2004 Sep 01
PATRIOT Act Compliance Systems
David M. Raab
DM News
September, 2004

Government regulations to prevent money laundering and isolate enemies have been in effect for years. But their scope was extended significantly by the USA PATRIOT Act after September 11, 2001. Today, nearly every financial transaction in the United States is subject to review to ensure it is legitimate and does not involve a proscribed person or organization. Direct marketers who never considered themselves part of the financial industry are now obligated to perform such checks, under threat of severe penalties if they make a mistake.

(This is as good a place as any to point out that the actual regulations are very complicated. Businesses should rely on qualified professionals, and not DM News columns, for specific advice.)

The burden of surveillance falls directly on the businesses themselves. Other than making its various watch lists available and setting some basic rules, the government largely relies on each firm to execute the requirements as it sees fit. Only suspicious activities are reported to the authorities.

For people concerned about the government spying on them, this is a good thing. So long as they are not already on a watch list and don’t do anything unusual, the government never hears about them. Thus the threat to privacy is minimized. (The government’s ability to identify suspicious behavior is minimized as well. But the practical difficulties of doing this are so great that this probably doesn’t matter.)

Businesses, which have to do the work, may see fewer advantages to this approach. In a way, it’s amazing that the economy hasn’t ground to a halt with all the extra checking that’s supposed to be going on. Maybe the requirements are less burdensome than they seem. Or maybe a lot of businesses just aren’t complying and the government hasn’t insisted.

Most likely, it’s a bit of both. Although the government has been quite clear about the penalties for letting a forbidden transaction slip by, it has been considerably more vague about what constitutes an acceptable level of diligence in preventing such mistakes.

Basically, businesses must do two things: block attempted transactions by specific entities identified on a government watch list, and verify the identity of all new customers.

– Transaction blocking applies to all U.S. businesses and is separate from the PATRIOT Act. The primary watch list is the Specially Designated Nationals (SDN) List from the Treasury Department’s Office of Foreign Assets Control (OFAC). Depending on the situation, other lists and sanctions against entire countries may also apply.

Somewhat surprisingly, there are no standards for the quality of watch list checking. The government’s own Web site (www.treas.gov/offices/enforcement/ofac/faq) says that “users can search the PDF version of the SDN list using the ‘find’ feature of the Adobe Acrobat Reader. Most word processing programs also have a search function to scan OFAC’s ASCII versions of the SDN list.”

It’s hard to imagine that anyone familiar with the realities of name and address matching would believe this is an adequate approach. More to the point, it’s hard to imagine that the government would accept this as adequate should it discover your business has permitted a forbidden transaction.

Still, to put matters in perspective, the SDN List holds only 2,500 names and 2,100 aliases at 4,800 addresses. So the notion of an occasional manual search is not totally absurd.

– Identity verification, required in section 326 of the PATRIOT Act, is an extension of the pre-September 11 rules aimed at preventing money laundering. It is nominally limited to financial institutions, but these have been defined to include auto, boat and aircraft dealers, jewelers, real estate agencies, casinos, insurance companies, securities brokers, check cashing bureaus, credit card system operators, travel agencies, wire transfer agents, and currency exchanges. In short, any business involved in the transfer of significant assets could be covered.

The government’s rules for customer identification programs are somewhat more detailed than those for OFAC list matching. But they deal largely with the process of establishing a formal program, and touch just lightly on what that program must include. Beyond customer name, address, birthdate and government ID number (typically but not always Social Security Number), each institution decides what information to gather and how to verify it is correct. These decisions are supposed to be based on a risk assessment, but there are no standards for how to conduct the assessment or what proof is required for different risk levels. The basic principle is that each business must do whatever it needs to feel reasonably confident that customers are who they claim to be.

Despite, or perhaps because of, the ambiguity in OFAC and PATRIOT Act compliance requirements, there is no shortage of software vendors offering to help. Some provide a complete solution including identity verification, watch list searching, suspicious transaction identification, documentation and case management. Most provide only some of these functions. OFAC list search is a particularly common feature, in both vendor-hosted and client-run configurations.

Chances are that any of these vendors does a better job than your word processor’s ASCII text search. But it’s still worth noting that matching against the OFAC list is unusually challenging. The list contains many non-Western names and non-U.S. addresses, which cause big problems for matching systems tuned to U.S. consumer lists. False matches are costly to investigate and annoy legitimate customers. Missed matches can result in negative publicity, legal penalties, and, in the very worst case, a successful terrorist attack.

Odd as it seems, the government has more stringent standards for applying Zip codes than for identifying terrorists. So businesses looking for a solution, which is just about everybody, are very much on their own in selecting an effective product. Make sure that your matching system has the specialized reference tables, processing logic and experience to handle non-U.S. names and addresses. Make sure your solution checks existing accounts against additions to the watch lists. Above all, make sure you have a competent advisor review your compliance programs. However painful it is, the cost of failure is worse.
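As an added illustration (not part of the original column, and not any vendor's product), the sketch below shows the shape of the matching logic discussed above: folding diacritics and word order before comparing, screening aliases alongside primary names, and rescreening existing accounts against only the additions in a list update. The watch-list entries, account names and the 0.85 threshold are constructed for the example; a production screener would add phonetic and transliteration handling well beyond what difflib offers.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed, fictitious watch-list entries shaped like SDN records:
# one primary name plus "a.k.a." aliases. This is not real OFAC data.
WATCH_LIST = [
    {"id": "WL-001", "name": "Muhammad al-Rashid",
     "aliases": ["Mohammed Rashid", "Abu Rashid"]},
    {"id": "WL-002", "name": "Nikolai Petrov", "aliases": ["Nikolay Petroff"]},
]

def normalize(name):
    """Fold diacritics and case, drop punctuation and sort the tokens, so
    word order and simple transliteration noise matter less in comparison."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(sorted(re.findall(r"[a-z]+", folded.lower())))

def similarity(a, b):
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def screen(customer_name, watch_list=WATCH_LIST, threshold=0.85):
    """Return (entry id, matched variant, score) for every list entry whose
    primary name or alias scores at or above the threshold, best first.
    Lowering the threshold trades more false matches for fewer misses."""
    hits = []
    for entry in watch_list:
        for variant in [entry["name"], *entry["aliases"]]:
            score = similarity(customer_name, variant)
            if score >= threshold:
                hits.append((entry["id"], variant, round(score, 3)))
    return sorted(hits, key=lambda hit: -hit[2])

def rescreen_accounts(accounts, new_entries, threshold=0.85):
    """Screen the existing book of accounts against only the entries added
    in a list update; returns the accounts that now need investigation."""
    flagged = {}
    for account_id, holder_name in accounts.items():
        hits = screen(holder_name, new_entries, threshold)
        if hits:
            flagged[account_id] = hits
    return flagged

if __name__ == "__main__":
    print(screen("Mohammed al Rashid"))   # alias and primary name both hit WL-001
    print(screen("Nikolaï Petróv"))       # diacritics folded: exact hit on WL-002
    # Constructed list update and existing accounts for the rescreen.
    update = [{"id": "WL-003", "name": "Jane Smith", "aliases": ["J. Smith"]}]
    print(rescreen_accounts({"A-100": "Jane Smith", "A-200": "Nikolai Petrov"}, update))
```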

* * *

David M. Raab is a Principal at Raab Associates Inc., a consultancy specializing in marketing technology and analytics. He can be reached at draab@raabassociates.com.
