Is ML/TF risk a technology problem?

Whenever I used to visit India and meet my nieces and nephews (they are all grown up now), I would take toys as gifts for them (while they were still young kids). They were always excited by the next “new” toy they got hold off and, in most cases, would keep the old toys aside. On being asked why they did not play with the old toys, a simple answer was “new one is so much better as it has…” and a long list of bells and whistles. The strange thing was, the toys which were just as great a few months back, became irrelevant as soon as the new one arrived. You may be wondering why am I bringing this up in a post related to our favorite topic of ML/TF risks 😉. So let me jump to the world of grown-ups where every day we are doing our best in fighting Financial Economic Crime.

I am almost certain that in your long careers within the AML/CFT space, you may have seen several transitions from one nice product A to another, even better, product B. If you are new in this space and are on the front line, trust me when I say this… as soon as you get comfortable with a supposedly good product, which does what you want it to do, a brand new product is thrown at you and the cycle starts over again. It has become a common practice at FI’s (primarily the Tier-1, Tier-2) that after a few years running a perfectly stable and well performing solution, decide to move to a new technology solution. This tool change can happen in any area such as Name screening, Sanction screening, Transaction Monitoring or Case Management etc. I call this a “luxury problem”. Let me explain. Apart from being in this field for over 18 years, lately I have been attending a few meetings on vendor selection for some prominent FI’s. One common issue I have noticed is that there is no definite reason for a change, apart from the fact that the IT organization is looking to “standardize/optimize/.. other ize” the IT landscape. There is no to minimal “business” rationale for such a change apart from the obvious “reduce false positives”. As these FI’s have moved from the core problem of not having any tool, this new phase is more of a good to have.

Let me try to elaborate what I mean by this “luxury problem”. Almost every Tier-1/Tier-2 FI has an automated solution to perform one or all the AML/CFT controls. The signals/alerts, whatever you call it, may not be perfect but the tool does the job as it was configured. Now imagine, you (as a FI) implemented a tool 3 years back (with an additional 1-1.5 years in implementing it before going live). Give or take after 4-4.5 years things do change - your client/product portfolio, client profile, data sourcing engines etc. The change can be positive or negative depending on the change itself, but be certain there will be a change nonetheless. There is another very important factor. What you “assumed” back then (while implementing the tool) may or may not be the right assumption as new insights bring new ideas and new ways of solving the same problem. All these changes will have their own impact on the results from your tool and this is how we end up in the classical “false positive” problem. In this fast paced technology world where you can control satellites from a few lines of code, things are changing and changing fast. IT organizations at such large FI’s have to bring every other tool in the organization under on roof, organize them and make sure they talk to each other and work together. This automatically translates (in the AML space) to an urge for finding a new tool which could fit in the overall strategy.

So…?

I have written a few articles in the past (AML risk assessment to monitoring rules or tips/tricks for AML rule builder) where I highlight how you can take into account the changing situations on your business side of things. If you adapt/configure your tooling, train resources, enhance your detection/screening engines, there won’t be a need to invest in a new tooling at all. All these are business/compliance challenges and should be solved as such and not as a IT challenge. Moreover, look where the IT landscape is heading in today’s times. Even large IT organizations are not re-inventing the wheel but leveraging the best from the industry and integrating. Check the last word, I want to emphasize on it. It’s better to integrate with best in class tools with your existing tools and build a ecosystem which will help deliver what you require rather than keep on changing from one tool to another.

Combining the changing business environment as well as the change in IT landscape strategy, ultimately leads to a brilliant idea… change the tool used for AML controls ! The organization is made to agree on a dream scenario where all problems will automatically be resolved by implementing a new tool. This dream scenario is mostly presented by the IT organization, as such an approach fits in their “future IT landscape”. I have seen this so many times that it feels a bit sad how a business/compliance risk is many a times solely driven by IT related requirements. The issue here is that you don’t tackle the root cause of the problem, but just delay the current problem to a future stage. As I mentioned earlier, it’s absolutely normal to have an increase in false positives, increase in alert volumes etc. over time and is expected too. A better way to deal with this issue is by understanding why it happens and not immediately trying to find a fix. If you have capable BA’s who can dig deeper to find a root cause, the solution will be much easier than spending another 2-3 years investing time/money/resources on a new tooling. Such kind of insights and knowledge is, in most cases, not present in the IT organization. From an IT perspective “problem” means IT support/IT software/alignment with target stack etc. which has nothing to do with the ML/TF risk itself. In all fairness to them, they do not see any other problem to be solved. More and more organizations are giving way to such IT focused decisions which is not only a bit risky but unfortunate as well.

I would like to conclude now and go back to where I started. For kids it’s wonderful to play with new toys and ignore the old ones, but as adults, particularly in this highly important ML/TF space we do not have that kind of liberty. I hope in this piece I was able to raise awareness on where to look for the problem and not immediately jump to a solution, particularly IT oriented solution. Please do share your experience and ideas on how you view such “luxury problems”.