Should regulators combine the oversight of regulated entities and technological third-party providers?

One of three questions that require further understanding before responding.

Fighting financial crime and specifically, the Anti-Money Laundering regulations has become a pond where the regulated entities efforts (and their obligations to comply) end up like the stone that fell into the water, it makes a splash and a few ripples on the surface, then it sinks to the bottom and there is nothing left of it to show its effect. The more stones you throw in the more there will be at the bottom.

Both the regulations and the financial services sector’s obligations need to be maintained equally. They need to work with each other, financial institutions cannot be the rock that actively gives all the time and the regulations cannot be the passive water that only receives.

Recently, I have been shown four different transaction monitoring packages and only one provider bothered to ask me about the business strategy, client/country risk profile or product risk relating to the company i was helping. It seems that just by saying “we use machine learning and artificial intelligence” should be enough for me to buy it. (hint… it isn’t)

I understand that RegTech is primarily aimed towards helping businesses comply with regulations but they need to be accountable for the services they provide and the financial institutions should be accountable for maintaining and keeping their data and typologies updated. Clear communication when things go wrong is essential for AI (artificial intelligence) to have a positive impact on reducing financial crime in the world as long as it is managed well. And therein lies the problem….

It is always the financial institution that gets fined when things go wrong and they issue the obligatory excuse that it failed to update its procedures etc.. (the third party provider is never mentioned).

Like tandem bikes, the Anti-Money Laundering Regulations are meant to be ridden by both sides, the burden should be shared and neither one should carry the other.

Is it time to reshape financial crime compliance and consider regulating those third parties that offer transaction monitoring systems?

Both the regulator and financial institutions need to have a better understanding of “what sits under the bonnet” of machine learning and artificial intelligence. Currently, the transaction monitoring methodology is like a dog guarding an empty house, it is a futile exercise of barn door and bolting horse proportions.

Financial institutions must understand that transaction monitoring systems are not a panacea for anti-money laundering, they should not expect to buy them off the shelf. Too often they have little or no knowledge of how it is expected to work but, hey the regulations say they must have it. This has resulted in a continual failure of companies to implement adequate AML systems and controls.

Machine learning methods work on the principle that the information provided is relevant at the time the data is collected. Therefore, if the money laundering typologies change it is essential that new data is included in order to remain accurate.

“It is a capital mistake to theorise before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts.” — “A Scandal in Bohemia” (1891) The Adventures of Sherlock Holmes.

Our minds tend to jump to conclusions as fast as possible and that is exactly what happens when we are given data to solve problems. As humans we start forming theories(wrong ones most of the time) with incomplete data or knowledge and we will stick to our theories and we will try to accommodate the facts to prove our theories are right instead of making theories to fit all the facts clearly.

For me, AI is a world of lifeless abstraction when compared to the human brain which has an intuitive mind, is fast, unconscious, emotional and responsible for 90% of our decision making. AI on the other hand, has a rational mind which is slow, conscious and logical primarily based on precedent.

Dr. Oliver Sacks in his book “The man who mistook his wife for a hat”, tells us about an old man who can recognise Einstein from a picture but not his own friends or family members. And the same patient when shown a rose was later able to describe its features but was unable to map this to his memory of a rose flower. That, for me, is how i understand AI in its current form.

I have been reading about the use of “Automated Suspicion Algorithms (ASA)” as a concept for machine learning within the criminal justice system. It is not the holy grail but understanding its potential for fighting financial crime is important . For an idea of this concept and its limitations see article written in 2016 by MICHAEL L.RICH https://www.pennlawreview.com/wp-content/uploads/2020/04/164-U-Pa-L-Rev-871.pdf

to illustrate this point he states:

“imagine an ASA targeting the selling of narcotics on street corners. The ASA has access to information from a variety of inputs, such as closed-circuit cameras, license-plate readers, and facial recognition technology. Based on both historic and real-time data from these sources, it predicts when specific individuals are engaging in hand-to-hand drug transactions. One day it issues an alert predicting that an individual is more likely than not selling narcotics on a street corner. A patrol officer in uniform is dispatched to investigate and witnesses the suspect and passers-by briefly exchanging items by hand. As she approaches the suspect, the officer makes two observations. First, she notes that the suspect sees her and does not change his behavior. Second, she sees a passer-by drop an item recently received from the suspect on the ground, picks the item up, and notes that it is a flyer for a church event. Both observed facts tend to diminish the likelihood that the suspect is engaged in criminal activity, but neither are captured in the ASA dataset. A totality-of-the-circumstances analysis of individualised suspicion must account for these facts, however, and our ASA has failed to do so. But now that we know the identified facts matter, the ASA can be programmed to incorporate them in future predictions. Yet this does not resolve the underlying problem that the ASA must consider every fact that might impact the existence of individualised suspicion. To do so the ASA must either be able to process all known information or have been programmed in advance to “know” all potentially relevant information. Neither is feasible: the former requires more processing power than is currently available and the latter requires impossible foresight. Thus, a person trained in making individualised suspicion determinations must be the final assessor of the totality-of-the-circumstances, including both the ASA prediction and any other relevant available data, in order to decide whether the probable cause or reasonable suspicion standards are met.”

Nigel Morris-Cotterill also wrote in relation to the Deutsche Bank “software glitch” in 2019.

“…. While there’s good reason to point the finger at the bank, there’s an even better reason to point it at those who sell tech as a solution. It isn’t. It never has been and it never will be. It’s a tool. And, as this case shows, if you mess it up at the design or implementation stage it stays messed up. And because people trust computers, it stays messed up for a long time until someone with sufficient authority, or a willingness to be branded a trouble maker, takes a proper, cynical, look at it.” see https://www.pleasebeinformed.com/publications

Should we look at how Formula one is regulated?

Can the UK Regulator learn a lesson from formula one?

Formula One regulation falls under the FIA (Fédération Internationale de l’Automobile), they have only one official tire supplier and have clearly defined what parts can and cannot be used in the building of a car fit for Grand Prix racing.

There have two classifications for the components that make up a car: prescribed parts and open-source parts. Prescribed parts are parts everyone must design to the letter. These include parts of the wheel aerodynamics, wheel hubs, and the front floor tea-tray. Open-source parts are parts that may be designed by a collective, and can be made available for all. That includes the DRS(drag reduction system) mechanism, brakes and steering wheels.

There are also what they call “scrutineering standards” that everyone within formula one has to adhere to. Each team has to submit its CAD (computer aided design) developments of their cars, and the FIA can monitor whether it fits within the defined reference spaces or reference volumes. During scrutineering, the cars can be scanned and measured against the CAD files, meaning that any rule transgressions can be immediately detected and determined whether a car is legal or not.

As a model the formula one governing body (FIA) may not be perfect, however it has improved the standards and safety of all cars and their drivers by insisting on only using approved and licensed parts and third parties which has eliminated dangerous practices within the sport.

Supervisors and regulators must have the ability to monitor and assess the quality and functioning of algorithms within transaction monitoring systems to enable responsible innovation and better transparency. If anything has been learnt from the Wirecard scandal of 2020, it is that there was a complacent presumption that its operations were exempt from effective oversight and enforcement and its unregulated technological services, used by many financial institutions, did not constitute a threat because they were “third party providers”.

Therefore we should consider the possibility that instead of the financial institutions being fined by regulators because failings have resulted in breaches of rules, and the regulators statutory objectives, the outsourced service providers should be within the remit of regulatory oversight also.