Experts: Don't panic over Patriot Act, Sarbanes-Oxley

FRAMINGHAM (09/26/2003) - Increased litigation among corporations and new regulatory requirements are taxing IT departments, which are being asked for information without having been involved in the business process that produced it, lawyers and analysts say.

Still, many banks and securities firms are taking a go-slow approach when it comes to buying technology to address requirements of the USA Patriot Act, which requires financial companies to know the identities of their new customers as of this coming Wednesday. By contrast, firms seem to be more focused on the Sarbanes-Oxley Act's corporate accounting requirements, which are still a year away and, for the most part, don't even apply to them.

A slew of new regulations have been put into place by the U.S. Congress in the wake of corporate accounting scandals and terrorist attacks.

Donald Skupsky, an attorney and president of consulting firm Information Requirements Clearinghouse in Greenwood Village, Colorado, emphasized that most of the Sarbanes-Oxley requirements apply only to public accounting firms. And if those companies have been following standard accounting practices all along, they have nothing to worry about.

For financial services firms, outside of forming a board of directors' audit committee and having the chief executive officer sign off on financial statements, there is no additional technological burden created by Sarbanes-Oxley, Skupsky said.

"All these (regulations) deal with data, so there's going to be an IT implication. But I think it's a pragmatic response at this time for organizations not to overreact. No one wants to go overboard and then realize they did too much," said John Hagerty, an analyst at AMR Research Inc. in Boston.

Hagerty said the government will need to hash out the specifics of the Patriot Act, signed by President Bush in October 2001 after the Sept. 11 terrorist attacks. It requires financial services companies to develop improved capabilities to identify customers and flag suspicious transactions. Any comprehensive response to new regulatory requirements will require the chief information officer to be heavily involved in implementing any recommendations coming from a compliance office, he said.

One issue companies face is extracting data requested by attorneys and regulators from multiple e-mail, document and storage systems.

Most companies have proprietary formats for storing e-mail, documentation and other data on disk drives and tape cartridges. But when the regulators come in, companies will be required to provide them access to that data in a single format, Skupsky said.

The concern is that any catch-all application that could sit on top of a corporation's data network and extract specific data from multiple systems would be so expensive and convoluted that it would cost millions of dollars to implement and be too cumbersome to work efficiently, said Tim Stevens, a corporate and securities lawyer who formerly worked at the law firm of Wilson Sonsini Goodrich & Rosati in Palo Alto, California.

Far more important for corporate officials is familiarity with a company's technology infrastructure. Knowing which applications create data, where that data is stored and the most efficient way to access that data is far more valuable than gee-whiz technology, Stevens said.

Another major issue in corporate IT organizations is the overaccumulation of data that, in many cases, is 10 or even 20 years old. For financial services organizations, financial data need be kept for only seven years, Skupsky said.

"Organizations have been really remiss in cleaning house. If they did, with the same resources they already have, they'd be able to respond to legitimate requests for information with less trouble," he said.
