Christine Bucy of Protiviti’s Risk and Compliance practice joins Steven Stachowicz in this latest podcast to discuss the next frontier in AML compliance — artificial intelligence. Also hear Steven’s take on the latest in consumer protection activity from the Consumer Financial Protection Bureau. This discussion is in addition to what you’ll find in the complete July issue of Compliance Insights, available for download here.
In-Depth Interview, Compliance Insights [transcript] July 27, 2017 at 10:09 AM
Kevin Donahue: Hello. This is Kevin Donahue, Senior Director with Protiviti, welcoming you to a new installment of Powerful Insights. Today, we’re going to be discussing some of the highlights from the July issue of Protiviti’s Compliance Insights newsletter. I’m pleased to be joined today by Steven Stachowicz, a Managing Director with Protiviti’s Risk and Compliance practice, and Christine Bucy, an Associate Director with Protiviti’s Risk and Compliance group.
Steven, it’s great to speak with you today.
Steven Stachowicz: Thank you, Kevin. Good to talk to you again.
Kevin Donahue: Christine, thanks very much for joining us.
Christine Bucy: Yes. Thanks for having me.
Kevin Donahue: In this month’s issue, we talk about a couple of new developments from the Consumer Financial Protection Bureau. There’s also some news from the OCC regarding third-party risk management, but I first want to dive into AML compliance and, specifically, artificial intelligence. Christine, we’ll start this discussion with you. In the newsletter, we suggest that artificial intelligence has already helped banks reduce costs and manage large volumes of customer and transaction data, but when it comes to AML sanctions obligations, the issue for banks goes well beyond costs and reducing inefficiencies. In fact, there are additional legal and reputation risks. Christine, my first question to you is: How would an AI approach, as opposed to a rules-based approach, improve AML compliance programs?
Christine Bucy: Thanks, Kevin. I think that’s a really interesting point. As you had mentioned, there are significant risks facing banks today that really go beyond the cost of meeting compliance and the cost of staying efficient within your compliance programs and, as you said, specifically as it relates to AML and sanctions compliance programs, these are risks that have really heavy associations with legal ramifications and potential reputational challenges. So, for achieving ongoing compliance using a risk-based approach, that’s not necessarily an approach that doesn’t work today but the introduction of AI really begs the question of “Can we make this approach more optimal?” So just for a little bit more context on what we mean by rules-based approach, because we didn’t really go into this in the newsletter, but this is something that’s already widely being used within banks. For instance, when you’re looking at your transaction monitoring system, there are rules that are created within those systems. For example, you may have rules that have been developed using heavy data analysis to identify cash transactions over a certain dollar amount or a threshold amount, or certain transaction types that are being identified at a particular velocity, meaning that they’re coming in at a certain frequency within a short or pre-defined amount of time, or even transactions that are coming at a different amount, such as a round dollar amounts or other obscure amounts. So, rules-based approach is able to detect these types of transactions coming in. That being said, this rules-based approach is not always the most nimble approach. I think there are ways to make your approach to AML compliance a bit more flexible and adapt to the way that fraudsters and criminals are really changing their behaviors to launder money.
For instance, if you look at an AI approach, this is the next frontier in AML compliance. This is the way that you can train your systems to identify potential transactions through a number of different factors, and I think this is really interesting because as you bring in more data points into your AI programs, the more enriched your outcomes and your outputs will be. So, there are a lot of different types of data points that you can start bringing into these AI platforms in different payment characteristics. For example, you can try and determine the amount of time between the transactions that’s taking place. Where has the transaction been initiated? Maybe it was a mobile device used as part of this transaction. Maybe it’s where the account was originally opened. All these different types of factors you’re able to pull in in an AI approach that you maybe wouldn’t be able to pull in as part of a rules-based approach.
In the end, what I think this is really going to help an AML compliance program do is, again, enrich your output, identify potentially suspicious activity in a much more accurate and efficient way, and so at the end of it, this will help the resources that are reviewing your alerts review more productive alerts and also potentially review even fewer alerts, which further down the line may produce a need for a different type of skill set. So you don’t necessarily need somebody sitting there, reviewing alerts over and over again that aren’t producing any value but maybe you can transfer those skill sets to another part of your department.
Kevin Donahue: Christine, let me transition this a bit to OFAC compliance. I want to know how would an artificial intelligence-based approach improve OFAC compliance programs but first, what are some of the unique challenges around OFAC compliance that AI could help with?
Christine Bucy: Sure. I think it’s a very similar story. Lots of financial institutions are using systems that detect sanctioned entities or sanctioned individuals before a payment is going out or before you’re engaging with a party. Again, the story is somewhat similar, where you would potentially start obtaining additional inputs into your AI platform that would enrich your alert generation mechanism and that would also produce potentially a richer output as well. I think what’s a little bit different for OFAC is that banks are strictly liable for these transactions and parties associated with sanctioned entities. I think the risk and reputation around OFAC is just as severe as any, and, I think in the end, with artificial intelligence, the goal here would be able to detect when sanctions controls are intentionally being circumvented, and when criminals are really trying to evade these types of rules and regulations.
Kevin Donahue: Great. Now, you’ve walked us through some of the benefits around an AI-based approach for both AML and OFAC compliance. What are some of the inherent risks involved in adopting or accepting artificial intelligence into these processes and programs?
Christine Bucy: Sure. I had mentioned it before. Your output is only as good as your input, and I think we see that now when we’re performing risk assessments, when we’re establishing the types of thresholds and rules that we’re putting into our rules-based programs right now. I think for AI, the risk really is you’re relying on the inputs that you’re getting. So similarly, are you getting the right inputs? Can you trust the inputs that you’re getting? Is the source system where you’re getting your inputs trustworthy? I think that reliance on the input is a big risk and, additionally, how are we training our system? One of the great benefits of AI is, “Okay, great. They can learn.” “Okay, we can train them.” “That’s great. They’re able to make inferences on their own. These AI systems are eventually going to be able to make judgment calls and improvise on their own.” But I think there’s going to be that huge risk in, “Are we training them appropriately?” “Are we programming them appropriately?” So, going forward, I think it’ll be this balance between “Is the information coming in correct?” and also “Are these systems behaving appropriately and behaving as intended and are they learning the way that we want them to learn?”
Kevin Donahue: Thanks, Christine. Steven, let’s bring you into the conversation to talk a little bit about some of the developments from the Consumer Financial Protection Bureau. Why don’t you summarize some of those actions for us and maybe, more importantly, what else might be on their agenda in the near future?
Steven Stachowicz: Sure. Thank you. There’s a couple of items related to the CFPB specific to their prepaid card rule, which is a rule that has already been finalized and will be implemented soon enough, but in response to some feedback points from the industries and concerns that the industries raised with respect to the new prepaid rule, the CFPB is proposing some amendments to make compliance a little clearer and/or simpler. It’s a big rule because it extends many existing protections in the Bureau’s Regulation E for electronic funds transfers to prepaid cards that you see in the grocery stores, for instance, at the kiosks when you’re checking out. And they extend also some different protections and additional disclosures to those types of products that consumers should get when they purchase them, and also how consumers might deal with disputes and liability for errors, et cetera.
The prepaid rule amendments that are being proposed are important because they make compliance a little bit more straightforward in a couple of cases. So, with respect to error resolution, there’s a concern that institutions had about how to deal with error resolution claims from customers when that prepaid card isn’t registered and they can’t verify a customer’s identity. So the Bureau clarified that it intends to extend those types of requirements to cards that are registered, for instance. There’s also some clarifications related to digital wallets and whether the rule really truly extends to digital wallets as well, so a very important thing to keep in mind.
We see also from the CFPB letters that were provided to some of the top retail credit card companies in June that address the concept of deferred interest promotion. All of us are familiar with these. These are the furniture store advertisements or the electronic store advertisements of, “Buy this TV” or “Buy this couch” and “Zero percent financing for 12 months.” Those can be great but there is a number of reasons the Bureau has concerns related to those types of offers in terms of whether customers truly understand how interest is deferred on those particular products. Particularly, in situations where customers don’t make all of their payments within that 12-month period or that six-month period, what-have-you. It’s an important item, the Bureau will do this from time to time, where they will ask for the industry to consider changing a practice or maybe making a practice more consumer-friendly or clearer to consumers. It is not a regulatory requirement, there’s no rule here that says, “Deferred interest programs are no longer permissible for whatever reason,” but it is a noteworthy indication of another area of CFPB concerned under their broader construct to evaluate unfair, deceptive or abusive acts of practices, or what we call UDAP.
These are just two items, they are similar. We’ll talk about this in future Compliance Insights. There are similar things on the horizon in terms of CFPB’s Home Mortgage Disclosure Act rule, which is something that’s changing and it’s going to be significant in 2018. There are some clarifications they’re proposing around that rule. We do have an indication that on their agenda continue to be some of the payday loans and the debt collection rules and then the Small Business Lending Data Collection rules as well, some of which we’ve talked about in previous Compliance Insights and I expect will be topics that we discuss further this year as the CFPB starts to fulfill its regulatory agenda.
Kevin Donahue: Steven, Christine, thanks very much for joining me today to discuss some of the highlights from the July issue of Compliance Insights. I want to invite our audience to visit Protiviti.com/compliance-insights where you can find our latest newsletter as well as prior issues.
– End of Recording –