One of the first real world tests of U.S. regulators’ approach to innovation in Anti-Money Laundering (AML) has now yielded insights into how—and how fast—the financial services industry will be able to scale up its use of artificial intelligence, machine learning, and other advanced technologies for financial crimes compliance.
In September 2019, the Office of the Comptroller of the Currency (OCC) published Interpretive Letter #1166,[i] responding to a written request from an unnamed bank seeking approval to automatically file Suspicious Activity Reports (SARs) on matters involving cash structuring.
The request sought clearance for the bank to use software to eliminate manual (human) investigation in suspected cases of cash structuring.
It appears the bank is planning to implement software to cull through cash activity, pinpoint structuring transactions, and create SAR narratives. No doubt this effort seeks to reduce manual investigation work, to save time and expense.
The request looks like a good example of banks responding to U.S. financial regulators’ 2018 Joint Statement[ii] on Innovation Efforts to Combat Money Laundering and Terrorist Financing, in which the agencies encouraged financial institutions to try new approaches to AML compliance.
We see the bank’s request and the OCC’s response as a positive example of the industry and regulators working together to modernize AML compliance. Taken together, they raise the following implications for AML officers, software providers, regulators, and financial industry executives to consider:
- The innovation and implementation of modern software to update AML compliance processes will be slow.
- Regulators are supportive of well-thought-out approaches to modernization, but they remain focused on their oversight responsibility and accountability to policymakers.
- Modern computing technology such as machine learning and natural language processing are now playing an actual role in AML compliance—they’ve moved beyond marketing fluff.
- The integration of modern software creates operational challenges and short-term obstacles that necessitate additional work and procedures.
- Integration also requires AML leaders to develop and implement new management systems and governance procedures.
- AML innovation may end up reducing compliance costs at some point, but in the short and medium term, costs will actually increase.
Overview of Request and OCC Response
In the proposal, the bank self-imposes a number of restrictions on its trial program. Notably, only alerts relating “solely to potential structuring activity” would be automated.
Responding that the bank’s proposal is consistent with SAR regulation under current Bank Secrecy Act/Anti-Money Laundering (BSA/AML) requirements, the OCC did not prevent the automation effort from moving forward. Still, the agency emphasized that the effort must be governed strictly with strong controls, frequent testing, and timely adjustments as needed.
Overall, the bank’s request is evidence that AML programs are developing, testing, and seeking to implement innovative approaches to persistent problems of inefficiency. The OCC’s approval demonstrates that regulators are willing to facilitate such efforts.
However, the OCC rejected the bank’s request that by using a “regulatory sandbox” approach trial work and outcomes would be protected from matters requiring attention, violations of law, or financial penalties.
Some early AML community reactions to the OCC’s letter have expressed frustration that the bank’s pilot efforts are not immune from regulatory action. Of course, all AML professionals would like their modernization efforts to occur in a space protected from regulatory findings. But it is unrealistic to expect federal (or state) agencies to forgo their obligations to protect the soundness of the financial system, no matter how well-intended a modernization pilot may be.
The bank’s request and the OCC’s response show positive movement, albeit slowly, toward better AML approaches that incorporate modern software capabilities.
The Bank’s Request
In February 2019 the bank submitted a proposal to “streamline the filing of suspicious activity reports (SARs) by automating the process for identifying and reporting potential structuring activity.” The letter sought the OCC’s opinion on whether the approach is consistent with SAR regulations. More specifically, the bank sought the agency’s view on the following:
- Whether it can automate the generation of SAR narratives;
- Whether it can file a SAR based solely on an alert without having to conduct manual investigation;
- Whether automated SAR filing of the nature the bank described is consistent with OCC regulation; and,
- Whether regulatory relief could be granted when piloting this new automated approach (in essence, to be protected from adverse regulatory findings during a trial period of the new software).
In seeking these opinions, the bank explained that its proposal to automate investigation would focus only on alerts where no other activity beyond cash structuring was present. For example, if there is a structuring alert, and that alert (or the account on which the alert triggered) included wire transfers for the cash deposits or withdrawals, such alerts would require manual, or human-driven, investigation. Additionally, alerts involving customers on whom a prior SAR was filed or customers subject to a law enforcement inquiry would also require manual investigation.
The bank also made clear that it will implement a testing program to manually review a sample of the automated work product and validate the SAR or no-SAR decision. This information will be used by the bank to adjust the system(s) and processes as needed.
The OCC Response
The OCC responded that auto generation of SAR narratives is consistent with BSA regulation as long as the narratives contain all required elements outlined in the SAR Form Instructions and applicable guidance from the Financial Crimes Enforcement Network (FinCEN). In short, the guidance[iii] directs SAR writers to include, “the five essential elements of information—who? what? when? where? and why?” and also “the method of operation (or how?).”
The OCC conditioned its opinion on the bank’s self-imposed limitations. Specifically, the bank will not be permitted to automatically file SARs if any non-structuring alert activity is present, if within 90 days of the first alert another alert is produced, if there have been prior SARs filed on the customer(s), or if the investigation is responding to a law enforcement request.
In addition to the bank’s own limitations, the OCC said, “automated filing of structuring SARs is only permissible to the extent that it is supported by strong risk governance.”
Finally, the OCC declined “to offer regulatory forbearance as requested,” meaning that whatever process is undertaken by the bank to automate SAR filing is not immune from regulatory review and consequences, should any be deemed necessary by the examining agency.
AML Progress Will Be Slow
The OCC’s statement signals the pace of AML innovation to come, and it underscores the ongoing tension between regulation and innovation.
“Move fast and break things,” the popularized ethos of startup software developers, doesn’t work in banking and compliance. Thomas Edison’s famous quote, “I haven’t failed—I’ve just found 10,000 ways that don’t work,” inspires creators and innovators. It doesn’t inspire regulators.
Breaking things and thousands of failures are not suitable approaches for improving AML compliance. Rather, improving AML compliance in a regulated environment moves slowly. Nevertheless, as this initiative to automate structuring SAR activity shows, progress is underway.
How fast? It is reasonable to assume that from planning to full adoption, this particular initiative will take three to four years. It likely took up to two years to select, develop, test, improve, and retest the software needed for the bank to submit its request. We can also assume that it took the bank several months just to draft the request. Seven months passed from the date of the request (February 2019) to the response (September 2019). Now that the request is granted, the bank will operate its pilot program in parallel with its manual process for up to a year to gather enough information, refine the approach, tune the software, test, retest, conduct an internal audit review, and then present findings to the regulators.
Of course, early efforts take longer than subsequent efforts, but keep in mind, this is one effort involving a small subset of one type of suspicious activity.
Regulators Must Regulate
Regulators cannot give AML pilots a free pass. Federal bank regulators are bound by law to ensure that financial institutions comply with all applicable regulations. Regulators must act as required by law whenever serious compliance deficiencies are discovered, whether by the institutions, auditors, or examiners—and regardless of the circumstance in which they are discovered, whether through customer complaints, exam findings, law enforcement, or by the institution itself.
Perhaps the idea of a “regulatory sandbox,” as proposed by the bank, will be approved in some form at a future date. This would likely take agreement among policymakers in Congress, an unimaginable number of government attorneys, and consumer advocates. It is hard to imagine that happening quickly.
Modern Software Is Finally Here
About six years ago, AML compliance officers began to hear that artificial intelligence was going to change compliance. AML workers would be turned into Cyberdyne System Model 101 Terminators acting with robot-like precision, eliminating false positives, reducing staff, and saving millions of dollars in cost.
As with all technology hype bubbles, however, the fantastical claims of futuristic AML software collided with reality. In 2019, no one is yet wiping out all false positives, reducing large numbers of staff, or saving millions of dollars. What is happening, is that banks like the one that submitted the OCC request are implementing a new “technology stack” of applications that do use machine learning and natural language processing.
When the bank said it will use the output from its pilot program to update the software that automates the detection of pure structuring, it will do so by using examples to “teach” its computers how to better identify cash activity. This “supervised learning” involves humans deciding what is a good outcome and what is a bad outcome—and then using these examples to improve the systems. This takes the time and expertise of AML investigators and software developers.
In automating the writing of SARs, we can assume that the bank will use natural language processing software. This enables machines to read and create text that humans understand. It converts 0’s and 1’s to read, “The customer withdrew $9,000 on three consecutive days.”
Like all software, machine learning and natural language processing continue to improve. As these technologies are calibrated to understand the characteristics and language of AML compliance, we can expect the pace of improvement to quicken and the benefits for AML compliance to increase.
Modern Software Has Limits and May Create More Work, Not Less
Machines are good at doing things that are rote, monotonous, and take humans a few seconds to perform. In AML, this means tasks like copying and pasting screenshots, or logging into numerous systems to retrieve data. Machines are not AML investigators, and the bank’s request reveals the limits of confidence AML leaders have in today’s available software.
Exempt from automatic SAR filing are alerts (or investigations) where activity other than structuring is present. This would include wire transfers or other deposit and withdrawal activity (e.g., checks) that could be construed as related to the structured transactions. For example, a basic structuring scheme involves multiple cash deposits below $10,000 followed by a wire transfer or check that moves the money closer to its final purpose—use by the criminal. As the OCC’s response reads, this simple scheme is not permitted to be investigated automatically. It appears alerts where there is no activity other than cash deposits or withdrawals are the only permissible matters to be automated. In every structuring investigation don’t investigators look for potentially related activity occurring prior and subsequent to the deposits or withdrawals? Afterall, even in the simplest structuring cases investigators need to see whether they can determine the source or use of funds.
In its opinion, the OCC underscored the need to distinguish between the most basic cash structuring and structuring with related activity. The OCC letter states that SAR filings result when the bank “knows, suspects, or has reason to suspect that … the transaction is designed to evade any regulation promulgated under the Bank Secrecy Act.”. The OCC goes on to say inherent in this concept is due diligence, which “as a general matter … requires greater scrutiny and more involved judgments for higher risk and more complex transactions and accounts.”
It is reasonable to conclude that the OCC is wary of machines attempting to decide which matters require more involved judgment. And since machines are not capable of rendering investigative judgment, most AML investigations will still require human involvement.
Yes, modern software will accelerate information gathering and documentation (thank goodness), but this should then serve as a way to free up more investigator time to analyze and make better decisions about suspicious activity. It’s important to remember that using existing AML technology, institutions detect very little of the couple trillion dollars laundered each year. It seems likely—even certain—that once detection software improves, institutions will discover more suspicious activity, not less. These additional discoveries will actually increase AML compliance work.
In the meantime, as the bank deploys the system it described in its request, it will need to develop processes and have people assigned to create a constant “feedback loop” that examines results, determines effectiveness (or lack thereof), decides which modifications are needed to improve the automatic detection and reporting software, makes those changes, tests those changes, document those changes, and then re-starts the loop once again. The level of work involved in this process should not be underestimated. Regulators and internal audit teams will expect this process to be airtight.
New Policies and Procedures Are Required
New systems and processes require AML teams to write new policy and procedures. The OCC said several times in its response that the bank’s automated structuring SAR filing must be “supported by strong risk governance.” Emphasizing this point the OCC wrote:
“However, even if the bank files all minimally required structuring SARs, it is possible that the automated process may not be ‘reasonably designed’ to achieve compliance with its reporting obligations. … For example, if the automated process were not regularly overseen, evaluated, and updated to ensure that it is reasonably designed to produce useful information to law enforcement, this could raise issues under the BSA/AML Compliance Program regulation. Moreover, if the system materially fails to identify instances of structuring or results in alert backlogs, then these could be issues under both the SAR and BSA/AML Compliance Program regulations. Accordingly, the OCC expects that, after implementation, the bank will regularly review and update these processes to ensure that the automated SAR filing process remains reasonably designed to achieve compliance with the OCC’s BSA/AML Compliance Program regulation.”
Adhering to this direction from the OCC requires AML officers to ensure the creation and implementation of new governance policies that would include, as an example, requirements to regularly review results of the automated system, a process to evaluate these results, a process for how results are used to modify the software, a process for testing these new modifications, and requirements for these and all other new policy requirements to be thoroughly documented and ready for scrutiny by the internal audit team and examiners. All this must occur while existing controls are maintained until new processes are implemented, tested, validated as effective and are sustainable.
Additionally, AML officers need to regularly update key executive management and the board of directors on any new initiative such as automatic SAR filing. Obviously, initiatives like this show promise for improving AML compliance but they also come with risk. The board and executive management are ultimately responsible for ensuring that risk is properly managed.
Innovation Likely Ends Up Increasing Costs
Often, it’s assumed that new technology lowers costs. Over the long term (many years) this may be the case.
A monthly subscription to Spotify or Netflix certainly lowers the cost of music and movies compared to 30 years ago. But the eventual savings are only realized after a period of design, development, starts and stops, small successes and small failures, and continual iteration. This process for consumer applications appears to move fast, but in reality, it takes many years and a lot of upfront investment and time. And applications like Spotify and Netflix do not operate in a heavily regulated environment and their reward for success is arguably more motivating—large profits rather than regulatory compliance.
Financial institutions are heavily regulated and as the OCC response shows, regulators expect institutions to move cautiously when developing and implementing new software and approaches to AML. In this instance the bank is seeking to improve one small aspect of AML—SAR filing for alerts were only cash structuring activity is present. The additional costs from this effort include, at minimum, investing in new software; hiring developers to refine, test, and maintain the software; writing new policy and procedures; and running the new system in parallel with existing systems (necessitating additional personnel to either maintain existing work and/or oversee the new work).
At some point, many of the current inefficient parts of AML alert and investigation work will improve. Getting to that point will take large investments and significant time. And often the outcome of better technology and greater efficiency is that you get more of something. In the case of Spotify and Netflix, we now have more music and more movies. For AML, better software means more suspicious activity detection and with that, more work.
[i] “Interpretive Letter #1166,” Office of the Comptroller of the Currency; https://www.occ.gov/topics/charters-and-licensing/interpretations-and-actions/2019/int1166.pdf
[ii] “Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing,” Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Financial Crimes Enforcement Network, National Credit Union Administration, and Office of the Comptroller of the Currency; https://www.occ.gov/news-issuances/news-releases/2018/nr-occ-2018-130a.pdf
[iii] “Guidance on Preparing a Complete and Sufficient Suspicious Activity Report Narrative,” Financial Crimes Enforcement Network; https://www.fincen.gov/sites/default/files/shared/sarnarrcompletguidfinal_112003.pdf