtering systems, processes and procedures being used by regulated institutions[1] within the State.

This review revealed significant weaknesses resulting in the release of what is now called Part 504 NYDFS Superintendent’s Regulations or DFS 504. This new regulation comes into effect in January 2018.

Core Principles

The central principle of DFS 504 is that it requires a senior officer or the Board of Directors of a regulated entity, to annually certify that the monitoring and filtering systems in use are compliant with the Superintendent’s regulations.

A senior officer is defined as an individual responsible for general management, operations, compliance, or risk management – and for the removal of doubt, this is not a “rubber stamping” certification. Although criminal sanctions for providing a false certification do not apply, individual liability and other sanctions may be imposed for up to 5 years post certification, being the period each institution is required to maintain all records, schedules, and data supporting the provided certificate.

Other provisions of DFS 504 include:

Transaction monitoring and watch-list filtering must be enterprise-wide

This is a far reaching requirement covering all services, products, operations, clients, customers and counterparties serviced by a regulated institution in all geographical locations.

This “enterprise-wide” approach has been specifically adopted to address one of the central failings revealed in the 2014/15 review. This review found that virtually all organisations were using multiple, fragmented, siloed, non-consistent anti-money laundering and watch-list filtering processes and procedures. By imposing the requirement of an “enterprise-wide” certification, the regulator is seeking to address this core failing and ensure a consistent approach is used across each regulated entity.

Continuous assessment, periodic reviews and regular updates to be introduced

Although this is not a new requirement, for the first time this becomes a written requirement in the Superintendent’s regulations, indicating the importance the NYDFS is placing in compliance with DFS 504.

Pre- and post-implementation testing to be included in the validation process

End-to-end pre- and post-implementation testing, validation, data mapping, model efficiency, data input / output metrics and details of the system’s design and assumptions must be fully documented and such documentation regularly updated.

Testing is required to include detailed detection scenarios with threshold volumes, amounts and other data fields designed to detect suspicious activity, potential money laundering transfers and other illegal transactions.

Although generally these are standard requirements, the NYDFS specifically requires these to be applied to transaction monitoring and watch list filtering systems. This may, in turn, may require some organisations to overhaul their model assessment regimes to ensure compliance with DFS 504.

Data Quality

This pivotal requirement may present many organisations with a significant regulatory hurdle. DFS 504 specifically requires “validation of the integrity, accuracy and quality of data …. to ensure a complete and accurate transfer of data from its source to automated monitoring and filtering systems”

In other words, regulated entities must be able to interrogate the integrity of all data values as this data migrates across co-operating systems and processes[2].

This presents a non-trivial process monitoring challenge to even the largest organisations. Anti-money laundering data is typically extracted from multiple sources often in multiple formats. Once extracted, the lineage of this data must be documented together with changes to the data structure(s) as it migrates across sets of co-operating services or systems.

Further, DFS 504 requires the extracted data to be enhanced with additional information to ensure transaction monitoring and watch-list compliance. Often this additional information will be held in siloed repositories. Ensuring this additional information is properly provisioned may in turn require the introduction of a data governance layer to ensure the required data fields are correctly completed.

Alert generation, activity reporting and ongoing analysis is required

DFS 504 requires all regulated institutions to document their protocols for altering data, investigations and response escalations. Such documentation must detail roles, responsibilities and the decision making processes employed at each stage of the procedure.


DFS 504 represents a significant strengthening of anti-money laundering, transaction monitoring and watch-list filtering regulations. Although only applicable in the State of New York, the importance of this financial centre coupled with the enterprise-wide applicability of the regulations means that DFS 504 has a far reaching impact on all New York State regulated organisations.

DFS 504 comes into effect in January 2018, with the first certifications of compliance due to be filed in April 2018. Given the complexity and volume of transactions to be monitored together with the size of complexity of the watch-lists to be filtered, compliance with DFS 504 can only be achieved via automation.

The HELIXsystem Process Assembler is perfectly suited to this task. This technology, agnostic to data source and structure, fully automates the task of mapping and documenting the transfer of data from multiple sources to the transaction monitoring and watch-list filtering systems. The HELIXsystem Process Assembler is pre-packaged with user configurable alerting functions, analysis capabilities and activity reporting functionality. This patent protected software is only available from Hat Trick Software Limited.

[1] Meaning all banks, trust companies, savings and loans associations, and all branches and agencies of foreign banking corporations licensed to operate in New York

[2] See August 2017 “Data Provenance, Distributed Systems and Regulatory Pressure

← Return to News