AI Applications in Banking Compliance by Regulation – An Executive Guide
Compliance workflows across financial services are no strangers to AI. Noncoding enterprise leaders are often awash in reports on how robust the AI vendor market is for AML and KYC or KYCC (know your customer’s customer) compliance. Celent estimated that spending in the financial services sector on AML/KYC compliance tech and operations would reach $37.1 billion last year, an increase of 13.7% from 2020.
What these leaders may need to realize, however, is why these laws are so compatible with AI applications. Moreover, they should understand why the rules-based system that is the Bank Secrecy Act of 1970 is particularly well suited to AI enhancement, less as a law than as a set of modern banking practices.
These are all worth keeping in mind when their organizations consider AI adoption in the future, either in the form of a vendor or an in-house early AI deployment project.
In this executive guide from Emerj Artificial Intelligence Research, we outline the general areas of regulatory compliance for banks where AI has wide or prominent application and list them based on regulatory categories, including:
- Privacy of personal information, including international and industry-specific standards, as well as a focus on BSA-related fraud detection (AML/KYC/KYCC compliance) and cybersecurity compliance analysis.
- Banking administration, including ADA, HIPAA, and other administrative-related compliance, with a focus on regulatory AI leveraging with regards to the Community Reinvestment Act and COVID-19 relief-related fraud detection.
- Insider trading and general risk.
We will outline high-level context throughout in describing how these regulations intersect with an authentic and sober assessment of relevant AI capabilities as they stand today. For more on the intersection between AI applications and broader financial services compliance activities from Emerj, click here.
Information Privacy-Related Banking Compliance
There are two principal US federal laws that concern AI application in banking compliance: the Sarbanes-Oxley Act of 2002 (or “SOX”) and the Gramm-Leach-Bliley Act (GLBA), which lay the groundwork for enterprise transparency requirements across all US-based consumer, employee, and shareholder relationships.
Specifically, SOX outlines the best security practices for banks to avoid fraudulent financial transactions through systems of internal checks, which the law assesses.
Commentators in the SOX and general regulatory spaces, such as professor Gary A. Bolles of eParachute, find SOX compliance to involve such robust activity from banks that it could warrant an entire AI platform, but in our research that niche market has yet to develop.
The Financial Modernization Act of 1999, or the Gramm-Leach-Bliley Act (GLBA), allows the US government to ask how customers’ private information is being shared and safeguarded by financial institutions. It also gives customers the right to opt out of certain information-sharing practices and requires FinServs to provide regular disclosures of those practices.
The law is enforced by eight separate US federal agencies, including the FTC, as well as by individual states.
Other Privacy-Oriented US Federal Banking Regulations
Other privacy-oriented US federal regulations for banks include:
- The E-Sign Act, concerning electronic signatures
- The Right to Financial Privacy Act of 1978, which regulates the timing of disclosure of customer information by FIs in tandem with state, local, and federal governments
- The Unfair, Deceptive, or Abusive Acts or Practices Act (UDAAP), which prohibits any banking functions that are unfair, deceptive, or abusive to consumers
The potential applications of UDAAP are many, according to the ICBA, including:
- Overdraft protection programs
- TRID/RESPA disclosures
- Debit card practices and pricing
In US federal law, most international banking regulation with broad potential for AI-driven automation concerns the Foreign Corrupt Practices Act, as enforced by the Office of Foreign Assets Control.
Internationally, banking regulations with AI-adaptable compliance workflows include the European General Data Protection Regulation (EU-GDPR) and its post-Brexit counterpart in the United Kingdom.
Further areas of banking compliance with AI application in financial services include international tax and transfer pricing. According to the American Bankers Association, other international transaction banking rules include the NACHA International ACH Transaction rule, which expands the definition of cross-border ACH and requires additional information with each payment.
Industry-Specific Domestic and International Standards
NIST 800-53 sets security and privacy controls across all US federal government agencies. Together with the rules published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), known as ISO/IEC 27001:2013, it forms the broad framework of international standards for establishing and maintaining information security management systems within an organization’s context.
ISO/IEC 27001:2013 also establishes requirements for identifying risks and addressing them according to the needs of the organization. It is based on ISO 20022, the organization’s global messaging standard for financial business transactions (specifically payments), which many multinational companies use as part of their accounts payable functions.
Other international industry-specific standards with broad AI applications include the Payment Card Industry Data Security Standard (PCI DSS). Every business that processes customer credit card information, large and small, including all kinds of banks from community to multinational, as well as merchants and payment solution providers, must comply with PCI DSS.
PCI DSS is an international standard; its EU regulatory counterpart is the second Payment Services Directive (PSD2), an EU directive on competition in the banking sector. The directive is treated as an official part of PCI DSS for financial data security.
To ensure that EU-based banking activities promote security, PSD2 sets standards for safeguarding online payments, enhancing customer data security, and strong customer authentication, such as multi-factor authentication.
You can learn more about the breadth of AI applications to payment card industry compliance from Emerj here.
BSA-Related Fraud Detection (AML/KYC)
In US federal banking law, the Bank Secrecy Act of 1970 (BSA) sets the relevant standards for financial institutions in the United States to assist federal government agencies in detecting and preventing money laundering. The broad application of AI in banking compliance concerns the law’s regimented rules on money laundering and fraud.
The Financial Crimes Enforcement Network (FinCEN) administers the BSA, enforcing standards on financial transaction filing and reporting data possibly indicative of money laundering – looking closely at transactions over $10,000 for any suspicious activity. In the 2019 fiscal year, more than 20 million BSA reports were filed by more than 97,000 U.S. FIs, providing agencies with data revealing criminal activity across BSA-related banking operations.
Earlier in the 21st century, the USA PATRIOT Act amended the BSA and began requiring banks to identify customers through specific identification regimens. According to the Independent Community Bankers of America (ICBA), the law’s sections 314(a) and 314(b) also require FIs to share information with law enforcement agencies and with each other.
Section 311 is implemented through various orders and regulations, but ultimately it authorizes the US Treasury Secretary to require FIs to take certain measures against foreign jurisdictions, foreign FIs, transactions, and accounts.
BSA-related compliance for banks extends to broad international theaters of interest when it comes to AML efforts aimed at identifying terrorism-related activity and international sanctions breaches. Closer to home, real estate in particular is a robust, financial services-adjacent area for AML software solutions with broad AI and machine learning applications.
Banking regulations with cybersecurity compliance concerns include:
- The EU and UK General Data Protection Regulations
- The International Organization for Standardization (ISO), the International Electrotechnical Commission’s (IEC) 27001:2013 rules, and the American equivalent (NIST 800-53)
- The Sarbanes-Oxley Act of 2002 (SOX) and the Gramm-Leach-Bliley Act
- Bank Secrecy Act (BSA), anti-money laundering (AML), and know your customer (KYC) compliance, which are typically associated by the similarity of data involved – often requiring international verification.
- Industry-based requirements standards like the Payment Card Industry Data Security Standards (PCI DSS), the EU’s Payment Services Directive (PSD-2) therein, and organizations like the Financial Industry Regulatory Authority (FINRA).
- Bill C-11 in Canada, which will enact the Consumer Privacy Protection Act
AI applications in administrative compliance for banking are usually found in all-in-one customizable platforms enhanced with AI-specific capabilities. These tend to address more general accessibility- and healthcare-oriented laws such as the Americans with Disabilities Act (ADA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
As AI is used to deliver ADA compliance for banks, the US federal agency tasked with enforcement (the US Equal Employment Opportunity Commission) also leverages AI to assist with enforcing compliance. So does the Department of Justice in assessing possible disability discrimination in banks’ hiring practices.
One more specialized area of banking administrative compliance with growing AI application surrounds the Community Reinvestment Act (CRA), which, according to the ICBA, requires FIs to help meet the credit needs of the local communities in which they are located. Fairplay.ai is a prominent AI vendor dealing in CRA compliance.
US federal banking regulations dealing with deposit operations compliance include:
- Garnishment of Account Containing Federal Benefit Payments
- Federal Reserve Act
- Electronic Funds Transfers Act
- Expedited Funds Availability Act
- Truth in Savings Act
- Unlawful Internet Gambling Enforcement Act
- Portions of the Sarbanes-Oxley Act (SOX), as mentioned above
- SOC 1-3
US federal regulations dealing with how banks conduct and manage loans include:
- Flood Disaster Protection Act (FDPA)
- Equal Credit Opportunity Act (ECOA)
- Credit Card Accountability Responsibility and Disclosure Act
- Home Mortgage Disclosure Act
- Electronic Fund Transfer Act
- SAFE Mortgage Licensing Act (Federal Registration of Loan Originators)
- The Consumer Leasing Act
- Loans to Insiders
- Fair Credit Reporting Act & Fair and Accurate Credit Transactions Act (FCRA)
- Real Estate Settlement Procedures Act
- Truth in Lending Act
- Fair Debt Collection Practices Act
- Military Lending Act
- Servicemembers Civil Relief Act
- CARES Act (COVID-19 Response)
The Fair Credit Reporting Act (FCRA) and Fair and Accurate Credit Transactions (FACT) Acts govern consumer reports, including credit and deposit account reports. Provisions impacting banks include disputes about what banks report, prescreened credit offers, affiliate sharing, risk-based pricing notices, adverse action and credit score notices, and identity theft.
The uniformity established for identity theft provisions in FCRA focuses on areas also covered in the FACT Act. It does not address identity theft-related topics outside the scope of its legislation.
Since the onset of the COVID-19 pandemic, AI capabilities have emerged on the regulatory side of lending compliance for banks, in fighting fraud related to pandemic assistance under the Consumer Financial Protection Act. Specifically, provisions in the law are being enforced to protect public interests from black-box credit models.
Insider Trading and Risk
Banking insider trading practices are banned under US federal law through the Securities and Exchange Commission’s Rule 10b-5.
The Federal Financial Institutions Examination Council (FFIEC) is a US interagency regulatory body that sets uniform principles, standards, and reporting forms for FIs through audits and guidance. Regulators from the FFIEC regularly review the overall effectiveness of financial services organizations’ project management standards, procedures, and controls.
The council’s Cybersecurity and Critical Infrastructure Working Group is focused on the financial services sector’s cybersecurity preparedness. It also identifies gaps in regulators’ examination procedures and provides training to prevent them. To those ends, the agency introduced a Cybersecurity Assessment Tool to help banks and other users measure risk and preparedness for external and insider threats.
The individual agencies involved in FFIEC include:
- Federal Reserve System (FRB)
- Federal Deposit Insurance Corporation (FDIC)
- National Credit Union Administration (NCUA)
- Office of the Comptroller of the Currency (OCC)
- Consumer Financial Protection Bureau (CFPB)
- PCI Security Standards Council (PCI SSC)
- The State Liaison Committee (SLC)
Other aforementioned international and domestic federal regulations dealing with insider trading practices include:
- The EU and UK General Data Protection Regulations
- SOX and GLBA
- PCI DSS
- The Financial Conduct Authority (FCA)
Internationally, the Financial Conduct Authority (FCA) is the UK-based entity that regulates the conduct of 58,000 financial services organizations, as outlined in the Financial Services and Markets Act of 2000. The FCA also serves as the prudential regulator for more than 18,000 of those businesses.