Frequently Asked Questions Regarding 3 NYCRR 504
- What date should a Regulated Institution use as the “as of” date for its transaction monitoring and filtering program certification?
Regulated Institutions should submit the required certification covering the prior calendar year by April 15 of each year.
- May a Regulated Institution submit a certification under 3 NYCRR 504.7 if it is not yet in compliance with the requirements of Part 504?
The Department expects full compliance with the regulation. A Regulated Institution may not submit a certification under 3 NYCRR 504.7 unless the Regulated Institution is in compliance with the requirements of Part 504 as of the effective date of the certification.
- Should a Regulated Institution send additional documentation along with the certification proving that the system is in compliance?
The Regulated Institution must submit the compliance certification to the Department and is not required to submit explanatory or additional materials with the certification. The certification is intended as a stand-alone document required by the regulation. The Department also expects the Regulated Institution to maintain the documents and records necessary to support the certification, should the Department request such information in the future. Likewise, under 3 NYCRR 504.3(d), to the extent a Regulated Institution has identified areas, systems, or processes that require material improvement, updating or redesign, the Regulated Institution must document such efforts and maintain such schedules and documentation for inspection during the examination process or as otherwise requested by the Department.
- Does the Department require pre-implementation testing for systems that the Regulated Institution uses that were operational prior to the Regulation?
The Department will not require full end-to-end, pre-implementation testing of systems that the Regulated Institution uses that were operational prior to the effective date of the regulation, as is required when adopting new systems. However, under 3 NYCRR 504.3(a)(2), Regulated Entities’ systems and programs must “be reviewed and periodically updated at risk-based intervals” and thus Regulated Institutions are expected to conduct periodic risk-based systems testing and data validation on all systems that support the transaction monitoring and filtering program.
- Does the Department require the Regulated Institution to conduct a vendor selection for the systems that are already in place prior to the Regulation?
The Department does not require a Regulated Institution to conduct a vendor selection process for vendors that were engaged prior to the effective date of the regulation, as is now required when hiring a new vendor to acquire, install, implement or test the transaction monitoring and filtering program. However, on an ongoing basis, 3 NYCRR 504.3(c)(7) requires Regulated Institutions to engage qualified personnel or outside consultants for these purposes and, as such, Regulated Entities should have processes in place to confirm that the personnel and vendors they have engaged to execute their transaction monitoring and filtering program are qualified and competent.
Submit your Certification of Compliance
In order to submit your certification of compliance, a NYS DFS portal account is required. Please use this link to create an account if you don’t already have one.