Targeting terrorist finances

Since Sept. 11, 2001, Americans have grown accustomed to a greater government presence in many aspects of their lives, from boarding airplanes and subways to gathering at crowded public events. One rather unlikely place where that presence has also increased is local banks, where, thanks to new government regulations, opening a checking account can be as laborious as writing a college term paper.

The reason: With 20/20 hindsight following the attacks, government officials uncovered connections between terrorists and the U.S. financial system, spurring a new era of government oversight at the country's financial institutions.

Measures such as the USA Patriot Act have extended and strengthened existing laws against money laundering, allowing federal officials to collect more data and be more aggressive in disrupting terrorist financing schemes. For example, the government fined Washington, D.C.-based Riggs Bank $25 million last spring for allegedly violating those laws in bank officials' handling of suspicious Saudi-controlled accounts.

Despite this high-profile action, do government officials have the necessary regulations and systems in place to allow financial institutions to easily share information and identify and report suspicious activity? And once they have the information, do officials have the means to access and analyze it effectively? At least one major information technology program is now under way to address these issues, though some experts question whether the approach being taken is the best one.

Unclear requirements

The Patriot Act, passed in 2001, is the latest in a series of legislative actions providing the framework for government programs against money laundering (see box, Page s20). Under the act, firms are required to institute Customer Identification Programs and submit Suspicious Activity Reports of questionable customer transactions to the Treasury Department's Financial Crimes Enforcement Network (FinCEN).

Officials at FinCEN, which was established in April 1990 to provide intelligence and analytics on money-laundering investigations, were given regulatory responsibilities in 1994. Although concerns such as drug trafficking took priority in the area of money laundering before the 2001 attacks, in the past few years, terrorism funding has grown in prominence.

Government officials have given financial institutions clear instructions about what information to collect from new customers as part of Customer Identification Programs, such as name, address and Social Security number. Officials have less guidance on Suspicious Activity Reports, leaving guidelines such as how often the reports must be submitted or their level of detail undefined. The Riggs fine was levied in large part because of bank officials' failure to monitor and report suspicious transactions.

Customer Identification Programs "are done every day," said Edith Farnham, the anti-money-laundering officer at the Florida-based brokerage firm GunnAllen Financial Inc. "On the back end of that, when there are situations where we have to investigate accounts further and bring in additional information, firms can possibly have huge volumes of data" to report.

All this data ends up at FinCEN, which acts as a liaison to law enforcement, regulators and the financial community to identify and prevent money laundering and financial crimes.

"A lot of other agencies are building data warehouses and systems that focus on their area of responsibility," said a technology executive at FinCEN who requested anonymity. "We're finding that the data we have can be the missing link for them."

Until recently, the process for getting Suspicious Activity Reports and other information to FinCEN officials was indirect and largely manual. Center officials relied on the Internal Revenue Service to annually collect and process about 13 million reports from more than 20,000 financial institutions.

FinCEN's executive said that this arrangement with the IRS has worked, but it is not ideal. "Increasingly, we're finding that with the IRS' many responsibilities, we can't respond as quickly to our internal and stakeholders' requirements" for information, he said. "It's also not convenient." He said that it takes 30 days from when reports are filed to when the information is available to FinCEN users.

As a result, Treasury officials recently launched a project called BSA Direct, a new data warehouse at FinCEN, under an $18.5 million, one-year contract with EDS. "BSA" comes from the Bank Secrecy Act.

BSA Direct will receive source data, cleanse it and load it into a database that can be accessed remotely or locally using secure online connections. Users will be able to query the data as well as analyze and mine it for their specific needs.

The data warehouse will use NCR's Teradata software and TeraMiner tools for data analysis. The products were selected in part because of their track record supporting many users and managing extremely large datasets, according to program officials. In fact, when BSA Direct launches in October 2005, FinCEN officials expect the warehouse to support 2,000 registered users and 200 concurrent users. It will eventually scale to 10,000 users, 400 concurrently.

The FinCEN executive said he hopes the solution will help improve data quality agencywide. "We have a data quality issue because of the nature of the way the data is collected," he said. "In BSA Direct, we're doing a data analysis to determine the extent of the data quality issues we face. We know we're going to be able to address that in a great degree with this tool."

In particular, BSA Direct has the ability to receive information electronically and directly from financial institutions, instead of the current requirement of passing through the IRS first. This will eliminate manual keying errors each time the data is transferred from one location to another. The ease of online filing also will encourage more online report filing, the FinCEN official said. Only 5 percent of the reports received now are electronic.

Although the project seems to be on the right track technologically, FinCEN officials have been careful to address cultural issues. The FinCEN executive said he has received various reactions to the system.

"The IT community here at FinCEN is used to using an older-generation system," he said. "We are working hard to describe to people what they are going to have in their hands, as opposed to what they have right now. They understand that they will need to be thinking outside of the box."

To alleviate some of the expected transition stress, FinCEN officials got users involved in the process early on, including during the preliminary requirement-gathering stage before the contract was even awarded.

Agency officials also have worked to match FinCEN users with EDS staff to enable them to become familiar with the technology as it is being implemented.

Other views

The move to improve FinCEN's data collection and analysis capabilities is a step in the right direction, but skeptics believe a single database project is an antiquated way to solve data-management problems.

"If I'm looking for financial information, it means that I only need to map to one database to get that part of the answer," said Dick Baer, an independent consultant who serves as the technical adviser to the director of the Washington, D.C./Baltimore High Intensity Drug Trafficking Area (HIDTA), which is part of the Office of National Drug Control Policy. "But if I'm a terrorism analyst looking for information from many sources, a distributed search becomes powerful."

Baer said HIDTA officials use a distributed database, where analysts can make an online query and access information in databases of HIDTA departments nationwide.

He points to the FBI as an agency where this type of technology would be useful for tracking money laundering. "The FBI is both a source and a user of multiple sources of databases," he said. "When they're looking for a problem, they might need more information than they'll find in their own holdings."

Poolesville, Md.-based Visual Analytics is one vendor that is offering this type of solution, and it counts the IRS as a customer, although not exclusively for information about money laundering. Company officials leave information in whatever data warehouse it is stored in, then query that warehouse based on a search's needs, said Chris Westphal, the company's chief executive officer.

"You're only accessing what you need, and getting information immediately," he said.

The company's model may soon get more attention, based on recommendations in the 9-11 Commission's report. The report's Unity of Effort in Sharing Information section states, "Agencies would still have their own databases, but those databases would be searchable across agency lines."

*ou Agosta, a principal analyst at Forrester Research, said the technology exists to meet the government's counterterrorism needs, but IT alone is not enough. "We now have technology that is capable of parsing large volumes of text," he said. "But there's still a lot of guesswork involved. There's a human aspect to analyzing data, so we're going to have to build a case for education."

Data sharing also is a stumbling block to taking on major data warehousing projects. According to a recent report from the Government Accountability Office, of the 34 major networks that support homeland security functions, only six share information with state and local governments, and four share information with the private sector.

Wayne Comer, a retired FBI agent who served as the associate special agent in charge of Philadelphia's field division, said information sharing is a cultural challenge that has not yet been conquered.

"You're trying to overcome decades of holding cards close to the vest," he said. "Every FBI office has a joint terrorism task force, and they're supposed to be sharing information with [DHS], the CIA and others. After spending 28 years as an FBI executive, I'm very speculative about that."

Comer has every reason to be doubtful, judging by the commission's report, which states, "The biggest impediment to all-source analysis — to a greater likelihood of connecting the dots — is the human or systemic resistance to sharing information."

Pallay is a New York-based writer who covers technology and business.

***

Key anti-money laundering legislation

According to the Federal Deposit Insurance Corp., the following are the key laws that seek to block companies — and terrorist organizations — from hiding the true nature of their financial transactions.

1970 Bank Secrecy Act

Required banks to report cash transactions of more than $10,000 via Currency Transaction Reports.

1986 Money Laundering Control Act

Criminalized the act of money laundering.

Prohibited structuring transactions to evade Currency Transaction Report filings.

Introduced civil and criminal forfeiture for violations of the Bank Secrecy Act.

1992 Annunzio-Wylie Money Laundering Suppression Act

Required Suspicious Activity Reports and eliminated criminal referrals.

Required verification and recordkeeping for wire transfers.

2001 USA Patriot Act

Required government institutions to share information and asked for voluntary information sharing among financial institutions.

Mandated creation of a program for verification of customer identities.

Required enhanced due-diligence programs.

Required the financial services industry to institute programs to block money laundering.

Info-sharing challenges

Homeland security-focused information sharing and analysis systems, including those that monitor financial transactions, have suffered from weaknesses. Among them:

* Systems are susceptible to single points of failure for analyzing and communicating information.

* Systems are designed mainly to flow information up, to senior officials, and not down, to operational entities, or out, to the edges of the network.

* Systems do not adequately support real-time operations.

* Many critical information repositories are not compatible with the analytical tools, and many still are not accessible online to analysts.

* It is difficult to sort the important signals of potential terrorist activity from the noise.

* Analytical tools are outdated and incapable of dealing with the current volume of data.

* State, local and commercial information is not well used.

* Many people are concerned about potential misuses of private information.

* Clear lines of authority and responsibilities for information sharing and analysis have not been established.

Source: Markle Foundation

BY Jessica Pallay
Published on Dec. 6, 2004

More Related Links

Who's Fed 100-worthy?

Nominations are now open for the 2015 Federal 100 awards. Get the details and submit your picks!

Featured

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above