The USA Patriot’s Act (“USAPA”), a response to September 11, changes 15 federal statutes designed to thwart money laundering and financing of terrorist activities. While the purpose is laudable, the effectiveness is questionable and the measure conflicts with a key federal law on financial privacy.

Enacted last October, USAPA is directly at odds with the Gramm-Leach-Bliley Act, a federal financial privacy law, because it requires banks to share customer information without telling them. Financial institutions must now identify and report suspicious transactions to the Financial Crimes Enforcement Network (“FinCEN”) a sub-agency within the U.S. Treasury Department. This information can be shared with other governmental agencies. The regulations also “encourage” financial institutions to share this information with other financial institutions—all without the customer’s knowledge.

Requests for information from FinCEN must be responded to within 120 hours (five calendar days). Strict confidentiality requirements regarding the handling of these information requests have also been imposed. Customers may not be informed that they are the subject of an inquiry—a dramatic change from the previous provisions of the Bank Secrecy Act and the Right to Financial Privacy Act which mandated that customer information not be disclosed absent a proper warrant, subpoena or other legal process.

Complying with USAPA forces financial institutions to renege on commitments made to customers in their privacy policies and to violate obligations imposed by other laws and regulations to safeguard customer information. No attempt has been made to reconcile these conflicts. Many more financial institutions not previously subject to the Bank Secrecy Act will now find themselves subject to USAPA.

By the end of this summer, broker dealers, money service businesses, the local check cashing store and even casinos will be within the reach of this law. Many will be forced to incur costs not previously contemplated to establish compliance programs, institute employee education, designate an individual or individuals whose job it is to comply with the Act, and institute independent audit processes to insure compliance, all in the name of enhancing procedures against money laundering.

Financial services companies are expected to spend approximately $120 million on technology related projects this year, and that number is expected to increase by at least 15 percent next year with much of the increase allocated to USAPA-related projects. Proposed customer identification and authentication regulations have been published for comment and will be finalized by October 25, 2002.

All financial institutions will need to have procedures in place to verify the identity of any person, firm, or entity seeking to open an account; maintain records for at least 5 years of the information used to identify the person, firm or entity; and determine whether any prospective customer is on any list of suspected terrorists or terrorist organizations. As they implement these regulations, financial institutions will also be expected to comply with all the federal equal-opportunity laws.

Every financial institution needs to be prepared to report when requested by FinCEN or its regulatory partners (Federal Reserve Board, OCC, FDIC, SEC, etc.) on the customer identification information in its records, payment and transaction details, and any other correspondent or business relationships related to the transactions in question.

The new retention and retrieval requirements will demand enhanced databases and appropriate filters to spot the types of money laundering transactions that must be reported to FinCEN and its regulatory partners. Reputation risk concerns will mandate compliance. No institution will want to suffer the ignominy of having suspicious transactions pass through its books.

The effectiveness of these new regulations in catching terrorists is open to question. Sometimes gathering too much data renders it useless. The computing and analytic power needed to make sense of all the data that government agencies require will be immense.

But there can be no question that compliance with USAPA will be tricky, potentially onerous, and expensive, not to mention somewhat inappropriate.

Financial institutions are not run by detectives, but soon they will take on a new spy job on behalf of government bureaucracies at the same time as being held accountable for privacy responsibilities to their customers. Legislators need to strike a better balance between the customer’s need for privacy and the security measures required to combat terrorist activities.

Marc Loewenthal is President of Phoenix Funding Group LLC. He is the former Chief Privacy Officer for Providian Financial Corporation.