As a result of the USA Patriot Act becoming law on Oct. 26, 2001, financial institutions are required to assist the U.S. government in combating terrorism at home and abroad. While there has been much libertarian controversy surrounding this law, it continues
The USA Patriot Act greatly expanded the regulatory framework designed to safeguard the U.S. financial system from misuse, including the financing of terrorism. It not only strengthened the rules on information sharing and customer identification programs (CIPs), but also gave the U.S. Treasury authority to regulate various activities of financial institutions and required them to maintain anti-money laundering programs.
USA Patriot Act compliance challenges
Here are five challenges financial firms face:
1. Foreign privacy regulations
Canadian provincial governments have argued that the broad powers the U.S. government holds under the Act conflict with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and the supporting provincial legislation.
Financial services firms must closely monitor the privacy laws of every jurisdiction they operate in and define policies and procedures that control how information is managed and accessed across those jurisdictions.
2. Applying security measures
The USA Patriot Act requires financial services firms to identify, and apply security screening to, external foreign parties that conduct transactions or are granted access to a client's personal information. A financial services firm needs to implement appropriate access rights and should consider controls that address the following:
- System and application firewalls
- Authenticated and authorized information access (using PINs, biometrics, etc.)
- Tamper-resistant tokens (e.g., smart cards)
- Data security (encryption, digital signatures, etc.)
- Authentication of the other systems and components involved in the identity verification process
It is vital that institutions maximize protection of personally identifiable information (PII) and instill confidence among clients that their personal information is protected from inappropriate or illegal access -- while at the same time allowing the U.S. government access to information to support its investigations into fraud, money laundering, and terrorist financing.
3. Customer identification programs
Since 2003, financial institutions have been required to maintain a customer identification program (CIP) that implements reasonable procedures to:
- Collect identifying information about customers opening an account
- Verify that the customers are who they say they are
- Maintain records of the information used to verify their identities
- Determine whether customers appear on any list of suspected terrorists or terrorist organizations
This places a significant burden on financial services organizations to validate identity, and to assess potential fraud risk, when clients open accounts.
U.S. Treasury examiners concentrate on how financial services firms conduct risk analysis of customers and validate their identities when building their CIPs. Regulators focus not only on written policies, but also on audit and training programs, computer systems, and the implementation of the regulations issued under Section 326 of the USA Patriot Act.
4. Monitoring and reporting
Financial institutions are required to monitor client data and transactions to identify illegal financial activity. They need some way of identifying suspicious customers in order to identify suspicious transactions under the Suspicious Activity Report (SAR) monitoring and reporting rule. In addition, federal law enforcement agencies investigating terrorist or money-laundering activity can request information from financial institutions through the Treasury Department (the Section 314(a) process); the institution must then search its records and respond with specific personal information while preserving confidentiality. Institutions therefore need established processes for regulatory reporting and for interacting with regulators as part of their obligation to monitor client transactions.
5. Regulatory burden
Financial institutions face layers of complexity, with differing regulations from differing sources, that compliance officers and managers must navigate while defending against fraud, terrorism and illegal drug activity.
There is significant concern that this compliance burden is particularly overwhelming for smaller financial institutions. These firms will need time and money to update their systems to comply with the new rules, whereas larger financial firms have more resources over which to spread the cost.
Patriot Act compliance strategies
Best practice within financial institutions is to designate a central compliance officer to address the growing legislative requirements of the USA Patriot Act and of other regulatory legislation.
As part of their compliance programs, financial institutions should review their existing processes, systems, and information architecture, using in-house staff, internal compliance groups and outside consultants. Existing policies, procedures and guidelines must be analyzed against the array of compliance requirements found in the USA Patriot Act and the many other regulations that financial services organizations face. As the evaluation proceeds, the findings and the changes made to the existing infrastructure (policies, systems, personnel, etc.) should be documented in sufficient detail.
As new laws are passed and existing laws are interpreted and enforced, the U.S. government continues to provide more detailed guidance for financial institutions. As laws mature into regulations that have stood the test of time, the details of how to comply and the compliance process itself become easier. Financial services organizations also band together in associations such as the Financial Services Roundtable and the American Bankers Association to share experiences and strategies for compliance and to influence new legislation. Financial institutions should take this as a reminder that they aren't in this alone.
About the authors:
Michael Rasmussen and Michael Landers are with Corporate Integrity, LLC, a strategy and research advisory firm providing education, research, and analysis on enterprise governance, risk management, and compliance.
This was first published in April 2008