The war on terrorism is hitting financial-service companies hard. For more than a year, the government has pressured banks and other financial institutions to report suspicious activity that might indicate money is being funneled to terrorists or laundered to hide its origins. Every couple of months, the Treasury Department proposes rules that force banks to collect more data, dig deeper into databases, and refine their analyses, increasing the regulatory burden on an industry struggling to comply with existing rules. Last week, Treasury extended anti-money-laundering rules to jewel traders and opened discussions on applying them to auto dealers and travel businesses, all industries that handle large monetary transactions.
Many financial-services companies now use IT to spot possible criminal activity. Larger banks, especially, spend millions on software that watches for suspicious transactions and unusual patterns. Small wonder some of those-Wachovia Corp., for example-are looking for ways to squeeze more value out of compliance tools, which provide extensive information on customer behavior, by extending their use across the business.
Before 2001, banks had to closely monitor only high-risk areas, such as private banking, for suspicious activity and report transfers of more than $10,000. The USA Patriot Act, passed in October 2001, added extensive anti-money-laundering rules, requiring financial institutions to report a wider range of suspicious activities. Now a customer transferring $100 a thousand times can be tagged as suspicious, as can two accounts with different names and addresses but the same phone number. And it isn't just data on individuals that's targeted. Mutual funds, corporate accounts, insurance policies, hedge funds-all financial accounts-are being examined closely. Complicating the picture: There are no agreed-upon definitions of what constitutes evidence of money laundering, and no technologies have been designated as satisfying compliance requirements.
Automating this tracking and analysis can cost $100,000 to $10 million, depending on how extensive the effort. U.S. banks and insurance and securities companies will spend $11 billion by the end of 2005 to comply with anti-money-laundering regulations, predicts Celent Communications LLC, a financial-services research company. More than a third of that will go to software, hardware, and IT maintenance.
Wachovia is looking for other ways to use the data and analysis that regulatory-compliance tools generate, says the bank's chief compliance officer, Langley.
Technology is the key to compliance, Langley says. "We've been asked to ferret out transactions that might be money laundering," he says, and with nearly 30 million customers, that's a lot of transactions. It's important that compliance software be able to handle volume, look at every kind of transaction, offer several interfaces, and come with good reporting tools, says Langley, who's working with director of IT Dwayne Allen to evaluate products. Allen's staff will make sure the software meets performance standards and is compatible with existing systems.
At least a dozen vendors, including SAS Institute, Sybase, and Sun Microsystems in partnership with Mantas, have tools that help with compliance. SAS, one of the vendors on Wachovia's shortlist, has data-mining tools that Langley says will identify abnormal transactions. SAS entered the anti-money-laundering software market last year with data-gathering and reporting software that lets customers modify and prioritize the logic that determines what data gets collected and how it's assessed. The software refines business rules and formulates new ones to increase the accuracy of its automatic detection engine. Analytics help weigh rules violations and rank suspicious behavior.
Using one system to analyze customer transactions across all parts of a business is essential as criminals find ways around new rules. Mantas Corp.'s anti-money-laundering system runs on Sun's computers and performs link analysis, examining all transactions for suspicious behavior. That paid off for one of Mantas' clients when the system flagged a bunch of small, seemingly unconnected perfume companies in Texas that were making frequent transactions with a large Northeastern manufacturer. "On the surface, they all looked like fine firms, but looking at the aggregate behavior, there were problems," says Jeffrey Jones, head of Mantas' business development. That case has been turned over to law-enforcement officials.
Langley's ultimate vision is that the technology will provide returns in other parts of Wachovia's business, such as customer service. And vendors are picking up on ways to turn the compliance effort into business opportunities. Ten-year-old Searchspace Corp.'s transaction-monitoring system has an application to identify possible money-laundering activity. But other apps address business needs, such as detecting fraud and monitoring sales practices. For example, a brokerage firm could use the system to monitor for internal abuses, such as insider trading, or track brokers' sales performance. "If you have a solution that can look at every transaction across the organization, can understand the behavior of every customer transaction on every product in real time, then why would you only use that platform for money-laundering detection?" says Searchspace CEO Konrad Feldman.
Searchspace clients use the system to identify any bad-apple customers, Feldman says. Eventually, businesses will "leverage this infrastructure purchase to better understand good customers," he says. Searchspace can be integrated with an existing CRM system, so it can exploit underlying analytics in order to make better decisions, Feldman says.
The SAS system, too, can pull data from sources throughout a company-such as existing CRM, market-optimization, or fraud-detection systems-analyze the data, and provide reports for a range of uses. That might include highlighting "suspicious activity or who's my most profitable customer," says Mark Moorman, VP of SAS's financial-services practice.
Many compliance officers, though, don't have the resources, or the inclination, to stay current with the laws and also find ways to deliver ROI to the business. "You've got people scurrying to get the technology to meet the requirements for monitoring bad behavior," says Cathy Allen, CEO of BITS, a technology and strategy group whose members are the 100 largest financial institutions in the United States. What's more, compliance units frequently do the buying, with advice from IT. Because the money isn't coming from IT or line-of-business budgets, it's less likely ROI metrics will be applied.
Some banks, particularly small ones, are waiting to see the full scope of the remaining Patriot Act requirements before investing in tools. "We're waiting until the whole thing is enacted and anticipating a lot more work to go along with it in both back-room and front-end operations," says Bobby Swearengin, VP of operations for Arvest Bank, which has $4.8 billion in assets and provides financial services in Arkansas, Mississippi, and Oklahoma. The bank is able to comply with current regulations using existing software, including a payment-processing system from Fundtech Corp. that automatically scans transactions and compares data with Treasury Department information on suspected terrorists. Arvest also has a custom-developed system that generates daily reports on cash transactions.
Many provisions of the Patriot Act have yet to be finalized, but banks have six months from the time a new provision is passed to get systems and technology in place to handle compliance. Once all the provisions are in place, Arvest will put money into compliance tools and "then maybe we can see if its ad- vantages can go elsewhere," Swearengin says.
The regulatory burden could balloon sooner and faster than many people expect, given the Treasury Department's proposal last week to extend anti-money-laundering rules to other businesses, and the expectation that as early as April Treasury could issue new rules on customer identification. If that happens, financial-service and possibly other companies will have another huge and expensive compliance task to digest and share with other parts of their businesses.