ACAMS Today: The Regulators Have Spoken - Technology Leads to Effective BSA/AML Compliance
Innovation and Technology Will Boost the Effectiveness and Affordability of BSA/AML Compliance
A U.S. Treasury working group consisting of top regulatory agencies, including the Financial Crimes Enforcement Network, the Federal Reserve’s Board of Governors, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the National Credit Union Administration, has put out a call for Bank Secrecy Act/anti-money laundering (BSA/AML) compliance to become more effective, affordable, and sustainable. To drive this positive change, according to the working group, banks need to, as the old Apple ad exhorted, “think different”—and think technology.
In a written statement issued on December 3, 2018, the five agencies urged banks to consider, assess, and, where appropriate, “responsibly implement innovative approaches to meet their . . . BSA/AML compliance obligations,” including finding “new ways of using existing tools and adopting new technologies.” The statement offers helpful illustrations of what the regulators have in mind. For example, it notes that some banks are already building internal financial intelligence units (FIUs) to identify “complex and strategic illicit finance vulnerabilities and threats,” while others are experimenting with artificial intelligence (AI) and digital identity technologies. Importantly, the agencies made clear that banks will not be punished for unsuccessful attempts at BSA/AML innovation; regulators will refrain from subjecting banks to supervisory criticism in such cases. And pilot programs that expose gaps in a firm’s BSA/AML compliance program—gaps not otherwise identifiable under existing processes—will not form the basis for supervisory action.
This reassurance addresses a common concern among bank management: the prospect that powerful new regulatory technology (or so-called “RegTech”) might unearth unmitigated financial crime risk lurking in a firm’s customer book, thus inviting greater, not less, government scrutiny. The regulators’ message is loud and clear: They will not sanction banks for using technological innovation to bolster BSA/AML controls. Instead, as underscored in the public statement, these agencies will continue to assess the adequacy of a bank’s suspicious activity monitoring processes independent of any pilot program, and the use of innovative approaches will not yield additional regulatory expectations.
A driving force behind the Treasury’s policy statement is the increasingly unsustainable cost of compliance. The paper hints as much when noting that technological innovation will not only better protect the U.S. financial system, but also “maximize utilization of banks’ BSA/AML compliance resources.” This taps into a harsh but very real truth: BSA/AML compliance has become expensive, bloated, and not always particularly effective. For large banks, this manifests in the often frustrating inefficiency of key controls that underpin an AML program.
Take automated transaction monitoring or “TM,” for instance. Virtually every large financial institution uses scenario-based TM systems to identify suspicious activity by customers and counterparties. Current TM systems, though, are both costly and exceedingly complex. And not only are they onerous to build and properly maintain, but TM systems nearly always “over-monitor.” That is to say, they cast too wide a net in surveilling for illicit activity, which results in a disproportionately low conversion rate of TM alerts to suspicious activity reports (SARs). In other words, financial institutions invest in lots of expensive and complicated equipment—and the resources necessary to understand and run that equipment, and then to analyze its output—with not enough payoff in terms of identifying bad actors, mitigating financial crime compliance and regulatory risk, and protecting the financial system.
Another bedrock BSA/AML control is know your customer (KYC) information, which includes gathering due diligence that is adequate to support a reasoned analysis and management of a customer’s financial crime risk. Many banks still rely on manual, search engine-driven due diligence that is consumer (not risk) focused, difficult to audit, and subject to jurisdictional data protection laws, while producing a deluge of time-consuming hits focused on the wrong context. The upshot is a key BSA/AML control that falls well short of delivering a full and informative risk picture of a customer or party. Moreover, financial institutions continue undertaking enterprise-wide BSA/AML risk assessments that are based on tools of the past—spreadsheets, tables, email, and instant messaging—which are manual, time-intensive, and error prone.
The Treasury’s public statement is a tacit nod to these painful industry realities. But it’s also a welcome invitation for banks and other financial institutions to boost their BSA/AML effectiveness and cost savings—and compliance sustainability—with some innovative thinking. The regulatory agencies are practically shouting from the rooftop that they will not stand in the way of innovation. Fortunately, superior, technology-enabled BSA/AML solutions already exist.
Indeed, arguably the most promising involves AI and machine learning. Some technology and compliance firms are using machines to overcome the constraints of human-based research, automating routine tasks that bog down BSA/AML professionals and enabling risk-based decisions more quickly and accurately. AI can minimize noise in the indexed web and proprietary databases by understanding language and context, navigating results like a human researcher. FCC experts can actually train AI to read, understand, and analyze content with the same approach and cognitive reasoning of a human. The pay dirt is an automated tool that can identify, classify, and rank risk-based information, while removing duplicates and false positives along the way. Operations and compliance personnel are freed up to do what they do best: assess risk.
Yet BSA/AML RegTech is not just confined to futuristic thinking machines. As noted, the Treasury working group references how some large organizations are already developing internal FIUs that, in essence, function as private sector analogues of FinCEN. FIUs ordinarily use intelligence gathering and human-driven, proactive data analytics to supplement the more passive surveillance capabilities of scenario-based TM systems. Opportunity for innovation also exists by simply applying web-based technology to foundational financial crime compliance (FCC) practices. Consider enterprise-wide BSA/AML risk assessments: Many organizations continue to complete these risk assessments through Excel spreadsheets that are handed down from year to year. But organizations need risk assessments that are repeatable, auditable, and not highly manual—everything a spreadsheet is not. Administering risk assessments using a web-based application, rather than a spreadsheet, can centralize and automate process administration, data collection, analysis, and reporting. This offers a simplified and streamlined approach to a basic BSA/AML process that not only helps ensure a more accurate assessment of money laundering risk, but also saves time and money. In other words, exactly the kind of innovation that can “maximize utilization of banks’ BSA/AML compliance resources,” as encouraged by the Treasury working group.
Ultimately, nearly endless spending on BSA/AML compliance is simply not sustainable for banks and other financial institutions. The message from the top U.S. financial regulators is clear as day: Firms should think different, and think technology, to make BSA/AML compliance more effective and affordable.