Well I found out today that the article I was asked to write over Easter for Law Office Computing was rejected because it violates their editorial guidelines concerning “touting your own stuff” as a vendor (except that we’re not actually selling anything, the app is free). It was intended to be published in their May edition under the “Consultant’s Challenge” column but after going back and forth with their editor, we determined that given the nature of the issue, it made more sense for them to publish a news story on it rather than in the column for which I had written. Rather than scrap the article I figured I’d post it here – it is an pressing issue confronting lawyers right now and from the survey of our clients I conducted over the holidays, not many lawyers are even aware of it. The bottomline is that I wrote a simple application called Sentinel that greatly reduces the work involved for attorneys in maintaining compliance and my company is (for the time being) donating the service free to the legal community. Here is the article:
Solving OFAC Compliance for Attorneys
Sentinel provides an elegant solution for a daunting task
By Sean Tierney
In the wake of national crises like 9/11 and Enron, the government introduces legislation and creates regulations to reduce the likelihood of such disasters occurring in the future. Acts like Sarbanes-Oxley and the Patriot Act are implemented, businesses adapt to ensure they meet compliance and life goes on. In October, however, I had my ear to the rail and began hearing the rumblings of a new issue called “OFAC compliance” and the ” SDN list .” This type of compliance apparently was familiar to the financial sector but was a new concern for law firms. Cursory searches of the major search engines yielded no de facto solution for attorneys and with penalties as steep as $10mm in fines per violation, it was clear that this issue demanded attention. I began a rapid research project to gain an understanding of the problem and the potential solutions.
Background on the OFAC
The Office of Foreign Assets Control (“OFAC”) is a branch of the US Department of the Treasury tasked with the responsibility of enforcing sanctions against certain entities deemed to be “enemies of the United States .” It operates by freezing monetary assets in domestic jurisdiction to thwart activities of these entities thereby achieving foreign policy and national security goals. OFAC is the successor to the Office of Foreign Funds Control which was established at the onset of WWII for the purpose of blocking financial transactions that would otherwise have assisted the Axis powers. It functions today by publishing a list of approximately 5000 Specially-Designated Nationals and Blocked Entities (“SDN list”) and levying stiff penalties against anyone who conducts business with these entities. And “stiff” means “seven and eight-figure” stiff… Unknowing acceptance of monies from a entity on the SDN list is punishable by a $1mm fine per instance. Knowingly engaging in a financial transaction with one of these entities can result in a whopping $10mm fine and up to thirty years imprisonment for the individual responsible for the transaction.
Technical Challenges of Meeting Compliance
Okay, they had my attention with the part about the $10mm fines. The trouble now was that nowhere was there a clear definition of what constituted “proper compliance.” From reading the FAQ on their web site it appeared that it was a “don’t get caught” type of attitude. You have to be able to prove that you have taken “reasonable steps” to ensure on a continual basis that you are not dealing with clients who appear on the SDN list. But you could still scrutinize your client list daily and, if you end up accidentally taking on a bad client that happened to be using a pseudonym or spelled his/her name differently, you would have exposure. This challenge of vetting client names against the SDN was further compounded by the fact that most entities on the list were foreign names and had multiple aliases (about twenty each) and different permutations of spellings with odd characters (ever had to type the “schwa” character?). On top of all this, law firms’ client lists were evolving at the same time as the SDN list was changing. The OFAC provides no software searching tools to simplify the process of comparing names. According to their web site, their idea of “automation” for this task consisted of bookmarking their web page in Internet Explorer and monitoring for updates to the list via browser synchronization. To actually compare your client names against the list, OFAC recommends downloading a 1.5MB Adobe PDF file containing all the names and using the built-in “find tool” with each of your clients’ names and business names to scan one-by-one against the document, EACH time the SDN list is updated. The analogy here is that law firms are standing on a moving platform using a bow and arrow to shoot at a moving target and are expected to have laser-precision accuracy. At best, this SDN list review process could be considered cumbersome – more than likely, it could be considered entirely unrealistic and dysfunctional.
The Existing Options
Shunning the advice of the OFAC web site for manually comparing client names against the SDN list, I researched the other automated software solutions in existence. I came across Bridger Insight which is a subsidiary of ChoicePoint (the company that was recently in the news for accidentally selling 150,000 of its clients’ names to criminals). They offer a piece of software which runs on Windows that claims to (among other things) scan a client list against names on the SDN. It sounded promising so I downloaded their demo version and tried it out for myself. I was able to get it working immediately and it did, in fact, offer the ability to search specific names against the SDN from my desktop. Its interface, however, was less-than-intuitive and the steps required to scan a full list of clients against the SDN proved to be a perplexing task even for someone who is adept at using hundreds of different software programs. It ended up being a pretty involved hack that their tech support guided me through over the telephone to get it to scan my contacts. With a hefty price tag and recurring service fees associated with their product, I continued looking to see what other options were out there.
I came across another company called Attus Technology that made a product called ” Watchdog ” which sounded like it might be the answer. Unfortunately, I was never actually able to demo their product. I asked some difficult questions of their sales guy and mentioned that I was considering developing my own solution if I didn’t find one that I liked. I think he viewed me as a potential competitor because I was never given an evaluation version of their software. At any rate, their price tag was comparable to Bridger Insight’s and by this point I was beginning to think that for the features these products offered, they were severely over-priced and that with my programming background I might be able to solve this issue in a manner that lawyers would find more intuitive.
The “Sentinel” Solution
Arthur C. Clark once said “any sufficiently advanced technology is indistinguishable from magic.” Having written software myself, I share this ideal that good software is the kind that you never notice – it does its job transparently and you simply derive the benefits without having to alter your routine and learn new tricks to make it work. I set about writing an application that would run anywhere and allow any attorney to check his or her client list against the SDN and receive a concise report any potential matches it found. I had the following three goals:
1. The whole process should take no more than one minute from start to finish
2. Steps should be comprehensible to anyone with common sense
3. It should work with any operating system and the “lowest common denominator” format in which most attorneys store their client lists.
I chose the web as a delivery platform instead of creating a desktop application because it offered the advantages of being easier to maintain and averted OS compatibility issues. It’s also an easier sell to a security-conscious Network Administrator for an attorney to view a web page rather than install a downloaded binary executable on their PC. From my experience, nearly all law firms use Outlook for their email, contacts and calendaring. Outlook supports all types of import and export formats making it an attractive “hub” to target for this project (if people didn’t currently store their contacts in Outlook, it wouldn’t be terribly difficult to import them). Its pervasiveness and versatility of import formats made it the logical choice for the “common denominator” storage format for contacts.
Under the hood the Sentinel web application runs ColdFusion application server and a souped-up version of the Verity search engine called K2 . The web site that hosts the Sentinel application resides on a php-based opensource content management system called Mambo. I wrote a brief two-minute video tutorial that walks the visitor through the steps of how to check your Outlook contacts against the SDN using Sentinel. Basically, Sentinel grabs a fresh copy of the SDN each night, indexes the list in a database and awaits you to upload your client list. When you upload your clients, Sentinel scans each individual name and company name against its indexed copy of the SDN and reports back with your client list highlighting any potential matches in red. You can then drill down on offending records to get details on the matching records to investigate if it is in fact a true match. Searching is very fast – Sentinel can assimilate and compare a 1000 person client list against every SDN entity and each of its aliases under two seconds. The results page can be printed from the browser with the timestamp and archived for hardcopy proof of “reasonable” steps taken to ensure compliance. Best of all, Sentinel is currently offered free as a service to the legal community by my company, Legal Technology Consulting .
Room For Improvement
This one-minute process is clearly a major improvement over OFAC’s suggested method of screening names, however it still requires manual intervention on the part of the attorney and therefore doesn’t yet meet the “indistinguishable from magic” litmus test for advanced technology. Ideally this scan would occur automatically at a predefined interval and intelligently converse with a centralized billing and conflict management system behind the scenes and alert the appropriate person only when it finds a problem. Depending on the demand for such a tool, my company is prepared to allocate my time towards development of this system and to make it available for a reasonable fee. In the meantime Sentinel is currently offered free of charge on www.SDNCompliance.com . There is a concern I have heard voiced before that I wanted to address here “in order to use Sentinel client information must be transmitted in clear-text over HTTP to our server – isn’t that insecure?” To this objection I would respond by saying that it’s no more insecure than lawyers using unencrypted email to conduct sensitive communications with their clients. Unless you are currently using PGP for all email communications, this would be an unfounded complaint. Using SSL to encrypt the transmission of the client list to our server is certainly an option and one we will implement if the market demands it.
I welcome your feedback on the OFAC compliance process and the Sentinel service in particular and hope you find this free tool useful in your efforts to maintain compliance. To take part in an ongoing discussion of Sentinel-related questions, visit my personal blog at www.ScrollinOnDubs.com .