Regulators Banks

Federal investigative and regulatory authorities have urged banks to innovate on financial crime compliance programs, at the same time creating a tacit safe harbor for incubation by directly stating such efforts, successful or not, should be free from the withering gaze of examiners.

This is the second joint statement in as many months from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) and its regulatory banking partners, including the Office of the Comptroller of the Currency (OCC) and the National Credit Union Association (NCUA), this time tackling one of the most talked about subjects in anti-money laundering (AML): what, if and how banks should be innovating and how will examiners respond.

In October, the same cadre issued a joint statement focusing on smaller institutions, essentially giving their blessing for these operations to pool financial crime compliance resources to lower costs, improve efficiency and potentially get access to more expertise and greater independence – with certain caveats, including that one compliance officer can’t serve two banking masters.

The moves come as more global regulators, jurisdictions and vendors create fintech and regtech sandboxes to play with these new technologies themselves to both better identify and counter illicit finance but also more rigorously review financial institution AML programs to find banks with weak counter-crime controls.

The latest missive notes the strides the collective banking and compliance communities have made in testing out how technologies like machine learning, artificial intelligence and more advance algorithms and data analytics.

“As money launderers and other illicit actors constantly evolve their tactics, we want the compliance community to likewise adapt their efforts to counter these threats,” said Sigal Mandelker, Treasury Under Secretary for Terrorism and Financial Intelligence, in a statement.

“We are highly encouraged by innovative steps that financial institutions have taken recently to identify and report illicit financial activity related to North Korea, Iran, and other key national security and law enforcement priorities,” he said.

The communique was uncharacteristically direct on the issue of examiners dinging banks on testing new tech, urging caution, camaraderie and communication.

“The Agencies will not penalize or criticize banks that maintain effective BSA/AML compliance programs commensurate with their risk profiles but choose not to pursue innovative approaches,” the statement said.

“While banks are expected to maintain effective BSA/AML compliance programs, the Agencies will not advocate a particular method or technology for banks to comply with BSA/AML requirements.”

Moreover, the joint statement notes that “innovative pilot programs in and of themselves should not subject banks to supervisory criticism, even if the pilot programs ultimately prove unsuccessful.”

Likewise, pilot programs that “expose gaps in a BSA/AML compliance program will not necessarily result in supervisory action with respect to that program,” according to the statement.

‘Necessarily’ a good idea?

For example, “when banks test or implement artificial intelligence-based transaction monitoring systems and identify suspicious activity that would not otherwise have been identified under existing processes, the Agencies will not automatically assume that the banks’ existing processes are deficient.”

Moreover, in instances, regulators “will assess the adequacy of banks’ existing suspicious activity monitoring processes independent of the results of the pilot program,” the joint statement said. “Further, the implementation of innovative approaches in banks’ BSA/AML compliance programs will not result in additional regulatory expectations.”

While these words should generally fill compliance departments with confidence to test without fear of regulatory reprisal, there is a key term to also focus on: “necessarily.”

That opens the door for scenarios that an examiner just can’t ignore.

“So, if your pilot program identifies 500 funnel accounts that moved $1 billion over the last three years that your existing system failed to detect and the bank failed to report,” it’s unlikely an examiner will give those figures a pass and not connect a failure back to the legacy system, said a former compliance officer.

“Best of luck with that assessment of the adequacy of your existing program,” the person said.

What is still unknown?

Will the pendulum swing the other way, with examiners on the ground – given their own subjective interpretation of this statement – chastise banks for not more aggressively tinkering with new technologies? Only time will tell.

Can’t fall short on path to innovation

What is certain is that as banks evaluate new high-tech strategies, they can’t fall short of ongoing AML program requirements.

“Banks must continue to meet their BSA/AML compliance obligations, as well as ensure the ongoing safety and soundness of the bank, when developing pilot programs and other innovative approaches,” according to the statement.

Bank management “should prudently evaluate whether, and at what point, innovative approaches may be considered sufficiently developed to replace or augment existing BSA/AML processes,” regulators stated. “In making these evaluations, bank management should also consider and address other factors including, but not limited to, information security issues, third-party risk management, and compliance with other applicable laws and regulations, such as those related to customer notifications and privacy.”

The statement, however, is trying to change the, at times, dynamic between examiners and banks, moving from adversaries to allies.

“The joint statement also notes that the agencies are open to engaging with banks to discuss pilot programs for innovative BSA/AML approaches,” the regulators said, adding that, as banks “pursue innovative change, early engagement can promote a better understanding of these approaches by the agencies, as well as provide a means to discuss expectations regarding compliance and risk management.”