Tuesday, September 20, 2005 12:31:38 AM
O.T. Sloppy Software? Banks Are Being Held Accountable
September/October 2005 issue
BY JOSHUA KENDALL

http://www.bai.org/bankingstrategies/2005-sep-oct/sloppy/index.asp
Heightened Scrutiny Aims to Instill Discipline in Software Selection.

SYNOPSIS: Since the passage of the Patriot Act in 2001, federal regulators have increasingly turned their attention to monitoring banking software. Late last year, FDIC exams began to discover record-keeping that was not in compliance because of the software used. The consequence: Software is now the subject of more rigorous scrutiny, presenting one more challenge for financial institutions and their software selection teams.

One of the many repercussions of the war on terror has been the imposition of added legislative and regulatory burdens on America’s banks. The government has reached beyond financial institution policies and procedures to impose requirements even on the software used to comply with the anti-money laundering (AML) detection regulations.

Over the past year, in their determination to prevent suspected terrorists from wiring or laundering money, federal banking regulators have become much more vigilant about enforcing the regulatory requirements concerning computer software due diligence. That’s because the functionality and reliability of the software is essential to the success of an AML detection effort.

“Bank examiners had looked at banking software even before the Patriot Act, but banks haven’t always done their part. So, the Federal Deposit Insurance Corp. (FDIC) recently felt a need to underscore the seriousness of these regulations by sending banks a reminder of their responsibilities,” says Breffni McGuire, a senior analyst with Tower Group Inc., based in Needham, Mass.

This reminder took the form of a Financial Institution Letter (FIL), or regulatory guidance, published by the FDIC last November. The guidance did not contain new requirements for implementing anti-terrorism legislation, but rather provided a brief summary of the applicable regulations and laws (see sidebar).

As part of this summary, the FIL stated that banks must “use a documented methodology” when selecting software — either commercial-off-the-shelf or in-house products. In addition, banks must make sure that their software is in compliance with laws such as the Bank Secrecy Act (BSA) and the USA Patriot Act and update their software whenever these laws change.

Although the guidance noted that banks should insert a regulatory requirement clause in their contracts with vendors and service providers, it also made clear that banks are ultimately responsible for the quality of their software. “This FIL stresses that banks can’t blame their software if they are not in full compliance,” says Leonard Steinmetz, a senior manager in the AML practice of Deloitte Financial Advisory Services, based in New York City.

The regulatory guidance provides a unique set of challenges for bankers. Since the end of last year, financial institutions have had to devote considerable time to double-checking that all their software is in compliance and if not, update it or replace it. But the main effect of the increased regulatory scrutiny has been to transform the purchase of all software, but particularly AML software, into a multi-layered endeavor.

Banks can no longer simply select a software product off the shelf that appears likely to fit a need, experts say. Computer software due diligence requires an elaborate selection process in which quality and functionality are evaluated. For example, banks must determine the risks associated with each new product and come up with a strategy for mitigating those risks. Banks also need to take a closer look at the financials of vendors and their track record in providing support services. These compliance activities typically demand a team effort involving dozens of executives from throughout the bank, not just compliance and technology officers.

Vendors’ livelihoods depend on their assurances that their products are in compliance, with some considering this an opportunity to establish a niche in the marketplace. “Our industry is used to dealing with new laws and regulations such as the Patriot Act. But we now have a chance to distinguish ourselves by developing new products that can make compliance easier for our customers,” says George Ravich, a senior vice president at Fundtech, a vendor based in Jersey City, N.J. Ravich cites the example of his company’s new software program, Payment Archive Manager, which enables banks to keep detailed archives of all payment activity.

SMALL BANK RESPONSE

The new software regulations have tended to have more of an impact on small banks. To comply with the regulations of the Patriot Act, large banks have typically updated the systematic, centralized controls they developed in the wake of the Bank Secrecy Act, which was originally passed in 1970. Though large banks must devote extensive resources to engaging in computer software due diligence, they already have teams in place that have long been addressing various compliance and technology issues.

“But small and mid-tier banks often lack these same formalized processes to ensure that their software is in compliance with new regulations,” says TowerGroup’s McGuire.

Although there are exceptions, experts say, the average community bank had not computerized its compliance activities until required to by the passage of the Patriot Act in 2001. That’s when “small banks were forced to give up many age-old manual processes,” says Ravich of Fundtech. For example, Ravich notes, only in the last few years have small banks begun to use software to check their payments against the Specially Designated Nationals and Blocked Persons List kept by the Department of Treasury’s Office of Foreign Assets Control.

Another difference is that large banks generally run software on their own systems, while many community banks outsource. For very small banks, software evaluation often translates into monitoring their service-level agreements rather than commercial or in-house software.

Though community banks may face a less complex task than big banks, they often experience a relatively bigger burden because they usually lack the resources to hire technology or compliance specialists. “The compliance officer at a very small bank is typically wearing a few hats,” says Viveca Ware, director of payments policy for the Independent Community Bankers of America, who describes BSA/AML compliance as “very challenging” and “a necessary evil.”

Consider, for example, Cambridge Trust Company, a mid-tier community bank that has nine retail branches and a full service trust department in the greater Boston/Cambridge metropolitan area. Cambridge Trust relies on Milwaukee-based Metavante Corp. for most of its software needs. Last year, the bank, which has $750 million in assets, renewed its seven-year contract with Metavante.

For Cambridge Trust, computer software due diligence largely takes the form of an annual review of the Metavante contract. According to Lynne Burrow, the bank’s chief information officer, this includes a review by the bank’s management committee of the software functionality, service-level agreement performance and compliance with regulatory requirements. The committee consists of five senior bank managers, including Burrow.

Occasionally, the bank needs to buy additional software to supplement core processing. When that happens, the vendor is selected by a project team, with representatives from the business lines, Information Technology (IT), Risk Management, Audit, Information Security and Marketing. Several vendors are usually asked to make presentations to the team, which requests documentation regarding company financials, software compliance with regulatory requirements, business resumption, confidentiality and information security. The team also conducts interviews with a sampling of the vendor’s current customers. A recommendation is then forwarded to the management committee to obtain ’s quite an undertaking for the 200-employee bank.

LARGE BANK RESPONSE

The more comprehensive large bank efforts can be seen at First Horizon National Corp., which is based in Memphis and has $37.2 billion of assets. The operations risk committee, which includes 20 operations officers from compliance, bank operations, loan operations, risk evaluation and human resources, meets every other month. While the entire group focuses on risk and compliance issues, a subcommittee, composed of the bank’s chief financial officer, the executive vice president and other senior executives, reports back to this committee on its evaluations of new products.

“The Patriot Act didn’t change anything. Our processes work the same way to achieve compliance with any new law,” says chief technology officer Patrick Ruckh, who supervises 450 IT professionals. Generally, about 70% of the bank’s software is commercial and the other 30% is developed in-house. Nearly all of the AML software is off the shelf, Ruckh says.

In assessing software options, the subcommittee considers functionality, cost, technology fit and risks. It also factors in the worthiness of the vendor. Each subcommittee member scores the proposed software on a matrix and the product with the highest score wins. Ruckh says the selection process can take from a few days to six months, depending on the size of the project. The bank recently selected some new AML software after a three-month approval process.

BB&T Corp., based in Winston-Salem, N.C., also conducts an in-depth request-for-proposals process when it considers buying new software, according to Paul Johnson, the bank’s chief information officer. Like First Horizon, BB&T, which has $105.8 billion in assets, relies primarily on commercial software (70%), and all AML software is bought off the shelf.

When analyzing new software products, the bank looks at both the financial and operational strength of vendors. Various regulatory requirement clauses come up during these negotiations, but the bank does not take the vendor’s word for it. “We do our own testing to see if regulatory compliance has been achieved,” Johnson says.

For AML/BSA software, the bank tests performance under certain scenarios. Johnson, who has been at BB&T for about six years, notes that the consumer identification program piece of the Patriot Act “was particularly complicated and took the most work to address. We needed to make some system-level changes so that we could capture more information about our customers,” he says.

Mr. Kendall is a freelance writer based in Boston, Mass.

dude_danny