New technology brings opportunities, and headaches, for CCOS

The genie is out of the bottle. No longer are conversations among compliance officers about blockchain artificial intelligence, and applied robotics academic. The technologies are no longer radical; they are increasingly commonplace.

But not everybody fully understands these technologies, so how is a non-techie compliance officer going to embrace technology in a way that actually makes their job more effective? It all comes down to project management and training.

There is, for example, an increasing use of robotic process automation (RPA) across financial institutions, particularly in the area of anti-money laundering, says Vishal Ranjane, managing director in the risk and compliance practice at global consulting firm Protiviti.

Financial institutions are increasingly exploring the possibilities of using RPA in the area of AML compliance, where it can be used for both streamlining customer due diligence and transaction monitoring processes, Ranjane says. Automation can improve the efficiency of the transaction monitoring process, and reduce the likelihood of errors and avoid penalties.

“Robots are well-suited for spotting anomalies and flagging for the attention of their human counterparts,” he explains, adding that regulators are encouraging innovation.

“AML risks are definitely evolving and banks need to be dynamic in how they handle it,” Ranjane adds. “They have been successful with technology investments, but they have increased the cost of compliance, and the tools they have in place are not as sharp as they were intended to be.”

Banks, problematically, can “see an increase in the number of alerts and too many hits that are false positive,” he says. “Then they solve the problem by throwing more people and resources at it.”

On top of that are concerns about data integrity and accuracy. How do you know that the data feeding your AML program is accurate?

“It is a very simple question, but I’ve seen banks struggle to provide a reasonable answer,” Ranjane says

Artificial intelligence can be at least a partial solution. His initial suggestion applies to any new technology implementation: Start with an overall governance structure that sets the overall strategy for implementing any solution.

“Artificial intelligence should be no different,” Ranjane says. “Banks need to consider what their overall digitization strategy is. AI is just one component of that. Once you have your governance, consider the processes and business areas where you will get the biggest bang for the buck. Know what the benefits are, what the pros and cons are, and then move forward.”

Start with a pilot in a controlled environment if possible, so you know what your outputs will be, he says. Have a deployment strategy for how new solution could be rolled out in AML and other areas of the bank. Roll the project out it out in a controlled manner and involve external entities early on in the process.

“I would consider regulators among the external entities, so you can explain the rationale and perhaps remove any concerns up front as part of your pilot processes,” Ranjane says. “You don’t want to do that after the fact.”

“Banks need to consider what their overall digitization strategy is. AI is just one component of that. Once you have your governance, consider the processes and business areas where you will get the biggest bang for the buck. Know what the benefits are, what the pros and cons are, and then move forward.”
Vishal Ranjane, Managing Director, Risk and Compliance Practice, Protiviti

AML-related compliance activities are underscored by recent high-profile failings, says John Melican, global head of the financial crimes practice at Exiger, a global regulatory, financial crime, risk, and compliance company. 

He cites the recent Commonwealth Bank of Australia money laundering scandal as an example of how any defect in a bank’s defenses can be exploited. At least four separate money laundering syndicates were exploiting the weakness related to the bank’s cash acceptance through the new ATM machines, he explains.

“Once the weakness was recognized, the criminals then turned to exploiting the weakness by opening multiple accounts and spreading the activity to enable the movements of tens of millions over a single year,” he says. “This is a prime example of how even a bank, with AML processes in place, in a lower-risk country with a well-developed regulatory framework, can be exploited by persistent bad actors.”

“As banks breed new technology, they need to make sure that technology is effectively integrated into the control structure of the bank,” Melican says.

Integrating risk management. New research from global consultancy Accenture, found in its most-recent Global Risk Management Study, makes the proposition that risk professionals are failing to harness emerging technologies and struggling to integrate risk management across business lines.

Accenture surveyed 475 risk management executives in banking, insurance and capital markets sectors globally and found less than 25 percent have integrated finance and risk departments and only 15 percent are proficient in emerging smart technologies (robotic process automation, data analytics or cloud).

Other data points:

Only 24 percent of respondents say their risk management activities are coordinated across risk types, and just 19 percent are coordinated across specific lines of business.

The integration of risk and finance remains slow, with 23 percent pointing to strong integration between the two functions. This is happening in spite of technological advances that would allow for greater coordination and sharing of data.

Successful integrators outperform their counterparts across almost all risk key performance indicators (KPIs), such as risk/ return ratios, number and frequency of conduct issues, and volume of serious data breaches.

The volume of data undermines risk efforts and 73 percent said the increased velocity, variety and volume of data impede effectiveness of risk management programs.

Legacy technologies prove challenging, and 69 percent say they impede effectiveness.

Only 15 percent of respondents have high proficiency in at least one of three emerging smart technologies: RPA, data analytics or cloud.

Steve Culp, senior managing director for financial services management consulting, says that despite the findings, there have been advances in technology integration with risk functions.

“In 2009, when we started the survey, risk was still the department that said, ‘no’ and was brought in late in many business decisions,” he says. “I wouldn’t say there is a business partner mentality now, because that is not appropriate, but it is more of an inclusive relationship.”

“While we are definitely moving in the right direction, the pace of technology is just moving faster than the pace of skill and development,” he adds.

Like others, Culp sees the value of AI and other technologies in the fight against money laundering. “Banks will have thousands, if not tens of thousands of people who are going through and checking the information around those transactions to make sure they are not nefarious in nature,” he says. “Process and analytics need to be more consistent in the way they work. The more consistency you have, the more controls you can put in place.”

Culp also recommends, as technology evolves and pushed into risk and compliance, is making sure “their pace of evolution, and adaptability to the tool sets of todays environment, are moving at as rapid a pace as possible.”

“You can’t do it all overnight, but you can be very programmatic about lifting their skills and training,” he says.

Behavioral data. Neha Gupta, CEO of True Office Learning, sums up the training revolution in two words: behavioral data.

Her firm, formerly NYSE Governance Services, is a provider of interactive e-learning software and services, specializing in governance, risk, and compliance. Its signature products are based on a cloud-based adaptive training and analytics platform. The goal, it says, is to improve employee training while also providing data-based insight to executives.

That data can yield more than a few surprises. For example, looking across client data: 48 percent of financial services employees are unable to identify consequences of not keeping expenses and entertainment within the law or policy, compared to 41 percent of the general employee population.

The concept, Gupta says, is “bringing compliance education to a much more modern, interactive experience” so that the technology can extract behavioral insights.

“Companies rather than the ‘spray and pray’ approach to training and trying to teach people about everything that can be wrong with the world, should really be targeting what employees understand and what they don’t,” Gupta says.

The opportunity, rather than check-the-box training, is to develop insights that run deep into business lines. “What do I have to do with human trafficking? Go look at your end-to-end supply chain and then we will talk about what you may have to do with human trafficking,” Gupta says.

“You want to be able to have a dialogue with the board or your regulator that is not just saying ‘98 percent of our employees have completed training,’ because that means nothing,” Gupta says. You want to prove proficiency. You want to get into he granular aspects of why people make the mistakes they do.”

“Once upon a time it was not doable,” she adds. “The only way to get this data was to go sit in a room, do a focus group study, and hope they tell you the truth. Unfortunately, there was response bias. They like to tell you what they think you want to hear.”

The data extracted from training can be dangerous “if you are not doing real time remediation,” Gupta says. “Imagine being at a big bank and finding out that 20 percent of your people don’t really understand how to deal with government officials and are unaware that even offering a discount counts as a bribe. That’s potentially tens of thousands of people in your organization and could be a huge red flag of compliance liability.”

What firms need, she says, is “insight into where the employee fell off the horse and how to put them back on.” You need to not just test recall and retention, the traditional approach to training, and instead “teach employees effective decision-making.”

How do you move away from checking the box? “That is traditionally the way they taught people. ‘Here is what FCPA stands for and if you can regurgitate it you will understand what corruption is,’” Gupta says. “The truth is that the devil is in the application. It is not about fact or knowledge recall, it is actually about application and decision making.”

“The moment you get into decision-making areas, you start to see all these blind spots,” she adds. “They may understand the definition of a government official and that you are not supposed to bribe them, but they don’t know how to apply that information to be able to say what constitutes a bribe.”