Why is AML Compliance Broken đź’”

Why is AML Compliance Broken đź’”

"Don't worry, their Compliance stack looks like it was built in C++"

I started my career in Financial Services with a realist view of the financial world — the goal is to make money. After the Global Financial Crisis (GFC), things changed A LOT — the pendulum swung towards regulatory controls and stricter financial scrutiny, which left people confused if the goal was to make money or to protect consumers and markets. Many financial professionals lost hope, quit the trading floor and saw compliance as a more lucrative career. More on that below.

In practice, the regulatory burden has been spiralling for a while, and Europe has been leading the pack. Since 1991, Europe has introduced six, yes 6, Anti Money Laundering Directives that aim to combat the changing game of financial crime.

Regulations have also been a money spinner for Regulators, with fines globally hitting over $55bn since the GFC, with the US being the biggest benefactor with $37bn of fines distributed, and European at $11bn. Maybe a lesson for Europe — it isn’t the number of Directives that counts.

How do you spend $213M on Compliance

The result of this has meant firms have had to bulk up their compliance costs. After Binance was recently fined $4bn in the US, they quickly introduced further controls taking their annual compliance costs to $213M.

How on earth you reach $213M in compliance costs may sound mind-boggling, but I’ll try to break down the two big components of this:

  • People

A lot of people. So many people you forget why you bothered calling yourself a FinTech. People reviewing documents, remediating, analysing cases, writing reports…There is a concept in Compliance called 4-eyes review, this means two sets of eyes need to look at every onboarding. This broadly translates to what ever you are paying, double the cost.

  • Compliance Software

Today the amount of data you need to analyse is unsurmountable. In the past regulators would give compliance teams a waiver for what they call a “Risk-Based” approach. This means focus your energies on higher risks and let the lower level risks solve themselves.

However, this mindset has since shifted to “If you don’t have manpower, then get software to help you.” This isn’t an ask, it is an absolute. Regulators will scrutinise your compliance software as part of regulatory licence applications.

Compliance SaaS looks like Oracle

What kind of software does an aspiring tech-driven Compliance professional expect to have in the 2020’s?

  • Sanctions/PEP/Adverse Media Screening tools

  • ID verification software

  • Address verification

  • Case management systems

  • Transaction monitoring

  • Risk Scoring

  • Fraud detection tools

  • and many others.

There is a deep fragmentation of tools and software, most of which do not speak to each other, and revolve around a person manually moving data between systems to get a true picture of someone you are onboarding.

Many software companies claim they have a one-stop shop for this, and to date none of them deliver on this promise. They either lack a key component or require compliance people to manually validate information.

But the problems run deeper than this, namely:

  • Who owns Compliance data internally? You would think this is something that is owned by the Compliance team, but in reality Compliance plays a niche role is a wider data infrastructure. If you need bespoke reporting (e.g. you received a regulatory request) expect to spend the next 2–3 weeks building out an SQL query with a developer that asks you “what is KYC?”

  • There is no defined system of record. Compliance teams are constantly reconciling data from different sources, emails and systems. This can be very tricky when your regulatory reporting MUST be consistent year on year.

  • Systems are clunky, built using legacy software, and have not been able to keep up with the ever-changing world of regulation. A great example of this is that most Compliance system do not solve for the basic need of Risk Scoring.

The overarching view point in the market is that there isn’t something that solves for everything, but it is better than nothing.

In fact, we are somewhat in a better place than we were 10 years ago. You can now find in-depth screening tools, self-service biometric checks and corporate registers from multiple jurisdictions. This means, if orchestrated together properly, you can solve for 50% of the problem set (simple onboarding that can be automated), whilst throwing personnel at the other 50% more complicated onboarding. Then pray that you move company before the next periodic review (periodic reviews are regular checks you do on your investor base).

Compliance is a linear problem — your growth funnel is limited by the size of your compliance team.

The problem with this is that is that Compliance is a linear problem — your growth funnel is limited by the size of your Compliance team. At scale, this means you are THE chokepoint of your entire value chain, or you valiantly attempt to outsource to jurisdictions like the Philippines or India for 2 years before bringing back the work due to lower than expected results or a Regulatory Action against you.

Not all Compliance people are born equally

The other troubling piece of the puzzle is talent. Compliance careers are a relatively new path, with few people at the very top starting their careers in Compliance. Talent acquisition also has its challenges.

Compliance in its purest form is a problem solver coupled (in the words of a fellow compliance professional, not mine!) with “a skeptical moth******** lens”. However, the vast majority of the work conducted by these people is eyeballing a utility bill. As you can imagine the day-to-day doesn’t inspire greatness.

A lot of good talent get bored or move into other roles after a few years. Therefore, the path to Compliance leadership is left to those that quickly engineer their careers into Heads of Compliance or senior people who left front/middle office roles and moved into back office.

Add to this the expectation nowadays that Compliance should be a whizz at Excel to manage the immense amount of regulatory reporting, and you find a jumble of talent and experience still trying to find the right way to do things.

Building for a (more compliant) brighter future

The future is actually bright. If we can better harness the collective experience of the best Compliance minds and fix the unnecessary fragmentation of technology, Compliance can be a seamless experience for both Compliance teams and the people being onboarded.

AI is the perfect wedge for this. What would have cost millions and taken years to train, today can done for a fraction of the cost and time. One can build a custom GPT ingesting their own compliance policies and reach answers faster than ever before, document reviews can use fast, more accurate document-reading technologies.

There are serious problems that face this mindset change:

(1) Agreeing a standard Confidence Level appropriate for using AI. The intuitive answer to this might be we should set this at 100% as the risks of non-compliance outweighs the gains. This view misses the point that currently the amount of manual input into the Compliance processes means that the accuracy rate is far lower than 100%. I would recommend a risk-based approach to how to apply AI backed by data.

(2) The change to an AI-led world, means cutting down or freezing the growth of your workforce. This can be counter-intuitive for teams. However, this is a similar issue facing many roles being threatened by AI. For instance, Klarna recently stated that it would stop hiring people as it expects to replace most jobs with AI.

Despite these objections, AI is already on executives’ minds: 68% of financial firms say AI in risk and compliance is a top priority. Couple this with the cost of models decreasing substantially, there is a bullish case for wide scale adoption across the industry in the short term.

Long story short, things might be broken, but not for long.