USA Patriot Act, Take Two: Compliance Systems for Section 326

Over the past year, America's financial institutions have been participating in the waves of sectional implementation of the USA Patriot Act. Passed on October 23, 2001, the Act is being implemented in phases to address money laundering, enhanced reporting on suspicious customer activity and customer verification in an effort to curtail global money laundering and terrorist financing. Section 326 is next in line for implementation. Although still pending final implementation from US Treasury, financial institutions must consider how this specific section will impact day-to-day business and begin to develop a corporate compliance program immediately.

Section 326 requires financial institutions - defined as banks, insurance companies, credit card companies, money service businesses, mutual funds broker/dealers and casinos - to establish minimum procedures for identity verification when new customers and others open accounts. This section also requires cross checking account holder and/or requester names against all government lists of known or suspected terrorist organizations (also known as Restricted or Denied Party Lists). With a number of separate lists controlled and updated frequently by Treasury, US Commerce, the United Nations and several other world nations, the total number of names to be checked stands at approximately 9000 - give or take a few on any given day. About ten percent of these names are for terrorists. The remaining names represent fronts of embargoed governments such as Iraq, entities of proliferation concern (they develop missiles, nuclear weapons, or chemical or biological weapons), narcotics traffickers, firms that have violated U.S. export controls, and others. While smaller institutions may attempt to check lists manually on an as-needed basis, larger institutions opening and closing hundreds of accounts each day will require an automated system to ensure compliance.

If not automated, an employee would need to check the Federal Register at least daily for updated names and related information for each list, and then throughout the day as needed to square account requestor names against all Restricted Party Lists. The amount of time this daily checking, updating and crosschecking will take, coupled with the fact that monetary penalties for non-compliance are $25,000 per day, equals significant expenses over time. If automated, the process of checking Restricted Party Lists will eliminate the potential for costly human error and can be seamlessly integrated with the competitive pace of the financial market.

All that said, simply dropping in a system will not address the organizational complexities of weaving new regulations into institutional business processes. Before beginning to evaluate automated systems for section 326 compliance, every institution should undertake an assessment of where it stands today with respect to customer identification and verification processes.

Knowledge: A new mindset must be established within all financial institutions, since all financial institutions are subject to the rules regardless of size. Do all employees understand the basic requirements of section 326 and do they understand the implications of non-compliance?

Organization: Institutions must assign a specific individual the task of overseeing this compliance program (i.e. become an expert on the customer verification process). While implementing a compliance program, include incentives to encourage the process owner to continually educate the organization throughout the compliance program implementation. Establishing the importance of customer verification at the executive level heightens awareness around its importance and helps share the burden of spotting suspicious activity in new account openings.

Technology: Does your current system infrastructure provide identity verification? Does the institution have systems to flag suspicious account requests or transaction activities? Can your customer and transaction databases be integrated to enable list checking efficiently? In order to thoroughly monitor customer transactions, new account openings, as well as relationships and timing between account transactions, large institutions will need scalable tools capable of handling high volumes of transactions.

After assessing available technology and procedures for customer verification, compare these systems and procedures against what is required by section 326. The competency gaps that are identified through your analysis will serve as a road map when evaluating identity verification systems and procedures across the organization. This roadmap can also serve as a component of the institution's compliance program and keep systems in line with business processes during the evaluation period.

In general, a package software solution is less expensive to maintain and upgrade than a custom-built solution, particularly where the role of the software is to keep the institution compliant with federal regulations. Regulations can change quickly and call for short implementation cycles, so software vendors can focus more resources at staying current on all the regulatory details than an organization that develops its own solution internally. Investments made in solutions to ensure compliance with section 326 need to be made with this type of flexibility in mind. Names that must be checked under section 326 will change frequently in the foreseeable future.

Once the final regulations are passed, financial institutions will be notified on the length of the compliance grace period allowed. Typically, Treasury allows 30 to 90 days to comply with new regulations, but the American Bankers Association has been lobbying aggressively for a 12-month grace period. Many inside the industry believe that the grace period for compliance will be extended due to the lack of proper infrastructure on which to build required customer verification systems. For compliance officers, this means they must start the requirements-gathering process now, begin to evaluate software solutions and plan for time to integrate customer and transactions systems with the new system to check Restricted Party Lists.

Both the monetary and reputation risk of non-compliance with all sections of the Patriot Act can be very high. In this environment where the President has declared the war on terrorism to include interdiction of funds to terrorists, compliance with the law is worth the investment. Compliance is not an option. The regulations will mandate procedures and processes. In this environment compliance with the law is worth the investment.

Larry Christensen currently serves as Vice President, International Trade Content at Vastera Inc in Dulles, VA, where he manages the collection, interpretation and dissemination of critical trade rules and regulations to Vastera's clients.