Brokerages face big IT bills to comply with USA Patriot Act

Computerworld - A report released last week estimates that the U.S. brokerage industry will spend as much as $700 million through 2005 on technology and outsourcing services in order to comply with the antiterrorism and anti-money-laundering regulations of the USA Patriot Act.

The report by Needham, Mass.-based TowerGroup says brokerages spent $117 million on Patriot Act compliance measures last year and will invest about $404 million this year, when most of the Patriot Act's provisions become law. The report also indicates that some large brokerages expect to spend up to $30 million each. But after that, budgeting for compliance initiatives drops off sharply.

"I don't want to say they're not taking it seriously, but of 5,500 registered [securities] dealers in the country, I'd estimate that 1,000 or less are actively building or buying solutions," said Bob Iati, a research director at TowerGroup.

The Patriot Act, which was signed by President Bush in October 2001 in response to the Sept. 11 terrorist attacks, requires financial services companies to develop improved capabilities to identify customers and flag suspicious transactions.

Where the Money Goes

According to TowerGroup, about 39% of compliance budgets is being spent on integrating back-end systems, and 35% is going toward new software. Another 24% of the money is being used to upgrade IT infrastructures, such as hardware and storage, the report says. The remaining 2% is paying for outsourcing services with operators of customer databases, such as Regulatory DataCorp International LLC (RDC) in New York.

RDC was launched in July by The Goldman Sachs Group Inc. and other firms to develop a database for screening suspected criminals. Companies use a secure Web portal to send individual names or lists of customers to RDC, which then runs the names through an Oracle database installed on Unix servers.

Bill Catucci, CEO and president of RDC, said the company has about 25 clients in addition to its 20 original investors, who included Merrill Lynch & Co. and Citigroup Inc. But he noted that the stipulations of the Patriot Act are fuzzy at best.

"When [federal regulators] say you should have a compliance system that meets due diligence, you don't know what that means," Catucci said. "The issue is that if you don't meet the requirements, they'll sanction you."

Regulators are first checking to make sure that companies have established the required anti-money-laundering and antiterrorism programs, and then they're examining the actual compliance procedures, said Breffni McGuire, a TowerGroup analyst. "And after that, they're looking to see if you have the technology in place and are using it effectively," McGuire said.

Eric Friedberg is a former federal regulator who is now executive vice president and general counsel at Stroz Friedberg LLC, an IT services and consulting firm in New York. Friedberg said that although most large banks and brokerages are on their way to Patriot Act compliance, many smaller companies don't intend to get there because they don't think it's worth the cost.