The USA PATRIOT Act affects more than traditional financial institutions like banks, securities dealers, investment banks and insurance companies. The law, which aims to root out sources of terrorist funding, includes tough compliance provisions for everything from the largest international financier down to the corner travel agent.
Indeed, the U.S. Postal Service doesn't fit the classic definition of a financial institution. Yet the USPS has been specifically designated a financial institution in the USA PATRIOT Act, along with casino operators, auto dealers and jewelry merchants.
The good news is that both old and "new" financial institutions will not have to undergo USA PATRIOT Act changes on their own. Financial industry groups such as BAFT and BITS, the technology arm of the Financial Services Roundtable, have stepped into the fray, identifying potential risk areas and offering best practice solutions. Technology vendors are also doing their part, such as Information Builders, a New York-based enterprise software firm that developed a compliance system for the U.S. Postal Service.
Furthermore, the U.S. government intends to work hand-in-hand with financial institutions to ensure the security of the international financial system. The government's point man for the fight against terrorist funding is Jimmy Gurule, under secretary for enforcement at the U.S. Treasury. The objective of his campaign: a ubiquitous international financial intelligence network.
The war on terrorism will be won with information, not military might, said Gurule at the Executive Technology Forum, recently held in New York City. "Ultimately, we will win, but only if we work closely and cooperatively to build a partnership of unprecedented dimensions."
However, with the expanded universe of financial institutions, the Treasury could soon find itself drowning in information. Its financial crimes enforcement unit, FinCEN, already receives an average of 12 million currency reports per year, many of them superfluous. "Unfortunately, upwards of 40 percent of the transactions that are received by FinCEN have little or no value to law enforcement," said Gurule. "It's frustrating for both of us."
Financial institutions tend to file suspicious activity reports on ordinary business activities, even when they involve well-known, blue-chip companies. "Those types of businesses or transactions are exempt, and there are statutory exemptions from disclosing those," said Gurule. "But nonetheless, we receive them."
Instead of raw information, what the Treasury really needs is intelligence and insight. "We need to think creatively, in an effort to identify the very devious, complex schemes that are used by terrorist organizations and terrorist sympathizers to raise money domestically and internationally," said Gurule.
Terrorists also recognize the importance of the banking community to the war effort. "The financial industry is very much a target, including the payment and settlement systems," said Catherine Allen, CEO of BITS. "We do believe there will be another event. It's likely to be a combination cyberattack and physical attack, and we do believe that we're the targets."
BITS has come up with the financial services industry equivalent of the Worst-Case Scenario Survival Handbook, a best-seller describing how to cope with comparatively mundane scenarios such as fending off sharks and escaping from killer bees.
The worst-case scenarios for the banking industry include a physical attack on multiple institutions in a geographic area; a concentrated cyberattack (e.g., denial-of-service); an attack on financial utilities or clearinghouses; an attack on non-financial utilities such as the telecom or energy grid with ripple effects on financial institutions; a combination of a cyber- and physical attack; and an attack on a "dominant company" impacting a wide swath of the economy.
Should a worst-case scenario occur, companies must plan for a rapid recovery. "If you don't get out of a crisis in the first 10 days, you have a lot of problems coming back," said Joseph LaFleur, senior vice president of the crisis management consulting practice at Marsh, Inc., New York.
Aside from direct attacks, banks also have to defend against more subtle forms of intrusion. "Hacking activity can often be focused on getting names, addresses, telephone numbers and Social Security numbers," said Greg Schaffer, director of the cybercrime prevention and response practice at PricewaterhouseCoopers in New York.
Theft of personal information constitutes one of several ways to establish false credentials. "False identification is the essence of financial crime," said Brendan Hewson, senior vice president of international corporate security for Bank of America, and a former Scotland Yard investigator. "In all money laundering, there is a fraud somewhere."
Banks already incur heavy financial losses as a result of stolen identities. Twenty-nine percent, or $640 million, of the $2.2 billion in check fraud-related losses reported by ABA-member banks in 1999 were due to identity theft. Now, with the added threat of terrorist funding, even more stringent tests are needed to identify and authenticate individuals using the financial system.