US agencies bang the drum for AML innovation
Chris Hamblin, Editor, London, 4 December 2018
The US Federal Reserve System, the Federal Deposit Insurance Corporation, the Financial Crimes Enforcement Network, the National Credit Union Administration and the Office of the Comptroller of the Currency are urging financial firms to use innovative IT to tackle money laundering.
A joint statement by the regulators mentions no rules that apply to IT at all, but nonetheless contains a stand-alone command to firms to evaluate their own attitudes towards the adoption of the new generation of IT and then to tell their regulators about the results of such evaluations.
The communiqué praises private sector 'innovation,' encouraging the development of new ways of using existing IT tools or adopting new technology that can help banks identify and report money laundering, terrorist finance and other illicit financial activity.
Although they are at pains to say that they will not advocate any particular method or technology that banks should use to comply with the Bank Secrecy Act 1970, the regulators enthuse about the next generation of AML IT in glowing terms: "Innovation has the potential to augment aspects of banks’ BSA/AML compliance programmes, such as risk identification, transaction monitoring and suspicious activity reporting. Some banks are becoming increasingly sophisticated in their approaches to identifying suspicious activity, commensurate with their risk profiles, for example, by building or enhancing innovative internal financial intelligence units devoted to identifying complex and strategic illicit finance vulnerabilities and threats. Some banks are also experimenting with artificial intelligence and digital identity technologies [which] can strengthen BSA/AML compliance approaches, as well as enhance transaction monitoring systems. The agencies welcome these types of innovative approaches to further efforts to protect the financial system against illicit financial activity."
FinCEN et al express their insistence on every bank evaluating its IT thus: "Bank management should prudently evaluate whether, and at what point, innovative approaches may be considered sufficiently developed to replace or augment existing BSA/AML processes. [They should consider] information security issues, third-party risk management and compliance with other applicable laws and regulations, such as those related to customer notifications and privacy. Bank management should also discuss their evaluations with the bank’s respective regulators."
The rationale for the command to think about new innovation and tell the regulators about the results is as follows. There is such a thing as an IT system or software package that is not 'commensurate' with the AML risks that a bank runs. The regulators say nothing about the features of such a system or software package, but they insist that it exists. If they find a bank using it, they will punish it. Their chosen means of expressing this is soft and obfuscatory: "The agencies will not penalise or criticise banks that maintain effective BSA/AML compliance programmes commensurate with their risk profiles but choose not to pursue innovative approaches."
Another threat lies in wait for banks that want to take on AI, machine learning etc. but want to test these innovations out by means of pilot projects first. There is always the deadly danger that their pilot projects will expose yawning deficiencies in their existing systems; the regulators are keen to punish them whenever they tell them - as they apparently must - that this has happened. Even if a bank's existing systems are perfectly adequate for the present day but much less efficient than the new techniques, this is always bound to trigger off a regulatory inspection of those existing systems: "When banks test or implement artificial intelligence-based transaction monitoring systems and identify suspicious activity that would not otherwise have been identified under existing processes, the agencies will not automatically assume that the banks’ existing processes are deficient. In these instances, the agencies will assess the adequacy of banks’ existing suspicious activity monitoring processes independent of the results of the pilot programme."
As the phrase "not necessarily" implies, the regulators are not even willing to set aside the threat of punishing a bank for having an existing system that is not as good as the next-generation one that it is testing.
As a further encouragement to firms to spend millions more on AML software, FinCEN says that it will consider requests for exceptive relief under 31 CFR 1010.970 to facilitate the testing and potential use of new technology and other innovations, as long as banks maintain the 'overall' (term unexplained) effectiveness of their BSA/AML compliance programmes. 31 CFR 1010.970, however, leaves FinCEN no discretion at all to bend the rules; such activity is solely a matter for the Secretary to the Treasury. He and he alone may (by written order or authorisation) make exceptions to or grant exemptions from the requirements of Chapter X of Schedule B of Title 31, where FinCEN's rules have resided since 2011. CFR is the US Code of Federal Regulations.
Somewhat irrelevantly, the regulators proclaim themselves open to discussing pilot projects for innovative BSA/AML strategies with senior bankers. They do, however, offer banks one crumb of comfort: "the implementation of innovative approaches in banks’ BSA/AML compliance programmes will not result in additional regulatory expectations."
The note was published yesterday. The regulators intend to make their 'expectations' clearer than this in future, although many US compliance officers are probably already of the opinion that enough is enough for the time being.