Main Content

AML: The Tech Factor

Tensions between the law and technology will only deepen, posing challenges to banks.

By Gary Shiffman

Rapid technological advancements often outpace the ability of decision makers to form policies. This is an age-old problem now besetting bankers, regulators, and law enforcement, and can be seen, for example, in the recent public battles between Apple and the FBI over encrypted iPhones seized in criminal cases. Tensions between legal guidelines and technological advancements are not new, and the law has consistently lagged behind new technology for centuries in cases as diverse as railroads and export controls on supercomputers. As the current unparalleled surge of technological growth in “big data” demonstrates, this tension will only deepen, posing challenges to financial institutions as they attempt to meet regulatory requirements. 

Following the attacks of September 11, 2001, the U.S. federal government implemented the USA Patriot Act, which, among other things, strengthened 1970’s Bank Secrecy Act (BSA) by instituting increased regulatory requirements and information sharing between the government and financial institutions. Aiming to address concerns over terrorist financing, Section 312 of the Patriot Act “amends the Bank Secrecy Act by imposing due diligence & enhanced due diligence requirements on U.S. financial institutions that maintain correspondent accounts for foreign financial institutions or private banking accounts for non-U.S. persons.” As a result, banks are legally obligated to report to law enforcement agencies any information that indicates suspicious behavior. 

The entire system suffers when law enforcement and technologists don’t participate in the bank-to-regulator-to-bank discussion.
However, the high costs of BSA compliance as well as the triangulation of the relationship between banks, regulators, and law enforcement (see Figure 1) lead to misunderstandings and misaligned efforts that struggle to meet needs, resulting in a system that’s both expensive and inefficient. Fortunately, we can see a path to efficient compliance and high-quality data for public safety and security. 

Banks spend significant resources on BSA compliance, often becoming overburdened as a result and losing shareholder value. A Harvard Kennedy School report stated that BSA reporting requirements were among the most cumbersome for community banks. These costs have begun to weigh on larger financial institutions as well, and in 2013 JPMorgan Chase reported increasing its spending by an additional $1.5 billion to manage risk and comply with regulations, “including a 30% increase in risk-control staffing” in 2013. In 2015, Citigroup reported that 59% of the institution’s recent expenses savings were “being consumed by additional investments that [the bank was] making in regulatory and compliance activities.”

Beyond rising costs, the entire system suffers when law enforcement and technologists don’t participate in the bank-to-regulator-to-bank discussion. Banks tend to follow one another when it comes to compliance technologies for an obvious reason: A banker reduces risk by mirroring the actions of peers. The risk they reduce, however, is the risk of failing to satisfy the regulator and not the risk of failing to satisfy law enforcement by helping them to apprehend criminals. 

For example, if Bank Z chooses Vendor C for automated compliance solutions, while the majority of the Bank Z’s peers use either Vendor A or Vendor B, then Bank Z will increase the risk of perceived poor judgment from the regulator. Moreover, this risk becomes more pronounced to the extent and degree that the regulator has limited knowledge of the technology marketplace. 

This herd mentality can be great or terrible. If the technologies resident in the incumbent vendors provide great value – low cost and highly efficient at providing information related to the BSA to law enforcement – then the market works. However, if the existing market technologies, those embedded in Vendors A and B, fail to provide good information at reasonable costs, then the system of incentives can reasonably be described as failing. To be clear: Banks spending considerable resources on technologies do not advance the BSA’s legislative goals, while technological evolution provides lower-cost and higher-value solutions. This article seeks to point out the need for attention to this issue.
Future policy efforts must take into account new technological developments in order to craft legislation that works in line with emerging innovations.
Ultimately, we have a breakdown in communication among banks, law enforcement, regulators, and technologists, requiring a reassessment of both law enforcement needs as well as banks’ technological ability to meet them. Banks want to comply and want their significant investments made in compliance to actually help protect public safety and security, especially as law enforcement investigations continue to increase. Regulators want to help the banks comply while also protecting public safety and security, and law enforcement officials want to do their job with the benefit of the data required by the BSA. All sides maintain good intentions, and this story lacks a villain. We simply need the system of rules and enforcement governing the banks to encourage behaviors to increase efficiency – more deterrence at a lower cost. 
The Clearing House
This brings us back to the core problem of technology outpacing legal requirements. Future policy efforts must take into account new technological developments in order to craft legislation that works in line with emerging innovations. This requires regulators to better understand technologies for financial institutions. Technologies exist that can drive the cost of compliance and risk management down and improve the quality of data for law enforcement intended by the post-9/11 legislative initiatives.

The simplest solution is to invest in technological solutions by rewarding innovation through a layered approach to compliance. Regulating bodies such as the Office of the Comptroller of the Currency should discourage the herd mentality by awarding only partial credit to banks that use older solutions. On the other hand, financial institutions that prioritize new, innovative technological reporting tools should be rewarded. This layered approach allows regulators to force banks to adapt their behavior by demonstrating that they need to innovate rather than stagnate in order to meet their compliance needs. 

Emerging technologies already on the market can help strengthen this process by improving the government’s ability to regulate banks, furthering banks’ access to relevant data, and providing a tool for law enforcement officials to accurately identify suspicious activity. Technological innovation, especially in big data and analytics, is advancing at a blistering pace, providing consistent opportunities to drive down the cost of compliance and increase efficiency in advancing national security. These tools should strengthen the relationship that ties together regulators, banks, and law enforcement, ensuring regular interaction and a positive feedback loop to further effectiveness. 
Technological innovation, especially in big data and analytics, is advancing at a blistering pace, providing consistent opportunities to drive down the cost of compliance and increase efficiency in advancing national security.
At the same time, compliance bodies should also reward financial institutions that maintain an ongoing dialogue with law enforcement agencies and provide useful information to law enforcement in investigating money laundering, terrorist financing, and other crimes. Similarly, compliance officials must improve their communication channels with law enforcement. Part of the communication problems stems from the disconnect between agencies, leading regulators to set reporting requirements around what they think law enforcement needs rather than based on direct input from law enforcement. Instead, all corners of the triangle need to better communicate on requirements, appropriate regulations, and potential reporting tools to ensure improved efficiency on all sides. For example, the recent Mid-Atlantic Money Laundering Conference, held in late July 2016, brought together regulators, financial experts, and law enforcement officers to jointly discuss current shortcomings and ways forward. Maintaining opportunities for dialogue such as this conference will prove critical in ensuring continued progress. 

Technology underlies all of these topics and can provide massive improvements to the system, but only to the extent policymakers and regulators maintain awareness of innovation and reward responsible adoption of new technologies. For example, GOST was developed in conjunction with DARPA and federal law enforcement, and it’s now available commercially to banks so they can support negative media search requirements. Many other agile technologies sit ready for deployment today, waiting for the market to reward efficiency across all corners of the triangle. 

Although the system may seem broken, these opportunities provide hope that working together will lead to a smarter and more sustainable framework.