

NYDFS Part 504 — AML Transaction Monitoring & Filtering Rule
What is NYDFS Part 504?
NYDFS Part 504 is the New York State Department of Financial Services rule formally titled Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications, codified at 3 NYCRR Part 504. Effective 1 January 2017, it requires every NY-regulated financial institution to maintain a risk-based transaction monitoring program to detect potential money-laundering activity reportable under the Bank Secrecy Act, and a sanctions filtering program to identify transactions prohibited by OFAC and other applicable watchlists.
Part 504 is widely regarded as the most rigorous state-level AML rule in the United States. Where federal BSA/AML guidance focuses on outcomes, Part 504 dictates the technical and governance attributes a monitoring and filtering program must possess — and ties those attributes to a personally-signed annual certification by a senior officer or the board, with potential individual liability for a false certification.
Why NYDFS Part 504 matters
The rule emerged in response to a series of high-profile enforcement actions in which NY-licensed institutions were found to have weak, miscalibrated, or untuned monitoring and filtering systems. Rather than continue case-by-case enforcement, NYDFS codified a baseline: every institution must demonstrate that its systems are designed, calibrated, validated, governed, and certified. The certification mechanism was the critical innovation — it created direct senior-management accountability and aligned incentives towards continuous, evidence-based program management. For institutions with large cross-border operations, correspondent banking, or US-dollar clearing flows, Part 504 has effectively become the de facto standard, even where federal regulators stop short of mandating equivalent specificity.
Who must comply with NYDFS Part 504
Part 504 defines two covered populations. Bank Regulated Institutions are banks, trust companies, private bankers, savings banks, and savings and loan associations chartered under New York Banking Law, together with branches and agencies of foreign banking corporations licensed by NYDFS. Nonbank Regulated Institutions are check cashers and money transmitters licensed under the Banking Law. NY-licensed virtual currency businesses operating under the BitLicense regime are also held to the rule. The rule reaches an institution's monitoring and filtering programs covering both New York operations and any other operations whose activities flow through the New York entity.
Core requirements: transaction monitoring program
The Transaction Monitoring Program must be risk-based and reasonably designed to detect activity reportable as suspicious under federal AML laws. Part 504 sets specific design attributes: monitoring must be informed by the institution's BSA/AML risk assessment; detection scenarios must be appropriate to the institution's products, services, customers, and geographies; thresholds, parameters, and rules must be periodically tested, validated, and calibrated; and the program must be subject to ongoing analysis, model validation, and governance. Investigation protocols must be defined (who investigates an alert, how the decision to file is made, and how that process is documented), alerts must be cleared with documented rationale, and SAR decision-making must be timely. The rule also lists attributes common to both the monitoring and the filtering program: identification of all data sources, validation of the integrity, accuracy, and quality of that data, documented data extraction and loading processes, governance and management oversight, a vendor selection process where a vendor is used, adequate funding, qualified personnel, and periodic training. NYDFS expects institutions to maintain a clear audit trail demonstrating that scenarios are not just running but generating meaningful signal, and that under-tuned or duplicative scenarios are identified and remediated.
For background on how monitoring systems are designed and tuned in practice, see our guide to transaction monitoring in AML. Many institutions partner with transaction monitoring platforms specifically engineered for this level of governance and traceability.
Core requirements: sanctions filtering program
The Filtering Program must be reasonably designed to interdict transactions prohibited by OFAC and any other sanctions lists applicable to the institution. Part 504 requires that the matching technology or process be based on the institution's risk assessment; that end-to-end, pre- and post-implementation testing cover data mapping, the relevance of the watch lists in use, and the logic of the matching technology (including fuzzy logic and scoring); and that ongoing analysis assess the logic and performance of that technology, the watch lists, and the thresholds applied. Coverage must be demonstrated across relevant payment messages, customer data, and counterparty data. Like the monitoring program, the filtering program must be subject to ongoing model validation, performance testing, and governance.
For a deeper primer on screening logic, list coverage, and false-positive handling, see our sanctions screening AML guide. Combined sanctions, PEP, and adverse-media AML screening is now common practice for institutions seeking a single, validated control surface that satisfies both Part 504 filtering expectations and broader BSA/AML screening obligations.
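As an added example, not code from this page or from any vendor's product, the following Python shows the shape of the threshold-tuning test the filtering requirements above call for: a name normaliser (casefolding, diacritic stripping, punctuation removal, token sorting) feeding a fuzzy scorer, run against a constructed, labelled tuning set at several thresholds so that the trade-off between missed true matches and false positives is measured rather than assumed. The scorer (difflib's SequenceMatcher from the standard library), the sample names, and the candidate thresholds are assumptions chosen for illustration; a production filter uses vendor matching algorithms, alias and transliteration tables, and much larger labelled sets.

```python
import re
import unicodedata
from difflib import SequenceMatcher


def normalize_name(name: str) -> str:
    """Casefold, strip diacritics and punctuation, and sort the tokens so that
    'PETROV, Ivan' and 'Ivan Petrov' normalise to the same string."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    # Anything outside [a-z0-9] after casefolding (commas, hyphens, apostrophes) becomes a separator.
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", no_marks.casefold())
    return " ".join(sorted(cleaned.split()))


def similarity(candidate: str, list_entry: str) -> float:
    """Fuzzy score in [0, 1]; 1.0 means the normalised names are identical.
    SequenceMatcher stands in for whatever matching engine the filter really uses."""
    return SequenceMatcher(None, normalize_name(candidate), normalize_name(list_entry)).ratio()


# Constructed tuning set (assumed names, not real list data):
# (name as captured on the payment, watch-list entry, reviewer's label: same party or not)
TUNING_SET = [
    ("Ivan Petrov", "PETROV, Ivan", True),                 # surname-first ordering
    ("José García", "Jose Garcia", True),                  # diacritics dropped in transit
    ("Mohammed Al-Rashid", "Muhammad Al Rashid", True),    # transliteration variant
    ("Li Wei", "Wei Li", True),                            # given/family name swapped
    ("Ivan Petrov", "Ivan Petrenko", False),               # near miss a loose threshold would flag
    ("Ana Lima", "Ivan Petrov", False),                    # clearly different party
    ("Chen Mei", "Cheng Ming", False),                     # similar but different party
]


def evaluate(threshold: float, tuning_set=TUNING_SET) -> dict:
    """Score every labelled pair at one threshold and count hits against the labels."""
    tp = fp = fn = tn = 0
    for candidate, entry, is_match in tuning_set:
        hit = similarity(candidate, entry) >= threshold
        if hit and is_match:
            tp += 1
        elif hit and not is_match:
            fp += 1
        elif not hit and is_match:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"threshold": threshold, "tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "precision": precision, "recall": recall}


def sweep(thresholds=(0.80, 0.85, 0.90), tuning_set=TUNING_SET) -> list:
    """Evaluate each candidate threshold; the sweep itself is the tuning evidence to retain."""
    return [evaluate(t, tuning_set) for t in thresholds]


def recommend_threshold(results: list):
    """Lowest swept threshold that keeps every labelled true match (recall 1.0) and raises
    no false positive on the tuning set; None if no threshold achieves both."""
    for r in sorted(results, key=lambda r: r["threshold"]):
        if r["recall"] == 1.0 and r["fp"] == 0:
            return r["threshold"]
    return None


if __name__ == "__main__":
    results = sweep()
    for r in results:
        print(f"threshold {r['threshold']:.2f}: tp={r['tp']} fp={r['fp']} fn={r['fn']} "
              f"precision={r['precision']:.2f} recall={r['recall']:.2f}")
    print("recommended threshold:", recommend_threshold(results))
```

On this constructed set 0.80 admits a false positive (Petrov vs Petrenko), 0.90 misses the Mohammed/Muhammad variant, and 0.85 is the lowest threshold that does neither. The point for a Part 504 file is less the number than the artefact: the labelled set, the sweep output, and the rationale for the chosen threshold are exactly the pre-implementation and ongoing-analysis evidence the rule asks for, and a threshold change without a re-run sweep is the kind of undocumented tuning examiners flag.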
Annual certification and senior-officer liability
The most distinctive feature of Part 504 is the Annual Certification — a written attestation that the institution has a Transaction Monitoring Program and Filtering Program that comply with the rule's requirements. The certification must be filed with the Superintendent by 15 April each year, covers the preceding calendar year, and must be signed by either the board of directors or a senior officer designated to make the certification. The rule's penalties provision subjects institutions to all applicable penalties under the Banking Law and the Financial Services Law. The explicit criminal-penalty language for certifying officers that appeared in the proposed rule was dropped from the final text, but NYDFS has made clear that a knowingly or recklessly false certification can expose the certifying individual to personal liability. This personal-accountability mechanism has reshaped how institutions document, test, and govern their programs throughout the year, not just at certification time.
Documentation and evidence expectations
Part 504 is, in practice, a documentation rule. Institutions must retain comprehensive evidence to support the Annual Certification covering several distinct domains. First, program design — the scenarios, thresholds, list coverage, and data-flow architecture chosen, and why. Second, risk linkage — how each scenario and filtering rule traces back to a specific risk identified in the institution's BSA/AML risk assessment. Third, data lineage — the data sources feeding each program, the extraction and loading processes, and the validation performed on data integrity, accuracy, and quality. Fourth, model validation — independent testing of the underlying detection logic, performance metrics, and tuning history. Fifth, governance — committee minutes, escalation memos, change-control records, and approvals for material program changes. Sixth, operational evidence — alert volumes, clearance times, SAR conversion rates, and false-positive rates over time. Without these artefacts, an institution cannot meaningfully defend its certification under regulatory scrutiny.
Common findings and lookback reviews
NYDFS examinations frequently surface a recurring set of findings: scenarios that have not been re-tuned for years; coverage gaps between the risk assessment and the deployed scenario library; sanctions filters with unjustified false-positive auto-clearance rules; missing evidence of independent model validation; and weak governance over program changes. The rule itself forbids changing the program to avoid or minimise SAR filings, or because the institution lacks the resources to review the alerts it generates, so any threshold increase or auto-clearance rule needs a documented, risk-based justification rather than a workload one. Where deficiencies are material, NYDFS may require an AML lookback review — a retrospective re-monitoring of historical transactions to identify activity that should have generated alerts under a properly designed program. Lookbacks are expensive, time-consuming, and often disclosed publicly through enforcement orders, making preventive program hygiene materially cheaper than remediation.
NYDFS Part 504 vs federal BSA/AML
Part 504 does not replace federal BSA/AML obligations — it layers on top of them. The BSA, administered by FinCEN and examined by the federal functional regulators (OCC, Federal Reserve, FDIC, and NCUA) and, for non-bank money services businesses, the IRS, sets the baseline AML program requirements that every covered US institution must meet. Part 504 adds a New York–specific overlay focused on the technical quality of monitoring and filtering, the governance around those systems, and the personal certification of compliance.
| Aspect | Federal BSA/AML | NYDFS Part 504 |
|---|---|---|
| Issuing authority | US Congress (BSA), administered by FinCEN | New York State Department of Financial Services |
| Geographic scope | All covered US financial institutions | Institutions licensed or supervised by NYDFS in New York |
| Focus | Baseline AML program (CIP, CDD, SAR, recordkeeping) | Technical design, validation, and governance of monitoring & filtering |
| Annual certification | Not required as a separate filing | Required by 15 April; signed by board or senior officer |
| Personal liability | Limited; primarily entity-focused | Direct individual exposure for false certification |
| Model validation | Not mandated by the BSA itself; addressed through the independent-testing pillar and supervisory model risk management guidance | Explicitly required, with documented testing, tuning, and ongoing analysis |
| Examination focus | Outcome-based against the FFIEC BSA/AML Examination Manual | Outcomes plus the rule's specified technical and governance attributes |
An institution that satisfies the federal baseline can still fall short of Part 504, particularly on calibration, validation, and documentation. Conversely, a robust Part 504 program typically exceeds federal expectations on these dimensions, which is why many non-NY institutions voluntarily align to Part 504 standards as good practice.
Practical steps to maintain Part 504 compliance
Institutions that consistently certify under Part 504 share a few habits. They run a scenario-to-risk traceability matrix that is reviewed each year against an updated risk assessment. They schedule independent model validation at least every 12–18 months and remediate findings on a defined timeline. They maintain a single source of truth for thresholds, tuning history, and change approvals. They track leading indicators — alert volumes, false-positive rates, SAR conversion, clearance latency — and act on outliers before regulators do. And they treat the certification as the output of a year's evidence, not as a year-end project. Selecting platforms that produce this evidence natively makes the difference between a defensible certification and a last-minute scramble; Signzy's overview of the best AML software for regulatory compliance covers the criteria most relevant to Part 504-grade environments.
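The traceability matrix and leading indicators described above, and the coverage-gap and stale-scenario findings in the examination section, reduce to a few joins over three records an institution already holds: the risk assessment, the scenario library, and the alert log. The following Python is an added illustration, not code from this page or from any monitoring product, of that review run over constructed sample data. The risk IDs, scenario records, alert dispositions, the 540-day staleness window, the five-alert minimum, and the 0.5 overlap cut-off are all assumptions chosen for the example; the output is a queue of items for documented review, not an automatic tuning action, which matters because the rule forbids program changes made to suppress SAR filings or alert volume.

```python
from datetime import date
from itertools import combinations

# Constructed sample data (assumed, not from any real institution).
RISK_ASSESSMENT = {
    "R1": "Structuring of cash deposits to stay under the CTR threshold",
    "R2": "Rapid movement of funds through correspondent accounts",
    "R3": "Payments to and from high-risk jurisdictions",
    "R4": "Funnel-account activity across branches",
}

# Scenario library: which assessed risk each scenario is meant to cover and when it was last tuned.
SCENARIOS = [
    {"id": "S01", "name": "Cash structuring", "risks": ["R1"], "last_tuned": date(2024, 3, 1)},
    {"id": "S02", "name": "Rapid fund movement", "risks": ["R2"], "last_tuned": date(2021, 6, 15)},
    {"id": "S03", "name": "Cash structuring (legacy)", "risks": ["R1"], "last_tuned": date(2024, 2, 10)},
    {"id": "S04", "name": "Round-amount wires", "risks": [], "last_tuned": date(2023, 11, 20)},
]

# Alert log for the review period: (scenario_id, customer_id, disposition).
ALERTS = [
    ("S01", "C1", "sar"), ("S01", "C2", "closed"), ("S01", "C3", "closed"), ("S01", "C4", "closed"),
    ("S03", "C1", "sar"), ("S03", "C2", "closed"), ("S03", "C3", "closed"), ("S03", "C6", "closed"),
    ("S02", "C7", "closed"), ("S02", "C8", "closed"), ("S02", "C9", "closed"),
    ("S02", "C10", "closed"), ("S02", "C11", "closed"), ("S02", "C12", "closed"),
]


def coverage_gaps(risks, scenarios):
    """Traceability in both directions: assessed risks with no scenario, scenarios with no
    risk linkage, and scenarios citing a risk the assessment no longer contains."""
    covered = {r for s in scenarios for r in s["risks"]}
    uncovered_risks = sorted(set(risks) - covered)
    unlinked_scenarios = sorted(s["id"] for s in scenarios if not s["risks"])
    unknown_risks = sorted(covered - set(risks))
    return uncovered_risks, unlinked_scenarios, unknown_risks


def stale_scenarios(scenarios, as_of, max_age_days=540):
    """Scenarios whose last documented tuning is older than the review window (assumed ~18 months)."""
    return sorted(s["id"] for s in scenarios if (as_of - s["last_tuned"]).days > max_age_days)


def scenario_kpis(alerts, scenarios):
    """Per-scenario alert volume, SAR count and SAR conversion rate (None when a scenario never fired)."""
    kpis = {s["id"]: {"alerts": 0, "sars": 0} for s in scenarios}
    for sid, _customer, disposition in alerts:
        kpis[sid]["alerts"] += 1
        if disposition == "sar":
            kpis[sid]["sars"] += 1
    for k in kpis.values():
        k["sar_conversion"] = k["sars"] / k["alerts"] if k["alerts"] else None
    return kpis


def flag_scenarios(kpis, min_alerts=5):
    """Silent scenarios (no alerts at all) and under-tuned ones (enough alerts to judge, zero SARs)."""
    silent = sorted(sid for sid, k in kpis.items() if k["alerts"] == 0)
    under_tuned = sorted(sid for sid, k in kpis.items() if k["alerts"] >= min_alerts and k["sars"] == 0)
    return silent, under_tuned


def duplicate_candidates(alerts, min_jaccard=0.5):
    """Scenario pairs whose alerted-customer populations overlap heavily (Jaccard index),
    the usual signature of a duplicative scenario."""
    populations = {}
    for sid, customer, _ in alerts:
        populations.setdefault(sid, set()).add(customer)
    pairs = []
    for a, b in combinations(sorted(populations), 2):
        overlap = len(populations[a] & populations[b]) / len(populations[a] | populations[b])
        if overlap >= min_jaccard:
            pairs.append((a, b, round(overlap, 3)))
    return pairs


def review_report(as_of, risks=RISK_ASSESSMENT, scenarios=SCENARIOS, alerts=ALERTS):
    """Everything a periodic program review would table for documented decision."""
    uncovered, unlinked, unknown = coverage_gaps(risks, scenarios)
    kpis = scenario_kpis(alerts, scenarios)
    silent, under_tuned = flag_scenarios(kpis)
    return {"uncovered_risks": uncovered, "unlinked_scenarios": unlinked, "unknown_risks": unknown,
            "stale": stale_scenarios(scenarios, as_of), "kpis": kpis, "silent": silent,
            "under_tuned": under_tuned, "duplicates": duplicate_candidates(alerts)}


if __name__ == "__main__":
    for key, value in review_report(date(2025, 4, 15)).items():
        print(f"{key}: {value}")
```

Run against the sample data, the report surfaces two assessed risks with no scenario (R3, R4), one scenario with no risk linkage (S04), one scenario untouched since 2021 (S02) that has also produced six alerts and no SAR, one scenario that never fired (S04), and a pair of scenarios alerting on substantially the same customers (S01 and S03). Each line is a finding to record, justify, and close in the governance trail, which is what turns the same query into certification evidence the following April.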
Key Obligations
Risk-based transaction monitoring program — design and operate scenarios reasonably calibrated to detect activity reportable as suspicious under federal AML laws.
Sanctions filtering program — interdict transactions prohibited by OFAC and other applicable lists across customer, counterparty, and payment-message data.
Risk-linkage and calibration — map every scenario and filtering rule to the BSA/AML risk assessment; periodically test, validate, and tune thresholds.
Independent model validation — perform periodic validation (typically 12–18 months) of detection logic, with documented testing, performance metrics, and tuning history.
Governance and change control — maintain committee oversight, change-approval records, escalation memos, and documented sign-off on material program changes.
Annual certification — file a written attestation with the NYDFS Superintendent by 15 April each year, signed by the board of directors or a designated senior officer.
Documentation and evidence retention — retain program design, risk linkage, validation, governance, and operational evidence sufficient to defend the certification under examination.
Alert handling and SAR timeliness — clear alerts with documented rationale, escalate appropriately, and decide SARs within FinCEN's filing deadline (30 calendar days from initial detection, extendable to 60 where no suspect has been identified).
Manual Details
| Field | Detail |
|---|---|
| Issued by | New York State Department of Financial Services (NYDFS) |
| Citation | 3 NYCRR Part 504 — Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications |
| Effective | 1 January 2017 |
| First annual certification due | 15 April 2018 |
| Jurisdiction | New York State (extraterritorial reach via NY-licensed entities) |
| Category | AML/CFT — state-level |
FAQ
What is NYDFS Part 504?
NYDFS Part 504 — formally 3 NYCRR Part 504 — is the New York State Department of Financial Services rule that requires NY-regulated financial institutions to maintain a risk-based transaction monitoring program for AML detection and a sanctions filtering program for OFAC and watchlist interdiction. It also mandates an annual certification of compliance signed by the board or a senior officer.
Who must comply with NYDFS Part 504?
All NY-licensed banks, trust companies, branches and agencies of foreign banks supervised by NYDFS, money transmitters, check cashers, and virtual currency businesses operating under the BitLicense regime. The rule reaches monitoring and filtering programs covering activities flowing through the New York entity, including cross-border and correspondent banking flows.
What are the NYDFS Part 504 annual certification requirements?
Each year by 15 April, the institution's board of directors or a designated senior officer must file a written attestation with the NYDFS Superintendent confirming that the institution maintains a Transaction Monitoring Program and Filtering Program meeting the rule's requirements for the preceding calendar year. Institutions are subject to all applicable Banking Law and Financial Services Law penalties for non-compliance, and NYDFS has made clear that a knowing or reckless false certification can expose the signing individual to personal liability.
What is the difference between NYDFS Part 504 and federal BSA/AML requirements?
Federal BSA/AML rules — administered by FinCEN and examined by the federal functional regulators and, for non-bank money services businesses, the IRS — set the baseline AML program every covered institution must maintain. NYDFS Part 504 adds a New York–specific overlay focused on the technical design, calibration, validation, governance, and personal certification of monitoring and filtering programs. Part 504 institutions must satisfy both layers.
What is a Part 504 lookback review?
An AML lookback is a retrospective re-monitoring of historical transactions, ordered by NYDFS where the institution's monitoring or filtering program has been found materially deficient. Lookbacks identify activity that should have generated alerts under a properly designed program and often result in additional Suspicious Activity Report filings, enforcement orders, and significant cost to the institution.