Compliance laws vex IT

Computerworld - No matter how hard Wall Street firms try to dress them up with flowers and patriotic bunting, the concrete barricades outside their entrances are a constant reminder to Ravi Jethmal of the terrorist attacks that occurred two years ago just blocks from his Broad Street brokerage office.

Another reminder is the USA Patriot Act and its Oct. 1 deadline for compliance officers such as Jethmal to check the identities of new customers and monitor them to ensure that they're not laundering money for terrorists.

The Patriot Act, passed in the wake of the Sept. 11, 2001, terrorist attacks, requires financial services companies to verify customer identities, submit suspicious-activity reports to the U.S. Department of the Treasury's Financial Crimes Enforcement Network and check customers against crime databases established by law enforcement agencies.

"You get e-mails from FinCEN asking if this person is on your list of customers. Keeping up with all the FinCEN requests is a lot of work," said Jethmal, vice president of compliance at Abel/Noser Corp.

Avivah Litan, an analyst at Gartner Inc., said CIOs are "much more risk-management-focused since 9/11."

Under scrutiny by regulators, financial services firms are installing applications that perform risk-scoring and use complex algorithms to identify unusual customer trends within transaction activity.

Although the Patriot Act's Oct. 1 deadline applies to confirming the identity of only new customers, Scott Barton, compliance officer at Columbus, Ohio-based Huntington Bancshares Inc., said regulators gave the financial companies just enough "rope to hang ourselves." Barton pointed out that the act requires banks to have a reasonable basis for knowing the identity of existing customers, but "if we're going to be scrutinized after the fact, how do we prove that?"

TowerGroup in Needham, Mass., estimates that by 2007, the global financial services industry will have spent $523 billion on operational resiliency—technology upgrades for disaster recovery, business continuity and security. U.S. retail banks alone will spend $1.1 billion, or 4.4% of their IT budgets, in response to 9/11 between 2003 and 2007, TowerGroup predicts. Artificial intelligence systems for tracking customer activity will carry the highest price tags.

"What these systems do is examine transactions in context rather than looking at them individually. If there's any deviation from the norm, it flags it," said TowerGroup analyst Virginia Garcia.

Business Opportunities

Apart from putting pressure on compliance officers like Jethmal and Barton, who called the Patriot Act the "No. 1 issue right now," the terrorist attacks of Sept. 11 have spawned a cottage industry around digital records retention, security and protections against money-laundering.

For example, since the attacks, New York-based J.P. Morgan Chase & Co. has taken an internal digital data-retention service and made it into a business, said Bill Telkowski, chief technology officer at J.P. Morgan's I-Solutions group. The bank sells space on a pair of geographically dispersed 100TB redundant storage-area networks to 75 customers, who can retrieve their information over a virtual private network.