Artificial intelligence - the next development in KYC compliance
Nigel Nicholson, GreyList Trace, CEO, Twickenham, 17 October 2020
Few industries are immune to the power of algorithms to transform the way in which they do things. This article predicts their effect on the work of compliance officers and money-laundering-reporting officers who strive to 'know their customers' effectively.
As a chartered accountant and regulatory compliance man who has traced financial assets and facilitated corporate finance for decades, I deeply admire the diligence, dedication and professionalism of compliance folk in organisations large and small. Far from being a necessary evil, the compliance officer safeguards the reputation and integrity of his organisation and creates a platform upon which it can grow and thrive.
I do not see compliance as a defensive job. If a financial firm complies with its regulatory obligations swiftly and efficiently, it can make itself powerful and compete well in a crowded marketplace.
I often muse about whether compliance is a mechanical process governed by forms and procedures and beset by frustrating delays that occur when vital pieces of the jigsaw take forever to materialise or can never be located, or whether it is an art form in which people have to be creative as they pick their way through an ever-expanding maze of information, both written and digital, using the tools and mechanisms at their disposal. At any time they might reach a dead end because somebody has not disclosed enough information or because laws designed to protect the information and assets of the righteous have proven to be just as protective towards the undesirable or the criminal. Everyone is chasing favourable results, but these results can often take a very long time to materialise.
The time, cost and complexity of the compliance process has long been both significant and unpredictable. More and more information is stored in digital format and it should be easier to access than it was before. In many situations it is relatively easy to spot information in one's 'home' jurisdiction, but it is a real effort to trace connections and transactions that cross borders – especially since these international transactions are becoming more numerous and are moving faster all the time.
Although there is ever-more information to find and ever-more places in which to find it, it is also becoming easier to miss crucial information and this can cause trouble. The environment is fluid and the compliance process needs to have a long reach and be well-thought-out and adaptable. Any technique that can lead to an early conclusion has to be welcome.
The other very real challenge that faces a compliance officer who tries to interrogate digital data is to stay 'legal.' The compliance process has to obey the right laws and be ethical. This can be frustrating when vital data is “out there” but the compliance officer cannot obtained it legally. However, despite the fact that every organisation wants to 'onboard' clients and do business with them, the compliance function cannot be frustrated or corrupted. It must find a legal way to gather valuable information that can make the difference between onboarding a client and not.
The good news is that the sector is always benefiting from advances in technology. Artificial intelligence (AI) tools are going to change it greatly. Using sophisticated algorithms, AI can now achieve far better results than previous software in terms of speed, cost and accuracy, while also removing much of the complexity, secrecy and unpredictability that people used to associate with the job of locating information.
Artificial intelligence
More and more AI platforms are entering the compliance and "know your customer" (KYC) market. Rapid technological change is the order of the day, but there is still a long way to go. For example, when a bank acquires another bank, along with its customer and loan portfolio, the time and resources that it has to spend to bring the KYC files up-to-date can be prohibitive. Its teams of people (internal and external) struggle to cope. Often the process involves many changes in its approach and methods. This is an area in which human labour is vital, but it nonetheless cries out for more effective technology.
AI might turn much of compliance from an art form into a science. Software can already “tick the boxes” when the routine onboarding of “respectable” customers is taking place. AI, however, can spot potential clients who have undesirable or criminal proclivities by digitising the methods that psychologists might use to profile them.
This job is getting harder. Criminals are becoming smarter and smarter at hiding connections and assets of dubious provenance. Any national law-enforcement agency will tell you that fraudsters are using more and more institutions in more and more jurisdictions to hide their assets and the task of cross-border tracking is growing exponentially. While the UK’s Serious Fraud Office might be able to find monies hidden in the UK fairly easily, once assets cross borders it finds this tough. Criminals are getting more and more adept at using privacy and banking secrecy laws to help them conceal connections and hold on to assets, leaving the compliance and investigation industries with a big task on their hands.
AI is rising to the challenge. For example, the GreyList Trace platform can establish within just a few weeks, and totally legally, whether there has ever been any contact between the email address, or addresses, of a person of interest and the account management and operation functions of the 220,000+ banks and branches in the world. By combining algorithms with a sophisticated bank database, and without ever infiltrating a bank’s systems, GreyList can identify, with a very high degree of accuracy, all of the banks where a certain HNW individual has a bank account, or has had one in the recent past. Other AI techniques can scrape information from the Web, regulatory databases and social media accounts to fit together the pieces of a jigsaw puzzle and predict the images that might be on the missing pieces even though the investigator does not necessarily know what the full picture looks like.
In cases of money laundering, AI can spot connections between HNW individuals and sanctioned and blacklisted banks or sanctioned and undesirable organisations. It is often possible to keep a name out of the headlines in such situations, but it is much more difficult to suppress details of email addresses or other digital identifiers. AI can also spot patterns of communication among groups of people. GreyList has the technology to do this. Others have as well.
How it works
There are two broad types of AI technology that wealth management firms are deploying in the compliance and KYC industry. The first follows the strict dictionary definition of doing by machine what a human being can do, but much faster and more efficiently. This includes sweeping the entire Web for visible and direct information and evidence of communication between two or more parties. This can entail mining social media or trawling websites, but it is an activity that a human being, given long enough, could do. However, a vast amount of data now exists in many languages, so the human could take many months and years to investigate even a single case. By using a machine, he can often complete the process in a matter of minutes, allowing him to evaluate the output and prioritise the areas that can fruitfully be probed further. This is a perfect use of technology because it lets the machine do the “grunt” work and empowers the compliance officer to take informed decisions and act on them.
The second type of AI goes further and involves technology capable of doing more than any human being could do. GreyList, for example, works by converting the email address of a person of interest into a piece of code whose interaction with a bank’s spam filters can be tracked and measured in milliseconds, at the same time adjusting for the highly variable speed and quirks of the global Internet. No individual equipped with a digital stopwatch could ever invade cyberspace to do this.
One of the reasons why such a process is feasible is the fact that, despite the ever-evolving nature of communications technology, wealth management firms still rely heavily on the use of something relatively old-fashioned: an individual’s email addresses. Banks, for regulatory and operational purposes, rely on hierarchies to filter incoming email communications and know whether those email addresses belong to customers or not. When they are trying to spot connections, desirable or otherwise, the email address remains the primary source of identification and verification. In fact, it is becoming even more integral to banking relationships than ever before.
AI in action
Compliance and KYC are such a broad subject that you will have to forgive me for looking at the use of AI in just one segment of the whole. This is a segment in which I have detailed and recent experience - the job of establishing whether the subject of a compliance/KYC check has connections with sanctioned financial institutions or other sanctioned organisations. This includes the job of finding out whether two persons of interest have been in communication by means of the same methodology.
Technology (and the GreyList algorithm) ensures that it now takes only a few seconds of processing time to prove conclusively, and totally legally, whether any two email addresses have ever communicated with each other, in one direction or in both. This is a rather useful thing to know if the two owners of those email addresses have denied, perhaps even to a court, that they have ever communicated with each other. It might also come in useful if the compliance officer suspects that a former partner or employee has breached a "standstill agreement" and is already trying to poach former customers or employees. Within a few weeks, this kind of AI can find every bank in the world in which an individual, or any of that individual’s proxies, has an account. If it reduces the set of all banks and branches from 220,000 to a subset of several hundred (sanctioned banks, or any bespoke combination of banks or countries) it can reduce the timescale to mere days or even hours or minutes. When it is deployed to look for connections that an applicant for business has with this-or-that bank, we are down to just a few seconds. This is of immense use to the compliance officer, raising "red flags" which immediately disqualify an individual or organisation and/or suggest the need for more detailed investigation.
In a case earlier this year, the GreyList algorithm was used in a situation where the former prime minister of a country denied knowing or having any communication with a prominent businessman in an adjacent country. GreyList Connect established that two of his email addresses had communicated in both directions with three of the businessman’s – six positive pairs of connections, each of which was established at in excess of 98% probability. Needless to say, the results had major repercussions.
The AI algorithms know no borders and this is a very important fact. The job of tracing connections between people in Japan, Ecuador, North Korea or Wales (OK, now you know where I was born!) is no more difficult than tracing them within the borders of one country, because the technology is testing communications in a way that cuts through any and all physical and legal barriers. We are all familiar with cases that involve a company established in an initial jurisdiction that becomes a director and shareholder of a company in a second jurisdiction, with that company in turn becoming a director and shareholder of another company until the ownership of the asset or of the bank account has travelled through 30 companies in 30 countries, many of which still have secrecy rules at some level or another.
It is company 30 that has the bank account where the money resides. If this bank is an unacceptable one, up goes the red flag. Using conventional techniques, the job of finding that connection would entail the pursuit of an incredibly complex chain of ownership, probably ending in failure. With AI, the technology finds the answer straight away, pinpointing the connection at the end of the chain. If there is a need to reconstruct that chain, the good news is that other AI programmes can help in that process.
The KYC process transformed
Today's compliance methods are effective but constrained by many problems that can render them frustrating and slow. AI has the potential to speed up many different parts of the KYC process. It is inevitable that the future will bring more automation, more technology more electronic investigation with it because our world is becoming more cyber-centric and pieces of paper are ceasing to matter.
Human beings will continue to play a crucial part because they can inject common sense, insight and experience into the process. Nevertheless, the toolkit available to the compliance industry is becoming far more sophisticated and this is something we should all embrace.
* Nigel Nicholson can be reached at nigel.nicholson@greylisttrace.com