Money laundered through the banking system is estimated to be over 2 trillion dollars a year. A recent study by BAFT (Bankers Association of Finance and Trade) estimates that 1% of the proceeds from financial crimes are intercepted. Meanwhile, nine out of ten suspicious activities flagged by AML software in banks are false alarms.
Let’s put these numbers in perspective. 99% of laundered money is not caught. 90% of the resources spent catching suspicious actors are wasted. 100 % of US banks have known this for years.
The bottom line is that 70 billion dollars are spent every year in compliance costs by banks to intercept less than 25 billion in illicit funds.
How did we get here? Modern technology, specifically data analytics, is well-suited to address this problem. Why hasn’t this problem been solved?
Let’s look at what happened over the last few decades.
Most banks use process automation software for Anti-Money Laundering. This software was designed many years ago based on abstracting human tasks and automating them to be more efficient. This seemed like a very good idea at that time when AML/BSA/CFT compliance was a matter of running through a checklist.
This was a very efficient solution until the stakes for non-compliance became very high. The business process was no longer effective and there was no provision in the software to change it. Meanwhile, financial crimes posed a clear and present danger to banks. Banks did the only thing they could do to solve the problem – they created manual workarounds to process automation and hired more people to implement them.
Bank compliance teams are well-aware of the limitations of the process and use their judgement to execute their functions while staying within guidelines. However, exercising sound judgement does not necessarily free them from the tyranny of a process designed for a different time.
It is not unusual to see a bank increased its staff ten-fold in five years. Many people in banks have been deployed to manually (and intelligently) intervene where the software fell short. As banks continue to be fined for AML related activities, staffing continues at a frantic pace. Today, banks are actively looking at hiring more compliance people. Some are also moving compliance teams to low-wage geographies to reduce the burgeoning cost for compliance. Others are looking for outsourcing firms to manage this business process.
What is a banker to do?
Here are a few things to consider.
#1 There is No “App for That”
A risk-based business process is not something you buy. It’s something you do.
The FFIEC manual on AML/BSA says “The first step of the risk assessment process is to identify the specific products, services, customers, entities, and geographic locations unique to the bank.”
Sadly, this requirement is in direct conflict with the specifications of packaged enterprise software. This software was created as a solution that works for all banks. It caters to the “least common denominator” requirement of a large number of banks. It is very unlikely that a business process built into an enterprise solution will be optimized to a bank’s unique risk profile.
Today, when you buy a traditional AML software application you tacitly commit to a business process that goes with it. If the business process does not suit the risk profile of your bank, you need to deal with it. You can follow the process anyway even though it is neither efficient nor effective and rationalize it as an industry standard solution. You can also manually override the process and customize it to your needs. The first is not sustainable and the second requires manpower and resources, the extent of which depends on the amount of customization.
A third choice is to re-design the business process. This requires re-examining the objectives of the process and the underlying technology. It also means convincing your bank examiners that an updated process is more effective, efficient and minimizes risk.
A risk-based process can be broken down in terms of the 4 M’s – Measure, Monitor, Manage and Mitigate. There is some skill involved in deploying the right combination of human intelligence and machine intelligence in deploying such a process. As a bank, you have a unique understanding of your risks. These risks will determine your business process and the allocation of resources to that process.
An important question to ask a technology vendor in implementing a risk-based process – will the technology drive process, or will the process drive technology? If the process drives technology, will it let the bank change its business process when the risks change?
The question to ask yourself – how are the vendors’ incentives aligned with those of the banks’? Do they get paid for the success of a risk-based process, or for selling a software license and billable hours irrespective of the outcome?
#2 Understand the Modeling Math
Mathematical models can make your AML process more effective and slash your costs if (and only if) they are implemented judiciously.
George Box, a British statistician, is credited with the quote “all models are wrong, but some are useful”. A model cannot guarantee or predict an outcome, but it can provide a metric for its accuracy. Understanding model accuracy is a key input to designing a risk-based process.
Let’s take an example.
Current models used by AML software are wrong 90% of the time. Which means when they call out 100 suspicious actors, only 10 of them are suspicious enough to require a SAR (suspicious activity report) to be filed with FinCEN. A better model may produce 80% false positives for those 10 SARs. The second model is an obvious improvement. What is not so obvious is that the second model will produce a 100% increase in productivity because it produces only 50 alerts for the same 10 SARs – and only needs 50% of the resources.
Both models have a finite possibility of being wrong and letting some bad actors slip through the cracks. However, the second one is more useful. A model’s usefulness can be measured in mathematical terms which can be the basis for allocating resources to the business process.
The important question to ask a vendor who provides a model is – how can a model’s performance metrics be used to modify the business process?
The question to ask yourself is – do I clearly understand the trade-offs of using a risk-based approach powered by a mathematical model? Can I explain this approach to a regulator during a bank examination?
#3 Regulatory guidance is global. Bank exams are local.
The long-term impact of policy changes is often underestimated. The short-term impact of these changes is often overestimated.
Bank regulators are encouraging banks to adopt new technology to make it easier to manage AML processes. A recent report from the US Dept. of Treasury says “Regulators should not impose unnecessary burdens or obstacles to the use of AI and machine learning and should provide greater regulatory clarity that would enable further testing and responsible deployment of these technologies by regulated financial services companies as the technologies develop.”
This is a welcome change from the past. Implementing this change will need alignment with the rank and file of all regulatory organizations. Regulators understand that this entails a process of education and training of bank examiners to familiarize them with the technology.
Much as we would like changes to be immediate, banks and regulators have a history of being deliberative in adopting new ways of doing things. There is a natural gestation period between policy changes and gaining familiarity with new approaches by bank examiners and compliance officers.
Recent guidance from regulators indicates that the stage is set for pilots to deploy in a manner where bankers will get some relief from regulatory scrutiny. This will make it easier for banks to try new technologies.
The important question to ask a vendor who provides a new technology is – can they help you through the transition to the new way of doing things?
The question to ask yourself is – can my bank define a path from the current situation to a future where new technology can be used to work with regulators?
In the science fiction film, The Matrix, Neo, played by Keanu Reeves, is given a choice between the blue pill of comfort coupled with ignorance and the red pill of reality that has an uncertain future. The rebel leader’s closing words to Neo are – “Remember, all I am offering is the truth. Nothing more.”
Here are our truth offerings on AML for bankers:
Shirish Netke is president and CEO of Amberoon Inc., a provider of solutions to measure, monitor and manage risk and compliance for banks and financial institutions using contemporary technologies. Shirish has led companies in the area of software, services and electronic entertainment. He was one of the first evangelists for Java when it was launched by Sun Microsystems. Follow him on Twitter.