There is wide recognition from business and regulators alike that technology, in particular artificial intelligence (AI), will become increasingly important to combat financial crime. Notably, the Financial Conduct Authority in the UK, as well as the Australian Transaction Reports and Analysis Centre, have worked with financial institutions through TechSprints, Codeathons and the Fintel Alliance to enhance their joint objectives. Yet, despite this, the volume and complexity of regulation has made it increasingly difficult for compliance and legal teams to manage this risk. Furthermore, this has been exacerbated by the rise in large monetary fines, the impact of reputational damage, personal liability and even prison sentences. However, it remains essential that RegTech and AI is not seen as the only answer to addressing all financial crime risk, but rather a tool that, if harnessed correctly, can drive greater efficiency in in the management and mitigation of money laundering, bribery and corruption, fraud and sanctions risk.
Acknowledging the benefits and challenges that technology poses
Almost all people specialising in risk and compliance today would have heard of buzz words such as AI, blockchain, machine learning and smart contracts. However, a bit like the dotcom boom in the early 2000s and the more recent speculation on digital currencies, businesses make decisions, and often with significant implications, with only a cursory understanding of the technology. Most commonly we see:
- Mistaking investment with compliance: Senior management and boards will highlight to the market or a regulator significant investment made in RegTech and AI in an effort to improve compliance. Despite this, there is little practical understanding of what has been invested in or how it will tangibly reduce risk (if not increase it). Regulators will not look kindly on investment in technology if its impact and potential adverse consequences are not adequately considered.
- Not understanding the fundamentals of the technology: Many entities have the tendency to purchase a product with the perceived view that it is market leading, without truly understanding what risk they are looking to address. For example, is it a screening tool or is it a system to record a risk assessment? Does it identify beneficial ownership or assess solvency? Consequently, entities are left with a number of different tools and platforms that do not necessarily integrate well together from an IT perspective and may result in compliance obligations being missed.
- Failure to align technology with legal requirements and the customer experience: Technology advancement is increasing at an exponential rate. Regulated firms have a challenge not only to stay ahead of criminals, but also new entrants who can reduce risk by focussing on individual products or targeting specific customers such as a virtual bank. In this context, there is often a rush to introduce new technology and continue to improve the experience of customers. This can result in adverse consequences if legal and compliance requirements are not considered in development, or not adequately addressed in implementation. Increasingly, simple coding errors are resulting in non-compliance when interdependent systems such as threshold transaction reporting and transaction monitoring are not adequately considered.
Demystifying RegTech and AI
Recently at a conference, a senior banking executive revealed in conversation that, as she is nearing retirement, she felt she did not need to keep up with developments in technology. The comment took us all aback, but we were heartened when an employee reporting to her said that she disagreed. She contended: “No matter our role, we are all in IT now.” This exchange signified the problem, but also highlighted the solution.
Critical to addressing the above challenge is to:
- Involve all relevant stakeholders such as customer facing roles, IT, legal, compliance and senior management in the selection, development or implementation of RegTech and AI.
- Ensure that end-to-end testing of any new product occurs before it is made operational. This should include both testing from a technical and systems standpoint, as well as how the end user would experience it.
- Seek an independent third party review of its compliance and operational effectiveness. This should occur through testing and implementation, as well as part of regular audit procedures.