As the U.S. Patriot Act and other controversial legislation threaten to make criminals of bankers, librarians, and others, those same people are hoping an old friend, software, will keep them out of trouble.
“The last thing these people want is to be on the front page for noncompliance,” explained Steven Lindseth, founder and Chairman of Axentis.
Axentis recently released the results of a six-month study; it indicates that most companies are still scrambling to implement operations to comply with legislation such as the Patriot Act, Sarbanes-Oxley, and the Health Insurance Portability and Accountability Act (HIPAA). And just as they’re figuring out that much, the Domestic Security Enhancement Act of 2003, or “Son of Patriot Act,” is coming soon.
As they scramble, they also realize the legislation is more than a little vague and comes with no guarantees. “There is no silver bullet,” said Jeff Guilfoyle, founding partner and vice president of e-security for Solutionary, Inc. “There is nothing you can do that will guarantee you are fully compliant.”
That bitter fact was clear before President George Bush signed the Patriot Act in October 2001. The act broadly expanded law enforcement’s surveillance and investigative powers. It also, for the first time, made businesses responsible for seeking, detecting, and reporting computer trespasses. Banks, in particular, are expected to identify, discover, gather, amass, investigate, and report on financial activity to a far greater degree and depth than ever before.
“For example, they may need to verify not only the owner of an account but also the originator of a transaction involving that account, the individual at the bank who may have approved a transaction, and any other individuals who may have been involved in executing that transaction,” Lee Kidder, TowerGroup wholesale banking director, said in an interview released by Sun Microsystems. “If the transaction failed, they will need to know why it failed and how it was reconciled. In other words, every financial transaction has multiple tidbits of information associated with it, and the new regulations are forcing banks to be able to break down that transaction more and more finely so that the tidbits of information can be sorted and reassembled according to reporting requirements.”
Penalties and culpability
The penalties for not complying with the Patriot Act are steep. A bank could face a $1 million fine for a civil or criminal violation, plus complete forfeiture of any money it may have loaned to an individual or group found to be questionable. Individual executives can also be fined. Then there’s the inevitable bad press about activities labeled not only criminal but traitorous.
“A lot of these transactions are handled completely over the Internet,” Guilfoyle pointed out. This means an account can be opened and money can flow in and out of it without any face-to-face contact between the financial institution and the account holder. It doesn’t take much imagination to realize how easy it could be for a terrorist or anyone else to open an account or compromise an existing one to launder money. And the thought of being held potentially culpable in that illegal activity is enough to keep any bank president up nights.
Businesses and business executives need to know what they’re going to tell law enforcement “or the jury” if the worst should happen, Lindseth warned. “If it happens and they don’t know about it and they don’t find out about it and they don’t report it, then they’ve broken the law,” he said.
It wasn’t long before companies like Axentis and Solutionary began hearing from banks, librarians, universities, and others covered by the act. “The question became, is there a way to apply software to this problem,” Lindseth said.
That’s no surprise, according to Guilfoyle. After all, the banking industry has long used software for accounting, security, online encryption, and day-to-day procedures that include separation of duties and need-to-know. It was only logical they would expect software to help them with the Patriot Act and other legislation.
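To make concrete what the per-transaction record Kidder describes (owner, originator, approving employee, failure reason, reconciliation) and the separation-of-duties control mentioned above look like in code, here is an added example. It is not from the article and is not Axentis or Solutionary software; the ledger, the field names, and the employee and account names in the scenario are all constructed for illustration.

```python
"""Added example (not from the article or from Axentis/Solutionary software):
a minimal transaction ledger that records the per-transaction facts Kidder
lists (account owner, originator, approving employee, outcome, failure reason,
reconciliation) and enforces separation of duties so that whoever originates a
transaction cannot also approve it. All names and amounts are constructed."""

from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Optional


class SeparationOfDutiesError(Exception):
    """Raised when one person tries to both originate and approve a transaction."""


@dataclass
class TransactionRecord:
    txn_id: str
    account_owner: str
    originator: str                  # who initiated the transfer (may be the customer)
    amount: float
    approver: Optional[str] = None   # bank employee who approved it
    status: str = "pending"          # pending | approved | failed | reconciled
    failure_reason: Optional[str] = None
    reconciled_by: Optional[str] = None
    events: list = field(default_factory=list)  # append-only audit trail

    def log(self, actor: str, action: str, detail: str = "") -> None:
        self.events.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "detail": detail,
        })


class Ledger:
    def __init__(self) -> None:
        self.records: dict[str, TransactionRecord] = {}

    def originate(self, txn_id: str, account_owner: str,
                  originator: str, amount: float) -> TransactionRecord:
        rec = TransactionRecord(txn_id, account_owner, originator, amount)
        rec.log(originator, "originate", f"amount={amount}")
        self.records[txn_id] = rec
        return rec

    def approve(self, txn_id: str, approver: str) -> TransactionRecord:
        rec = self.records[txn_id]
        if approver == rec.originator:
            # Separation of duties: refuse, but still record the attempt,
            # because the denied attempt is itself something to report on.
            rec.log(approver, "approve_denied", "originator cannot approve own transaction")
            raise SeparationOfDutiesError(txn_id)
        rec.approver = approver
        rec.status = "approved"
        rec.log(approver, "approve")
        return rec

    def fail(self, txn_id: str, actor: str, reason: str) -> TransactionRecord:
        rec = self.records[txn_id]
        rec.status = "failed"
        rec.failure_reason = reason          # "why it failed"
        rec.log(actor, "fail", reason)
        return rec

    def reconcile(self, txn_id: str, actor: str, note: str) -> TransactionRecord:
        rec = self.records[txn_id]
        if rec.status != "failed":
            raise ValueError("only failed transactions are reconciled")
        rec.status = "reconciled"
        rec.reconciled_by = actor            # "how it was reconciled"
        rec.log(actor, "reconcile", note)
        return rec

    def report(self, **filters) -> list:
        """Reassemble the per-transaction facts for a reporting query,
        e.g. report(status="reconciled") or report(approver="officer-bob")."""
        rows = []
        for rec in self.records.values():
            row = asdict(rec)
            if all(row.get(k) == v for k, v in filters.items()):
                rows.append(row)
        return rows


def demo() -> Ledger:
    """Constructed scenario: one clean approval, one SoD violation, one failure."""
    ledger = Ledger()
    ledger.originate("T1", "acme-llc", "teller-ana", 25000.0)
    ledger.approve("T1", "officer-bob")
    ledger.originate("T2", "acme-llc", "teller-ana", 9900.0)
    try:
        ledger.approve("T2", "teller-ana")   # same person: denied and logged
    except SeparationOfDutiesError:
        pass
    ledger.originate("T3", "jdoe", "jdoe", 1200.0)
    ledger.fail("T3", "core-banking", "insufficient funds")
    ledger.reconcile("T3", "ops-carol", "customer notified, retried next day")
    return ledger


if __name__ == "__main__":
    for row in demo().report():
        print(row["txn_id"], row["status"], row["approver"], row["failure_reason"])
```

The point of keeping `events` append-only and logging the denied approval is that a regulator asking "who tried to do what, and when" gets the denied attempt as well as the successful ones; the `report()` filters are the "sort and reassemble" step Kidder describes.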
“We take this very seriously,” Guilfoyle said. “And not just because this is our business, but because this concerns our economy, and this concerns our nation.”
Axentis has implemented in its own software, Axentis Enterprise (AE), the seven elements in the Governance & Compliance Management System, as determined by The United States Sentencing Commission and Office of Inspector General:
- Policies and procedures
- High-level oversight
- Decentralized administration and proper delegation
- Established communication channels
- Auditing, monitoring, and reporting
- Uniform enforcement
- Prevention of further offenses
While companies like Axentis and Solutionary have developed software to help with compliance, many of their customers and would-be customers are still mired in implementing solutions. Axentis recently issued a report on its study in which in-depth interviews were conducted Oct. 1, 2002, to March 12, 2003, with chief compliance officers and managers of Fortune 1000 companies. The study found that 92 percent don’t know how to implement operations to keep their companies in compliance. “While the companies we interviewed have implemented tools to assess risk and assess control objectives for a company within appropriate standards, most don’t have the operations in place to stay in compliance,” Lindseth said in a press release issued with the results of the study.
“If companies can’t get a stay-in-compliance program in place, they will be in a never-ending situation like a dog chasing its tail. They will never be in compliance; they will just be scrambling in perpetuity to get in compliance.”
And Lindseth isn’t kidding; more legislation is on its way. This past winter, a draft of the Domestic Security Enhancement Act of 2003 was leaked to the public. While it’s difficult to say what the final version of this new legislation will mean to private business and industry, it’s clear that the Bush Administration is developing a comprehensive package to give the government even broader, more sweeping powers aimed at domestic intelligence gathering, surveillance, and law enforcement.
The present Patriot Act and the next one both have their detractors. Critics say the act is unconstitutional, and that it criminalizes acts that once were legal while reducing judicial review and public access to information. Industry watchers expect it to be challenged in the courts. Even if the Patriot Act were someday overturned, it’s in place now, and private business and industry needs to be concerned about it. “Whether you agree with it or not, you have to comply with it,” Guilfoyle said. “The limits will be better defined as this goes on.”
You can find more information on the Patriot Act, compliance, and related issues from these sources: