Occasionally, I find a simple solution to a complex problem that works better than expected. Office of Foreign Assets Control (OFAC) compliance can be difficult. OFAC is the treasury department responsible for, among other things, enforcing the PATRIOT ACT and Terrorism Sanction Regulations regarding blocking financial transactions with suspected terrorists. Basically, OFAC requires you to compare your client list regularly to the published terrorist watch lists. If you find a match, you are required to stop doing business, freeze the money, and contact the Feds.

The hard part of OFAC compliance is matching your clients to the watch list. OFAC publishes a list on a regular basis, but the list is not exactly user friendly. Complicating matters is the fact that the list contains lots of Mohammeds, Usamas, and John Smiths. Most names on the list also have dozens of aliases. Obviously, not everyone named Mohammed doing business with you is a terrorist, so how do you distinguish the good from the bad?

Enter Bridger Insight from ChoicePoint. For about $6K per year, Bridger provides a simple software solution that lets you track your customers against the OFAC list, the Dept of Homeland Security Terrorist Watch List, the FBI Most Wanted List, and numerous international lists from the UK, the UN and Interpol. Bridger matches your customers based upon name, company name, address, phone number, social security #, driver’s license #, passport #, and account #s. The power of the Bridger match is that it creates a ranked score. You can filter your results down, based on a degree of sensitivity to reduce false-positives.

For example, if the list matches your customer named Paddy O’Leary to a Paddy O’Leary in Dublin, Ireland, but your customer lives in Dublin, California, the match might score an 85% probability. If you have set your filter to 90% probability, Bridger would filter the match from you. Bridger also allows you to flag false-positives that you have verified as false to an exception list. That way, you won’t be bothered with the same alert the next time you run your check.

Perhaps the best part of Bridger is that you can set it up to run in a mostly automated state. Each of the different sources of watch lists updates at different frequencies. Bridger will check on a daily, or even hourly basis, for updates and install them automatically. You can also map Bridger to your customer list data source, and then schedule it to run checks on whatever frequency you want. All that is left to you is to periodically review the results and take action if you think you’ve found a match.

OFAC applies to “All U.S. persons and entities (companies, non-profit groups, government agencies, etc.) wherever located,” so you can not simply ignore this compliance issue. For smaller companies that don’t deal much with foreign customers, the risk of non-compliance is fairly small. For larger companies, especially financial firms, OFAC compliance is not optional. If you do not already have a solution in place, Bridger may be the solution for you.

-Bill

In case you missed the news, today new Supreme Court rules went into effect regarding e-discovery. There were several good articles on the wires today: Yahoo; Washington Post; Investor’s Business Daily.

The problem with all these articles is that they don’t provide links to the actual rules published by the court. Since I have no life, I searched the Supreme Court’s website for the published rules. The new rules (http://www.supremecourtus.gov/orders/courtorders/frcv06p.pdf) were released by the Supremes last April. Based on my reading, there is both good and bad news in the rules with regards to e-discovery.

(Legal Disclaimer: I am not a lawyer; Do not rely upon my opinions; When in doubt hire a real lawyer and make sure he’s a good one; I am not responsible if you rely upon my analysis.)

These rules are good for two reasons:

First, there is now a potential release from e-discovery based upon “undue burden or cost.” As an example, if a company can show that it would be prohibitively expensive to search every pc in the company for a document that the other party suspects exists, but has no proof, this rule allows for the potential to have this request waived. Of course, if the requester can “show good cause,” the court can still order the discovery, but at least this rule provides a potential cost exclusion where it did not exist before.

Second, sanctions cannot be imposed for “information lost as a result of the routine, good-faith operation…” So if a company stores its archive tapes at a secure off-site storage facility, and that facility burns down, the loss of those tapes will not trigger court sanctions. This is a big change, but the key provision is “good-faith operation.” A company that doesn’t backup its data, or store it in a manner consistent with its data retention obligations is not operating in good-faith and could still be subject to sanctions if the data is not produce-able.

Rule 34 (a) expands the types of electronic data to include sound recordings, images, and other “data compilations.” This is being interpreted in the press to include things like instant messaging and text messages on cell phones and Blackberrys. If you have a VOIP system that integrates your voice mail system with your e-mail system, such as Cisco’s UNITY product, be prepared for your voice mail messages to become discoverable.

Rule 34 (a) also specifies data “stored in any medium from which information can be obtained.” This would appear to include cell phones, PDAs, and USB flash drives. Not withstanding the cost exclusion of Rule 26 (b)(2)(B), companies have an expanded duty to track where their data is stored, and how it is maintained.

Last September, I published a white-paper regarding designing an e-mail archive system for compliance. The topics discussed in that article are even more important under the new rules. To meet obligations under these new rules, companies must act in “good-faith” to identify their electronic data, establish policies regarding the storage and retention of their data, and then design systems to enforce the retention policies. Also, if you work for a public company, pay close attention to Sarbanes-Oxley section 802. SOX 802 crimializes the destruction of business documents.

The new Supreme Court rules apply to all companies involved in Federal litigation. Unfortunately, if you wait until you are involved in litigation, it is too late. You must prepare for these rules before they apply.

-Bill

Digg This Story!

If you are looking for a compliance solution for e-mail, I highly recommend Hewlett-Packard’s RISS/RIM product suite. Symantec’s Enterprise Vault is also a good product, although in my experience it does not scale well beyond 1 data center. If you find this paper useful, drop me a comment and let me know how you are dealing with e-mail & SOX.
«download here»

 Digg This Story!