AI in Financial Services: Federal Banking Agencies Request Input Regarding Use of Models for Compliance with BSA/AML and OFAC Requirements

The federal banking agencies have maintained a focus on the use of artificial intelligence (AI) and management of AI models. While a previous RFI sought information regarding the use of AI by financial services businesses and its effect on various consumer protection issues, the most recent Request for Information examines the use of AI to support compliance. The regulators, including the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, and the National Credit Union Administration (NCUA), in conjunction with the Financial Crimes Enforcement Network (FinCEN),¹ seek information from financial institutions and from the public regarding the use of models, including those incorporating AI as part of measures taken to comply with the Bank Secrecy Act / Anti-Money Laundering (BSA/AML) and Office of Foreign Assets Control (OFAC) requirements.

The RFI comes against a backdrop of federal AML reform and continued advances in private sector technology. Earlier this year, Congress passed the most comprehensive reform of the Bank Secrecy Act (BSA) since the USA PATRIOT Act in 2001, including significant changes to beneficial ownership requirements (more on that here). At the same time, the privacy sector continues to develop new technologies to combat money laundering, fraud, and terrorist finance. In particular, AI is increasingly becoming a critical component of financial services operations. Banks and other financial services companies that use or develop AI—including the companies that design AI applications for the industry—should take advantage of the opportunity to comment on the RFI.

Comments are due soon, with the public comment period closing on June 11, 2021, so financial institutions and other industry participants looking to engage with the federal banking regulations on AI issues in the regulatory compliance context may want to consider responding.

Background

The Office of the Comptroller of the Currency (OCC), Federal Reserve Board (the "Board"), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), and Financial Crimes Enforcement Network (FinCEN) (collectively, the "Agencies") seek comments from financial institutions² and other stakeholders to better understand the respondents' views on a range of issues. The Agencies seek information and comments regarding the applicability of the interagency "Supervisory Guidance on Model Risk Management" (the "Model Risk Management Guidance," or MRMG), and whether this guidance continues to support compliance with the Bank Secrecy Act / Anti-Money Laundering (BSA/AML) and Office on Foreign Assets Control (OFAC) requirements. The Agencies' reassessment of this guidance presumably comes in the wake of recent advances in AI technology and its significant expansion in use by financial institutions, since the MRMG's release on April 4, 2011 (the MRMG was subsequently adopted by the FDIC in 2017).³ Concurrent with the April 12 RFI, the Agencies also published an "Interagency Statement on Model Risk Management for Bank Systems Supporting Bank Secrecy Act / Anti-Money Laundering Compliance" (located here). Respondents are asked to consider the April 12 RFI and the Interagency Statement together in any response.

The Agencies intend to use the information gathered from the RFI process to "determine whether additional explanation or clarification may increase transparency, effectiveness, or efficiency." Accordingly, amendments to the MRMG, or additional and/or superseding guidance, may be expected to follow.

RFI Questions

The RFI encourages commenters to respond to 11 questions spanning several areas, summarized below:

1. What types of systems do banks employ for BSA/AML and OFAC compliance? What technologies do these systems use (e.g., AI, machine learning)?
2. How do banks internally oversee BSA/AML and OFAC models for model risk management purposes? Do those oversight functions extend beyond BSA/AML and OFAC compliance requirements?
3. Do banks have policies and procedures governing the validation of models (BSA/AML and OFAC models, as well as models generally), including such features as validation frequency, minimum standards, and areas of coverage?
4. Are the risk management principles in the MRMG appropriate for BSA/AML and OFAC models? Are there other principles not discussed in the MRMG which would be appropriate for banks to consider?
5. Do banks believe the application of model risk management to BSA/AML and OFAC models has caused substantial delays in implementing, updating, and improving systems? If yes, describe the factors creating delays.
6. Do banks consider the application of model risk management an impediment to implementing more innovative and effective approaches to BSA/AML and OFAC compliance? If yes, which factors?
7. Are the testing and validation processes employed through banks' existing model risk management frameworks more extensive than reviews conducted to meet the independent testing requirement of the BSA?
8. Do banks use outside parties to perform validations of BSA/AML and OFAC compliance systems? Are other types of models considered by those validations? Why are outside parties used?
9. Do banks employ internally-developed BSA/AML or OFAC compliance systems, third-party systems, or both? What challenges arise with such systems in the context of the MRMG principles?
10. Do banks' model risk management frameworks apply to all models, including BSA/AML and OFAC models? Why or why not?
11. For suspicious activity monitoring systems:
    1. Validation:
       • How are such systems validated?
       • Are systems validated before implementation? How frequently are they validated thereafter?
       • Can changes can be made to such systems without validation? Are such changes validated thereafter? For what reasons?
       • If such systems have been validated, what compensating controls are in place?
    2. Benchmarking:
       • What data or models are used to compare such systems' inputs and outputs for benchmarking purposes?
       • Are systems validated before implementation? How frequently are they validated thereafter?
       • Can changes be made to such systems without validation? Are such changes validated thereafter? For what reasons?
       • If such systems have been validated, what compensating controls are in place?
    3. Back-Testing:
       • How are outcomes from such systems compared with actual outcomes (i.e., because law enforcement outcomes are frequently unknown)?
    4. Sensitivity Analysis:
       • How are inputs, assumptions, and other factors tested to ensure they fall within an expected range?
       • How does materiality of BSA/AML and OFAC models play into calibration of the scope and frequency of model risk management testing and validation?

[1] The previous RFI, issued on March 31, 2021,was authored by a similar group of agencies; however, that group included the Consumer Financial Protection Bureau (CFPB) and did not include FinCEN.

[2] The RFI states that its primary focus is on institutions supervised by the Board, FDIC, NCUA, and OCC, but that non-bank financial institutions regulated by FinCEN may also submit information to be collected on behalf of FinCEN.

[3] See Federal Reserve Supervision and Regulation Letter 11-7; OCC Bulletin 2011-12; and FDIC Financial Institution Letter 22-2017. The RFI notes that although the MRMG does not apply to credit unions because it was not issued by the NCUA, for purposes of the RFI, the term "bank" includes "each agent, agency, branch, or office within the United States, banks, credit unions, savings associations, and foreign banks as defined in Bank Secrecy Act regulations at 31 CFR 1010.100(d)."