Patriot Act Compliance Systems
Government regulations to prevent money laundering and isolate enemies have been in effect for years. But their scope was extended by the USA Patriot Act after 9/11. Today, nearly every financial transaction in the country is subject to review to ensure it is legitimate and does not involve a proscribed person or organization.
Direct marketers who never considered themselves part of the financial industry now are obligated to perform such checks, under threat of severe penalties if they make a mistake. (This is as good a place as any to note that the regulations are very complicated. Businesses should rely on qualified professionals, and not DM News columns, for specific advice.)
The burden of surveillance falls directly on the businesses themselves. Other than making its various watch lists available and setting basic rules, the government largely relies on each firm to execute the requirements as it sees fit.
Only suspicious activities are reported to the authorities. For people concerned about the government spying on them, this is good. So long as they are not already on a watch list and don't do anything unusual, the government never hears about them. Thus, the threat to privacy is minimized. The government's ability to identify suspicious behavior is minimized as well, but the practical difficulties of doing this are so great that this probably doesn't matter.
Businesses, which have to do the work, may see fewer advantages to this approach. In a way, it's amazing that the economy hasn't ground to a halt with all the extra checking that's supposed to be going on. Maybe the requirements are less burdensome than they seem. Or maybe a lot of businesses just aren't complying and the government hasn't insisted. Most likely, it's a bit of both.
Though the government has been clear about the penalties for letting a forbidden transaction slip by, it has been vague about what constitutes an acceptable level of diligence in preventing such mistakes. Basically, businesses must do two things: block attempted transactions by entities identified on a government watch list and verify the identity of all new customers. Transaction blocking applies to all U.S. businesses and is separate from the Patriot Act.
The main watch list is the Specially Designated Nationals list from the Treasury Department's Office of Foreign Assets Control. Depending on the situation, other lists and sanctions against entire countries also apply. Somewhat surprisingly, no standards exist for the quality of watch list checking.
The government's Web site (www.treas.gov/offices/enforcement/ofac/faq) says that "users can search the PDF version of the SDN list using the 'find' feature of the Adobe Acrobat Reader. Most word-processing programs also have a search function to scan OFAC's ASCII versions of the SDN list." It's hard to imagine that anyone familiar with the realities of name and address matching would think this is adequate.
More to the point, it's hard to imagine that the government would accept this as adequate should it discover your business has permitted a forbidden transaction. Still, the SDN list holds only 2,500 names and 2,100 aliases at 4,800 addresses, so the notion of an occasional manual search is not totally absurd.
Identity verification, required in section 326 of the Patriot Act, is an extension of the pre-9/11 rules aimed at preventing money laundering. It is nominally limited to financial institutions, but these have been defined to include auto, boat and aircraft dealers, jewelers, real estate agencies, casinos, insurance companies, securities brokers, check-cashing bureaus, credit card system operators, travel agencies, wire transfer agents and currency exchanges. Any business involved in transfer of significant assets may be covered.
The government's rules for customer identification programs are more detailed than those for OFAC list matching. But they deal largely with the process of establishing a formal program, and touch just lightly on what that program must include. Beyond customer name, address, birth date and government ID number (typically but not always Social Security number), each institution decides what information to gather and how to verify it is correct.
These decisions are supposed to be based on a risk assessment, but no standards exist for how to conduct the assessment or what proof is required for different risk levels. The basic principle is that each business must do whatever it needs to feel reasonably confident that customers are who they claim to be.
Despite, or perhaps because of, the vagueness in OFAC and Patriot Act compliance requirements, there is no shortage of software vendors offering to help. Some provide a complete solution including identity verification, watch list searching, suspicious transaction identification, documentation and case management.
Most provide only some of these functions. OFAC list search is common in both vendor-hosted and client-run configurations. Chances are that any of these vendors does a better job than your word processor's ASCII text search. But it's worth noting that matching against the OFAC list is unusually challenging.
The list contains many non-Western names and non-U.S. addresses, which cause big problems for matching systems tuned to U.S. consumer lists. False matches are costly to investigate and annoy legitimate customers. Missed matches can bring negative publicity, legal penalties and, in the worst case, a successful terrorist attack.
Odd as it seems, the government has more stringent standards for applying ZIP codes than identifying terrorists. So businesses looking for a solution - which is just about everybody - are on their own in selecting an effective product.
Ensure that your matching system has the specialized reference tables, processing logic and experience to handle non-U.S. names and addresses. Ensure your solution checks existing accounts against additions to the watch lists. Above all, ensure you have a competent adviser review your compliance programs. However painful it is, the cost of failure is worse.