Category Archives: ALI Principles of Compliance, Risk Management and Enforcement

The NYDFS Plans to Impose Significant Obligations on Insurers Using AI or External Data

by Eric Dinallo, Avi Gesser, Erez Liebermann, Marshal Bozzo, Matt Kelly, Johanna Skrzypczyk, Corey Goldstein, Samuel J. Allaman, Michelle Huang, and Sharon Shaji

Top (from left to right): Eric Dinallo, Avi Gesser, Erez Liebermann, Marshal Bozzo, and Matt Kelly
Bottom (from left to right): Johanna Skrzypczyk, Corey Goldstein, Samuel J. Allaman, Michelle Huang, and Sharon Shaji (Photos courtesy of Debevoise & Plimpton LLP)

On January 17, 2024, the New York State Department of Financial Services (the “NYDFS”) issued a Proposed Insurance Circular Letter regarding the Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing (the “Proposed Circular” or “PCL”). The Proposed Circular is the latest regulatory development in artificial intelligence (“AI”) for insurers, following the final adoption of Colorado’s AI Governance and Risk Management Framework Regulation (“CO Governance Regulation”) and the proposed Colorado AI Quantitative Testing Regulation (the “CO Proposed Testing Regulation”), discussed here, and the National Association of Insurance Commissioners’ (“NAIC”) model bulletin on the “Use of Artificial Intelligence Systems by Insurers” (the “NAIC Model Bulletin”), discussed here. In the same way that NYDFS’s Part 500 Cybersecurity Regulation influenced standards for cybersecurity beyond New York State and beyond the financial sector, it is possible that the Proposed Circular will have a significant impact on the AI regulatory landscape.

The PCL builds on the NYDFS’s 2019 Insurance Circular Letter No. 1 (the “2019 Letter”) and includes some clarifying points on the 2019 Letter’s disclosure and transparency obligations. The 2019 Letter was limited to the use of external consumer data and information sources (“ECDIS”) for underwriting life insurance and focused on the risks of unlawful discrimination that could result from the use of ECDIS and on the need for consumer transparency. The Proposed Circular incorporates the general obligations from the 2019 Letter while adding more detailed requirements, expands the scope beyond life insurance, and adds significant governance and documentation requirements.

The Federal Regulators’ New Statement on Risk Assessments

by Julie Copeland

On July 6th, the Federal banking regulators[1] along with FinCEN issued a joint statement on the “Risk-Based Approach to Assessing Customer Relationships and Conducting Customer Due Diligence” (the “Statement”). The purpose of issuing the Statement was to remind financial institutions that a risk-based approach to due diligence should not automatically exclude a particular type of customer. “Not all customers of a particular type automatically represent a uniformly higher risk of money laundering, terrorist financing or other illicit financial activity,” the Statement cautioned.

The Statement went on to list examples of customers whom financial institutions did not necessarily need to assess as high risk, including ATM owners or operators, non-resident aliens and foreign individuals, charities, professional service providers, non-bank financial institutions, cash intensive businesses and customers who might be considered politically exposed persons.

In this environment of heightened concerns about individuals or entities from, related to or doing business with Russia, many financial institutions may be taking a broad-brush approach to due diligence on these clients and severing or limiting relationships. Furthermore, the turmoil in the crypto world may be causing a similar tightening of due diligence controls. As the Statement seems to imply, many factors are causing institutions to take an exceedingly rigorous, and perhaps too rigorous, approach to customer due diligence. The consequences to financial institutions can be great if they fail to prohibit particular customers or to prevent transactions linked to illicit activities.

It is also possible that we are seeing the effects of automated decision-making (“ADM”) without the benefit of human oversight. An article previously published on the PCCE blog pointed out the issues that can arise if ADM is used with no or limited human review.[2] These issues range from discrimination in decisions made on the basis of biased data to artificial intelligence that does not work as intended, resulting in harmful or unintended outcomes.

The Anti-Money Laundering Act of 2020 pointed out the risk of so-called “de-risking,” noting that such actions, among other results, “ultimately drives money into less transparent channels through carrying of cash or use of unlicensed or unregistered money service remitters, thus reducing transparency and traceability, which are critical for financial integrity, and increases the risk of money falling into the wrong hands.”[3]

The lessons that can be gleaned from these various pronouncements are several:

  • A financial institution’s risk-based due diligence process must be a living, breathing control system that is reviewed and modified on a regular basis.
  • Human review of automated machine decision-making is necessary in some form so that broad categories of customers are not barred from the financial system based on what may be biased data.
  • Transaction monitoring systems should also be re-evaluated on a continuing basis to determine that the trip wires for rejecting transactions do not unnecessarily prevent legitimate transactions from going through. A $2,500 Venmo transaction for a customer with over $300,000 in a bank is not necessarily a suspicious transaction even if the customer has never performed a Venmo transaction previously. At the very least, an inquiry is warranted before the transaction is blocked. In addition, institutions should take a sample of rejected transactions or customers on a regular basis to determine whether the algorithms need adjusting.

Financial institutions today must walk a fine line between appropriate due diligence and overly restrictive controls that unnecessarily exclude customers with certain names or in certain businesses. This is not easy, but the use of ADM – if deployed intelligently with human oversight – can assist in this difficult and delicate task.

[1] The Statement was issued by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency.

[2] See New Automated Decision-Making Laws: Four Tips for Compliance, NYU Law’s Program on Corporate Compliance and Enforcement Blog, June 29, 2022.

[3] The Anti-Money Laundering Act of 2020, contained in the National Defense Authorization Act for Fiscal Year 2021.

Julie Copeland is the Executive Director of NYU Law School’s Program on Corporate Compliance and Enforcement.

The views, opinions and positions expressed within all posts are those of the authors alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law.  The accuracy, completeness and validity of any statements made within this article are not guaranteed.  We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the authors and any liability with regards to infringement of intellectual property rights remains with them.

Compliance Mandates in Civil Settlement Agreements—a New Trend?

FinCEN Releases Frequently Asked Questions Regarding Customer Due Diligence and Beneficial Ownership Requirements

by David S. Cohen, Franca Harris Gutierrez, Sharon Cohen Levin, Jeremy Dresner and Michael Romais

Last week the Financial Crimes Enforcement Network (FinCEN) issued much-anticipated Frequently Asked Questions (FAQs) that provide additional guidance to financial institutions relating to the implementation of the new Customer Due Diligence Rule (CDD Rule), set to go into effect on May 11, 2018.[1] In general, the FAQs clarify certain issues that have caused implementation challenges for financial institutions. While FinCEN’s earlier guidance provided a general overview of the CDD Rule—including the purpose of the rule, the institutions to which it is applicable, and some relevant definitions—the new FAQs provide greater detail for financial institutions seeking to comply with the CDD Rule. The FAQs are meant to assist covered financial institutions in understanding the scope of their customer due diligence (CDD) obligations, as well as the rule’s impact on their broader anti-money laundering (AML) compliance. While the guidance is helpful in clarifying some of FinCEN’s expectations, the implementation challenge lies in applying the CDD Rule to a financial institution’s specific products and services.

As financial institutions work to meet the CDD Rule’s fast-approaching May 11 compliance deadline, they should pay special attention to the key areas summarized below.

Response to Professor Sepinwall’s Article on Sentencing Reforms

by Lee S. Richards

In a recent post to this blog, Professor Amy Sepinwall made a startling argument. Reflecting on the debate between liberals and conservatives over the Sentencing Reform and Corrections Act of 2016, she strongly suggested that the Act’s strengthening of the mens rea element in criminal cases should be limited to the disadvantaged and not extended to “the already advantaged.” She applauded the proposed bill for providing “deserved fairness for the disadvantaged,” but appeared to lament the fact that a more stringent mens rea requirement under that bill would be available for “some senior corporate management ‘fat cats,’” as well. This position is consistent with her defense of the “responsible corporate officer” doctrine, which does away with any mens rea requirement in certain cases against high-level corporate officers.