The GenAI Playbook
for Compliance Officers
Discover how GenAI can be used to transform anti-financial crime processes, exploring use cases, risks, and practical tips on its safe use and implementation.
Introduction
The role of AI in fighting financial crime
There has been much focus recently on the role of artificial intelligence (AI) in combating financial crime. It is estimated that by 2030 financial institutions can save $217bn by using AI in compliance. With that in mind, no doubt the question at the forefront of many anti-financial crime (AFC) professionals’ minds is: ‘How can I use it, and where can it help?’
The benefits that AI can bring, such as automation and streamlining processes, mean that many see it as an inevitable step forward. But it is not without risk. Firms need to understand how they can adapt their technology infrastructure and AFC controls to use AI in a way that is responsible and understandable and fosters trust. Striking the right balance between the capabilities of AI, the use of ‘traditional’ controls, and the value of human expertise is imperative to its effective use.
AI has woven itself into many facets of our day-to-day life; it has many different applications and subsets, and the pace at which it is evolving is rapidly changing the world in which we operate. Traditional AI, natural language processing (NLP), and machine learning techniques have found widespread application across a number of fields and technologies. We see them in their basic form through Siri or Alexa – conversational AI using NLP. They’re also used to provide your Netflix recommendations – leveraging machine learning to analyse user patterns and behaviour to make viewing suggestions tailored to individual end users.
Typically, machine learning algorithms operate in a deterministic manner: for a given input, a single output is always produced. These techniques are easier to explain and the output is much more strictly understood – often with a linked score or binary yes/no answer.
“By 2023, financial institutions could save $217bn by using AI in compliance”
Putting GenAI in the spotlight
A different form of AI which has recently come into the spotlight is generative AI (GenAI), illustrated by applications such as the popular ChatGPT – a specific implementation of generative AI tailored for text-based conversations. GenAI is a subset of AI that can generate credible and realistic content including text, images, music, video, and synthetic data. It uses existing technology, such as large language models (LLMs) and machine learning techniques to analyse patterns and relationships within data, and takes these learned patterns to create new and original content. The AFC industry’s focus is increasingly moving to GenAI and the power it can bring. Unlike more traditional AI techniques, these models come with a more common sense view of the world which can be adapted to AFC opportunities.
GenAI models have captured the imagination of what could be possible with their application – when used the right way, with the right task, they can approach human performance on many tasks. However, GenAI has not been without its challenges. GenAI has been shown to deliver results that cannot be relied upon, providing inaccurate or unverified information, with virtually no way to fully understand how it works. There is a risk that it may inadvertently amplify bias or be misused to spread misinformation, therefore, it is important to pay attention to the outputs generated.
Considering how and when to use AI
Many financial institutions are already using AI to analyse transactional and customer data to improve the detection and mitigation of financial crime threats. The industry commonly uses well-established monitoring of customer behaviours to identify fraudulent activity.
A study from The Economist shows that 57% of respondent banks in the EU are already using AI for fraud detection. One study shows that 60% of those that have embedded AI as part of their AFC framework attest to its effectiveness in enhancing their processes. However, AI use cases in AFC are initially used for lower risk, lower impact scenarios, before looking at wider applications. They often start by leveraging machine learning models and neural network models, trained on structured data, that have robust model governance that make them easier to explain and understand the outputs.
57% of respondent banks in the EU are already using AI for fraud detection
The reality is that many compliance professionals are still nervous about the use of AI in general and especially newer applications, like GenAI. These undoubtedly pose more questions, particularly as the level of explainability is much lower than other forms of AI. GenAI is essentially a black box, and to be able to harness it firms and regulators will need frameworks that tolerate the use of black box technologies within certain parameters. Early AI adopters are now looking at GenAI and assessing how it can be used to further enhance AFC controls. However, GenAI on its own is not a silver bullet and will not be the right solution for every problem. It should be seen as a powerful additional layer that can unlock information and trends that may not be seen by the human eye.
60% of organisations using AI say it has been effective at enhancing their AML processes
Through practical guidance, this playbook will address how firms can use GenAI in a targeted and value-adding way to improve their AFC processes without the need to rip them up and start again. By discussing the key considerations for adoption, this playbook provides a view of what AFC teams need to know to move forward on their AI journey.
How can GenAI be an AFC game changer?
Whilst GenAI has enormous potential to reshape how we consume information, communicate, and streamline our processes, malevolent actors are already using it for illicit purposes. Tech-forward criminals are deploying it alongside tried and tested money laundering techniques to create high-quality content such as images, documents, and voice-cloning technology to bypass controls and abuse the financial system.
“When deployed correctly, GenAI has the potential to shift how we fight financial crime”
Financial institutions need to keep up with how GenAI-led technologies are being used to facilitate financial crime, as well as exploring how they themselves can leverage the benefits it can provide. While GenAI will not be suitable for every AFC task, the generalised nature of GenAI models means that they can be deployed relatively simply to help unpick and understand data in specific formats without the need for data scientists or domain specific models. Deploying it correctly, alongside human analysts and other forms of AI, has the potential to shift how we fight financial crime, and it could be the pivot that is needed to make a difference to enable a true intelligence-led AFC approach.
Automation of routine tasks for efficient resource allocation
AI-backed tools are not only better at identifying suspicious activity that might otherwise go undetected, but can help firms enhance and simplify AFC processes. GenAI can be used to distil data sources such as adverse media and watchlists to create a summary narrative for analysts to use during investigations. Using relevant data from both structured and unstructured sources to build discrete profiles for individuals and organisations, it can improve analyst efficiency by allowing them to focus on complex cases in a more streamlined manner. It can also help with automated generation of summaries and reports e.g. suspicious activity reports, empowering analysts to focus on the investigation itself, leading to faster decision-making and better risk mitigation.
Enhanced risk investigations
Different types of AI can be useful for different tasks across an AFC programme, such as enhancing risk investigations. For example, AI-powered network analytics can find the relevant network information among vast data sets and detect connections, networks, and information that are undetectable to human analysts. GenAI can further enhance investigations by summarising unstructured and seemingly unconnected data and documents used in screening reviews or investigations, such as PDF documents, watchlists, websites, social media, and news articles. It can save time and hone investigations by allowing analysts to deep dive into the data through the use of targeted questions and refined investigative techniques.
Quality assurance
GenAI can generate efficiencies through quality assurance (QA) to help identify where more training and development is needed and if analysts have made the right decisions. Whilst a future end state may be a model completing the disposition of investigations, a QA process could be embedded in a staged approach so that the model looks at alerts and determines if the analysts made the right decision. Ultimately once confidence has been built and outputs have been proved, the process could be switched so the analysts validate the outputs of the work that GenAI has completed.
The use cases for GenAI are varied and increasing – and they extend beyond direct financial crime compliance. It can empower a financial services firm by providing information about their customers and their engagement and interactions that can be used not only to spot unusual behaviour but also for positive actions – buying decisions, ease of use of systems, and marketing preferences. However, large complex models can be slow to return outputs compared to other AI models and the costs can be higher – therefore having a clear understanding of the use case and the added value is essential.
Regulatory perspectives on AI in AFC
The regulatory landscape surrounding applications of AI is varied, with regulators adopting differing stances and approaches to supervision and regulation. Some are leading the way by setting out overarching frameworks, others are looking at the principles, and others are holding off from adopting any clear position at present. Dealing with the pace of regulatory change amidst the myriad of differing approaches means that many firms are understandably nervous about adopting this technology across a disparate landscape.
Supervisory and government bodies are working to build up their own expertise in AI in order to make informed decisions about its laws and regulations. Regulators have widely recognised that AI tools are important, as evidenced by regulator-led initiatives which promote innovation including the use of AI in regulatory technology in places like the US, the EU, and Singapore. Some regulators such as the UK’s Financial Conduct Authority (FCA) have stated they “are ready to lead and help make the UK the global home of AI regulation and safety”. Singapore has launched a revised National AI Strategy, announcing that it wishes to be “a place where AI is used to uplift and empower our people and our businesses”.
“Regulators worldwide have recognised the importance of AI tools”
Whilst there is no consistent regulatory or supervisory approach just yet, common themes emanating from most countries surround how to use AI responsibly, ethically and transparently. And with many discussions of late focusing on the risks of AI and the power of its incorrect application, it is crucial these principles are taken forward by financial institutions. This is especially important in the use of GenAI, which can be opaque and where the decision making process is not transparent.
The Financial Action Task Force
In 2021, the Financial Action Task Force (FATF) released a publication on the ‘Opportunities and Challenges of New Technologies for AML/CTF’, which acknowledged the potential of new technologies in making AML and CFT “faster, cheaper, and more effective”.
According to the FATF, new technologies have the ability to improve the implementation of FATF Standards to advance global AML/CFT efforts. The report states that using AI and its different subsets (machine learning, natural language processing) can potentially help to better identify risks and respond to, communicate, and monitor suspicious activity. Importantly, the report underscores that without sufficient explainability and transparency, it becomes challenging to evaluate the accuracy of an AI solution for detecting suspicious transactions and illicit activities.
The EU
The EU has taken a comprehensive and proactive approach to developing an overarching AI regulatory framework. A provisional deal on the EU AI Act was reached by EU countries and European Parliament members on 9 December 2023, paving the way for the EU to be the first major power to enact laws governing AI.
The bloc has developed a framework that is industry-agnostic and takes a risk-based approach to AI regulation, focusing on how AI systems are used and their associated risks. It will classify AI systems by level of risk and mandate regulations depending on what category they fall into. The priority of the Act is that AI should be “safe, transparent, traceable, non-discriminatory and environmentally friendly” and to prevent harm it should be”‘overseen by people, rather than by automation”.
The UK
The FCA has called itself a “technology-agnostic regulator”, emphasised its commitment to innovation, and shared how it is using AI to spot fraud and identify bad actors. It has invested in technological horizon scanning and synthetic data capabilities, establishing a digital sandbox designed to “be the first of its kind used by any global regulator, using real transaction, social media, and other synthetic data to support FinTech and other innovations to develop safely”.
It remains unclear if the UK will go down a similar route to the EU in terms of legislation. The National AI Strategy launched in 2021 highlights the government’s pro-innovation approach to regulating AI, and the UK’s Office for AI’s policy paper in 2022 refers to a “regulatory framework that is proportionate, light-touch and forward-looking”.
The FCA notes that it does not regulate technology; its focus is on how it is used and its effect within financial services. In conjunction with the Bank of England it launched an Artificial Intelligence Public-Private Forum in 2020, whose final report indicated that regulations should be principles-based and highlighted the risk that regulation could be too strict and come too early, which could bring risks such as a lack of international harmonisation.
The US
The Financial Crimes Enforcement Network (FinCEN) has previously recognised the potential of AI to “provide better strategies for banks of all sizes to better manage money-laundering and terrorist-financing risks, while reducing the cost of compliance”.
The US appears to have a more decentralised and sector-specific approach to AI than the EU, and has taken recent steps forward in developing regulations. On 30 October 2023, President Biden issued an Executive Order on Safe, Secure and Trustworthy Artificial Intelligence, which builds on the Algorithmic Accountability Act introduced in 2022. This required firms to assess the impacts of automated systems they use, in an effort to increase transparency and reduce biased, discriminatory, or harmful outcomes. There is a focus in the new Executive Order on transparency, with organisations required to share information with the government.
While there is limited guidance from regulators at present on how to implement AI, this is actually not uncommon for many topics across much of the AFC regulatory landscape. General expectations and principles are clearly outlined – for example, identifying suspicious activity through ongoing monitoring, and reporting it to the relevant authorities. However, how firms choose to do this is up to them. This means that when approaching AI adoption, firms need to ensure that the general approach they take falls in line with the common principles that have been raised by many regulators.
Building trust and credibility
Much focus on AI and GenAI adoption has been on the risks and issues that come with it. From deepfakes being sold as a service – $145 for a 3-minute video, to Google’s advertising algorithm showing gender bias by advertising high-paying roles to men more often than women, it is clear there is a lot of work to be done in terms of building trust and credibility in AI.
It is incumbent on financial services firms to have a clear understanding of the governance and control frameworks required to manage AI adoption based on common regulatory principles. Some of this relates to technical challenges, privacy and data protection, but perhaps the most prominent challenges are ethical considerations.
“Financial services firms must have a clear understanding of the governance and control frameworks required to manage AI adoption based on common regulatory principles”
AI, including GenAI, can produce biased outputs which can potentially be harmful or discriminatory. AI outputs will reflect human bias present in the material used to train the model – whether this is through the data itself or those involved in building the model. If these imbalances are unchecked, biased outputs can be generated which can marginalise individuals or groups and potentially lead to financial exclusion. The Alan Turing Institute’s guide on understanding AI ethics and safety noted to create an ethical platform for AI adoption the project must have the “active cooperation of all team members both in maintaining a deeply ingrained culture of responsibility and in executing a governance architecture that adopts ethically sound practices at every point in the innovation and implementation lifecycle”.
In support of this fundamental concept, the Wolfsberg Group published its ‘Principles for Using Artificial Intelligence and Machine Learning in Financial Crime Compliance’. In the publication, the group expressed its support for the use of AI and machine learning to manage and mitigate financial crime “as long as appropriate data ethics principles inform the use of these technologies to ensure fair, effective, and explainable outcomes”.
Key principles for AI in compliance
The Wolfsberg Group lays out five principles that are foundational to the responsible use of AI and machine learning in AFC compliance. These principles include:
Legitimate purpose
Integrating an assessment of ethical and operational risks into a firm’s risk governance approach, and maintaining a robust data and risk management framework.
Proportionate use
Finding a balance between the benefits of use and the appropriate management of risk of these new technologies.
Design and technical expertise
The teams responsible for developing, overseeing and managing AI/machine learning should consist of staff members with the necessary expertise and diverse experience to identify bias in the results.
The development and design of AI/machine learning systems should be driven by a clear understanding of the intended outcomes, ensuring that results can be adequately explained.
Accountability and oversight
Staff should be trained on correct usage of technology and oversight should be provided. Financial institutions should have a mechanism to question or challenge technical teams and scrutinise data usage.
Openness and transparency
Being open and transparent about the use of AI/machine learning, ensuring it is consistent with legal and regulatory requirements.
Putting principles into practice
These core principles are echoed by many regulators globally and should be incorporated when building AI governance models. Importantly, to bring all parties along an AI journey, compliance teams must be able to communicate AI outputs and decisions to a range of stakeholders including regulators, auditors, board members and banking partners. Being able to demonstrate they have visibility of the algorithms’ decision-making processes and understand the outputs will foster trust and credibility. It is equally important to ensure that these principles are considered not just at the build and implementation stage but also on an ongoing basis. AI is not a static model and its oversight and governance should evolve as the model does.
“Compliance teams must be able to communicate AI outputs and decisions to a range of stakeholders including regulators, auditors, board members and banking partners”
Principles for AI adoption
1.
Fairness and managing bias
Minimising unintentional algorithmic bias, and ensuring no one is systematically marginalised or disadvantaged.
2.
Accountability and responsibility
A clear understanding of roles and responsibilities for AI deployment and ongoing management with controls and procedures in place for approvals. Clearly defined oversight roles with regular reviews and audits.
3.
Transparency and explainability
Explainability refers to the ability to understand how and why a model makes a prediction or recommendation, while transparency refers to the ability to access and verify the data, algorithms, and processes behind a model. Both are essential for building trust, accountability, and ethical standards in AI/machine learning applications.
4.
Data privacy and protection
Implementing the right data protection measures to ensure end user data is secure and potential security vulnerabilities that might arise with AI integration are identified and managed.
The practicalities of GenAI adoption
The path to GenAI adoption will be different for each financial institution – the use case and application for one firm will not be the same for another. When firms are considering their AFC control framework and how to enhance it, they should approach GenAI adoption in the same way they would for any other system or tool.
Is GenAI the right solution for your problem?
The use of GenAI is not a silver bullet. Without the correct application and implementation it will not shift the needle to make you more effective and efficient. You should have a clear view and understanding of the potential use cases before deciding that GenAI is the solution.
The impact and value that can be derived from GenAI may be better suited to certain processes over others in initial roll-out phases. For example, it will be more effective to use GenAI to summarise the findings of adverse media searches undertaken by machine learning applications, rather than also generating the findings, which could be incorrect or biased. Firms should consider if it is better to start with a low-effort, high-impact use case to prove the value and learn from when they are considering potential use cases. It should be an iterative process that is learned from and built upon.
You don’t need to rip everything out and start again
To use GenAI you don’t need to rebuild your tech infrastructure from scratch. Many GenAI powered solutions support adoption through a staged and layered approach, maintaining existing controls while the user builds confidence in the new tools. GenAI can enhance rather than replace what you already have, by augmenting existing systems.
Don’t use GenAI to replace a process; run it in tandem to understand the performance before you commit to anything. This is often the case in transaction monitoring where some firms use both traditional rules-based systems alongside an AI overlay. Using a feedback loop from a rules-based system and feeding the outputs into an AI powered tool can also further enhance outputs from a screening perspective. The same principles should be applied to the use of GenAI.
To use GenAI you don’t need to rebuild your tech infrastructure from scratch
Don’t wait for perfect data
Having robust data sets will make any financial crime control more effective. The principle of ‘good inputs delivers good outputs’ works exactly the same for a GenAI powered tool compared to a traditional rules-based tool. However, just as your data will never be perfect within your existing control framework, you don’t need to wait for it to be perfect to start using GenAI.
Consider the potential use case for GenAI alongside your data quality. For example, if you know you have poor data feeding into transaction monitoring but better data in screening, focus on this area first. Have a clear understanding of the key data points that the tool will need and work on making sure they are as clean and complete as possible before you implement.
Can you build or buy the expertise?
Many larger financial institutions have the skillsets and resources to build and develop their own AFC controls. With access to data scientists, technology developers, and project managers, they have built up the expertise to build and deploy AI-led tools. When deciding that you want to invest in GenAI, consider if you have the right skills and expertise in your team. You may be in a position to acquire the talent by recruiting it into your business, or maybe finding a partner who can work with you to deploy a solution is the best route.
A fundamental consideration is the hidden costs in keeping GenAI up-to-date. The rate at which the technology is developing means that you need to consider if this is something you can support sustainably over time. Or if you are buying this intelligence, does your vendor have the capacity and investment to do this for you? Whatever direction you decide on, it will be important to ensure you have the right depth of knowledge and understanding within the teams to support the use of GenAI on an ongoing basis from a governance and ongoing management perspective.
Find the right partner
If you do decide to work with a vendor, you should look for a partner who can grow and adapt with your business. Find someone with whom you can have an open dialogue, that you can build a collaborative relationship with, and that has a clear understanding of your business and GenAI use case. It will be important to know how the design and deployment will be managed, what post-integration support is available, and if training can be provided if needed.
Define your model validation and testing approach
When approaching implementation consider the approach and time needed for model validation and testing. Factoring in the validation and testing of outputs of GenAI deployment will ensure results align with expectations, foster confidence, and detect and rectify potential issues early on. Having an understanding of current error rates in existing processes will support testing and build a better appreciation of the risks of moving to use GenAI.
Empower your people through GenAI
It is important to remember that GenAI solutions are not entirely autonomous – as you build and develop your GenAI controls, you will need to ensure that the outputs are accurate and relevant. You will need the right internal expertise to manage this and also to explain it to other parties such as audit teams and regulators.
Deploying GenAI should come with a focus on training and skills development for end users to ensure they understand the system, how it is powered and how to manage the outputs. If managed correctly it can provide great benefit to your teams and can empower them to have more time, information and insights to conduct complex investigations and make faster decisions. However without the right understanding, it will quickly be ineffective.
Deploying GenAI should come with a focus on training and skills development for end users
The power is in your hands
Advancements in GenAI can transform financial services, and there are many possibilities to use it holistically across the customer lifecycle, from assessing buying decisions to detecting suspicious activity. But firms need to recognise that GenAI will not do everything in the fight against financial crime, and it must be deployed and used carefully and safely. Yes – it can reduce the time and cost spent on investigations. Yes – it can allow firms to identify connections and bad actors earlier in the process. But – incorrect implementation will not make your controls more compliant or make you more effective at tackling financial crime.
In a world where firms and regulators are still seeking to understand how AI operates, it is important to remember GenAI can add a level of complexity to this – as AI models become more complex, understanding how they arrive at decisions or predictions becomes more difficult. GenAI can explain its reasoning, which can be used to improve model performance, but having a clear view of this and any potential limitations is important. Users must clearly understand the need to deploy it in appropriate situations where the task is constrained and there are safeguards in place against hallucination. Ideally organisations will mix different types of machine learning and AI to maximise their benefit and align to the best use case.
Organisations should ideally mix different types of machine learning and AI to maximise their benefit
The key thing to remember is that GenAI, and AI more broadly, is more than just the machine – it is the sum of ethical use, sound implementation, and the people it empowers. To harness the power of GenAI, firms need to evaluate potential use cases carefully against the existing data, tech stack and expertise. Once firms understand how and where they can use GenAI in their AFC framework, embedding sound governance principles is necessary to drive responsible and ethical use. Crucially, bringing people along the journey is fundamental to success. Training users on the outputs, and building the expertise to manage the inputs will ensure that whatever GenAI tools you invest in will deliver more effective results.
The use of GenAI in AFC is the start of an exciting time, and the continuation of a long journey of AI development. Its applications will increase and change over time, opening up new possibilities as the models become more mature.
GenAI is more than just the machine – it is the sum of ethical use, sound implementation, and the people it empowers
