On June 16, 2023, Michael J. Hsu, Acting Comptroller of the Currency made remarks to the American Bankers Association (“ABA”) Risk and Compliance Conference in San Antonio, Texas. In his remarks, Hsu discussed both the benefits and risks of artificial intelligence (“AI”) and tokenization. The core of Hsu’s remarks is that, given the rapid innovation of AI and tokenization in banking, banks should closely work with regulators to manage technological risks.
Hsu’s remarks came at the right time. Five days later, and as we discuss below, Google Cloud announced the launch of an AI anti-money laundering program. Early results seem promising, but only time will tell whether Hsu’s remarks concerning AI’s risks prove prophetic.
Hsu acknowledges that banks have generally approached machine learning and AI adoption cautiously. While he notes that the market has taken strong notice of AI’s rapid growth, his own observation is that “recent press reports of generative AI adoption by banks have been based more on speculative inference and, perhaps, attracting clicks than on reality.”
For banking in particular, Hsu believes that both the risks and benefits of widespread AI adoption are significant. For risks, Hsu notes that alignment is a core challenge. He explains that because AI requires training (unlike other software), it may or may not do what banks want or behave consistent with a financial institution’s values. According to Hsu, this alignment problem could create governance and accountability challenges. As Hsu puts it, the more an AI system learns, the further it gets from its initial programming. This discrepancy creates “‘opportunities for plausible deniability’” if or when things go awry. Hsu also notes the question of who should be held accountable – the bank or its third-party AI vendor – when things go wrong.
Hsu also warns of unique discrimination and bias challenges, in addition to alignment problems. Hsu notes that, even if an AI system could achieve complete color-blindness when engaging in decision-making at the individual level, there would still be unfair outcomes at the group level if baselines across groups differ.
Moreover, Hsu warns that banks and regulators should grapple with generative AI’s capacity for the spread of misinformation and enabling fraud. According to Hsu, because fraud has been generally increasing across all forms, AI’s ability to mimic human communications and the low cost of scaling AI agents, the opportunities for fraud will dramatically increase. As Hsu notes: “The speed and sophistication of such developments warrant close monitoring and coordination.”
Similarly, Hsu expresses concern for the potential for AI (and social media in general) to facilitate the spread of miscommunication. Hsu relayed an example of a fake Bloomberg Twitter account posting a fake picture of black smoke near the Pentagon, which verified Twitter accounts later shared. This triggered a short sell-off in the equity markets. According to Hsu, “[b]anks and regulators will need to update playbooks and strengthen defenses against such actions in the near future.”
Despite Hsu’s acknowledgement that AI has potential advantages, the overall tone of his remarks appears to be one of concern and skepticism. He urges a cautious pace, and his remarks employ the word “brakes” five times.
In regards to AML compliance programs, and as we have blogged (for example, here and here), the Financial Crimes Enforcement Network and other regulators have been talking about encouraging “technological innovation” for years. But as we have observed, for these aspirational statements to have real-world meaning, it is incumbent for regulators – and, perhaps most importantly, for front-line examiners of financial institutions – to allow financial institutions room for error in the implementation of any new technologies. Some financial institutions may be reluctant to pursue technological innovation in the day-to-day implementation of their AML compliance programs because they are concerned that examiners will respond negatively or will make adverse findings against the financial institution if the new technology creates unforeseen problems. Similarly, some financial institutions may be concerned that new technologies may reveal unwitting historical compliance failures that otherwise would not have been uncovered, and which then will haunt the financial institution in the absence of some sort of regulatory safe harbor. For innovation to succeed and be utilized to a meaningful degree, on-the-ground expectations and demands by regulators must be tempered. It is unclear whether Hsu’s remarks will be encourage financial institutions to take creative technological steps to try to enhance AML compliance.
AML AI in Action
Nonetheless, Hsu’s remarks are certainly timely. On June 21, 2023, just five days after his remarks, Google Cloud announced the launch of Anti Money Laundering AI (“AML AI”), an AI-powered product designed to help financial institutions more efficiently detect money laundering and terrorist financing. AML AI offers a consolidated machine learning-generated customer risk score as an alternative to rules-based transaction monitoring. The customer’s risk score draws on the bank’s own data, like transactional patterns, network behavior, and Know Your Customer (“KYC”) data in order to find instances and groups of customers with high risks.
According to Google at least, AML AI can outperform current transaction monitoring systems in identifying suspicious activity. HSBC Bank, a Google Cloud customer, has reported that it now experiences two to four times more “true positives” in the alerts generated by their transaction monitoring system, which enhances their ability to identify and illicit activity. Conversely, HBSC found that transaction monitoring alert volumes decreased by more than sixty percent. Google’s press release quotes HSBC’s Group Head of Financial Crime Risk and Compliance as follows: “By enhancing our customer monitoring framework with Google Cloud’s sophisticated AI-based product, we have been able to improve the precision of our financial crime detection and reduce alert volumes meaning less investigation time is spent chasing false leads. We have also reduced the processing time required to analyze billions of transactions across millions of accounts from several weeks to a few days.”
Hsu explains that the crypto industry, despite years in the spotlight, remains immature and filled with risk. According to Hsu, in 2022, losses from fraud exceeded $1 billion, losses from scams exceeded $2.5 billion, and losses from hacks exceeded $3.8 billion. Because of these risks, the OCC, Federal Reserve, and FDIC issued two interagency statements reminding banks of risk management expectations regarding crypto exposures and activities (here and here).
It should be noted that Hsu is a self-proclaimed crypto skeptic.
Hsu feels that public blockchains all suffer from a design flaw of “‘trustlessness.’” As Hsu explains, the goal of having a trustless blockchain will require a decentralized consensus mechanism, like proof of stake or proof of work. But, according to Hsu, these mechanisms are inefficient and can create problems between decentralization, security, and scale, all of which are not attainable with a public blockchain.
While Hsu is wary of blockchain technology generally, he notes that blockchain technology could drastically improve settlement efficiency (which occurs when a transaction is deemed final) through the tokenization of real-world assets and liabilities on trusted blockchains. As Hsu puts it, there is a usually a lag between when the terms of a transaction (like quantity and price) are agreed upon and when the transaction’s components are performed and when obligations are fully discharged. This is typically due to the interconnectedness between the many entities and steps needed for reconciliation and verification.
But, according to Hsu, tokenization of real-world liabilities and assets could dramatically improve settlement efficiency by minimizing those lags (and therefore lowering the associated frictions, risks, and costs). Hsu provides an example: if an individual wants to sell shares of stock with today’s current technology, that individual must send an instruction to a broker and then several other steps must occur across several entities before that transaction is deemed “final,” or “settled.” With each step comes risk. But, Hsu believes that tokenization could collapse all of those steps into a single step. This would remove those separate chances of risk, provided that the technology is “interoperable with central bank money and real-world settlement systems.”
In general, Hsu believes that, to the extent settlement efficiencies can provide real value to financial institutions, demand to tokenize real world assets and liabilities will grow. As of today, according to Hsu, trusted blockchains are better positioned than public blockchains to maneuver that growth at scale. But, Hsu warns that the legal foundations for tokenization must be developed. That legal development will inform the controls and risk management capabilities needed to support any necessary innovation.
A Proposed Approach to Innovation
Against this backdrop, Hsu proposes to banks and regulators that they need to prudently approach rapid innovation like AI and tokenization. To do so, Hsu keeps three principles in mind: (1) innovate in stages, (2) build the brakes while building the engine, and (3) engage regulators early and often.
To innovate in stages, banks and regulators must be disciplined according to Hsu. He urges banks to start with what can be controlled, expand only when ready, carefully monitor, adjust, and repeat the process. Hsu is confident that banks with robust new product approval processes are familiar with this approach, as it starts with adequate due diligence and approvals before starting a new activity.
According to Hsu, to build the brakes while building the engine, compliance/risk professionals need to be at the head of innovation and have their voices heard early. Hsu notes that, typically, a new product gets developed without any risk input. The product launches and becomes popular, the bank becomes a leader, and then the problems begin. When the problems start, according to Hsu, financial, legal, and reputational costs accrue, and risk, compliance, and operations professionals come in to “clean up the mess.” To avoid this trope, Hsu urges banks to give the risk and compliance professionals a “seat at the innovation table from the get-go.”
Engaging with regulators, as Hsu notes, is the best way to build the brakes alongside the engine. But, Hsu acknowledges that regulators must be responsive, agile, and knowledgeable. To that end, Hsu explains that his office expanded and upgraded its Office of Innovation to the Office of Financial Technology and hired a Chief Financial Technology Officer.