The Future of AI and Compliance in Finance – with Experts from UBS, HSBC, BMO and More
The finance industry has evolved quite a long way since the days of the SAC scandal and after being diagnosed with an insider trading epidemic in 2014 by academic studies from McGill and New York University – learning countless lessons along the way.
More recently, the climate of insider trading looks more like the end of the global financial crisis. Last month, the SEC fined eight major financial institutions (FIs) nearly $2 billion for not sufficiently monitoring employees’ communications over “off-channel” private messenger apps like WhatsApp.
The compliance landscape throughout the financial sector continues shifting drastically, being pulled in different directions by several extraneous factors.
Among them is a compliance perimeter that “now covers new areas such as board governance and third-party risk management, along with detailed requirements in prudential risk management such as capital and liquidity management,” as summarized in the introduction of a recent Deloitte report on the outlook for banking regulations in 2022.
For the most part, the fintech market and traditional FIs are locked in competition with complementary advantages and disadvantages: fintech startups have versatile models and nimble capabilities – while finserv organizations, FIs, and banks are armed with legacy relationships and data resources.
However, compliance is increasingly becoming an area where traditional financial enterprises and newer fintech solutions may find themselves potential partners.
According to another report on banking compliance from McKinsey, fines and other penalties have risen to an increasingly more significant portion of banks’ earnings and credit losses in the decade since the financial crisis:
On top of these penalties eating an increasing slice of the pie, compliance itself represents a cat-and-mouse game of rule writing that boils down to the realities of dealing with an adversarial system.
In other words: compliance, like regulation overall, is an arms race of capabilities between those reinforcing the integrities of a rules-based approach and those trying to break it – or the adversarial side of the system.
On the AI in Business podcast, we regularly hear from financial leaders and compliance professionals worldwide about these various challenges and the emergence of AI technologies to help their organizations find solutions.
Despite the many differences between the banking and financial services sectors — among them, that banking is a vastly older industry — they each have many lessons to share between them in addressing regulatory compliance challenges and minimizing insider risk.
This article will examine three distinct use cases in compliance for large-scale financial enterprises described by our podcast guests across the banking and financial services industries. These examples demonstrate the broad application of AI capabilities in the compliance space for FIs and what they mean for the future of the sectors therein:
- Communications surveillance detecting insider trading-related risks: Using natural language processing (NLP) to detect malignant trader behavior in text or recorded audio faster.
- Making legacy systems more intelligent: Using data analytics and machine learning to reduce time spent verifying false positives and leverage the massive data trove from the convergence of legal and regulatory requirements.
- Market surveillance beyond typical language-based communications: Obtaining a 360 view of employee activity in the context of compliance and the realities of the larger market by going beyond the literal meaning of communications being collected through traditional means.
Much of our sourcing for these use case descriptions come directly from feedback from our expert guests shared on their respective episodes of the AI in Business podcasts. We will, however, incorporate outside sources to corroborate and contextualize their testimonies.
We will begin by examining how communications surveillance of audio and text-based conversations are used to disclose financial criminality and insider risk.
Use Case #1: Detecting Insider Trading-Related Risks Through Communications Surveillance
Historically, there have been two primary drivers for enterprises looking for value in AI to address compliance challenges in the financial space: legal and regulatory.
In terms of regulation, financial services firms are required by regulators around the world to do the following in the name of keeping markets and their organizations free from criminality:
- To gather and consolidate their communications data
- Store and archive that data according to rigorous protocols
- Then analyze that data in search of misconduct
Simultaneously, the risk of litigation and other legal exposure forces firms to put communications on a legal hold as they conduct internal investigations.
These dual obligations working in tandem over the last three decades bring us to the situation today where companies are stockpiling massive troves of both legacy (i.e., letters, paper documents) and digital age communications data (i.e., emails, cell phone calls, online transcripts, etc.).
In the past and up through the age of email communications twenty years ago, compliance professionals were reduced to engaging in time-consuming ad hoc searches, trying to find proverbial needles in tall haystacks.
As communications volumes have increased with new technological advances and communications mediums (including a 50 – 100 % increase in volumes in the post-pandemic era) — the amount of communications to surveil is simply too much for humans to accomplish on their own.
Adding to the array of challenges is the rarity of actual insider misconduct, which is often infinitesimally more infrequent than incidents of fraud – a behavior that is also quite infamous in the compliance field for producing false signals in detection methods.
The traditional workflow for detecting insider risk includes the following:
- Compliance professionals begin with keyword searching through communications for terms indicative of misconduct (“fixing LIBOR” or “pumping,” as examples)
- Machines scanning through communications for these keywords would generate a wide volume of alerts, the vast majority of which are false positives
- Compliance professionals then assess a portion of these alerts that are most likely to be indicative of criminal behavior, deciding which are relevant or not with human judgment
- If an incident that triggered an alert is decided to be relevant, they enter an escalation workflow to judge whether to proceed with an investigation
Given the multifaceted nature of present challenges, banks and FIs are looking for efficient, comprehensive solutions in communications surveillance that can:
- Compensate for the lack of general oversight in compliance risk
- Guarantee their risk reduction
- Ensure compliance across all or as many communications channels as possible
Of all AI capabilities, machine learning-based solutions appear particularly well suited for streamlining compliance workflows in finance.
“The key invention with [machine learning] technologies has been the ability to really improve the signal-to-noise ratio, to filter out a lot of the noise, and to actually focus in on finding new forms and new types of misconduct,” says Smarsh EVP of Product Management Brandon Carl on the AI in Business podcast.
According to Director of AML and Risk Reliance for the Bank of Montreal Thomas Mangine, workflows in communications surveillance are especially plagued with repetitive workflows ripe for AI application:
“The best resource that you have in investigative work is your individual experience, trained investigator, the creativity of that person, and the depth of their experience is the most effective thing that you have in prosecuting cases or moving cases forward and determining what’s going on what’s a real problem from what’s not a real problem. And I say that because artificial intelligence is designed to largely replicate the creativity and the capacity of the human brain. Your AI should be focused on going through those smaller, more repetitious tasks, almost like meditation that allows your investigator to focus on the more complex issues.”– Thomas Mangine, Director of AML and Risk Reliance for the Bank of Montreal
In streamlining communications surveillance workflows, AI-powered banking compliance solutions allow compliance teams to:
- Filter out the evident noise
- Find the specific language of interest that may be concerning
- Have certainty that behavior is happening in a specific context of misconduct ahead of a possible investigation
Other advantages of AI-enhanced banking compliance solutions include helping compliance professionals:
- Stay better prepared to handle surges in the volume of communications data
- Lay the groundwork for investigations in addressing bias and fairness
- Adjust to new communications channels and expand regulatory surfaces
Use Case #2: Making Legacy Systems More Intelligent
Few organizations are better familiar with the challenges of legacy systems than the Bank of Montreal – an institution that predates Canadian independence by almost half a century. These challenges can include the following:
- Maintenance costs
- Security loopholes
- Constant updates and patchwork fixes
- Incompatibility of outdated data systems with outside/third-party systems and vendors
- Unstructured data that cannot be updated
- Repetitive workflows
- High volumes of false positives in compliance
Bank of Montreal’s Thomas Mangine described at length what every organization should do to address these challenges on a recent episode of the AI in Business podcast. The first and most crucial step is coordinating an introductory meeting with IT, information security, and/or cybersecurity teams within the organization about:
- Where data is stored
- What data is available for ready access
- What infrastructure is needed to create increased accessibility of old data and security for new data
Mangine tells Emerj that American FIs especially will need to focus on drawing data out of their archives to compensate for the increased traffic of larger AML, cybersecurity, and compliance teams being in the pipeline.
Making sure the IT team is on board with handling the increased traffic, leadership is clearly communicating their needs, and that infrastructural demands are met ahead of that traffic are all essential, Mangine tells Emerj. In many cases, budgetary and workforce concerns mean these changes will need to be phased over time and usually require an interim solution to handle short-term problems.
Respecting the subject matter expertise of IT and cybersecurity professionals in particular — rather than expecting them to meet idealistic expectations uninformed by technical context — will mean valuable feedback and maximum value for time spent:
“If you come to an engineer, and you tell him specifics of what you want, you will get very focused questions based on getting greater resolution, and he will tell you [not only] what he can do and what he can’t do but [also] what he might be able to suggest, based on what you’ve said you want it and he can’t do.
If you come in and say, ‘Well, I want to be able to access more data in a very generic manner,’ then you’re going to burn a lot of time, and you’re going to probably burn a lot of patience. As you guys go back and forth with a ‘Well, I need you to explain to me more of what you want.’ Starting those conversations upfront is critical.”– Thomas Mangine, Director of AML and Risk Reliance for the Bank of Montreal
Among AI capabilities in the current tech landscape, machine learning and data analytics-based solutions stand the best chance of overcoming legacy system challenges, particularly in addressing problems in workflows and the high volume of false signals.
As Brandon Carl of Smarsh further explains on the AI in Business podcast, these solutions make a world of difference in the banking compliance space with its enormous volume of false positives that can arise from simply never having enough context:
“So historically, when reviewers would go through things, and you can imagine almost an Orwellian world with this, oh, yeah, 99 out of 100, or 999, out of 1,000 of these alerts would actually be irrelevant. And so there have been people whose job was effectively the majority of the day just to click irrelevant. And what we’ve been able to do with some of these AI technologies is actually filter out so much noise that they have a lot more signal they can focus in on.”– Brandon Carl, EVP of Product Management at Smarsh
As Brandon further explains in his featured episode, there are three primary features of a system designed to best negate false positives:
- A keen understanding of human behavior off-line and their ability to consciously work around evolving rules-based systems
- How humans act before and after misconduct in online or surveillance environments
- How these patterns typically appear regarding traceable misconduct in market surveillance
However, a poignant challenge for legacy banks in integrating third-party systems and vendors is that outside influences can throw a wrench in the initial phase of addressing IT and internal security team concerns.
As Emerj even advisors to vendors working in a sales capacity: it’s not in IT’s foremost priorities to function as a decision making in purchasing solutions and will always defend against the adoption of new technology.
And when vendors pitch their solution to leaders with no background in coding, the sometimes arm’s-length relationship between vendors and IT teams inhibits the ability of these organizations to meaningfully address the challenges in legacy systems.
According to Thomas Mangine, the best way to address the conflict of interests therein is for business leaders to make cooperation between vendors and IT teams their top priority. Yet most of all, leaders must ensure internal teams’ concerns in tailoring the overall approach to the specific challenges of their legacy systems supersedes vendor ambitions.
Use Case #3: Market Surveillance Beyond Typical Language-Based Communications
As regulations expand with technological advances, compliance expectations and “regulatory surfaces” are expanding far past text- and audio-based digital communications.
Market and trade surveillance in these contexts generally includes both e-communications and that behavior taking place outside the contexts of individual FIs and their communications channels. Specifically, the term tends to frame events in the greater realms of competitors, the larger markets, and the everyday life of financial professionals not taking place on their company-registered chat and texting apps.
With the expansion in regulatory surface, our expert guests tell Emerj that these more extensive areas of market and trade surveillance are becoming an increasingly higher priority for legacy banks and a fertile terrain for early AI applications at these organizations.
Among them, Head of Market Surveillance for the U.S. at HSBC Arcangelo Grisi attests to the impact of present trends in supply and demand:
“For trade surveillance, though, for many reasons – yes, we are lagging a bit behind compared to communications [surveillance]. This is at the industry level, the entire industry — I’ve seen multiple vendors with incredible products. But when it comes to trade surveillance, we are again lagging way behind. What we are seeing throughout the industry is an adoption of advanced statistics — some more, say, complex systems.
There is one interesting thing that is happening to market surveillance. It’s that, beyond the typical market abuse detection that we just mentioned — right before insider trading, spoofing and front running beyond the typical inner market – that is detection. There are actually AIs that are built around trading behavior. Imagine that these AIs will just look for outliers in your trading behavior, or they will look for an outlier in the trade life cycle and will flag an alert. And then the analyst, of course, will need to look at this in conjunction with everything else and to make a determination.”– Arcangelo Grisi, Head of Market Surveillance for the U.S. at HSBC
Never having enough trade surveillance context is a problem keenly felt by compliance teams for legacy FIs. Thomas Mangine tells Emerj that is because regulatory expectations for compliance go much further than the surface information banks have on their clients and reach know-your-customer levels of complexity.
Thomas Mangine specifically cites a compliance risk example of tracking sanctions violations in cross-border shipments, especially in the intense geopolitical environment of the ongoing war in Ukraine.
Market and trade surveillance also entails the complicated and somewhat awkward requirement of sharing information with competitors.
The substance of that back-and-forth between competing FIs and other entities is articulated in the context of compliance challenges by Global Head of Transaction Monitoring at UBS Kai Schrimpf in his appearance on the AI in Business podcast. He refers to host and Emerj CEO Daniel Faggella as an example:
“Our entry into finding if we have a bad guy on our hands is always ‘follow the money.’ Now, if I’m sitting in institution a and I get a transaction coming in from Dan Faggella, right? I only see … okay, Dan Faggella is sending Person B money, right? I don’t know where Dan Faggella got his money from, and I don’t know where Person B is sending the money to.
Now, if I could call up the other bank and say, ‘Hey, listen, I’ve got suspicions about Dan. You know, there’s some information about him that we found during our research that makes us wonder. Can you tell us where the money is coming from that he has?’ And then the other bank can network that together.
And if you do this a couple of times, you then have a trace to either say, ‘Well, no, this is legitimately Dan, and Dan’s money is legitimate.’ Or you have to trace where a bank at the origin of the transaction may say that we’re not sure there was a cash deposit coming here and another cash deposit coming here. That then it got pooled, and then it ended up in Dan’s account, and now he’s transacting.”– Kai Schrimpf, Global Head of Transaction Monitoring at UBS
The inevitable solution for banking leaders is moving their organizations from rules-based to risk-based systems. The latter accounts for the fact that, ultimately, compliance as a discipline is a game of cat-and-mouse with digital age arms-race dynamics. In other words, you can have rules, and financial criminals will only invent 21st-century tools, methods and beyond for the ends of evading them.
On the other hand, risk-based compliance systems are better able to recognize that inherent lack of stasis in the very nature of the kind of misconduct they’re trying to find and ultimately prevent.
Our expert guests attest that the AI tools in market and trade surveillance are best-suited for helping organizations transition from rules- to risk-based systems:
- Involve some degree of data analytics and machine learning
- Are constantly fed new and unique forms of data to help these tools draw conclusions outside of typical communications surveillance
Putting a finer point on the open-ended nature of the data input problem in risk-based systems, Arcangelo Grisi discusses at length an example involving crude oil futures in his AI in Business podcast episode.
Alone, there are numerous inputs involving crude oil benchmarks (Brent and WTI, to name just two) to establish liquidity of contracts versus liquidity cross-market – and that’s just for illiquid exchange-traded instruments. Then there’s liquidity cross-venue (involving the intercontinental exchange or “ICE” and NYMEX benchmarks).
“After you’re done all of this, hopefully, your system picks up – in a good way – what’s the liquidity of the futures on oil. But then you look at fixed income, and you have all these different platforms because the market is trained mostly OTC,” says Grisi. “So there are clearly different challenges here. And if you don’t have your inputs, you can’t expect too much on the outputs.”