Pop quiz – what do these people have in common: members of an Al Qaeda cell in Lackawanna, New York; a cruise ship passenger who left threatening notes in a bathroom of the Royal Caribbean's Legend of the Seas; a child pornographer in Indiana; a kidnapper in West Virginia, and hackers in California who had launched DoS attacks against ISPs?
All have been investigated and convicted thanks to Patriot Act provisions.
Confused? Join the club.
On October 26, 2001, President Bush signed into law the Patriot Act. It comprises ten elements providing stronger surveillance powers and criminal laws against terrorism, improving intelligence, and combating money laundering by requiring industry to monitor suspicious transactions.
In a nutshell, the Act mandates that affected businesses improve how they protect and control the systems within the enterprise and across partner, supplier and customer chains.
The underlying philosophy is that if organizations can enhance accountability, ensure data integrity, mitigate risk and streamline operations, they will be in a much better position to identify suspicious transactions or inform law enforcement during a criminal investigation.
Whatever your personal opinion on the matter, one thing is certain – the law embodies the phrases "vague" and "difficult to follow."
The Act amends dozens of existing laws, making it necessary to cross-reference multiple acts to make sense of it. So who needs to comply?
"Affected industries" might include financial institutions, ISPs, libraries, educational institutions, and/or any business transacting money.
Companies that fail to comply with the Act face criminal penalties of up to $1 million per incident. Civil fines of up to $250,000 per incident may also be levied. Executives may be personally fined or even imprisoned, depending on the severity of the violation.
But where is it going?
It is reasonable to assume that most of the Patriot Act will remain in force, or be renewed intact.
The best course to steer seems to be to start by knowing who your customers are, and what they do:
- Verify the identity of any person or enterprise seeking to open an account;
- Maintain accurate records that document how each identity was verified;
- Check each account against the government's interdiction lists, such as those published by the Office of Foreign Assets Control (OFAC);
- Scrutinize the accounts of "politically exposed persons" (such as foreign politicians) to verify the source of funds;
- While affected industries are not responsible for proactively investigating criminal activity, you must be able to reliably detect, investigate and report abnormal or unlawful customer behavior;
- Identify whether your customer is doing business with an interdicted party.
You must also investigate suspicious activities and file suspicious activity reports:
- Suspicious activity reports must be filed if you "know, suspect or have reason to suspect" that a transaction involves funds that arise from illegal activities of any kind;
- You are also responsible for reporting if your customer is engaged in "suspicious behavior" relevant to any possible violation of law or regulation (not just money laundering);
- Ensure all information collected regarding your customer and their activities can be searched, retrieved and reported expeditiously.
You must be able to answer requests for information pursuant to the Act within 120 hours (five days) of receipt. Written requests from law enforcement agencies must be fulfilled within seven days.
Can technology solve this problem? Unfortunately, there is no such thing as a comprehensive solution.
My advice is to analyze and assess your weaknesses in meeting the requirements above, and seek the technology that best addresses those tactical problems.
Choose the technology that best reduces your risk of non-compliance, and wait for the market to catch up with you.
Kristin Lovejoy is chief technologist and vice-president of technology and services at Consul Risk Management, Inc.