Regulators give nod to AI, emerging tech for AML programs

The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, FinCEN, the National Credit Union Administration, and the Office of the Comptroller of the Currency recognized “that private-sector innovation, including adopting new technologies and finding new ways to use existing tools, can help banks identify and report money laundering, terrorist financing, and other illicit financial activity.”

“New technology, such as artificial intelligence and machine learning, can provide better strategies for banks of all sizes to better manage money-laundering and terrorist-financing risks, while reducing the cost of compliance,” FDIC Chairman Jelena McWilliams said in a statement.

Financial institutions are becoming increasingly innovative and sophisticated in their approaches to BSA/AML compliance, commensurate with their risk profiles, the regulators wrote. For example, some banks and credit unions are experimenting with digital identity technology to enhance their programs.

In response, each of the federal banking regulators has established, or will establish, programs to support the implementation of responsible innovation and new technology in the financial system. “While bank management should continue to follow existing protocols for communication with their respective regulators, these projects and offices may serve as points of contact to facilitate communication related to innovation and new technology,” they wrote.

The joint statement, issued on Dec. 3, is the second statement resulting from a working group formed by the agencies and Treasury’s Office of Terrorism and Financial Intelligence that focuses on improving the effectiveness and efficiency of the BSA/AML regime. On Oct. 3, they issued a joint statement that gave situational consent for inter-bank data sharing.

In the latest guidance, released on Dec. 3, regulators added that they “will not penalize or criticize banks that maintain effective BSA/AML compliance programs commensurate with their risk profiles but choose not to pursue innovative approaches.” While banks are expected to maintain effective BSA/AML compliance programs, they will not advocate a particular method or technology.

The statement stressed that the implementation of innovative approaches in BSA/AML compliance programs will not result in additional regulatory expectations.

“Pilot programs undertaken by banks, in conjunction with existing BSA/AML processes, are an important means of testing and validating the effectiveness of innovative approaches,” the multi-regulator statement says, adding that while they may provide feedback, pilot programs in and of themselves “should not subject banks to supervisory criticism even if they ultimately prove unsuccessful.”

Likewise, pilot programs that expose gaps in a BSA/AML compliance program will not necessarily result in supervisory action with respect to that program. “When banks test or implement artificial intelligence-based transaction monitoring systems and identify suspicious activity that would not otherwise have been identified under existing processes, [we] will not automatically assume that the banks’ existing processes are deficient,” it added. In these instances, regulators will assess the adequacy of banks’ existing suspicious activity monitoring processes independent of any results from the pilot program.

Nevertheless, banks must continue to meet their BSA/AML compliance obligations and ensure the ongoing safety and soundness of the institution.

“Bank management should prudently evaluate whether, and at what point, innovative approaches may be considered sufficiently developed to replace or augment existing BSA/AML processes,” the regulators wrote.

Management must also consider and address other factors including, but not limited to, information security issues, third-party risk management, and compliance with other applicable laws and regulations, including those related to customer notifications and privacy. Bank management should be prepared to discuss these evaluations with their respective regulators.

To the “extent necessary and appropriate,” FinCEN says it will consider requests for exceptive relief “to facilitate the testing and potential use of new technologies and other innovations, provided that banks maintain the overall effectiveness of their BSA/AML compliance programs.”

Compliance expectations

Treasury Department Under Secretary Sigal Mandelker provided additional commentary on the push for AML technology upgrades during a Dec. 3 speech at the American Bankers Association’ Financial Crimes Enforcement Conference.

When responsibly deployed, institutions experimenting with artificial intelligence and digital identity technologies are seeing increased efficiencies and improved effectiveness. “They have helped us identify potential front companies acting for North Korea and Iran,” he said. “I have also heard encouraging reports that new technologies are helping banks reduce the rate of false positive alerts, which can free up resources to focus on more impactful activities.”

The recent regulatory statement recognizes “the value of trial and error,” Mandelker added, reiterating that innovative pilot programs in and of themselves should not subject banks to supervisory criticism, even if those ultimately prove unsuccessful. Likewise, pilot programs that expose gaps in an AML compliance program “will not necessarily result in supervisory action with respect to that program.”

The Treasury Department is also encouraging its international partners “to take urgent action to strengthen their AML/CFT frameworks for virtual currency and other related digital asset activities,” he said. “The lack of AML and Combating the Financing of Terrorism (CFT) regulation of virtual currency exchangers, hosted wallets, and other providers—and, indeed, of the broader digital asset ecosystem—across jurisdictions exacerbates the associated money laundering and other illicit financing risks.”

While the United States “regulates, supervises, and brings enforcement actions relating to virtual currency and other digital asset financial activity, many more countries must follow suit,” he said, adding that this is a priority of international outreach, including through the Financial Action Task Force.

Clarity of expectations in enforcement actions

Mandelker took the opportunity to address how new technology will be considered in an enforcement context.

“I know from my time in the private sector that the compliance community parses every single word that comes out of a government agency, especially as part of an enforcement action,” he said. “That is a good thing. It means that compliance professionals care about getting it right. At the same time, it is incumbent upon us as regulators and policymakers to help you in that effort by making our expectations clear.” 

For example, to aid the compliance community in strengthening defenses against sanctions violations, Treasury’s Office of Foreign Assets Control will be detailing the hallmarks of an effective sanctions compliance program. Among those qualities:

• ensuring senior management commitment to compliance;
• conducting frequent risk assessments to identify and mitigate sanctions-specific risks within an institution and its products, services, and customers;
• developing and deploying internal controls, including policies and procedures, to identify, interdict, escalate, report, and maintain records pertaining to activity prohibited by OFAC’s regulations;
• testing and auditing to identify and correct weaknesses and deficiencies; and
• ensuring all relevant personnel, particularly those in high-risk areas or business units, are provided tailored training on OFAC obligations and the compliance program.

“Going forward, these types of compliance commitments will become an essential element in settlement agreements between OFAC and apparent violators,” Mandelker said. “Implementation of these commitments will ensure that companies are aware of their OFAC obligations and dedicating sufficient time and resources towards compliance. These resources must go far beyond merely screening the Specially Designated Nationals and Blocked Persons List.”

Moving in the right direction

The multi-regulator policy on technology improvements to AML programs was an “unprecedented step” and “great news for banks, who until now have been forced to use antiquated detection systems that generate tens of thousands of alerts each month with 90-plus percent false positive rates, and often fail to identify real crimes,”  says James Heinzman of ThetaRay, a global cyber-security and big data analytics company that offers an AI solution for financial crime and fraud detection.

“I think the regulators clearly acknowledged that the existing systems just aren’t working, and they have to do something different,” Heinzman says. The new guidance, he says, will encourage new technology by making it clear that adoption will not necessarily trigger new liabilities for executives in general, and CCOs specifically.

“A concern banks had was if they bring in this new technology, and it finds a bunch of bad stuff that they can’t find with existing systems, were they going to get in trouble? Were they going to come in and say, ‘Well, you should have found this stuff earlier?’ I think the regulators really understood those concerns,” Heinzman says. “That is why this is really important guidance. They have recognized that banks struggle with legacy technologies that are not working.”

Heinzman notes that the regulatory stance regarding enhancing existing controls with new technologies offers a path for banks to test emerging technologies “to find the ones that really work and leverage them to replace the legacy technology over time.”

“Banks are transforming their back offices and moving on to digital platforms,” he adds. “When they do that, are they going to carry a 20-year-old legacy system that gets bolted onto a very shiny new digital platform? Probably not. There’s a lot of compatibility issues.”

Regulators have “given banks some latitude to try different approaches for achieving compliance,” Heinzman says. Legacy systems “are flooding banks with false positives and SARs, but a large portion of them are not relevant.”

“Compliance isn’t the number of Suspicious Activity Reports that you file. Compliance is about finding the bad guys and stopping the activity,” he adds, touting the benefits of cutting-edge technology. “We are selling technology, but it’s not about the technology. It’s not about math. It’s not about algorithms. It is really about how we stop human traffickers, terrorists, and drug cartels. How do we stop them from exploiting our financial institutions to launder money and finance financial crime? That’s the bottom line.”