COLUMBIA, S.C. – Credit unions' most visible technology providers, their core data processors, are gearing up to help their clients meet the requirements of the new USA PATRIOT Act. Implementation of the new law has been delayed from its original Oct. 26 effective date, but financial institutions know they'll soon fall under its requirements – including Section 326. Credit Union Times checked with six representative core processors – CUSA Technologies, EDS, Harland Financial Solutions, Liberty FiTECH, Open Solutions Inc. and USERS Inc. – and found that all, in various ways, were involved with helping credit unions handle the coming requirements. Of course, so are compliance specialists like Bankers Systems Inc., Bridger Systems and eFunds Corp's ChexSystems. Whether it's with third-party or in-house solutions, the fix is on. And just like the war on terrorism, the task is not expected to be simple, swift or cheap. "Section 326 requires that a financial institution implement risk management procedures to ensure that to the greatest extent possible it knows its customers and has a reasonable belief in its identities," says Breffni McGuire, senior analyst for global payments with TowerGroup. And while the details are still being worked out, McGuire says, at a minimum credit unions will be required to: * Verify the identity of any person opening an account (including all signatories) to the extent that is reasonable and practicable. * Maintain records of the verification information. * Determine if the person is listed on any government-supplied list of suspected or known terrorists or terrorist groups. A soon-to-be-familiar acronym is emerging from this – the CIP, the customer identification program. McGuire says the CIP will be the "cornerstone of the new regulation." "Financial institutions have done some level of customer identity checking for years, but the new requirement for a CIP casts in concrete how FI's must do this going forward, and emphasizes verification of identity over simply checking identification data," says McGuire, author of a new research report on the topic. "As the U.S. has no national verification standard, an institution must use a range of data and methods to ensure it has a reasonable belief that the prospective customer is who he or she claims to be," McGuire says. The credit union industry's two major trade groups, CUNA and NAFCU, have sought to delay implementation but support its passage and its intent. "At this point, we're educating our members as to what the act requires and how to do verifications," says Eric Envall, NAFCU regulatory compliance counsel. "The tools are out there to help with verifications, and I'm not surprised the major vendors are getting involved in providing software to help with this," Envall says. "I'm sure we'll see more of these kinds of services developing to meet that need." The CIP has three requirements, identity verification (including standards of minimum information), recordkeeping and consulting government terrorist lists. These can be costly and complicated. So what's a credit union to do? "A baseline familiarity with the act's requirements and its own account opening process are good first steps," says McGuire, the TowerGroup analyst. "From this, an institution can assess where there are gaps or changes to be made in its account-opening processes and develop a checklist of action items, including not only internal steps but also issues that may need resolution with a regulator," McGuire says. She also suggests that credit unions consider getting its business units involved by tying performance to operational and staff metrics to help ensure that CIP procedures are actually implemented. "Once the program is in place," McGuire says, "technology can provide tangible benefits – the draft regulation actually recommends IT usage. "Technology also provides automated proof of compliance and risk management, which is regarded favorably by regulators and government agencies." Besides pleasing regulators, such thorough, automated checks of member lists can save money from being lost to evil-doers without political agendas: those who simply are interested in stealing. That's according to Sue Pogatschnik, credit union market manager for compliance specialists Bankers Systems Inc., which says one of three credit unions in the country has used its services in the past two years. The company has a new identity-verification software program called IDFlag, which enables credit unions to perform Internet searches, in real time and in batches, that will meet Section 326 requirements, Pogatschnik says. BSI says one potential client recently asked the company to run a check on a list of member names. Three members were identified as potential high risk, and those three members had indeed already been costly. "If they had been using IDFlag, they could have prevented the credit union from losing thousands of dollars," Pogatschnik says. Most credit unions will be able to use BSI products on their existing software, and Web-based solutions like IDFlag have the added advantage of being updatable without in-house installations into systems core processors are servicing at individual credit unions, BSI says. Here's what those above-mentioned six core processors, representing about 3,500 credit union DP clients, had to say about helping with Section 326: * CUSA Technologies: The Utah-based core processor is coordinating its efforts through an in-house department – The Resource Group. "As soon as there are definitive requirements set by the Treasury Department, CUSA Technologies will issue a `Statement of Direction' to our clients, listing steps required by credits unions to comply with the regulations," says Adrienne Wilson, vice president for The Resource Group. "If the client is using The Resource Group to perform checks against published lists (like the OFAC money-laundering list), then there will be no technology demands made on the client," Wilson says. "We will transmit a copy of the client's membership base on a monthly basis and perform scrubs every time the list changes. She says the only action required by the credit union will be to perform new member matches against the published list accessible through CUSA's Web site. CUSA clients not using The Resource Group will have to do it themselves or hire a third party to do it at "considerably more cost," Wilson says. * EDS: The Texas-based technology giant has several systems in place to help keep track of new account openings and old members alike, and more on the way. "We intend to automate the process as much as it makes sense to automate it," says Kay Leaks of EDS' Credit Union Industry Group's Financial Services Regulatory Compliance. "We will continue to watch the practical implementation of the regulation and see how we can best support our customers via system development on our end," Leaks says. The Section 326 compliance effort will likely follow the technology trail being established by EDS' newly introduced OFAC product, which compares member lists with the government list. Leaks says clients "were anxiously awaiting it and are signing up rapidly. There is both a batch and real-time component to this effort. It will be critical for us to help in both areas to ensure full coverage of credit union activities." She adds: "Financial institutions have been identifying customers, at new account opening at least, for ever." The increased liability this time for a credit union to be able to prove it has assessed the risks and establish a reasonable belief that it knows the true identity of a member raises the bar, however. * Harland Financial Solutions: Clients of California-based HFS, including ULTRADATA users, can use an HFS-supplied interface to third-party software such as Bridger Systems' Homeland Tracker to comply with existing and upcoming OFAC and PATRIOT Act requirements, says Pamela Harris, HFS product manager. "Some of our customers also employ services such as ChexSystem and Equifax to assist them in screening and identifying account applicants. This information can be stored on the ULTRADATA host application using a program available for maintaining member/consumer derogatory files," Harris says. And, to help prove that extensive measures are taken, "our OnBase document imaging solution, integrated with ULTRADATA, provides a feature for member ID generation and storage and signature capture that provides another opportunity to identify and verify member information," the HFS product manager says. Harris also says that because "we began our communication and education process early, in October of 2001, our customers are in good shape moving forward and feel prepared and ready." * Liberty FiTECH: Liberty FiTECH's parent company, Minnesota-based Liberty Enterprises, is using its relationship with ChexSystems to provide account-opening verification services. Liberty and eFunds Corp. (ChexSystems' owner) inked a deal in June to provide direct, Web-based access to ChexSystems to Liberty's client list of 5,200 credit unions, including the couple hundred who are core processing customers of Liberty FiTECH. Along with USA PATRIOT Act compliance, users can use anti-fraud and OFAC screening features. Liberty was the first to sign up for the direct Web service, which also uses XML as the messaging standard, to save on the telecommunications costs if a traditional mainframe connection had to be used. A typical look at prices for this kind of service was provided by eFunds. For instance, the charge for a check against OFAC's most current list was 2 cents per name for 50,000 to 250,000 names, 1.5 cent for the up to 1 million names and 1 cent for additional names over 1 million. There's a $950 minimum charge for less than 50,000 names. * Open Solutions Inc.: At Connecticut-based OSI, compliance will be an internal affair. "The Complete Credit Union Solution platform inherently has the tools that will help credit unions meet these demands," says Lizette Nigro, OSI's product manager for retail delivery. "Our person-centric relational database and platform allow the credit union to assign information-gathering rules for each new member. A member representative would not be able to add a new person to the system if the credit union rules are not followed," Nigro says. Those rules, set by the credit unions, can include address, official identifications and government list verifications. "It has always been a priority at OSI to provide clients with these types of person-centric information retention capabilities, so technology demands will not be an issue," Nigro adds. She notes that gathering data is not new for credit unions. The new CIP requirements to be able to prove those efforts are. "It will primarily be a strategy and process change for them," she says. * USERS Inc.: "It's important to keep in mind that complying with the PATRIOT Act isn't solely a technology issue. It will likely require changes in how the credit union operates on many levels." That observation comes from Sal LaBricciosa, vice president of core services for Pennsylvania-based USERS Inc. He adds: "It's also important to remember that the PATRIOT Act is still very broad and lacks specific details . For instance, it specifies that financial institutions need to be sure they know who they are transacting business with, but it's entirely up to the credit union to decide how to accomplish that goal." LaBricciosa says USERS is helping its clients meet the rules by providing easy access to member data in its core DataSafe system, which itself is based on the open, post-relational Cache database from InterSystems. That allows the credit unions to easily use third-party solutions "for `scrubbing' their member data by comparing it against federally provided databases." Or they can do it themselves. "Because our core system is SQL-compliant, those clients can use SQL queries to extract the data they need and import it into other specialty applications," LaBricciosa says. -

[email protected]