Recent money laundering scandals have exposed weaknesses in banks’ technology, among other compliance failures. When it comes to anti-money laundering (AML) technology, do artificial intelligence and machine learning hold the key to fighting financial crime? Jane Cooper reports
Regulatory pressure is increasing to fight financial crime, and recent lapses in banks’ anti-money laundering (AML) efforts show how not having the right technology in place can have serious consequences.
In November 2019, the Australian regulator AUSTRAC alleged that Westpac had breached AML laws, which included a number of failures such as not assessing risks among its correspondent banks.
Each of its 23 million breaches could potentially incur A$21m ($13.8m), bringing the potential fine to a staggering and business-ending A$483trn. Aside from this, there was reputational damage: the bank had failed to stop transactions that were “indicative of child exploitation risks”, or, as Australia’s Home Affairs Minister Peter Dutton described it, Westpac had “given a free pass to paedophiles”.
Deficient bank technology
Customers with no family ties to the Philippines and Southeast Asia, who are sending small amounts to multiple beneficiaries within a short period, should have been flagged as suspicious. However, according to AUSTRAC, Westpac’s technology did not adequately filter out these kinds of payments.
Westpac CEO Brian Hartzer, before he stepped down, said: “Like many banks around the world, we have been heavily investing in a programme of work to improve and bolster the management of financial crime risks including strengthening our policies, data feeding systems, processes and controls.”
Deficient technology was also a feature of the Danske Bank scandal, the details of which were revealed in 2018 after a thorough investigation. When Danske acquired the branch in Estonia in 2006 – where €200bn ($220bn) was eventually laundered for non-resident customers – it never migrated the Estonian operations onto its group IT platform.
It was deemed too expensive. With little oversight at the group level, the AML risks in Estonia only came to light after someone blew the whistle. To rectify the issues, Danske Chairman Ole Andersen said in 2018 the bank was investing in “new and robust IT systems” and increased automation with its AML.
Does technology hold the answers?
“The current approach has not really worked too well,” says Taavi Tamkivi, CEO of Salv, a fintech firm that specialises in AML. “People [at banks] may say their intention is to fight crime but when I see their working procedure there is no way this can be effective against crime,” says Tamkivi. He adds that banks have been focused on complying with the regulatory requirements but have missed the overall objective of fighting crime.
“Banks are constantly worried about trying to do things right, rather than doing the right thing,” says Philip Creed, Director of compliance consultancy fscom. “They are trying to follow whatever processes and make sure they do not get fined; they need to take a step back and think how to combat financial crime.”
When asked if the technology that banks are using for AML is sophisticated enough, Creed says, “The easy answer is no. But we have seen banks spend millions on technology and not implement it properly so it is pointless.”
Banks have become burdened by legacy systems, and Tamkivi argues they have lost sight of the original idea of what AML regulations are addressing – something that fintech firms are more likely to grasp. This plays into the growing popularity of regulation technology – or regtech – which is expected to grow further. KPMG estimates the proportion of regtech spending will grow from 4.8% in 2017 of all regulatory spending to 34% by 2022.
Young fintechs teething problems
Craig McLeod, financial services expert at PA Consulting, notes a trend where banks are keener to buy specialised technology from individual providers and stitch the components together themselves, rather than going to a one-stop-shop vendor that provides a range of solutions. This approach, however, is not without its challenges. Young fintech companies have had to scale rapidly, says McLeod, which leads to teething problems. “It’s a challenge for banks to put faith in young fintech firms,” to ensure they have compliant, robust, AML protection, he says.
The environment that banks are working in has also become more challenging. With newer, faster ways to make payments, “money changes hands more rapidly and it is much harder, because of the complexity, for banks to keep up with that pace of change within their customer base” notes McLeod.
Also, the predictability of customers has changed. In the past customers would have phoned their bank if they went abroad. “Now people don’t do that, the world is a smaller place; people are travelling to more interesting and exotic places” he says.
Instead of fixed rule-based screening, or backward-looking risk models, now banks have an array of technologies to choose from that don’t rely so much on manual labour.
For example, machine learning detects patterns as it goes along, teaching itself new rules, and technology like network analytics can spot relationships and connections that would have been previously hidden in transactions.
Regulators have encouraged banks to explore the latest technologies. In the UK, for example, the Financial Conduct Authority has encouraged businesses to play in its ‘sandbox’ and test innovative ideas in a controlled environment. And in December 2018, a number of US regulatory agencies publicly stated they encouraged banks to take innovative approaches to meet their AML obligations. Also, Loo Siew Yee, Assistant Managing Director at the Monetary Authority of Singapore, said in a speech in late 2019, “We are heartened to see that [financial institutions] have made good progress on this front over the last two years, by increasingly using automation, data analytics and artificial intelligence (AI) to enhance the effectiveness and efficiency of their AML [and counter financing terrorism] controls.”
Machine learning: a ‘blackbox’
Even though technologies like machine learning may be better in detecting financial crime, regulators are hesitant to engage in advanced technology, says Andreas Kremer, Partner, McKinsey & Company’s Risk Practice. “These new methodologies are much less transparent to regulators as to how they work.” With a scenario-based methodology, it is easier to see which kind of transactions would be filtered out. Machine learning, on the other hand, is something of a “black box” with complex algorithms that make it more difficult to demonstrate what is actually happening with the model, says Kremer. “Regulators have encouraged banks to explore modern technology, in the UK, for example – but when it comes to replacing existing methods, they are more conservative,” Kremer says.
In terms of new technologies, such as artificial intelligence and machine learning for AML, Kremer says they are “by far not the whole answer to the challenges financial institutions face”.
McLeod at PA Consulting notes that because regulation has moved away from rules and become more risk-based, it is now more difficult to operationalise. “How to assess financial crime risk indicators – this is a really tricky aspect of regulation,” he says.
In the onboarding process, for example, operationally the people making judgments are much more junior than the people who are accountable for making sure they are complying with regulations – and often there is a disconnect between the two. In applying a risk-based approach, “It is extremely difficult in the operational context. Banks need to support their people by empowering them through better processes, and get more effective governance and oversight.”
AML needs to be embedded in bank culture
Kremer at McKinsey says, “AML needs to be embedded in the culture of the institution as a key risk that needs to be managed,” adding that similar processes of training, onboarding and governance should be applied that would be used for managing credit risk – which banks do have deeply embedded. “AML needs to be embedded way beyond technology,” says Kremer. Although he gets asked a lot about what a quick fix would be, he says, “There is no magic bullet. This is a transformational activity where you need to embark on a journey.” He advises institutions to connect AML to other elements of financial crime, such as fraud and cyber risk. Fraud is similar in that banks need to protect their customers by monitoring transactions: “Leveraging these synergies is crucial,” says Kremer.
Also, notes McLeod at PA Consulting, looking to the future and having all the latest technology will not alone solve banks’ AML problems. “Banks are trying to reduce the costs of compliance; they are looking ahead, but they also need to have an eye on the past,” he says.
From the regulators’ perspective, he notes, you can have all the latest technology, such as AI and machine learning, but there is no point pushing forwards if they have ignored their legacy issues and past failures.