Artificial Intelligence and Machine Learning in Financial Services
SUMMARY
The Compliance Committee released a report that it hopes will serve as a useful resource tool for compliance officers operating in the complex legal and regulatory environment focused on anti-money laundering (AML) and combatting the financing of terrorism (CFT). The compliance officers and other independent risk managers of financial services companies and financial institutions serve as essential gatekeepers to prevent, detect, and remediate violations of laws, regulations, and internal policies and rules. This is particularly true with compliance officers and independent risk managers who are responsible for AML and CFT compliance. The U.S. has long determined that the fight against money laundering and terrorist financing is critically important, and under U.S. federal laws and the laws of several U.S. states, money laundering and terrorist financing are criminal offenses punishable by significant fines and imprisonment. Under federal law, prudential supervisors also make certain institution-affiliated parties subject to fines and penalties in certain egregious cases, where they have played a significant role in the financial institution’s failure to detect and prevent money laundering or terrorist financing. In fact, the roles and responsibilities of AML/CFT Compliance Officers are so important that they may become the subject of a government agency enforcement action when the government determines that an AML/CFT Compliance Program is flawed, and the flaws are attributable to the AML/CFT Compliance Officer.
This report may serve as a resource for financial services companies and financial institutions and AML/CFT Compliance Officers who are implementing or considering implementing AI/ML systems into their AML/CFT Compliance Programs. The report (1) summarizes the definitions of AI/ML used by different regulatory agencies; (2) provides examples of how AI/ML may benefit a financial institution’s AML/CFT Compliance Program; (3) describes the material risks and challenges with implementing AI/ML in AML/CFT Compliance Programs, and strategies for overcoming some of those risks and challenges; (4) discusses certain trends in AI/ML in AML/CFT Compliance; and (5) ends with a conclusion and some observations.
REPORT
ARTIFICIAL INTELLIGENCE AND MACHINE LEARNING IN FINANCIAL SERVICES:
OPPORTUNITIES AND CHALLENGES IN ANTI-MONEY LAUNDERING AND COMBATTING THE FINANCING OF TERRORISM
The compliance officers and other independent risk managers[1] of financial services companies and financial institutions[2] serve as essential gatekeepers to prevent, detect, and remediate violations of laws, regulations, and internal policies and rules.[3] This is particularly true with compliance officers and independent risk managers who are responsible for AML and CFT compliance[4] (collectively, AML/CFT Compliance Officers).[5] The U.S. has long determined that the fight against money laundering and terrorist financing is critically important,[6] and under U.S. federal laws and the laws of several U.S. states, money laundering[7] and terrorist financing[8] are criminal offenses punishable by significant fines and imprisonment. Under federal law, prudential supervisors[9] also make certain institution-affiliated parties[10] subject to fines and penalties in certain egregious cases, where they have played a significant role in the financial institution’s failure to detect and prevent money laundering or terrorist financing. In fact, the roles and responsibilities of AML/CFT Compliance Officers are so important that they may become the subject of a government agency enforcement action when the government determines that an AML/CFT Compliance Program is flawed, and the flaws are attributable to the AML/CFT Compliance Officer.[11] Affiliated parties may also become subject to an enforcement action if they were a part of undermining or creating deficiencies in the AML/CFT Compliance Program.
The U.S. Anti-Money Laundering Act (AMLA) of 2020 has strengthened the AML/CFT laws and directed the appropriate authorities to modernize the AML/CFT laws to address new and emerging threats and encourage technological innovation and the adoption of new technology by financial institutions.[12] In seeking to ensure compliance with AML/CFT laws, and strengthen AML/CFT Compliance Programs, in many cases, AML/CFT Compliance Officers have turned to or are considering the use of advanced technologies (e.g., proprietary software, systems, and third-party support), including, artificial intelligence (AI) and machine learning (ML) (collectively, AI/ML).[13] To date, financial institutions are in different stages regarding AI/ML. Some of the largest have invested heavily in AI/ML or the exploration of AI/ML. Most smaller financial institutions have not invested heavily in either due primarily to the costs involved and the uncertainty regarding how much, if any, credit prudential supervisors and law enforcement would grant.[14] While the use of technology to support AML/CFT Compliance Programs (especially software and systems) is not new, and AML/CFT Compliance Officers have used technology for many decades, current forms of AI/ML and the promised solutions for important use cases may present more opportunities and challenges than older technologies.[15]
The use of AI/ML is particularly important today to potentially increase efficiencies for historically labor intensive and unevenly effective compliance programs. Labor intensity has derived in part from the vast amounts of both structured and unstructured data that is generated and that must be considered.[16] The overwhelming majority of financial institution transactions are not suspicious or do not require the filing of a suspicious activity report (SAR). Given the volume of transactions, identifying the right suspicious activity is exceedingly difficult. Furthermore, historically available algorithms and other mathematical or statistical models are more basic than present day AI/ML systems.
Today, AI/ML is substantially more complex and therefore requires knowledge and skill sets that many traditional AML/CFT Compliance Officers may not have unless they have kept up to date on the uses of AI/ML in AML/CFT. In addition, it may be a bridge too far to expect such AML/CFT Compliance Officers to tackle complex AI/ML issues directly such as explainability and model bias and ensuring the right use of the AI/ML model’s outputs. These AML/CFT Compliance Officers also may not have the experience to explain why they are using specific AI/ML systems and how such specific AI/ML systems help the financial institutions achieve their AML/CFT Compliance goals without causing other issues for the financial institutions and their customers. For some financial institutions, especially the largest financial institutions that have heavily invested in AI/ML, this may be less an issue because AML/CFT Compliance Officers at those financial institutions might have a long history of working with advanced technologies, including technologies that use mathematical and statistical modelling, especially with respect to determining risk ratings of customers and transactions, investigating and identifying suspicious activity, eliminating false positives or false negatives on OFAC sanctions monitoring; and conducting other forms of due diligence.
Data is foundational to enabling models powered by AI/ML. Further, as stressed by the Bank of England (BoE) and the United Kingdom’s Financial Conduct Authority (FCA) “[d]ata is at the core of financial services… [f]rom customer services to consumer credit, AML and anti-fraud analytics to investment management, financial services firms use AI for a range of business services.”[17] Notwithstanding the risks and challenges, the transformative nature of AI/ML, and the increasing pace at which these technologies are adopted and improved, will continue to influence how AML/CFT Compliance Officers perform their responsibilities, while continuing to improve their AML/CFT Compliance Programs for financial services companies and financial institutions. The use and effectiveness of AI/ML will also influence the approaches and responses to AI/ML by regulatory agencies, law enforcement, policymakers, industry participants, data specialists, technologists, ethicists, and other stakeholders across the world.
This report[18] may serve as a resource for financial services companies and financial institutions and AML/CFT Compliance Officers who are implementing or considering implementing AI/ML systems into their AML/CFT Compliance Programs. The report (1) summarizes the definitions of AI/ML used by different regulatory agencies; (2) provides examples of how AI/ML may benefit a financial institution’s AML/CFT Compliance Program; (3) describes the material risks and challenges with implementing AI/ML in AML/CFT Compliance Programs, and strategies for overcoming some of those risks and challenges; (4) discusses certain trends in AI/ML in AML/CFT Compliance; and (5) ends with a conclusion and some observations.
Click “Download PDF” to read the whole report.
Footnotes
[1] In the case of this report, a compliance officer or other independent risk manager is independent of line management, the sales force, and revenue generators and has stature and authority to provide objective and independent assessments.
[2] For purposes of this report, a financial institution is regulated if it meets the definition of financial institution within the meaning of the regulations of the Financial Crimes Enforcement Network (FinCEN). See 31 C.F.R. 1010.100(t) (2021), which defines a financial institution as (1) A bank (except bank credit card systems); (2) A broker or dealer in securities; (3) A money services business as defined in 31 C.F.R. 1010.100 (ff); (4) A telegraph company; (5) certain casinos; (6) certain card clubs; (7) A person subject to supervision by any state or federal bank supervisory authority; (8) A futures commission merchant; (9) An introducing broker in commodities; or (10) A mutual fund. Financial services companies are included alongside of financial institutions because even if some are not subject to the requirement to comply with FinCEN’s regulations (such as investment advisers; certain insurance companies; and insurance brokers), they are often directly or indirectly required to comply with many of the anti-money laundering (AML) and combatting the financing of terrorism (CFT) laws (AML/CFT laws) by financial institutions, investors, third-party service providers, and other market participants. Frequently used acronyms are listed at Schedule B.
While registered investment advisers are not financial institutions under current law, on February 15, 2024, FinCEN published a Notice of Proposed Rulemaking in the Federal Register on Financial Crimes Enforcement Network: Anti-Money Laundering/ Countering the Financing of Terrorism Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers and Exempt Reporting Advisers https://www.govinfo.gov/content/pkg/FR-2024-02-15/pdf/2024-02854.pdf. (All websites last accessed on March 1, 2024.) The lack of a regulation covering investment advisers, and other reasons, explain why the Financial Action Task Force (FATF) continues to criticize the U.S. regarding its failure to comply fully with FATF Recommendation 10 (R.10.). “However, a few minor technical gaps remain, including the lack of explicit Beneficial Ownership (BO) requirements, mainly in relation to other trust relevant parties for legal arrangements. Limited measures have been taken to improve the occasional transaction threshold of USD 3,000 for Money Services Businesses (MSBs) and to improve gaps with regard to life insurance companies. In addition, Investment Advisers (IAs) are still not directly covered by the Bank Secrecy Act (BSA) obligations. Overall, the U.S. has addressed a number of the key identified deficiencies, but deficiencies (especially in relation to all types of legal arrangements) still remain. The U.S. is therefore re-rated as Largely Compliant with R.10.” See FATF, Anti-Money Laundering and Counter-Terrorist Financing Measures United States 3rd Enhanced Follow-up Report & Technical Compliance Re-Rating, at p. 3 (Mar. 2020), https://www.fatf-gafi.org/en/publications/Mutualevaluations/Fur-united-states-2020.html.
FATF is the global money laundering and terrorist financing watchdog. It is also an inter-governmental body that sets international standards that aim to prevent illegal activities and the harm they cause to society. As a policy-making body, FATF works to bring about national legislative and regulatory reforms in these areas. FATF sets international standards to ensure national authorities can effectively go after illicit funds linked to drugs, trafficking, the illicit arms trade, cyber fraud, and other serious crimes. In total, more than 200 countries and jurisdictions have committed to implement the FATF’s Standards as part of a coordinated global response to preventing organized crime, corruption, and terrorism. FATF was established in 1989 and is based in Paris.
[3] See N.Y. City Bar Assoc. Compliance Comm., Chief Compliance Officer Liability in the Financial Sector, N.Y. City Bar(Feb. 2020), https://s3.amazonaws.com/documents.nycbar.org/files/NYC_Bar_CCO_Framework.pdf.
[4] Many of these requirements are imposed by a combination of federal and state regulatory agencies and law enforcement. See Federal Financial Institutions Examination Council (FFIEC), BSA/AML Examination Manual Appendix A: BSA Laws And Regulations, https://bsaaml.ffiec.gov/manual/Appendices/02 [hereinafter FFIEC BSA/AML Examination Manual].
[5] For certain financial institutions and other U.S. Persons, the failure to detect and prevent money laundering and terrorist financing could lead to significant criminal and civil fines and penalties, as well as loss of a license granted by a licensing authority or prudential supervisor or revocation of a registration that has been accepted by a government agency. See 12 U.S.C. §1818(s); 31 C.F.R. Chapter X. The distinction between certain financial institutions and other U.S. Persons is necessary because certain financial institutions are required to comply with certain sections of 31 C.F.R Title X, but all U.S. Persons are required to comply with the requirements of the Office of Foreign Assets Control (OFAC) in 31 C.F.R. Chapter V. Criminal penalties exist for willful violations of the AML/CFT laws under 31 U.S.C. § 5322 and for structuring transactions to evade AML/CFT reporting under 31 U.S.C. § 5324(d).
[6] On June 30, 2021, FinCEN issued the AML/CFT National Priorities, which included eight categories of priorities: corruption; cybercrime; foreign and domestic terrorist financing; fraud; transnational criminal organization activity; drug trafficking organization activity; human trafficking and human smuggling; and proliferation financing. These priorities must be incorporated into AML/CFT Compliance Programs. See Anti-Money Laundering and Countering the Financing of Terrorism National Priorities, FinCEN (June 30, 2021), https://www.fincen.gov/sites/default/files/shared/AML_CFT%20Priorities%20(June%2030%2C%202021).pdf [hereinafter FinCEN AML/CFT Priorities].
[7] See 18 U.S.C. § 1956 and 18 U.S.C. § 1957; See also N.Y. Penal Law Article 470 (LexisNexis 2022).
[8] See 18 U.S.C. § 2339A–C and 21 U.S.C. § 960a; See also 50 U.S.C. § 1701–05, which criminalizes conduct in violation of executive orders prohibiting transactions with, among other things, nation-states that support international terrorism, designated terrorists, and terrorist groups. OFAC administers many of the CFT laws, and OFAC has issued regulations governing the activities of US Persons when it comes to these laws. 31 C.F.R. Chapter V. OFAC defines a U.S. Person as any U.S. citizen, permanent resident alien, entity organized under the laws of the U.S. or any jurisdiction within the U.S. (including foreign branches), or any person in the U.S. See 31 C.F.R. § 560.314; see also N.Y. Penal Law Article 490.
[9] For these purposes, a prudential supervisor at the federal level includes the Board of Governors of the Federal Reserve System (Federal Reserve), the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC). Prudential supervisors at the state level include governmental agencies that supervise banks and MSBs such as the New York State Department of Financial Services (DFS) and the California Department of Financial Protection and Innovation (DFPI). In the U.S., certain MSBs are required to register with FinCEN and obtain licenses from state prudential supervisors such as DFS and DFPI. In the case of financial institutions subject to federal prudential supervision, the federal prudential supervisors are required to impose a cease-and-desist order against the financial institution for certain AML/CFT Compliance failures, typically referred to as “program failures.” See 12 U.S.C. § 1818(s)(3).
[10] See 12 U.S.C. § 1813(u). An “institution-affiliated party” includes (1) any director, officer, employee, or controlling stockholder (other than a bank holding company or savings and loan holding company) of, or agent for, an insured depository institution; (2) any other person who has filed or is required to file a change-in-control notice with the appropriate federal banking agency under 12 U.S.C. § 1817(j); (3) any shareholder (other than a bank holding company or savings and loan holding company), consultant, joint venture partner, and any other person as determined by the appropriate federal banking agency (by regulation or case-by-case) who participates in the conduct of the affairs of an insured depository institution; and (4) any independent contractor (including any attorney, appraiser, or accountant) who knowingly or recklessly participates in (A) any violation of any law or regulation; (B) any breach of fiduciary duty; or (C) any unsafe or unsound practice, which caused or is likely to cause more than a minimal financial loss to, or a significant adverse effect on, the insured depository institution.
[11] For instance, FinCEN imposed a $450,000 civil money penalty. See In the Matter of: Michael LaFontaine, Saint Croix County, WI, Number 2020-01 (Mar. 4, 2020), https://www.fincen.gov/sites/default/files/enforcement_action/2020-05-21/Michael%20LaFontaine-Assessment-02.26.20_508.pdf. FinCEN concluded that LaFontaine participated in the violations of the BSA and its implementing regulations. LaFontaine is a former Chief Operational Risk Officer (and, before that, Deputy Risk Officer, and Chief Compliance Officer) at U.S. Bank National Association. The OCC also imposed a $50,000 civil money penalty against LaFontaine. See In the Matter of: Michael S. LaFontaine, Former Chief Operational Risk Officer, U.S. Bank, N.A., Cincinnati, Ohio, AA-EC-2019-94 (Feb. 26, 2020), https://www.occ.gov/static/enforcement-actions/ea2020-011.pdf See also, In the Matter of Lia Yaffar-Pena, Order Instituting Administrative and Cease-and-Desist Proceedings, Pursuant to Sections 15(b) and 21C of the Securities Exchange Act of 1934, Making Findings, and Imposing Remedial Sanctions and a Cease-and-Desist Order, Release No. 79124, Securities and Exchange Commission (SEC) (Oct. 19, 2016), https://www.sec.gov/litigation/admin/2016/34-79124.pdf; FINRA Fines Raymond James $17 Million for Systemic Anti-Money Laundering Compliance Failures, Former AML Compliance Officer Fined and Suspended, Fin. Industry Regul. Auth. (May 18, 2016), http://www.finra.org/newsroom/2016/finra-fines-raymond-james-17-million-systemic-anti-money-laundering-compliance; In the Matter of Charles Sanders, Consent Ord., AA-EC-2015-92, OCC (Mar. 15, 2016), https://www.occ.gov/static/enforcement-actions/ea2016-038.pdf. FinCEN Assesses $1 Million Penalty and Seeks to Bar Former MoneyGram Executive from Financial Industry, Fin. Crimes Enforcement Network (Dec. 8. 2014), at https://www.fincen.gov/news/news-releases/fincen-assesses-1-million-penalty-and-seeks-bar-former-moneygram-executive; U.S. Dep’t of Treasury v. Haider, No. 15-1518, 2016 WL 107940, at 3 (D. Minn. Jan. 8, 2016); and U.S. Dep’t of Treasury v. Haider (S.D. N.Y. Dec. 18, 2014), https://www.fincen.gov/sites/default/files/shared/USAO_SDNY_Complaint.pdf.
[12] See The Bank Secrecy Act (BSA) the Anti-Money Laundering Act, 31 U.S.C. § 5311, https://www.fincen.gov/anti-money-laundering-act-2020 [hereinafter AMLA].
[13] There are many questions to be answered when considering whether to use AI/ML to strengthen AML/CFT Compliance. See Federated Machine Learning in Anti-Financial Crime Processes Frequently Asked Questions, FinRegLab (Dec. 2020), https://finreglab.org/wp-content/uploads/2020/12/FAQ-Federated-Machine-Learning-in-Anti-Financial-Crime-Processes.pdf.
[14] See AML and AI: How AI is Changing the AML Landscape, ComplyAdvatage, https://complyadvantage.com/insights/aml-ai-how-ai-is-changing-the-aml-landscape/ (last visited Nov. 17, 2022). Some commentators have concluded that the use of AI/ML in AML/CFT Programs is a game changer. See The Fight Against Money Laundering: Machine Learning is a Game Changer, Mckinsey & Co., (Oct. 7, 2022), https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/the-fight-against-money-laundering-machine-learning-is-a-game-changer#/.
[15] This report aspires to help AML/CFT Compliance Officers understand and appreciate the opportunities and challenges related to AI/ML, especially with respect to AML/CFT Compliance Programs. In doing so, the report highlights some of the existing liabilities to AML/CFT Compliance Officers and their financial institutions under the AML/CFT Laws. The report has not focused on legal liability that might flow from the use of AI/ML because such liability is less clear and uncertain. However, it is worth noting and highlighting that others have focused on that issue. For instance, on February 6, 2023, the House of Delegates of the American Bar Association adopted Resolution 604, https://www.americanbar.org/content/dam/aba/directories/policy/midyear-2023/604-midyear-2023.pdf. Among other things, Resolution 604 provides that: (1) Developers, integrators, suppliers, and operators (Developers) of AI systems and capabilities should ensure that their products, services, systems, and capabilities are subject to human authority, oversight, and control; (2) Responsible individuals and organizations should be accountable for the consequences caused by their use of AI products, services, systems, and capabilities, including any legally cognizable injury or harm caused by their actions or use of AI systems or capabilities, unless they have taken reasonable measures to mitigate against that harm or injury; and (3) Developers should ensure the transparency and traceability of their AI products, services, systems, and capabilities, while protecting associated intellectual property, by documenting key decisions made with regard to the design and risk of the data sets, procedures, and outcomes underlying their AI products, services, systems and capabilities.
[16] See IBM, Structured vs. Unstructured Data: What’s the Difference? A Look into Structured and Unstructured Data, Their Key Differences and Which Form Best Meets Your Business Needs, https://www.ibm.com/blog/structured-vs-unstructured-data/. While it is true that AML/CFT Compliance Officers have historically had to deal with vast amounts of data, today there are more laws and more government agencies and other stakeholders requiring AML/CFT Compliance Officers to create and review data, and government agencies now treat AML/CFT Compliance Officers as gatekeepers with potential liability that AML/CFT Compliance Officers have not been exposed/subject to in the past.
[17] See Bank of England & Financial Conduct Authority, Final Report Artificial Intelligence Public-Private Forum (Feb. 2022), https://www.bankofengland.co.uk/-/media/boe/files/fintech/ai-public-private-forum-final-report.pdf?la=en&hash=F432B83794DDF3F580AC5A454F7DFF433D091AA5 [hereinafter, the AIPPF Report].
[18] Schedule A identifies the professionals and City Bar committees that drafted or reviewed the report.
