Money Laundering Bulletin: Step by Step – AI into AML
This article originally appeared in Money Laundering Bulletin, September 2018.
Compliance cost escalation, notably around customer due diligence and alert management, is driving exploration of how advances in computing might yield efficiency gains while not compromising or, still better, enhancing existing anti-money laundering (AML) productivity. Sarah Gibbons reviews some state-of-the-art financial crime RegTech.
RegTech firms are pushing new artificial intelligence (AI) solutions for customer due diligence (CDD) but AML reporters and regulators are wary about integrating them with legacy systems. Such reluctance is a pity, said Dan Adamson, DDIQ president and global head of cognitive computing at New York-based Exiger, given the increasingly vast amount of data generated by existing non-AI IT. DDIQ is an AI-based due diligence solution.
Enhance or replace?
Exiger offers AI and machine learning-based systems to assimilate information from multiple big data and third-party sources, sold as standalone operations capable of overlaying existing processes without duplication. Exiger’s DDIQ cognitive computing product, said a company note, is "an AI-based automated solution that accelerates and enhances risk assessment...automating tasks that bog down compliance professionals”. It searches open and deep web sources, including watch, sanctions and politically exposed persons (PEP) lists, regulatory sites and company registries to produce a comprehensive profile in minutes, ranking and categorising risks suitable for auditing by regulators: "DDIQ uses AI to read, understand, and analyse content with the same approach and cognitive reasoning as a human... without the constraints. Compliance professionals are left to do what they do best: assess risk”. The product also acts as an early warning system, flagging accounts with potential adverse changes so efforts can be focused on early review and escalation.
The need to utilise such tech is clear. Regulations are becoming increasingly demanding. On 11 May 2018, the US Department of the Treasury's Customer Due Diligence (CDD) final rule came into force, strengthening the Bank Secrecy Act (BSA) which authorises regulator FinCEN to impose AML programme requirements on US financial institutions.
The new legislation makes explicit the requirement of an institution to identify and verify customers and the beneficial owners of companies opening accounts, understand the nature and purpose of customer relationships to develop a customer risk profile, and ensure ongoing monitoring for reporting suspicious transactions and, on a risk-basis, maintaining and updating customer information. That could mean a lot of new systems.
The need to handle such upgrades with care was underlined in March 2017 in a report by the UK's Financial Conduct Authority (FCA): 'New technologies and anti-money laundering compliance'. It said recent reforms to AML rules, such as beneficial ownership and financial information sharing legislation, had often forced institutions to design new onboarding processes "in haste", leaving them too expensive and inefficient because they were developed in response to regulatory change rather than designed with operational efficiency in mind.
Some have been trying to bolt AI and big data analysis onto legacy systems, some dating back to the 1970s, causing "significant challenges”, the report said. This has created knock-on problems, with companies fearing compliance fines if their tech upgrades do not work, said Jonathan Symonds, chief marketing officer at California-based Ayasdi, an AML solutions provider currently working with HSBC. But he says this is the wrong response – rather companies should be bold and invest in a comprehensive AML tech makeover that uses the latest innovations: "There are no slaps on the wrist anymore – there are very far-reaching penalties, real money” he said. "It costs a lot less to solve the problem than to take the fine”.
New and emerging technologies, including machine learning, natural language processing (NLP) and blockchain, have the potential to have a "transformative impact" on AML capabilities, the report concluded.
And tech can help reduce the risk of upgrades. Solutions, such as DDIQ, offer real time analysis of risk at onboarding, part of a package of ongoing monitoring of system performance.
Also, if AML regulators and reporters are careful, Ayasdi's Symonds said, they can upgrade existing AML systems piecemeal rather than as "a forklift upgrade on their existing AML systems", targeting key AML processes and applying machine learning and AI to these areas. If done right, this can "often dramatically, the performance of these legacy systems”. He cited one major global bank reducing false positives by more than 20% with Ayasdi's customer segmentation solution operating "upstream of the traditional transaction monitoring system and [having] required no other software changes”.
Software can also make it easier for customers to help AML reporters conduct CDD checks, said David Crack, from CDD Services, based in Manchester, UK, which is about to launch an app that organisations will download to complete initial CDD checks before passing on data that can be entered into legacy systems automatically.
Adamson agreed, indicating the industry "has learned from its mistakes" of trying to bolt know your customer (KYC) transformation programmes onto existing systems, instead moving to "lightweight integrations and stepwise transformations that focus on optimising one area at a time".
Ultimately, being smart about regulatory change saves a lot of expense and hassle, said Adamson. "When the regulatory changes occur faster than your ability to implement new systems, we get where we are today – a lot of ‘throwing bodies’ at the problem” he said. "This isn't sustainable in the long run”.
Looking ahead, if teething troubles are overcome then for reporters and regulators, AI promises great benefits, handling roles previously undertaken by human operatives, and speeding up processes: for instance, scenarios that trigger an investigation might be detected automatically, reducing subjectivity; and AI can work with data duplication rather than drowning in replica information thrown up by legacy systems.
Ayasdi uses mathematical formulae to analyse 'topology' or the shape of data in its technology which automatically assembles self-similar groups of customers and customers-of-customers. "This allows the bank's subject matter experts to tune the thresholds within each scenario but from a principled starting point”, said a company note, which added: "A critical, often overlooked step in AML workflows is the ability to explain what has driven the creation of these groups...”, highlighting what actionable concerns might have driven such segmentation and the ranking. The system produces a complete documentation workflow, including potential decisions that can flow from this information which can be shared with internal model governance boards and external regulators. It constantly assesses newly arriving data, identifying changing patterns and suggesting updates to segments and rankings, tweaking behavioural characteristics that may flag concerns and prompting ID checks that are at the heart of CDD.
The right blend
Ultimately, an alliance of skilled humans and appropriate machines works best: "When there's a sea of false positives it's critical that you can filter out that amount of noise and concentrate on the 5% that matters which is what our system allows” said Exiger's Adamson. "Because the work is more focused spending time on specific issues rather than a sea of hits, efficient technology doesn't necessarily affect headcount – people are generally reallocated”.
Symonds agreed, saying: "People aren't very good at putting together 100 tiny factors, so it's a man and machine solution that's required. Systems help with things people aren't very good at, but humans will always be in the loop”.
Indeed, a spokesperson for the World Bank has warned: "Money laundering and terrorist financing activities are precisely conducted with the intent to 'fool' CDD systems by presenting a façade of compliance. As a result, CDD systems can only assess probabilities that need to be verified by human analysis. In short, CDD will always need to have a human component to complete the work of automated systems”.
To make this really work though, regulators need to be upskilled in technological advances so that regulations and their policing of such controls work effectively, said both Crack and respondents in the FCA report.
Crack, for instance, noted that regulators often did not help the development of effective data systems, by creating rules without effective consultation with IT developers, who then have to design technology around these rules, rather than being able to anticipate them: "The difficulty is analogue regulators trying to create regulations for digital migrants. Regulators don't have the vision to allow digital migrants to develop real solutions”.
The Financial Action Task Force (FATF), at least, is aware of the need for dialogue, holding regular discussions with FinTech and RegTech providers "with the overall objective to support innovation in financial services, while addressing the regulatory and supervisory challenges posed by emerging technologies", said a note from the global body. FATF has been assessing the benefits of using digital identities within CDD systems, and potentially integrating such solutions into FATF recommendations to support the growing use of digital IDs in onboarding by reporting entities.