ACFCS Thought Leader Spotlight: More pressure on AML teams to learn AI, better understand data, weave in cyber, says Julie Myers Wood

By Brian Monroe
bmonroe@acfcs.org
February 12, 2020

In her more than two decades in the field of fighting financial crime as a lawyer, prosecutor and compliance remediator covering both the public and private sectors, Julie Myers Wood has developed an intimate knowledge of the ways criminals try to game the system, the laws in place to stop them and the tactics investigators have used to follow the money.

From top leadership positions with the U.S. Departments of Homeland Security, Commerce, Treasury and Justice, she saw firsthand how organized criminal groups worked to outwit domestic and international anti-money laundering (AML) rules, critical insight she uses now to help institutions bolster their defenses against illicit infiltration.

As the Chief Executive Officer of Guidepost Solutions, Myers Wood acts as the critical nexus between what corporations are expected to do in terms of compliance countermeasures, what auditors and regulators have uncovered as gaps and addressing those identified vulnerabilities so institutions can better provide rich and relevant intelligence to law enforcement.  

In recent years, Myers Wood has noticed AML trends ebb and flow as federal regulators put more of an emphasis on the quality, accuracy and protection of data – the latter of which many fincrime compliance professionals may have not realized would be a core component of their convergence philosophy.

“Tomorrow’s compliance is embedded with Information Technology (IT) systems,” Myers Wood told ACFCS. “If you don’t understand IT, you can’t update the business rules and apply the right technology to your problems.”

She is also seeing the first trepidatious steps for some institutions to more openly live in an “era of innovation” as part of a relatively new effort by regulators announced in a joint statement in December 2018, broadly exhorting banks to more readily tinker with technology to improve effectiveness and results in identifying and stopping the flow of dirty money.

As a contextual point, experts, analysts and watchdog groups have bemoaned the fact that the billions upon billions of dollars spent by banks annually on AML compliance to uncover the estimated more than $1 trillion laundered annually results in less than one percent of sullied funds actually being seized, frozen and forfeited – a key reason why examiners are embracing institutions choosing to break paradigms to improve immediate outcomes.

So, if that’s the case, why haven’t all banks, large and small, jumped on board to innovate if regulators have given their tacit blessing?

“That answer depends on the culture of the institution,” Myers Wood said. “There can also be big differences in terms of a talent gap of compliance professionals who are comfortable with data and IT. If you are not comfortable with data, including data management and data governance, you will be falling behind.”

But enhanced technology around fincrime compliance – such as artificial intelligence, automation and machine learning, which hold the allure of dropping transaction alert false positive rates and better uncovering interlinked entities – must be paired with the human element: employees and analysts with deep experience and expansive, holistic training.

The December 2018 joint statement of innovation is “encouraging institutions to think about how to be more innovative, not just on the systems front, but on the human front as well,” Myers Wood said. “A bank championing innovation is also one of the most critical ways to hire employees with the unicorn skill set that bridges both areas.”

Banks are starting to “bring in individuals who are innovative,” she said. “And how do they do that? By breaking down separate compliance and IT divisions and requiring them to work together in new ways.”

Ironically, said Myers Wood, who has extensive experience tied to fincrime in the crypto world, she noted that the virtual value companies and exchanges many banks are branding as higher risk could offer fresh strategies in overcoming longstanding compliance conundrums.

Myers Wood was kind enough to share some of her insight with ACFCS VP of Content, Brian Monroe in this Thought Leader Spotlight. Here is an edited version of that conversation:

What trends are you seeing in financial crime and compliance?

One major area of focus that we see in both the US and internationally is an emphasis on cybersecurity. Insufficient cyber controls can take down a financial institution very easily.

For instance, we have seen regulators from the New York Department of Financial Services (DFS) issuing regulations causing financial institutions to exercise enhanced controls and lockdown on their programs and vendors. 

What do you think of regulatory calls for innovation in terms of AML compliance?

There is sometimes a conflict between successful compliance and innovation. Many of the [regtech firms] moving forward with artificial intelligence (AI) and dealing with compliance programs may not have the longest track record. They may be using the cloud or other technologies that are uncomfortable for FIs.

FIs are really grappling with how they embrace innovation, while continuing to meet the requirements to [identify and report on financial crimes] and the standardized requirements that are in place, [such as the technical requirements of the four-pronged AML compliance program]. There is a bit of a tension there.

We see that tension particularly with larger FIs, where the financial crime groups may want to pilot an innovative technology in a sandbox, but the information technology (IT) division is not as comfortable with doing that.

IT is concerned with the risk that the innovative technology has not been established for a long time or has a different kind of secondary framework and controls. There can also be parochial desires by IT to control and develop in-house solutions, rather than looking to use innovative, but unproven, vendor technologies. 

What do you think about industry efforts at convergence to break down silos between AML, fraud and cyber?

Certainly, that remains a big challenge. A lot of FIs are contending with how to bring IT and cyber controls into the compliance space more effectively. We have seen many different models to do that, but I don’t think any institution has found the perfect model yet.

Why? That answer depends on the culture of the institution. There can also be big differences in terms of a talent gap of compliance professionals who are comfortable with data and IT. If you are not comfortable with data, including data management and data governance, you will be falling behind.

Tomorrow’s compliance is embedded with IT systems. If you don’t understand it, you can’t update the business rules and apply the right technology to your problems.

The December 2018 joint statement of innovation is encouraging institutions to think about how to be more innovative, not just on the systems front, but on the human front as well. A bank championing innovation is also one of the most critical ways to hire employees with the unicorn skill set that bridges both areas.

What do you think of the December 2018 joint statement on innovation and do you see banks doing anything differently or starting to tinker with new technology?

Having a statement from the examiners is very important because FIs are very risk adverse. Just look at the de-risking movement. But even if there is a pattern with regulators using 20/20 hindsight, getting FIs to be innovative is tough.

The perspective of the banks tends to be using what they are familiar with, even if it doesn’t catch everything, because the institution will not be further penalized for unknown liabilities on untested innovative technologies.

FIs are worried about being penalized for taking risk-based chances. Innovation is a very important thing to do, but the culture of some FIs is not always to innovate. 

Despite these challenges we are seeing banks start to bring in individuals who are innovative. And how do they do that? By breaking down separate compliance and IT divisions and requiring them to work together in new ways.

That is important. A lot of compliance professionals have been at banks a long time and have seen banks get a penalty even while seemingly doing the right thing. 

They may not want to make changes because they believe that the risk of a large compliance fine or penalty when using standard industry software is pretty low compared to the risk when trying new technology or approaches.  

So overall when it comes to banks broadly innovating, I am not sure we are there yet. It also does add costs to institutions to innovate and keep things going to make sure there is no unknown vulnerability. But there is a large upside.

It’s also very important for examiners to embrace some of these innovations. Confirmation that examiners are open to new ideas and new ways of meeting traditional compliance objectives is a key piece in a bank’s willingness to consider innovation. 

Do you see examiners on the ground fostering innovation at banks and themselves being beholden to the risk-based approach?

For examiners, the proof of whether banks are innovating the right way will be in the results. Once we see that the examiners are applying the risk-based approach rather than simply unrealistic compliance expectations, that will allow banks to push back.

But with the current regulatory system it’s hard for FIs to trust that innovation will be credited by examiners. This hesitation was borne of years of regulators dinging banks on minor program issues, rather than overlooking those small stumbles and giving credit for overall effectiveness. 

In addition, exam consistency is also difficult because banks have a myriad of examiners with different areas of regulatory focus. 

Even if one group of examiners is fostering innovation, another group could be dealing with it differently. Banks must find a common denominator to see if their plans and their approaches are working [across multiple examiners and exam cycles].

It will be a while until institutions can trust that that is going to happen. But I am hopeful that examiners will more consistently focus not on form, but on substance. At the end of the day, if you are allowing criminals and cyber threats to get into your institution, no one wins. Focusing on what matters is really important, regardless of how your program looks or what tools you’re using.

Looking ahead, the increasing volume of [financial crime compliance innovation] can help address some of the problems banks are getting penalized for today. For instance, embracing a blockchain can reduce non-transparent payments and minimize opportunities for financial crime.

There will still be penalties for banks that make missteps, but regulators are also going to have to recognize and adjust those fines on a more risk-based approach and taking into account the good faith activities to improve compliance by those institutions.

When penalties start to be adjusted downward because banks are making a good faith effort to improve and test new technologies, other institutions will think hard about that. Making changes and investing in new technology is very difficult for them, so I think that FIs need continued encouragement and regulatory support.

Are you hearing about any success stories related to banks partnering with regtech and other compliance technology firms?

We certainly are seeing FIs partnering with fintechs because they are struggling with the effectiveness of the old methods to detect and prevent financial crime given the changing society. 

It’s very important that institutions think about the mindset of regulators when it comes to the next step of how [banks, regtech and crypto-related firms] can better prevent financial crime.

But I still see a great deal of skepticism from legacy financial institutions in, for instance, partnering with a crypto exchange, which is slightly ironic, because in some cases, the methods and practices are stronger than what you see in traditional institutions, given the transparency of the blockchain.

BIO: Julie Myers Wood

As the Chief Executive Officer of Guidepost Solutions, Julie focuses on helping corporations resolve problems with government agencies, ensuring they are proactively addressing compliance requirements.

Prior to joining the private sector, she held leadership positions with the U.S. Departments of Homeland Security, Commerce, Treasury and Justice.

This included serving as the Head of Immigration and Customs Enforcement, Homeland Security’s largest investigative component, as well as the Assistant Secretary for Export Enforcement and the Chief of Staff for the Criminal Division at the Department of Justice.

Throughout her government and private sector career, she has helped develop, implement and execute compliance programs and crisis management plans and responses across a wide range of industries for numerous companies.

Julie is nationally recognized as a speaker for her expertise on compliance, security, immigration and other law enforcement issues and has testified before Congress. 

Want to start a dialogue with Julie? Feel free to connect with her on LinkedIn and follow her on twitter @guidepostglobal, @myerswood