The Price of Protection

The USA Patriot Act has spawned niche markets for software and service

Avoiding involvement in money laundering and other activities that enable terrorists has become a more formal, stringent, and complicated endeavor for businesses since the U.S. Congress passed the USA Patriot Act in Oct. 2001. Almost two years later, the full effect of the hastily passed legislation is still unknown, but rules interpreting the Patriot Act continue to roll out.

The next milestone, Oct. 1, 2003, is the deadline for banks and other financial institutions to finalize a customer identification program (CIP) mandated by the Treasury Department. Vendors of niche data services and rules-based alert systems have seized on this and other Patriot Act requirements as a selling point.

The Financial Crimes Enforcement Network (FinCEN) of the Treasury Department, per section 326 of the Patriot Act, requires financial institutions to:

• "Collect identifying information about customers opening an account
• "Verify that the customers are who they say they are
• "Maintain records of the information used to verify their identity
• "Determine whether the customer appears on any list of suspected terrorists or terrorist organizations."

Moving Target

The last requirement is probably the most difficult. But many businesses, such as dealers in tangible goods, are already familiar with this challenge. Darren Maynard is chief operations officer of NextLinx Corp., a provider of automated global trade management. He says that, for as long as anyone can remember, the U.S. has published a Denied Parties list of entities that U.S. companies were prohibited from engaging in business deals. The list used to change only sporadically.

"Now, there's almost a daily change," Maynard says. "Hundreds of names are added at a time. There are now more lists, too." Some of those other lists are from the United Nations and its individual member countries, for example. Lists include Denied Persons, Embargoed Countries, and International Traffic in Arms Debarment.

The U.S. General Accounting Office (GAO) agrees that these lists of suspected or known terrorists create an undue burden on those bound to heed them. In a summary of its report GAO-03-322, the GAO wrote, "Nine federal agencies — which prior to the creation of the Department of Homeland Security spanned the Departments of Defense, Justice, State, Transportation, and the Treasury — develop and maintain 12 watch lists. These lists include overlapping but not identical sets of data, and different policies and procedures govern whether and how these data are shared with others."

While businesses are responsible for knowing the contents of these lists, the GAO further reports that federal agencies are much better at sharing information with each other than with private entities. But that's not saying much. Efficient rationalization and integration of these lists among agencies is impeded by differences in their systems architectures.

Companies like NextLinx, CyberSource, and Kott Software capitalize on this chaos by staying on top of the changes and providing their clients a way to automatically screen prospective customers.

Earlier Requirements Also Intensive

Similarly complex, but for different reasons, are earlier Patriot Act mandates to detect certain types of suspicious banking activities and file reports with FinCEN. Nefarious banking customers have skirted Bank Secrecy Act provisions in the past by clouding their activities. For example, they might break up large transfers to one person over several days and several bank branches.

Exposing this behavior requires integrated data and automated detection. Companies from diverse backgrounds, such as enterprise infrastructure company Sybase and funds processing bureau RemitPro sell their ability to detect actions reportable under the Patriot Act amendments to the Bank Secrecy Act.

— Jeanette Burriesci

In this Issue: