The Problem with AML Today & How to Fix It – Part 1: The AML Problem
Part I - The AML Problem
The latest discoveries around the massive scale of money laundering at Danske Bank and ING are just two of the most recent examples of an underlying problem with the Anti-Money Laundering (AML) discipline. Despite increasing efforts and investments focusing on the AML problem, money laundering techniques continue to evolve and evade the controls implemented by Financial Institutions (FIs). More and more industry voices decry the efficiency and effectiveness of the current AML approach – which entails running all transactions through a series of automated checks to spot anomalies based on a large set of pre-defined typologies provided by experts.
Groups such as FATF and state regulators worldwide publish guidelines that specify which transactions should be reported to them, or flagged as suspicious and analyzed by FIs before being reported to government authorities. But there is ample evidence that this approach fails to catch terrorists, criminals, and insiders who use the financial system to their benefit. Unfortunately, automated transaction monitoring has created sizable teams of costly staff and consultants. This increasing expense drives many FIs to discredit (or under-invest in) established AML practices, further weakening their system’s ability to prevent criminal abuse—while increasing regulatory and compliance risk.
Beware of the Buzzwords:
Lately, a slew of advanced technologies has been promoted as potential solutions to help FIs meet AML regulatory expectations without ‘breaking the bank’. These new AML technologies are often promoted with the same trending technology ‘buzzwords’ prevalent in general markets. In 2016, ‘Big Data’ became the supposed cure-all to every ineffective enterprise data management system. It was also pitched as the solution to reducing AML overheads. The hottest buzzwords of 2017-2018 have been ‘Machine Learning’ (ML) and ‘Artificial Intelligence’(AI), hotly promoted as game-changing technologies for the AML domain.
To date, however, no ML or AI solution has been declared to solve the core problem: lack of efficiency of current AML procedures and systems, that are highly expensive and perform poorly against their stated objective – finding money laundering and criminal usage of the financial system. But a more pragmatic solution has been proposed, in the shape of Robotic Process Automation (RPA).
RPA, Not Just Another Buzzword
Increasingly stringent AML regulations have necessitated the implementation of sophisticated monitoring systems at banks and other financial institutions (FIs). During the years, FIs have undertaken a variety of ‘process optimization’ initiatives to gain efficiency in the face of increasing data volumes and complex legacy systems – the latest being RPA. The innovation behind RPA is the creation of an automated process (Bot) that replaces resource-heavy staff activities, freeing existing workers to perform far more meaningful and productive work and investigations. Over time, RPA can help organizations build improvements upon previous progress to gain incremental savings. The more sophisticated and advanced an RPA program becomes, the greater the savings it can deliver. In some cases, RPA can even become a self-funding project by generating enough savings to cover the cost of implementing the program.
When deployed correctly, this solution has been proven to deliver substantial benefits to AML operations. RPA can optimize AML operations in one of two ways (or both):
Active – Helps users at point-of-investigation by automating some of the research activities at the front-end to significantly speed up resolution of suspicious events and alerts.
Passive – Works in the background, reducing the risk of missing important events (in real time) and automatically closes alerts that are deemed low risk.
It’s important to understand that RPA cannot solve all AML challenges on its own. There are two critical limitations to RPA:
1. RPA can’t cut alert volumes (on its own), although once alerts are generated, Bots can be deployed to process and manage alerts exponentially faster than manual procedures. But the generation of alerts is still linked to the logic embedded within the AML engine and the ‘red flags’ highlighted by regulators and global advisory groups.
2. RPA can’t reduce investigation intensity – to perform a successful and professional AML investigation, certain steps must be performed correctly and in the right sequence. This is a formal process embedded within an institution’s regulatory obligations and is one of the areas where ‘robotics’ has to be limited by human flexibility and ‘natural’ intelligence. Bots can help automate and make some of the steps more efficient, but the steps themselves and the intelligent decision making behind them must stay in the hands of humans.
It is entirely feasible (from a theoretical point of view) that robotics may sometime replace most human functions associated with AML. The most cited reason preventing end-to-end RPA application today is that regulators require a comprehensive audit of every decision regarding suspicious cases and blocked transactions. Auditing this decision logic is challenging when it comes to ‘fuzzy logic’ machine learning and AI algorithms, which are probabilistic by nature.
In this case, history is not on the side of robots. Intelligence operations in military and policing environments, even in the most hi-tech areas, have still not been completely automated. Is there any technological blocking factor that stops top-range intelligence services trying to stop terrorist funding (or any other action) from deploying AI to guide prevention efforts?
Likely, such powerful government agencies with access to the top talent and core technology of their respective nations (cyber-intelligence powerhouses like Israel, U.S. and UK) can devise methods to automate investigation and prevention activities. But today, these tasks are still entrusted to humans. Why?
Why Not Automat All Tasks?
Like all technology solutions, RPA, ML and AI all have their own shortcomings. More importantly, human decision makers sleep better at night knowing that ultimately, there are people who make the call to determine whether an individual is a terrorist or criminal. Computerized systems can significantly assist in the decision, and certainly speed the process of identifying suspicious activity. But at the end of the day, the Chief Compliance Officer would like to know that a human is the one making the decision who can report perpetrators to the authorities.
How a financial institution deploys RPA can make all the difference in whether the solution lives up to its capabilities, reducing risk, thwarting criminal activity in real time, and free up tangible resources, and even becoming a self-funding project.