Loading…

FinCrime FinTech Hype, Hubris, and Subject Matter Enthusiasm

Two very recent fincrime fintech start-ups recently published marketing papers – one a self-styled “Report” the other a blog – that should serve as reminders that, although innovation and change are critical to financial institutions’ financial crimes risk management programs, fincrime fintechs are not. Or, put another way, those fincrime fintechs need to understand what they are and what they are not. Most important, they are not “solutions”: they are tools that could be deployed, in whole or in part, by true financial crimes experts who bear the statutory and regulatory responsibility for – and personal liability for – designing, developing, implementing, maintaining, and enhancing their programs. And U.S. banking agencies are embracing the idea of responsibly implementing innovative approaches to financial crimes risk management. The U.S. banking agencies’ December 3rd joint statement is a very positive step to encourage private sector innovation in fighting financial crime. But they don’t limit those innovative approaches to just adopting new technologies: they also encourage “testing new ways of using existing tools”. For those banks that are considering replacing their existing tools with “modern era technologies”, I would caution them to first look at how they are using their existing tools, whether they have the data and in-house expertise to even deploy modern era technologies, and consider whether they are better off improving and augmenting their existing tools.

Let’s take a look at the report and blog.

Feedzai – “the market leader in fighting financial crime fraud with AI”

The first report is from Feedzai, which, according to its website:

Feedzai is AI. We’re coding the future of commerce with a leading platform powered by artificial intelligence and big data. Founded and developed by data scientists and aerospace engineers, Feedzai has one critical mission: make commerce safe. The world’s largest banks, payment providers and retailers use Feedzai’s machine learning technology to manage risks associated with banking and shopping, whether it’s in person, online or via mobile devices.

[and …]

Feedzai is the market leader in fighting financial crime fraud with AI. But even a leader needs partners. To maximize our impact, we partner with top tier financial institutions, consultancies, system integrators, and technology providers to create win/win/win scenarios for the marketplace.

Feedzai’s report is titled “A Guide for Financial Institutions – Augmenting Your AML with AI: See The Risk Signals in the Noise”

https://assets.sourcemedia.com/01/2a/181664d6497aae451c6911ebb6f4/feedzai-aml-report-v106.pdf

This “report” is really a marketing document from Feedzai, used to convince financial institutions that if they’re not deploying machine learning and AI – indeed, if they’re not deploying Feedzai’s machine learning and AI – they’re at risk of what they refer to as “The Six Pains of Money Laundering” which can only be addressed if the buyer “flips the script with Feedzai anti-money laundering.”

Let’s look at those six pains. First, and foremost, none of them are actually pains of money laundering, but of complying with government-imposed legislative and regulatory requirements and expectations.  Some aren’t even pains, or pains related to the technology solutions that Feedzai is selling, but simple observations.

The first “pain” is regulatory fines. Feedzai notes that “In the past decade, compliance fines erased $342 billion in profits for top US and European banks. This figure is expected to exceed $400 billion by 2020.” And then they list what is implied to be AML-related fines for 11 banks and 1 non-bank telecom manufacturer. Going through those, every one of them is solely, or primarily, an OFAC or sanctions-related penalty, with AML either not part of the penalty or, in the case of the hybrid OFAC/AML penalties, a small part.  At best Feedzai’s list is sloppy and incomplete: at worst it is deceptive. If they’re going to write a paper touting their AML capabilities that includes regulatory fines as the first pain point, they could at least use AML-related regulatory fines.

The second “pain” is organizational burden. They write: “Financial institutions might employ upwards of 5,000 employees in sanction screening alone. As transaction volume keeps growing, so do alerts, false positives, and compliance teams, all at unsustainable rates.” Again, they’ve confused AML with sanctions. Economic sanctions programs are related to AML programs, just as fraud programs are related to AML programs. But they are very different disciplines and require very different programs, technologies, staffing, and reporting. And a phrase such as “might employ upwards of 5,000” is weak (the word “might”) and ambiguous (does “upwards of 5,000” mean 4,900? 1,000?).

The third “pain” is that “current transaction monitoring solutions lack context”. Feedzai writes:

A PwC report states that transaction monitoring for AML often generates false positive rates of over 90%. The rule based systems that monitor these transactions do what they were supposed to: point to incidents where money movement exceeded certain thresholds. However, compliance teams cannot go deeper to provide additional context that would substantiate or refute the actual money laundering risk. Current solutions are unable to connect the dots between multiple seemingly unrelated alerts in order to contextualize and visualize suspicious movement patterns that point to broader AML risk.

First, the reason that there are false positives is that compliance teams must, can, and do go deeper than the alert generating monitoring systems to provide additional context to substantiate (apparently in 10% of the cases) or refute (in 90%). But those teams don’t substantiate or refute “the actual money laundering risk” as Feedzai writes. What financial institutions are charged with is making a determination that certain activity is suspicious, not that it is, in fact, money laundering.  And as all experienced AML professionals know, it is the job of the analyst or investigator to take the alert or referral and to determine whether the activity has no business or apparent lawful purposes or is not the type  of activity that the particular customer would normally be expected to engage in, and to conclude that there is no reasonable explanation for the activity after examining the available facts, including the background and possible purpose of the transactions and activity. It is fair, though, that analysts and the entire financial services industry would be better served if AML transaction monitoring, interaction monitoring, and customer surveillance applications could produce alerts that led to SARS in more than 10% of the cases. But as I will write in an upcoming article, addressing the false positive issue is more about, or at least as much about, cleaning up a bank’s data and regulatory reform, than it is about deploying new technology.

Second, if a bank’s current solution is “unable to connect the dots between multiple seemingly unrelated alerts in order to contextualize and visualize suspicious movement patterns that point to broader AML risk”, then that bank is not using the data it has available to it in any reasonable way. A simple Scenario Analysis tool, such as the one I first developed in 1999 (and the subject of a July 2018 News post on this site), was used to run sophisticated, segmented customer surveillance models using basic relational database tools. That, coupled with a rudimentary case management system that allowed grouping and de-duplicating of related alerts and referrals into consolidated case packages, connected the dots in two different multi-national financial institutions. Connecting AML dots does not require banks to rip-and-replace existing tools: it requires them to creatively use their existing tools.

The fourth “pain of money laundering” that Feedzai identifies is manual SAR reporting. But their description of this manual reporting pain point doesn’t really address the manual nature of the process nor offer a technology solution. They write:

Typically as little as 7% of all filed SARS are deemed by the regulator as worthy of further AML investigation, which means that 95% of the effort of these teams goes to waste. As SAR reporting is still a highly manually intensive task, the end result is that most of the AML resources allocated by FIs and the regulator are busy clearing their own “noise,” created in the first place because they are unable to substantiate true money laundering risk. Today’s compliance-focused systems use limited legacy technologies and reward quantity over quality, sending millions of dollars to waste.

First, regulators (at least US regulators) don’t examine banks on whether their SARs are “worthy of further AML investigation”. It may be that the 7 per cent figure used by Feedzai reports to the largest banks anecdotal statements that they get some sort of law enforcement response to roughly 7% of their SARs, with responses being a follow up subpoena, a formal request for supporting documentation, or a national security letter. That doesn’t mean that the other 93% of SARs “go to waste”. I recently wrote that law enforcement (in the case of the FBI) can conservatively say that at least 20% of BSA filings have tactical or strategic value to law enforcement. We would all like to see that percentage go up, and that is a noble task for Feedzai, other fintechs, the financial sector, regulators, and law enforcement.

Second, I’m not sure what Feedzai means by writing that “most of the AML resources allocated by FIs and the regulator are busy clearing their own ‘noise,’ created in the first place because they are unable to substantiate true money laundering risk.” Including regulators in this statement is confusing (to me) and it suggests that regulators are allocating resources (Q. their own resources or compelling banks to allocate bank resources) because regulators cannot substantiate true money laundering risk.

The fifth “pain” is disconnected business units, and Feedzai impugns siloed AML and fraud units, and disconnected investigations and analytics teams. Both are, indeed, pain points for any program, but both are easily overcome without deploying any new technology. They are organizational problems overcome with organizational solutions.

The sixth and last “pain” is the “barrier to digital transformation.” Feedzai describes this pain not as a barrier to digital transformation but because of digital transformation, because this digital transformation across the bank’s businesses and operations “can harbor new waves of financial crime with criminals hiding behind large new sets of distributed and disconnected data.” The solution? “The magnitude of the detection complexity calls for new technologies to take the helm as legacy systems simply don’t scale up to the task.”

With these pains, Feedzai concludes that banks must “flip the script with Feedzai anti-money laundering”. They announce “the dawn of machine learning for AML” with Feedzai’s machine learning and advanced automation, etc.

Unfortunately, it’s not the dawn of machine learning for AML.  It may be the dawn for some banks that have allowed their programs and technologies to stagnate and become obsolete. But for five to ten years there have been banks (Wells Fargo) and fintechs (Verafin) using machine learning, artificial intelligence, and visual (geographical, temporal, relational) analytics to “replace the manually tedious parts of existing AML processes with insights that are specific to money laundering” to “separate meaningful risk signals from noise, ensuring that manual investigation resources are applied using a validated risk-based approach” and to allow FIU analysts to “understand suspicious patterns and more precisely allocate their manual investigation resources”, all using advanced financial crimes-specific case management applications to ingest, triage, de-duplicate, risk-score, package, decision, and route alerts and referrals; triage, risk-score, and make SAR decisions; automate and write narratives; manage and report to external and internal stakeholders; and feed all of this back into the system to learn and adapt, tune and adapt models, and revise customer risk ratings.

So Feedzai: if you believe you are the best, or want to be the best, AML systems provider in the industry, your marketing materials such as “A Guide for Financial Institutions – Augmenting Your AML with AI: See The Risk Signals in the Noise” should be the best. They’re not. Your subject matter enthusiasm is to be commended; your subject matter expertise needs work.

Tookitaki – intending to transform the way organizations do predictive modeling

According to its website …

Tookitaki is building an intelligent decision support system (DSS) to help businesses take smarter decisions. Built on an effective AI system, our DSS intends to transform the way organisations do predictive modeling. Most businesses globally use consultants, build ad hoc predictive models on sample data and take decisions. The current process offers neither efficiency nor scale – rather becomes obsolete in the world of big data.

Our DSS will empower businesses go beyond the barriers of existing statistical packages creating one-off solutions by offering production-ready, automated predictive modeling. Clients can call our REST API for live feedback and take actions accordingly.

Tookitaki’s CEO, Abhishek Chatterjee, published a blog on December 14, 2018 titled “Modern Tech to Reshape US AML Compliance with Regulators’ Recent Handshake.” Let’s take a look at that blog.

Mr. Chatterjee begins with his synopsis of the Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing:

On December 3, The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), the Financial Crimes Enforcement Network (FinCEN), the National Credit Union Administration, and the Office of the Comptroller of the Currency issued a joint statement encouraging banks to use modern-era technologies to bolster their Bank Secrecy Act/anti-money laundering (BSA/AML) compliance programs. The agencies ask banks “to consider, evaluate, and, where appropriate, responsibly implement innovative approaches to meet their Bank Secrecy Act/anti-money laundering (BSA/AML) compliance obligations, in order to further strengthen the financial system against illicit financial activity.

Actually, the agencies did not issue a statement encouraging banks to use modern-era technologies to bolster their BSA/AML programs. The agencies’ statement encouraged banks to “consider, evaluate, and, where appropriate, responsibly implement innovative approaches to meet their” BSA/AML compliance obligations”. And, in the very next sentence following the quote above, the Joint Statement provides, “[t]he Agencies recognize that private sector innovation, including new ways of using existing tools or adopting new technologies, can help banks …”.

Notably, the Agencies are not limiting innovative approaches to the adoption of new (“modern-era”) technologies (and by implication, replacement of not-so-modern-era technologies), but including new ways of using existing tools. This is critically important to those banks that are facing increasing pressure from fincrime fintechs to rip-and-replace existing AML systems with new, and often untested, technologies.

They are of the view that private sector innovation, involving new technologies such as artificial intelligence and machine learning, can help banks identify and report money laundering, terrorist financing and other illicit activities.

The Agencies provide two examples of innovative approaches: the use of innovate Financial Intelligence Units (FIUs) and “artificial intelligence and digital identity technologies”. Notably, bank FIUs have been in existence since the late 1990s (I know, I deployed the first large bank FIU at FleetBoston Financial in 1999). The concept of a bank FIU is twenty years old, and almost every large financial institution now has an FIU that is continually implementing innovative approaches to fighting financial crimes. The success of an FIU is equal parts data, technology, tools, courage, imagination, compassion, empathy, cynicism, collaboration, hard work, patience, and luck.

Mr. Chatterjee next describes the “assurances” the agencies give:

In addition, the regulators assured that they will not penalize those firms who are found to have a deficiency in their existing compliance programs as they run pilots employing modern technologies. The statement reads: “While the Agencies may provide feedback, pilot programs in and of themselves should not subject banks to supervisory criticism even if the pilot programs ultimately prove unsuccessful. Likewise, pilot programs that expose gaps in a BSA/AML compliance program will not necessarily result in supervisory action with respect to that program.” They have added that “the implementation of innovative approaches in banks’ BSA/AML compliance programs will not result in additional regulatory expectations.”

This is a reasonably accurate description of the assurances – although I would not use the word “assurances” given the qualifiers attached to it. The first three “assurances”, and two more, are clear cut:

  1. “The Agencies recognize that private sector innovation, including new ways of using existing tools or adopting new technologies, can help banks identify and report money laundering, terrorist financing, and other illicit financial activity by enhancing the effectiveness and efficiency of banks’ BSA/AML compliance programs. To assist banks in this effort, the Agencies are committed to continued engagement with the private sector and other interested parties.”
  2. “The Agencies will not penalize or criticize banks that maintain effective BSA/AML compliance programs commensurate with their risk profiles but choose not to pursue innovative approaches.”
  3. “While banks are expected to maintain effective BSA/AML compliance programs, the Agencies will not advocate a particular method or technology for banks to comply with BSA/AML requirements.”
  4. Where test or implemented “artificial intelligence-based transaction monitoring systems … identify suspicious activity that would not otherwise have been identified under existing processes, the Agencies will assess the adequacy of banks’ existing suspicious activity monitoring processes independent of the results of the pilot program
  5. “… the implementation of innovative approaches in banks’ BSA/AML compliance programs will not result in additional regulatory expectations.

Note the strong, unqualified language: “the Agencies are committed to continued engagement”, “the Agencies will not penalize or criticize”, “the Agencies will not advocate …”, “the Agencies will assess”, and “the implementation of innovative approaches will not result in additional regulatory expectations”.

The qualified “assurances” come in the paragraph about pilot programs (with emphasis added):

Pilot programs undertaken by banks, in conjunction with existing BSA/AML processes, are an important means of testing and validating the effectiveness of innovative approaches.  While the Agencies may provide feedback, pilot programs in and of themselves should not subject banks to supervisory criticism even if the pilot programs ultimately prove unsuccessful.  Likewise, pilot programs that expose gaps in a BSA/AML compliance program will not necessarily result in supervisory action with respect to that program.  For example, when banks test or implement artificial intelligence-based transaction monitoring systems and identify suspicious activity that would not otherwise have been identified under existing processes, the Agencies will not automatically assume that the banks’ existing processes are deficient.  In these instances, the Agencies will assess the adequacy of banks’ existing suspicious activity monitoring processes independent of the results of the pilot program.  Further, the implementation of innovative approaches in banks’ BSA/AML compliance programs will not result in additional regulatory expectations.

Here there are the qualified assurances (which are not assurances): “should not”, “will not necessarily”, and “not automatically assume”.  These are important distinctions. The Agencies could have written something very different:

“… pilot programs in and of themselves will not subject banks to supervisory criticism even if the pilot programs ultimately prove unsuccessful.  Likewise, pilot programs that expose gaps in a BSA/AML compliance program will not result in supervisory action with respect to that program.  For example, when banks test or implement artificial intelligence-based transaction monitoring systems and identify suspicious activity that would not otherwise have been identified under existing processes, the Agencies will not assume that the banks’ existing processes are deficient …”

But the author of the blog also uses an interesting qualifier by writing that the joint statement “largely clears the air for modern AML solutions, especially those based on artificial intelligence and machine learning”. I agree: the joint statement largely, but not entirely, clears the air or provides some comfort to banks who implement innovative approaches, including machine learning and AI. But as the Agencies remind us, any innovative approaches must be done responsibly while the bank continues to meet its BSA/AML program obligations and, if in doing so any gaps in that program that are identified will not necessarily result in supervisory action, but the Agency will assess those gaps to determine whether the program is, in fact, meeting regulatory requirements.

Finally, I disagree with Mr. Chatterjee’s statement that we are in an “era of sophisticated financial crimes that are impossible to detect with legacy systems.” I trust that this is simply a marketing phrase, and the use of the absolute word “impossible” is puffery and salesmanship. The statement is false.

Like Mr. Chatterjee and his firm, I also am “both happy and excited at the US regulators’ change of tone with regard to the use of modern technologies by banks and financial institutions to combat financial crimes such as money laundering.” But we need to be as realistic and practical as we are happy and excited about embracing new technologies without fully utilizing the existing technologies. Modern era technologies will be no better than the existing technologies if they are deployed against incomplete, outdated, stale, poorly labeled data by people lacking courage, imagination, and financial crimes expertise.

The U.S. banking agencies’ December 3rd joint statement is a very positive step to encourage private sector innovation in fighting financial crime by testing new ways of using existing tools as well as adopting new technologies. For those banks that are considering replacing their existing tools with “modern era technologies”, I would caution them to first look at how they are using their existing tools, whether they have the data and in-house expertise to even deploy modern era technologies, and consider whether they are better off improving and augmenting their existing tools.  A bank’s data and personnel are the “rails” upon which the AML technology rides: if those rails can’t support the high-speed train of machine learning and AI-based systems, then it’s best to fix and replace the rails before you test and buy the new train.