Information Technology Management: Observations on the Financial 
Crimes Enforcement Network's (FinCEN's) BSA Direct Retrieval and 
Sharing (BSA Direct R&S) Project (14-JUL-06, GAO-06-947R).	 
                                                                 
The Financial Crimes Enforcement Network's (FinCEN) primary	 
function is to support and strengthen domestic and international 
anti-money laundering efforts through coordination and		 
partnerships. Since its creation in 1990, FinCEN has been	 
responsible for overseeing the management, processing, storage	 
and dissemination of Bank Secrecy Act (BSA) data. In 2004, FinCEN
embarked on a major initiative intended to improve the sharing of
information reported under the Bank Secrecy Act. BSA Direct is an
umbrella project intended to provide secure, user-friendly,	 
web-based tools for accessing, analyzing, and filing BSA data. It
is part of a broad effort to reengineer data management 	 
responsibilities and transition them from the IRS. During the	 
early spring of 2006, it became clear to FinCEN that the	 
Retrieval and Sharing component of the BSA Direct project (BSA	 
Direct R&S) was not going to meet the critical implementation	 
deadline of June 30, 2006. Because FinCEN has experienced	 
problems with development and implementation of the BSA Direct	 
R&S, Congress asked us about the project's current status and to 
provide observations on FinCEN's IT investment management	 
practices. Our objectives were to (1) describe BSA Direct R&S and
the project's current status; (2) examine FinCEN's application of
information technology (IT) investment management processes to	 
the BSA Direct R&S project; and (3) describe, at a high level,	 
the range of options FinCEN may consider as it reexamines the BSA
Direct R&S project.						 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-06-947R					        
    ACCNO:   A57021						        
  TITLE:     Information Technology Management: Observations on the   
Financial Crimes Enforcement Network's (FinCEN's) BSA Direct	 
Retrieval and Sharing (BSA Direct R&S) Project			 
     DATE:   07/14/2006 
  SUBJECT:   Information management				 
	     Information technology				 
	     Internal controls					 
	     IT investment management				 
	     Program evaluation 				 
	     Schedule slippages 				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-06-947R

     

     * Results in Brief
     * Recommendation for Executive Action
     * Agency Comments
     * Enclosure I
          * Acknowledgments
     * PDF6-Ordering Information.pdf
          * Order by Mail or Phone

July 14, 2006

Chairman

The Honorable Patty Murray

Ranking Minority Member

Subcommittee on Transportation, Treasury,

the Judiciary, HUD and Related Agencies

Committee on Appropriations

United States Senate

Subject: Information Technology Management: Observations on the

FinCEN's primary function is to support and strengthen domestic and
international anti-money laundering efforts through coordination and
partnerships. Since its creation in 1990, FinCEN has been responsible for
overseeing the management, processing, storage and dissemination of Bank
Secrecy Act (BSA) data.1 In 2004, FinCEN embarked on a major initiative
intended to improve the sharing of information reported under the Bank
Secrecy Act. BSA Direct is an umbrella project intended to provide secure,
user-friendly, web-based tools for accessing, analyzing, and filing BSA
data. It is part of a broad effort to reengineer data management
responsibilities and transition them from the IRS. During the early spring
of 2006, it became clear to FinCEN that the Retrieval and Sharing
component of the BSA Direct project (BSA Direct R&S) was not going to meet
the critical implementation deadline of June 30, 2006.

Objectives

Because FinCEN has experienced problems with development and
implementation of the BSA Direct R&S, you asked us about the project's
current status and to provide observations on FinCEN's IT investment
management practices. Our objectives were to (1) describe BSA Direct R&S
and the project's current status; (2) examine FinCEN's application of
information technology (IT) investment management

1 The Bank Secrecy Act, enacted by Congress in 1970, authorizes the
Secretary of the Treasury to issue regulations requiring financial
institutions to retain records and file reports that are determined to
have a significant degree of usefulness in criminal, tax, and regulatory
investigations or in the conduct of intelligence or counterintelligence
activities, including analysis, to protect against international
terrorism. Pub. L. 91-508, codified as amended at 12 U.S.C. 1829b,12
U.S.C. 1951-1959 and 31 U.S.C. 5311-5332.

processes to the BSA Direct R&S project; and (3) describe, at a high
level, the range of options FinCEN may consider as it reexamines the BSA
Direct R&S project.

We are sending copies of this report to the Secretary of Treasury, the
Director of FinCEN, and interested congressional committees. We will also
provide copies to others on request.

Scope and Methodology

To provide observations on FinCEN's BSA Direct R&S project, we reviewed
and analyzed BSA Direct planning and implementation documents, interviewed
agency officials at FinCEN, the Internal Revenue Service (IRS), and some
users of BSA information such as federal law enforcement agencies. We also
examined FinCEN's application of IT investment management processes to the
BSA Direct R&S project using GAO's guide, Information Technology
Investment Management: A Framework for Assessing and Improving Process
Maturity,2  as our criteria. We did not conduct a comprehensive review of
FinCEN's investment management practices. We focused on critical processes
associated with Stage 2 of the five-stage framework because they represent
the practices needed for basic project-level control. We reviewed project
documents such as the Office of Management and Budget Exhibit 300, the
original BSA Direct R&S contract and revisions, progress reports, interim
briefings, and project assessments conducted by MITRE. We also interviewed
FinCEN officials responsible for investment management and the BSA Direct
R&S project, the contractor conducting the BSA Direct R&S project, and
MITRE officials involved in the project. We conducted our review according
to generally accepted government auditing standards between May and July
2006.

In late June 2006, we provided a detailed briefing to your staff on the
results of this work. The briefing slides are included as Enclosure I. The
purpose of this letter is to publish the briefing slides and to transmit
our recommendations to the Director of FinCEN.

                                Results in Brief

On March 15, 2006 the director of FinCEN placed the Retrieval and Sharing
component of the BSA Direct project under a temporary "stop work" order
because of significant cost, schedule, and performance issues. For
example, phase one of the project was planned for completion in 250 days
but was actually completed in 373 days.

Judging against the criteria of GAO's framework for information technology
investment management , GAO found that FinCEN did not always apply
effective investment management processes to oversee the BSA Direct R&S
project. This, in part, contributed to the problems experienced by the
project, because issues that occurred at the project management level
continued and compounded, yet were not addressed at the executive level.
For example, MITRE-the organization assisting FinCEN with project
monitoring-identified multiple occasions where FinCEN did not take action
to mitigate project risks or address significant de-scoping of project
functionality.

2 See U.S. GAO, Information Technology Investment Management: A Framework
for Assessing and Improving Process Maturity GAO-04-394G (Washington,
D.C.: March 2004).

FinCEN is considering three basic options in determining whether or not to
continue the BSA Direct R&S project. These include reestablishing a
modified contract; finding a new contractor to take over the project; or
terminating the contract and assessing needs and plans for new
capabilities. FinCEN's inadequate application of sound information
technology investment management processes and controls to the BSA Direct
R&S project contributed to the cost, schedule, and performance issues that
have plagued the project from its inception. FinCEN plans to determine the
future direction of BSA Direct R&S in mid-July 2006. Regardless of what
decision is made, FinCEN runs the risk of having similar problems and
similar results in the future unless better investment management
processes and procedures are put in place.

                      Recommendation for Executive Action

In light of the issues experienced on the BSA Direct R&S project, we
recommend that the Director of FinCEN direct the Chief Information Officer
(CIO) to develop a plan for improving the agency's capabilities for
overseeing the BSA Direct project. The plan should focus in particular on
establishing policies and procedures for executives to regularly review
investments' progress against commitments and take corrective actions when
these commitments are not met. In addition, the plan should (1) specify
measurable goals, objectives, and milestones; (2) specify needed
resources; (3) assign clear responsibility and accountability for
accomplishing tasks; and (4) be approved by the Director of FinCEN. In
implementing the plan, the FinCEN CIO should report progress against
expectations to the FinCEN Director and take appropriate actions to
address deviations.

                                Agency Comments

In commenting orally on a draft of this report, the Acting Deputy Chief
Information Officer stated that FinCEN concurred fully with our findings
and recommendation.

James R. White

Director, Strategic Issues

Enclosures (2)

Enclosure I

Enclosure II

GAO Contact and Staff Acknowledgments

GAO Contact

James R. White, (202) 512-5594 or [email protected]

Acknowledgments

In addition to the person named above, Timothy Hopkins, Robyn Howard,
Brian James, Signora May, Donna Miller, Sabine Paul, David Powner, and
Katrina Taylor made key contributions to the report.

(450500)

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov ). Each weekday, GAO posts newly
released reports, testimony, and correspondence on its Web site. To have
GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548

Public Affairs

Paul Anderson, Managing Director, [email protected] (202) 512-4800 U.S.
Government Accountability Office, 441 G Street NW, Room 7149 Washington,
D.C. 20548
*** End of document. ***