We have talked about Agile Compliance as the future of AML. It challenges the process automation legacy of software vendors that dictate the business processes. The software also limits the scope of governance. The promise of Agile Compliance is that governance and business process drive the systems and not the other way around.
One of the key enablers for Agile Compliance is AI and machine learning. This is used to create predictive models which are better than rules engines in both accuracy and versatility. However, transitioning from a rules engine to a machine learning model requires an understanding of how they work.
What Would a Human Do?
In a traditional AML process, compliance officers make decisions based on a set of rules. With supervised machine learning, the system makes up a set of rules based on compliance officers' decisions.
Rules engines from software vendors represent the collective wisdom of feedback collected by the vendor after talking to compliance managers and experts over an extended period of time. They may also involve some mathematical modeling. These inputs have been painstakingly synthesized and codified to be included as an automated process in AML software. As new AML threats emerge, the vendors go back to the experts to update the rules to incorporate them into their rules engines.
These rules represent the state of the art in Artificial Intelligence a few decades ago.
Machine learning models are very different. In the supervised model of machine learning, the system reviews hundreds of thousands of decisions made by compliance managers. The machine then makes up rules that can explain these decisions made by compliance officers. Unlike the rules engine, the machine does not ask why the decisions were made. It tries to figure that out from the data and makes up the rules in response to them. When new risks emerge, the machine observes the new decisions and updates the rules.
This is the state of art in Artificial Intelligence in 2020.
How Can AI help a Bank Manage Unique Risks?
The FFIEC BSA/AML Examination Manual says, “The first step of the risk assessment process is to identify the specific products, services, customers, entities, and geographic locations unique to the bank.”
Traditional AML software begins with a set of rules that are applicable to all banks based on capturing the distilled wisdom of experts. This is a one size fits all approach. These engines are manually customizable. However, banks often prefer to use the default rules. These rules typically produce 90% or more false positives.
By contrast, the machine learning approach reviews data on hundreds of thousands of decisions made by humans that are unique to a bank's risk profile. False positives from machine learning system can be as low as 60%.
A well-designed risk based approach needs to be flexible to adapt to changing risk patterns. Smart crooks experiment with different ways to launder money without getting detected. They also target banks where illicit activity can go undetected. When these patterns are discovered, a rules engine may take months before it is updated. Machine learning system can update rules as soon as they observe new patterns that are validated by compliance officers.
Which Model Should a Bank Use ?
Does the bank use the rules engine with the distilled knowledge of experts or the machine learning approach which captures the wisdom of thousands of decisions made by compliance officers?
The right answer is to use what matches the risk profile of the bank at any point of time. A bank may want to consider the software vendor's expertise better than their own compliance officers and use their models out of the box. They may also want to consider both models before making a risk decision.
Flexibility is one of the key values of Agile Compliance. Agile Compliance gives banks the ability to use a combination of models to triage high-risk accounts and alerts. This means that they can design processes that respond to current needs and modify them when required.
Agile Compliance is the basis of designing a risk-based approach that is tailored to the unique risks of the bank and can change it when these risks change.
What Do Regulators Think?
Federal and State regulators have recognized the value of machine learning in managing risk.
Governor Lael Brainard of the Federal Reserve spoke at the Philadelphia Stock Exchange about a year ago. Her speech is often cited as a reference point for the adoption of AI models in risk management. In her speech, she talked about AI systems having "superior ability for pattern recognition" by identifying variables that are not revealed by traditional modeling. AI can also produce results more cheaply and without reduction in performance.
While citing the modeling risks associated with AI, she mentioned that these risks "may be offset by mitigating external controls like circuit-breakers or other mechanisms". Agile Compliance enables a bank to implement machine learning models with guardrails defined by humans. These guardrails can be removed after establishing that the banks risks are within governance guidelines.
An overarching message from regulators mentioned by Gov. Brainard was "models should always be interpreted in context". A bank may use a risk-based approach using a model or a combination models. However it must interpret the model based on its unique risk profile.
Building a process tailored to the bank's unique risk profile requires looking at governance, process and systems.This is enabled by Agile Compliance. Unique models can not come from a software vendor.
A risk-based process is not something you buy. It is something you do.