07:15 AM
Eileen Colkin Cuneo, InformationWeek

Beyond Compliance

Banks spend millions on software that watches for suspicious transactions and unusual patterns. That's why Wachovia seeks ways to squeeze more value out of compliance tools by extending their use across the business.

The war on terrorism is hitting financial-service companies hard. For more than a year, the government has pressured banks and other financial institutions to report suspicious activity that might indicate money is being funneled to terrorists or laundered to hide its origins. Every couple of months, the Treasury Department proposes rules that force banks to collect more data, dig deeper into databases, and refine their analyses, increasing the regulatory burden on an industry struggling to comply with existing rules. Last week, Treasury extended anti-money-laundering rules to jewel traders and opened discussions on applying them to auto dealers and travel businesses, all industries that handle large monetary transactions.

Many financial-services companies now use IT to spot possible criminal activity. Larger banks, especially, spend millions on software that watches for suspicious transactions and unusual patterns. Small wonder some of those (Wachovia Corp., for example) are looking for ways to squeeze more value out of compliance tools, which provide extensive information on customer behavior, by extending their use across the business.

Before 2001, banks had to closely monitor only high-risk areas, such as private banking, for suspicious activity and report transfers of more than $10,000. The USA Patriot Act, passed in October 2001, added extensive anti-money-laundering rules, requiring financial institutions to report a wider range of suspicious activities. Now a customer transferring $100 a thousand times can be tagged as suspicious, as can two accounts with different names and addresses but the same phone number. And it isn't just data on individuals that's targeted. Mutual funds, corporate accounts, insurance policies, hedge funds: all financial accounts are being examined closely. Complicating the picture: There are no agreed-upon definitions of what constitutes evidence of money laundering, and no technologies have been designated as satisfying compliance requirements.

Automating this tracking and analysis can cost $100,000 to $10 million, depending on how extensive the effort. U.S. banks and insurance and securities companies will spend $11 billion by the end of 2005 to comply with anti-money-laundering regulations, predicts Celent Communications LLC, a financial-services research company. More than a third of that will go to software, hardware, and IT maintenance.

Given the high price, finding other uses for these tools makes sense. "We have to look holistically across the company to see if there are other partners that would benefit from this, and if the customer is better off if we involve other parts of the company in this," says Bill Langley, Wachovia's chief compliance officer. He's faced with keeping the financial-services company (the fifth largest in the country with $342 billion in assets) in line with ever-evolving rules, and he knows that noncompliance can be costly. Broadway National Bank in New York was fined $4 million in November for failing to establish a federally mandated anti-money-laundering program, among other lapses.

Technology is the key to compliance, Langley says. "We've been asked to ferret out transactions that might be money laundering," he says, and with nearly 30 million customers, that's a lot of transactions. It's important that compliance software be able to handle volume, look at every kind of transaction, offer several interfaces, and come with good reporting tools, says Langley, who's working with director of IT Dwayne Allen to evaluate products. Allen's staff will make sure the software meets performance standards and is compatible with existing systems.

At least a dozen vendors, including SAS Institute, Sybase, and Sun Microsystems in partnership with Mantas, have tools that help with compliance. SAS, one of the vendors on Wachovia's shortlist, has data-mining tools that Langley says will identify abnormal transactions. SAS entered the anti-money-laundering software market last year with data-gathering and reporting software that lets customers modify and prioritize the logic that determines what data gets collected and how it's assessed. The software refines business rules and formulates new ones to increase the accuracy of its automatic detection engine. Analytics help weigh rules violations and rank suspicious behavior.

Using one system to analyze customer transactions across all parts of a business is essential as criminals find ways around new rules. Mantas Corp.'s anti-money-laundering system runs on Sun's computers and performs link analysis, examining all transactions for suspicious behavior. That paid off for one of Mantas' clients when the system flagged a bunch of small, seemingly unconnected perfume companies in Texas that were making frequent transactions with a large Northeastern manufacturer. "On the surface, they all looked like fine firms, but looking at the aggregate behavior, there were problems," says Jeffrey Jones, head of Mantas' business development. That case has been turned over to law-enforcement officials.

Langley's ultimate vision is that the technology will provide returns in other parts of Wachovia's business, such as customer service. And vendors are picking up on ways to turn the compliance effort into business opportunities. Ten-year-old Searchspace Corp.'s transaction-monitoring system has an application to identify possible money-laundering activity. But other apps address business needs, such as detecting fraud and monitoring sales practices. For example, a brokerage firm could use the system to monitor for internal abuses, such as insider trading, or track brokers' sales performance. "If you have a solution that can look at every transaction across the organization, can understand the behavior of every customer transaction on every product in real time, then why would you only use that platform for money-laundering detection?" says Searchspace CEO Konrad Feldman.

Searchspace clients use the system to identify any bad-apple customers, Feldman says. Eventually, businesses will "leverage this infrastructure purchase to better understand good customers," he says. Searchspace can be integrated with an existing CRM system, so it can exploit underlying analytics in order to make better decisions, Feldman says.

The SAS system, too, can pull data from sources throughout a company (such as existing CRM, market-optimization, or fraud-detection systems), analyze the data, and provide reports for a range of uses. That might include highlighting "suspicious activity or who's my most profitable customer," says Mark Moorman, VP of SAS's financial-services practice.

Many compliance officers, though, don't have the resources, or the inclination, to stay current with the laws and also find ways to deliver ROI to the business. "You've got people scurrying to get the technology to meet the requirements for monitoring bad behavior," says Cathy Allen, CEO of BITS, a technology and strategy group whose members are the 100 largest financial institutions in the United States. What's more, compliance units frequently do the buying, with advice from IT. Because the money isn't coming from IT or line-of-business budgets, it's less likely ROI metrics will be applied.

Some banks, particularly small ones, are waiting to see the full scope of the remaining Patriot Act requirements before investing in tools. "We're waiting until the whole thing is enacted and anticipating a lot more work to go along with it in both back-room and front-end operations," says Bobby Swearengin, VP of operations for Arvest Bank, which has $4.8 billion in assets and provides financial services in Arkansas, Mississippi, and Oklahoma. The bank is able to comply with current regulations using existing software, including a payment-processing system from Fundtech Corp. that automatically scans transactions and compares data with Treasury Department information on suspected terrorists. Arvest also has a custom-developed system that generates daily reports on cash transactions.

Many provisions of the Patriot Act have yet to be finalized, but banks have six months from the time a new provision is passed to get systems and technology in place to handle compliance. Once all the provisions are in place, Arvest will put money into compliance tools and "then maybe we can see if its advantages can go elsewhere," Swearengin says.

The regulatory burden could balloon sooner and faster than many people expect, given the Treasury Department's proposal last week to extend anti-money-laundering rules to other businesses, and the expectation that as early as April Treasury could issue new rules on customer identification. If that happens, financial-service and possibly other companies will have another huge and expensive compliance task to digest and share with other parts of their businesses.

For the complete version of this story, visit http://informationweek.com/story/

This article originally appeared in InformationWeek, a weekly magazine that combines the goals of business with technology to help you make the strategic decisions that affect your company's bottom line. Visit InformationWeek at: http://www.informationweek.com/
