This is the accessible text file for GAO report number GAO-06-947R entitled 'Information Technology Management: Observations on the Financial Crimes Enforcement Network's (FinCEN's) BSA Direct Retrieval and Sharing (BSA Direct R&S) Project' which was released on July 17, 2006. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. July 14, 2006: The Honorable Christopher Bond: Chairman: The Honorable Patty Murray: Ranking Minority Member: Subcommittee on Transportation, Treasury, the Judiciary, HUD and Related Agencies: Committee on Appropriations: United States Senate: Subject: Information Technology Management: Observations on the Financial Crimes Enforcement Network's (FinCEN's) BSA Direct Retrieval and Sharing (BSA Direct R&S) Project: FinCEN's primary function is to support and strengthen domestic and international anti-money laundering efforts through coordination and partnerships. Since its creation in 1990, FinCEN has been responsible for overseeing the management, processing, storage and dissemination of Bank Secrecy Act (BSA) data.[Footnote 1] In 2004, FinCEN embarked on a major initiative intended to improve the sharing of information reported under the Bank Secrecy Act. BSA Direct is an umbrella project intended to provide secure, user-friendly, web-based tools for accessing, analyzing, and filing BSA data. It is part of a broad effort to reengineer data management responsibilities and transition them from the IRS. During the early spring of 2006, it became clear to FinCEN that the Retrieval and Sharing component of the BSA Direct project (BSA Direct R&S) was not going to meet the critical implementation deadline of June 30, 2006. Objectives: Because FinCEN has experienced problems with development and implementation of the BSA Direct R&S, you asked us about the project's current status and to provide observations on FinCEN's IT investment management practices. Our objectives were to (1) describe BSA Direct R&S and the project's current status; (2) examine FinCEN's application of information technology (IT) investment management processes to the BSA Direct R&S project; and (3) describe, at a high level, the range of options FinCEN may consider as it reexamines the BSA Direct R&S project. We are sending copies of this report to the Secretary of Treasury, the Director of FinCEN, and interested congressional committees. We will also provide copies to others on request. Scope and Methodology: To provide observations on FinCEN's BSA Direct R&S project, we reviewed and analyzed BSA Direct planning and implementation documents, interviewed agency officials at FinCEN, the Internal Revenue Service (IRS), and some users of BSA information such as federal law enforcement agencies. We also examined FinCEN's application of IT investment management processes to the BSA Direct R&S project using GAO's guide, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity,[Footnote 2] as our criteria. We did not conduct a comprehensive review of FinCEN's investment management practices. We focused on critical processes associated with Stage 2 of the five-stage framework because they represent the practices needed for basic project-level control. We reviewed project documents such as the Office of Management and Budget Exhibit 300, the original BSA Direct R&S contract and revisions, progress reports, interim briefings, and project assessments conducted by MITRE. We also interviewed FinCEN officials responsible for investment management and the BSA Direct R&S project, the contractor conducting the BSA Direct R&S project, and MITRE officials involved in the project. We conducted our review according to generally accepted government auditing standards between May and July 2006. In late June 2006, we provided a detailed briefing to your staff on the results of this work. The briefing slides are included as Enclosure I. The purpose of this letter is to publish the briefing slides and to transmit our recommendations to the Director of FinCEN. Results in Brief: On March 15, 2006 the director of FinCEN placed the Retrieval and Sharing component of the BSA Direct project under a temporary "stop work" order because of significant cost, schedule, and performance issues. For example, phase one of the project was planned for completion in 250 days but was actually completed in 373 days. Judging against the criteria of GAO's framework for information technology investment management , GAO found that FinCEN did not always apply effective investment management processes to oversee the BSA Direct R&S project. This, in part, contributed to the problems experienced by the project, because issues that occurred at the project management level continued and compounded, yet were not addressed at the executive level. For example, MITRE--the organization assisting FinCEN with project monitoring--identified multiple occasions where FinCEN did not take action to mitigate project risks or address significant de-scoping of project functionality. FinCEN is considering three basic options in determining whether or not to continue the BSA Direct R&S project. These include reestablishing a modified contract; finding a new contractor to take over the project; or terminating the contract and assessing needs and plans for new capabilities. FinCEN's inadequate application of sound information technology investment management processes and controls to the BSA Direct R&S project contributed to the cost, schedule, and performance issues that have plagued the project from its inception. FinCEN plans to determine the future direction of BSA Direct R&S in mid-July 2006. Regardless of what decision is made, FinCEN runs the risk of having similar problems and similar results in the future unless better investment management processes and procedures are put in place. Recommendation for Executive Action: In light of the issues experienced on the BSA Direct R&S project, we recommend that the Director of FinCEN direct the Chief Information Officer (CIO) to develop a plan for improving the agency's capabilities for overseeing the BSA Direct project. The plan should focus in particular on establishing policies and procedures for executives to regularly review investments' progress against commitments and take corrective actions when these commitments are not met. In addition, the plan should (1) specify measurable goals, objectives, and milestones; (2) specify needed resources; (3) assign clear responsibility and accountability for accomplishing tasks; and (4) be approved by the Director of FinCEN. In implementing the plan, the FinCEN CIO should report progress against expectations to the FinCEN Director and take appropriate actions to address deviations. Agency Comments: In commenting orally on a draft of this report, the Acting Deputy Chief Information Officer stated that FinCEN concurred fully with our findings and recommendation. If you or your staff have any questions, or wish to discuss this material further, please call me at (202) 512-5594 or whitej@gao.gov. We are sending copies of this report to the Secretary of Treasury, the Director of FinCEN, and interested congressional committees. The letter is also available on GAO's home page at [Hyperlink, http://www.gao.gov]. We will also provide copies to others on request. GAO staff who made major contributions to this report are listed in Enclosure II. Signed by: James R. White: Director, Strategic Issues: Enclosures (2): Enclosure I: Observations on the Financial Crimes Enforcement Network's (FinCEN's) BSA Direct Retrieval & Sharing Project: Briefing to Senate Appropriations Subcommittee on Transportation, Treasury, the Judiciary, HUD and Related Agencies: June 22, 2006: Purpose and Outline: Purpose: To describe the status of the Retrieval and Sharing component of the BSA: Direct project (BSA Direct R&S)[Footnote 3] and provide our observations on the project and its future. Outline: Objectives. Scope and Methodology. Results in Brief. Background. Status of BSA Direct R&S. Observations on BSA Direct R&S. Potential Options for the Future of BSA Direct R&S. Conclusions. Recommendation for Executive Action. Objectives: Describe BSA Direct R&S and the project's current status. Examine FinCEN's application of information technology (IT) investment management processes to the BSA Direct R&S project. Describe, at a high level, the range of options FinCEN may consider as it reexamines the BSA Direct R&S project. Scope and Methodology: For objectives 1, 2 and 3 we reviewed and analyzed BSA Direct R&S planning and implementation documents, interviewed agency officials at FinCEN, the Internal Revenue Service (IRS), and some users of BSA information such as federal law enforcement agencies. In addition, for objective 2 we also examined FinCEN's application of IT investment management processes to the BSA Direct R&S project using GAO's guide, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity[Footnote 4], as our criteria. We focused on critical processes associated with Stage 2 of the five-stage framework because they represent the practices needed for basic project-level control. We reviewed project documents such as the Office of Management and Budget Exhibit 300, the original BSA Direct R&S contract and revisions, progress reports, interim briefings, and project assessments conducted by MITRE. We also interviewed FinCEN officials responsible for investment management and the BSA Direct project, the contractor conducting the BSA Direct R&S project, and MITRE officials involved in the project. Results in Brief: On March 15, 2006 the director of FinCEN placed the retrieval and sharing component of the BSA Direct project under a temporary "stop work" order because of significant cost, schedule, and performance issues. For example, phase one of the contract was planned for completion in 250 days but was actually completed in 373 days. Judging against the criteria of GAO's framework for information technology investment management, we found that FinCEN did not always apply effective investment management practices to oversee the BSA Direct R&S project. This, in part, contributed to the problems experienced by the project, because issues that occurred at the project management level continued and compounded, yet were not addressed at the executive level. For example, MITRE-the organization assisting FinCEN with project monitoring-identified multiple occasions where FinCEN did not take action to mitigate project risks or address significant de-scoping of project functionality. FinCEN is considering three basic options in determining whether or not to continue the BSA Direct R&S project. These include reestablishing a modified contract; finding a new contractor to take over the project; or terminating the contract and assessing needs and plans for new capabilities. Background: Legislative and Statutory Authorities: The Bank Secrecy Act (BSA), enacted by Congress in 1970, authorizes the Secretary of the Treasury to issue regulations requiring financial institutions to retain records and file reports that are determined to have a significant degree of usefulness in criminal, tax, and regulatory investigations[Footnote 5]. Following the September 11th terrorist attacks, Congress passed the USA PATRIOT Act, which among other things, amended the BSA to allow information collected under the BSA to be used in the conduct of intelligence or counterintelligence activities and to protect against international terrorism. The BSA charged the Secretary of Treasury to designate "a single officer or agency of the United States to whom suspicious activity reports shall be made."[Footnote 6] The agency designated for BSA compliance is responsible for overseeing the administration of the BSA. Overall authority for enforcement and compliance of the BSA has been delegated to the Assistant Secretary of the Treasury; which further delegated responsibility to the Director of the Financial Crimes Enforcement Network (FinCEN), a bureau of the Department of Treasury[Footnote 7]. BSA Data Management Responsibilities: FinCEN's mission is to support and strengthen domestic and international anti-money laundering efforts through coordination and partnerships. Since its creation in 1990, FinCEN has been responsible for overseeing the management, processing, storage and dissemination of BSA data. FinCEN is the overall administrator of the Bank Secrecy Act and thus is ultimately responsible for the management of BSA data. However, the Department of the Treasury, historically, has relied upon the Internal Revenue Service (IRS) to assist FinCEN in the management of BSA information. Under a longstanding cooperative arrangement with FinCEN, the IRS collects and stores all the data reported under the BSA. IRS's Detroit Computing Center (DCC) is the central point of collection and housing of all BSA data in a single repository. DCC maintains the infrastructure needed to collect the reports, convert paper and magnetic tape submissions to electronic media, correct errors in submitted forms through correspondence with filers, and store the data on its Currency and Banking Retrieval System (CBRS). FinCEN's BSA Direct R&S Project Description: BSA Direct is an umbrella project intended to improve the sharing of information reported under the Bank Secrecy Act. FinCEN characterizes it as a major initiative intended to provide secure, user-friendly, web- based tools for accessing, analyzing, and filing BSA data. It has several components, including electronic filing, secure access, and retrieval and sharing. BSA Direct is part of a broad effort by FinCEN to transition from the IRS, and reengineer, BSA data management responsibilities. FinCEN entered into a contract with EDS in June 2004 to develop the retrieval and sharing component of BSA Direct. FinCEN's BSA Direct Project Status: On March 15, 2006, the director of FinCEN placed the retrieval and sharing component of the BSA Direct project under a temporary "stop work" order because the project had repeatedly failed to meet performance milestones, was experiencing significant issues with both functionality and stability, and was not going to meet the critical implementation deadline of June 30, 2006. This "stop work" period, originally for 90 days, was extended by the director for an additional 30 days to July 15, 2006. During this period all work on the project by both FinCEN employees and the project contractor have been halted. Meanwhile FinCEN is coordinating with the IRS-who currently and historically has collected and maintained BSA data-in an effort to ensure users do not experience an interruption in service. FinCEN has also assembled an assessment team that has been charged with assessing the BSA Direct R&S system, conducting an alternatives analysis, and recommending a course of action moving forward. FinCEN's BSA Direct R&S Project IRS's Current Role: After FinCEN recognized BSA Direct R&S would not be implemented before the critical June 30, 2006 deadline, it determined the need to coordinate with the IRS to ensure users of BSA data do not experience an interruption in service. Meeting the June 30, 2006 deadline was critical to the project's success because that is when IRS is shutting down the legacy system (CBRS) containing all BSA data. IRS no longer needs this legacy system because they have developed a new system, called WebCBRS, to store all BSA data and then disseminate it to internal (IRS) customers. Meanwhile, BSA Direct R&S was intended to provide non-IRS users with access to BSA data once the legacy system was discontinued. Since FinCEN halted work on BSA Direct R&S, agency officials have been working with IRS to identify a way to provide non-IRS users with access to the WebCBRS system in the same way that they had access to CBRS. Observations on BSA Direct R&S IT Management: There are many areas that are important to successfully managing IT, including investment management, system/software development and acquisition management, enterprise architecture management, information security, and human capital management. In each of these areas there are numerous policies and procedures that can be applied. Of particular relevance to FinCEN's BSA Direct R&S project are investment management and system/software development and acquisition management. Investment management focuses on the selection and management oversight of an agency's or division's IT investments. Whereas, system/software development and acquisition management focuses on process management and quality improvement at the project management level. The Office of the Inspector General for Treasury is conducting a review of the BSA Direct R&S project and the system/software development and acquisition management processes and procedures that were in place. Therefore, for the purposes of this briefing, the focus is to provide our observations on FinCEN's application of some investment management processes and procedures to the BSA Direct R&S project. Observations on BSA Direct R&S ITIM Overview: The Information Technology Investment Management (ITIM) framework focuses on the selection and management oversight of an agency's or division's IT investments. Built around the select/control/evaluate approach described in the Clinger-Cohen Act[Footnote 8], the ITIM framework provides a method for evaluating and assessing how well an agency is selecting and managing its IT resources. Agencies can also use the framework as they work to improve their processes. The maturity stages, depicted in figure 1, represent steps toward achieving a stable and mature IT investment management process. Organizations implementing Stages 2 and 3 of the framework have in place the investment selection, control, and evaluation processes that are required by the Clinger-Cohen Act. Observations on BSA Direct R&S The Five Stages of Maturity within ITIM: Figure 1: Five Stages of Maturity within ITIM: [See PDF for image] Source: GAO. [End of figure] Observations on BSA Direct R&S Characterization of ITIM Stages 1 & 2: Stage 1 of the ITIM framework is characterized as IT spending without disciplined investment processes: In Stage 2 basic selection capabilities are driven by the development of project selection criteria, including benefit and risk criteria, and an awareness of organizational priorities when identifying projects for funding. Executive oversight is applied on a project-by-project basis. The five critical processes of investment management at Stage 2 are: Instituting the investment board, Meeting business needs, Providing investment oversight, Capturing investment information, and Selecting an investment: Table 1 describes the critical ITIM processes at Stage 2 and our observations on how these processes have been applied to the BSA Direct R&S project. Observations on BSA Direct R&S Application of Critical Stage 2 Processes: Table 1: Observations on FinCEN's Application of Stage 2 ITIM Processes to the BSA Direct R&S Project: Stage 2 ITIM Processes: Instituting the investment board: entails creating and defining the membership and guiding policies, operations, roles, responsibilities, and authorities for one or more IT investment boards within the organization; Observations on Application to BSA Direct R&S: FinCEN chartered a Technology Review Board in June 2005 that is responsible for managing capital planning investment control processes and overseeing the use of technology. However, in practice, this review board did not have jurisdiction or final decision-making authority over the BSA Direct R&S project. Stage 2 ITIM Processes: Meeting business needs: entails ensuring that IT projects and systems support the organization's business needs and meet users' needs. It involves identifying business and users' needs for each IT project and having users participate in project management throughout the project's life cycle; Observations on Application to BSA Direct R&S: Users did not consistently participate in BSA Direct R&S during the project life cycle. Specifically, FinCEN involved users in conducting a requirements analysis to document business and users' needs before the BSA Direct R&S contract was awarded. However, after the contract award, every FinCEN user we spoke with stated they had not participated in the process since that time. Stage 2 ITIM Processes: Providing investment oversight: entails monitoring the progress of all IT projects and systems relative to cost, schedule, risk, and benefit expectations and taking corrective action when these expectations are not being met; Observations on Application to BSA Direct R&S: FinCEN project managers met regularly with the BSA Direct R&S contractor and occasionally with MITRE to discuss the project's progress. They were provided reports documenting issues impacting the cost, schedule, and performance of the BSA Direct R&S project, however, it is unclear what information was provided to FinCEN executives, when it was provided, or how it was used in decision-making. Stage 2 ITIM Processes: Capturing investment information: involves identifying IT assets and creating a comprehensive repository of investment information for decision makers to use to evaluate the impacts and opportunities created by proposed (or continuing) IT investments; Observations on Application to BSA Direct R&S: FinCEN has made efforts to capture information on its IT assets. However, this information was not always used effectively to evaluate the impact that interfacing BSA Direct R&S with other IT systems would have. For example, nine months after the BSA Direct R&S contract was awarded significant modifications had to be made to address system incompatibility issues. Stage 2 ITIM Processes: Selecting an investment: entails ensuring that a well-defined and disciplined process be used to select new IT proposals and reselect ongoing investments; Observations on Application to BSA Direct R&S: We did not examine the process used to select the BSA Direct R&S proposal. Since the stop-work order on BSA Direct R&S, FinCEN has also developed an assessment team to reselect-i.e. determine whether to continue funding-this project. Source: GAO analysis: [End of Table] Observations on BSA Direct R&S Importance of Internal Control Techniques: One important focus in Stage 2 of the ITIM framework is the attainment of repeatable successful IT investment control techniques at the project level. For an organization to develop a sound IT investment process, it must first be able to control its investments so that they finish predictably within established schedule and budget ranges. In addition, it must be able to identify potential exposures to risk and put in place strategies to mitigate that risk. In the absence of predictable, repeatable, and reliable investment control processes, selected investments will be subject to a higher risk of failure despite rigorous analysis of the estimates used to justify them. Further the absence of repeatable control processes will result in ineffective evaluation processes and contradictory efforts at process improvement. Observations on BSA Direct R&S Application of Internal Control Processes: In FinCEN's case, the BSA Direct R&S project lacked sufficient investment control techniques. This, in part, contributed to the problems experienced by the project, because issues that occurred at the project management level continued and compounded, yet were not addressed at the executive level. For example, MITRE found that the project: was not fully baselined from inception in July 2004 until February 2005; lost the baseline 3 months later and could not be fully recovered, in part, because of: * contractor staffing issues thru September 2005, * ongoing schedule slippages, without risk mitigation activity, and * project de-scoping, meaning certain functionalities in the original contract would not be provided; lacked system acceptance criteria, known as a Service Level Agreement. These, and other, issues were significant and had a major impact on the project, yet they remained for months and often were never adequately addressed. Figure 2 illustrates how these, and other, issues impacted the project from a chronological perspective and table 2 provides a month-by-month accounting of many of the issues identified by MITRE. Observations on BSA Direct R&S Schedule Slippages: Figure 2: BSA Direct R&S Project Schedule Slippages: [See PDF for Image] Source: GAO. Note: Updates and revisions were made to the BSA Direct R&S project schedule on an ongoing basis; however, we selected the following three revision dates to illustrate how the schedule changed over time: Revision 1 - March 21, 2005; Revision 2 - September 19, 2005; Revision 3 - February 22, 2006. Note: Phases 1, 2, and 3 denote critical milestones established by FinCEN and the contractor for the BSA Direct R&S project. [End of Figure] Observations on BSA Direct R&S Chronology of Issues Identified: Table 2: Chronology of Some Issues Identified by MITRE during the BSA: Update: July 2004 (Project launched); Issue Identified: [Empty]. Update: August 2004; Issue identified: Project schedule not baselined, Project understaffed. Update: September 2004; Issue Identified: Project schedule not baselined, Project understaffed. Update: October 2004; Issue identified: Project schedule not baselined, Project understaffed. Update: November 2004; Issue identified: Project schedule not baselined, Project understaffed. Update: December 2004; Issue identified: Project understaffed. Update: January 2005; Issue identified: February 2005. Update: February 2005; Issue identified: Project understaffed. Update: March 2005; Issue identified: Project understaffed. Update: April 2005; Issue identified: Project understaffed. Update: May 2005; Issue identified: Project understaffed, Project baseline lost. Update: June 2005; Issue identified: Project understaffed, Project baseline lost. Update: July 2005; Issue identified: Project understaffed, Project baseline lost. Update: August 2005; Issue identified: Project understaffed, No business continuity plan, MITRE not consistently included in project discussions and meetings. Update: September 2005; Issue identified: Project understaffed, Lack of project baseline, Need for system design change, MITRE not consistently included in project discussions and meetings. Update: October 2005; Issue identified: Contractor project manager resign. Update November 2005; Issue identified: Schedule slippage with no risk mitigation activities. Update: December 2005; Issue identified: Schedule slippage with no risk mitigation activities. Update: January 2006; Issue identified: Loss of project baseline. Update: February 2006; Issue identified: Project de-scooping, Schedule slippage with no risk mitigation activities. Update: March 2006; Issue identified: Temporary stop work order issued. Source: GAO Summary of MITRE data: [End of table] Observations on BSA Direct R&S Critical Aspects of Improvement: Critical to maturing project-level IT investment control processes is the ability to recognize the need for and to take swift corrective action when a project is having trouble meeting its schedule expectations and cost estimates. As it moves through Stage 2, an organization develops robust methods to collect data from the project-level management processes and aggregate it appropriately to provide executive management with the information it needs to execute its oversight responsibilities. As the organization matures, it also learns from past decisions and better manages the causal factors that created past problems, thus improving the performance results of ongoing projects. Beyond investment control processes, the organization also begins to implement basic selection processes. The core business needs for each IT project are identified and the basic portfolio development processes are used to select new IT proposals. BSA Direct R&S Project Options: Since the director of FinCEN issued a stop-work order on BSA Direct R&S on March 15, 2006, FinCEN has established a reassessment team to determine the future of the project. According to FinCEN officials, they are considering three basic options during this reassessment period. These include: reestablishing a modified contract with EDS; developing a new request for proposal, enabling a new contractor to take over the project; or: terminating the contract and assessing agency needs and plans for new capabilities: Potential Options for BSA Direct R&S Project Options and Reasons for Selection: Table 3: BSA Direct R&S Options and Potential Reasons for Selection: Option: FinCEN reestablishes a modified contract with EDS; Potential Reason for Selecting: After nearly two years working on the project, EDS has developed significant knowledge of the working environment. Option: FinCEN develops new request for proposal for a new contractor to take over the project; Potential Reason for Selecting: Brings a fresh approach that builds on the nearly functional aspects of the system. Option: FinCEN terminates the contract, assesses agency needs, and plans for new capabilities; Potential Reason for Selecting: The IRS's WebCBRS system is deemed sufficient to provide the capability needed for the short-to intermediate-term. This also provides FinCEN the time to reevaluate its long-term strategy for reengineering and transitioning data management processes. Source: FinCEN and GAO: [End of table] Conclusions: FinCEN's inadequate application of sound information technology investment management processes and controls to oversee the BSA Direct R&S project contributed to the cost, schedule, and performance issues that have plagued the project from its inception. FinCEN plans to determine the future direction of BSA Direct R&S in mid- July 2006. Regardless of what decision is made, FinCEN runs the risk of having similar problems and similar results in the future unless better investment management processes and procedures are put in place. Recommendation for Executive Action: In order to improve FinCEN's ability to manage its IT investments, we recommend that Director of FinCEN direct the CIO to develop a plan for improving the agency's capabilities for overseeing the BSA Direct project. The plan should focus in particular on establishing policies and procedures for executives to regularly review investments' progress against commitments and take corrective actions when these commitments are not met. In addition, the plan should: specify measurable goals, objectives, and milestones; specify needed resources; assign clear responsibility and accountability for accomplishing tasks; and: be approved by the Director of FinCEN. In implementing the plan, the FinCEN CIO should report progress against expectations to the FinCEN Director and take appropriate actions to address deviations. Enclosure II: GAO Contact and Staff Acknowledgments: GAO Contact: James R. White, (202) 512-5594 or whitej@gao.gov: Acknowledgments: In addition to the person named above, Timothy Hopkins, Robyn Howard, Brian James, Signora May, Donna Miller, Sabine Paul, David Powner, and Katrina Taylor made key contributions to the report. (450500): FOOTNOTES [1] The Bank Secrecy Act, enacted by Congress in 1970, authorizes the Secretary of the Treasury to issue regulations requiring financial institutions to retain records and file reports that are determined to have a significant degree of usefulness in criminal, tax, and regulatory investigations or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism. Pub. L. 91-508, codified as amended at 12 U.S.C. 1829b,12 U.S.C. 1951-1959 and 31 U.S.C. 5311-5332. [2] See U.S. GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity GAO-04-394G (Washington, D.C.: March 2004). [3] BSA Direct is an overall umbrella project with several components, including: electronic filing, secure access, and retrieval and sharing. This briefing focuses on the retrieval and sharing component of BSA Direct. For purposes of clarity and to prevent confusion with the broader BSA Direct project we use the term--BSA Direct R&S throughout this briefing. [4] See U.S. GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity GAO-04-394G (Washington, D.C.: March 2004). [5] Pub. L. 91-508, codified as amended at 12 U.S.C. §1829b,12 U.S.C. §§1951-1959 and 31 U.S.C. §§5311-5314;5316-5332. [6] 31 U.S.C. §5318(g) (4) (A). [7] 31 CFR103.56 subpart (e). [8] The fiscal year 1997 Omnibus Consolidated Appropriations Act, Pub. L. 104-208, renamed both Division D (the Federal Acquisition Reform Act) and E (the Information Technology Management Reform Act) of the 1996 DOD Authorization Act, Pub. L. 104-106, as the Clinger-Cohen Act of 1996. GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: