New York Department of Financial Services revises vetting rules for CCOs

The New York Department of Financial Services has published revisions to the vetting guidance for CCOs and other members of the C-suite.

15 May 2023
By Jennie Clarke

“A compromised director, officer, or manager can threaten an organization’s safety and soundness at any time during an individual’s service”.

These were the words of the New York Department of Financial Services’ (the Department) Superintendent Adrienne Harris, when announcing new guidance on the vetting of senior leaders on May 9, 2023. In keeping with other recent regulatory messaging, Superintendent Harris has announced proposed guidance that will see stricter processes introduced when assessing the soundness of senior leaders, including Chief Compliance Officers.

In light of recent events, the Department has published new guidance that will “ensure New Yorkers can have confidence in the management of our state’s financial institutions”.

What is the new guidance, and who will it apply to?

The Department’s new guidance looks to update the current expectations it holds regarding the assessment of the fitness and character of directors and senior officers. After a recent review, the Department found that although financial institutions generally investigate the background of a designated person when hiring, those review processes may now be outdated and in need of modernization.

Moreover, these reviews often occur only during the onboarding process and do not continue across the span of an individual’s career. This new guidance looks to ensure that processes meet current-day expectations, with senior managers subject to a robust initial vetting process and then consistently vetted throughout the length of their tenure, in case of changing circumstances. In particular, it aims to ensure that firms are continuously assessing whether new conflicts of interest or negative circumstances have come to the fore, and to prevent them from going undiscovered.

The updated guidance would apply to a specific group of “Covered Institutions”, which are chiefly New York State-regulated banking organizations and regulated non-depository financial institutions chartered under the New York Banking Law.

These Covered Institutions would be charged with vetting the suitability of a “Designated Person”, defined broadly as directors and senior officers. Examples of such roles would include Chief Executive Officers, Chief Legal Officers, Chief Compliance Officers, and Chief Risk Officers – among others.

How can firms comply with the new guidance?

The new guidance, according to Superintendent Harris, “identifies character and fitness standards as a policy priority”. In short, the weight that firms place on their assessment of the character and fitness of certain individuals will need to be increased.

In order to meet new regulatory guidance, firms should look to develop an “appropriate framework” which defines sensitive issues, warning signs, and other indicators that would warrant additional scrutiny. The Department has said that it will encourage firms to take a “risk-based and proportionate approach” ensuring that their vetting processes are tailored to meet their specific business needs, operations, and risks.

In the event that a firm determines that a person who had previously been vetted is no longer fit to perform their current function, it should act swiftly to update the Department on its findings. The same is true where a firm finds that, through character and fitness reviews, a Designated Person is now better suited to another position or team.

When onboarding a new Designated Person, the firm should look to ensure that the individual is vetted at the time that they become a Designated Person within their new role, regardless of whether they were previously assigned as a Designated Person at a different organization. This extends to instances where an organization goes through a merger or acquisition, in which case an individual who had been serving as a Designated Person at one Covered Institution joins the other Covered Institution through the M&A deal.

When will the guidance come into effect?

The Department is encouraging firms to comment on the newly proposed guidance by June 30, 2023. If approved, the Department will incorporate into its regular examination framework a review of Covered Institutions’ policies, procedures, and adherence to the new vetting guidance.

What is the significance of the Department’s new guidance?

The New York Department of Financial Services’ proposals may prove onerous for financial institutions, if approved. As well as adhering to strict onboarding vetting and checks, firms will need to implement new policies, procedures, and controls to ensure this vetting is frequently reassessed to a standard that would meet regulatory scrutiny.

This proposed guidance is the latest in a string of regulatory proposals that enhance the expectations placed on senior managers, not least the C-suite. For example, the U.K.’s Prudential Regulation Authority (PRA) recently issued a Chief Information Officer with an £80k fine for the part he played in a failed data migration.

Similarly, in 2022, the U.S. Department of Justice (DOJ) introduced a new CCO Certification Requirement, which places a burden on CCOs and other Chief Executives to certify the capabilities of a company’s compliance program. As well as this, the New York City Bar has issued proposals and frameworks for the increased liability of both senior managers and chief compliance officers.

All of these are indicative of a shifting tide for those who manage compliance and risk – a tide which will place the liability for failure at the feet of the individual, as well as the organization. While this might be a weight lifted for consumers, it is a significant burden for CCOs and CROs who already grapple with meeting regulatory requirements, keeping up with innovation, and trying to run a tight ship for compliance.

As well as this, the new guidance suggests a renewed focus on surveillance and monitoring, with regulators looking at how firms are assessing their employees’ soundness to carry out their functions. Communications monitoring tools may prove useful in the ongoing vetting process, giving firms visibility into how Designated Persons are interacting and operating within their role.