The core of AML is knowing more than the bad guys, and that’s a problem.
Let’s do a quick review of AML methodology. AML relies on an institution conducting due diligence on a client and his transaction. Conceptually, this is known as “Know Your Customer”, or KYC, and “Know Your Transaction”, or KYT. Information gathered is checked against patterns of behavior (“typologies”) and risk factors to determine whether or not money laundering is taking place.
Typologies change all the time. New developments in markets present fresh opportunities for criminals to launder money, and even existing organizations can expose new opportunities as they offer new products and services to the public. Financial crime experts and regulators occasionally publish typology reports to update AML professionals.
(Incidentally, allow me to point out that the Anti-Money Laundering Council (AMLC) also publishes typology reports, the latest being a COVID-19-themed report in July 2020 – you can find it here. The AMLC’s Web site has a number of useful publications – unfortunately their visibility is hampered somewhat by a baffling design choice to put the “Publications” link in a submenu beneath the main carousel.)
By their nature, typology reports are industry-specific. Typologies relevant to banks are not necessarily relevant to money remittance businesses and those would be different from typologies relevant to online gaming operators. The genius of the “risk-based approach” espoused by the FATF is that it disincentivizes organizations from taking a one-size-fits-all approach to AML and instead grounds AML in an understanding of the specific risks an organization faces. Unfortunately, it also means that organizations with a limited understanding of the risks they face will find it challenging to develop an adequately robust AML practice.
By their nature, typology reports are industry-specific. Typologies relevant to banks are not necessarily relevant to remittance businesses. Similarly, they may not be relevant to gaming operators. The genius of the “risk-based approach” is that it forces organizations to understand its risks and develop appropriate safeguards. Unfortunately, it also means that organizations can only be as effective as they are insightful.
For AML to be effective, three standards need to be met: 1) adequate information is collected by the institution, 2) the institution is updated regarding relevant typologies and trends, and 3) the institution’s systems can adequately detect bad behavior. Developing a robust AML practice is a continuous process of learning, application, and review.
Two movements in IT promise to improve AML effectiveness.
The first, artificial intelligence, is very much in vogue at the moment. AI (and its sub-discipline, machine learning – abbreviated often as “AI/ML” – yes, I know it’s confusing,) excel at identifying and surfacing patterns hidden in the chaos of a large data set. There are a number of AI/ML solutions on the market today, but they are still expensive. Unfortunately, technology really works like this: early adopters tend to bear the costs of development and refinement; later versions of the products will be cheaper, more effective and feature-rich.
The second is knowledge management – not at all in vogue, but central to so much of modern enterprise IT. Knowledge management focuses on how knowledge and information are managed and shared in an organization. Please note that this looks at expertise as well. Good knowledge management systems expand the reach and influence of expertise within an organization, lowering barriers to learning and encouraging sharing. Effective knowledge management systems can improve the effectiveness of an organization’s AML efforts.
As a technologist, I can’t help but be optimistic about growing adoption of technology in AML. I don’t see AI/ML or knowledge management tools as replacements for compliance officers or AML specialists. Instead, I see them as force multipliers, enabling knowledge workers to be better at their jobs. After all, new typologies call for new methods of addressing ML risk. The creativity and insight that an AML professional brings to his role can’t be replicated by a technological tool.