Documentary Credit World (DCW) - January 2024 Vol. 28 No. 1 section - Conference report

2023 ABA/ABA Financial Crimes Enforcement Conference
28-30 November 2023

The 35th annual ABA/ABA Financial Crimes Enforcement Conference took place 28-30 November 2023. Conducted by the American Bar Association and the American Bankers Association at National Harbor, Maryland, the event featured five general sessions, 22 concurrent breakout sessions addressing a wide range of specific areas impacting financial crime enforcement, and breakfast and luncheon presentations.

In the program’s opening general session, American Bankers Association (ABA) President Rob Nichols addressed the state of the industry by outlining key focus areas: 1) the fight against fraud, particularly efforts to tackle check fraud; 2) education and awareness of fraud and scam indicators, including its anti-phishing campaign; 3) collaborative measures to facilitate information-sharing among banks to combat terrorist financing globally; and 4) training and certification of next-gen specialists counteracting financial crimes. Beyond these areas, Nichols also highlighted ABA’s influential role in the formulation of aspects of the Bank Secrecy Act (BSA), including the January 2024 implementation of US Financial Crimes Enforcement Network’s beneficial ownership reporting requirement.

ABA’s Heather Trew and Paul Benda then delved into top concerns. For Trew, they include beneficial ownership, “check-the-box” duties that distract from addressing risk priorities, and the uptick in sanctions enforcement actions. Benda identified the massive rise in check fraud, cybercrime vulnerabilities, and the dark side of artificial intelligence use. Expanding on their comments, Trew said industry advocates need to help banks grapple with existing BSA rules as well as the new beneficial ownership requirements and other sweeping changes. Among the major drivers of fraud, Benda contends the US CARES Act “turbocharged” fraud and a stronger commitment is needed to fight financial fraud. Public/private partnerships have been deficient and information-sharing must increase in order to curtail the outflow of funds due to fraud.

Conference attendees then heard a recorded keynote address from Brian Nelson, US Treasury’s Under Secretary for Terrorism and Financial Intelligence, who spoke of TFI’s priorities: cutting off the Hamas terrorist organization from access to the international financial system; degrading Russia’s war effort; and strengthening US regulatory efforts to close gaps available to illicit actors for financing. Hamas is uniquely set up to operate under the guise of legitimate businesses, including solicitation of funds from charities, but relies on a vast network of shell companies to launder and shift its proceeds. Since Hamas’ terrorist attacks of October 7, US Treasury has imposed three separate rounds of sanctions targeting operatives and financial facilitators. It has also adopted general humanitarian licenses to allow for legitimate humanitarian aid to Gaza. In striving to reduce Russia’s ability to build a wartime economy, US Treasury, along with the US Commerce Department, has issued five alerts and identified harmonized system (HS) codes to curb Russian sanctions evasion and Russia’s access to strategic goods and technologies. As regards efforts to bolster the US’ AML/CFT regulatory regime, significant gaps must be addressed in order to prevent criminal elements from exploiting the financial system. Treasury’s three-pronged approach includes enhancing corporate transparency, exposing money laundering connected to the real estate sector, and confronting business individuals and entities that lack comprehensive AML/CFT obligations.

In a breakout session, “Government Entities Involved in Financial Crimes You May Not Know”, speakers introduced and informed attendees of government offices involved in the fight. Stan Svrlinga, with the US Department of Commerce’s Office of Inspector General, explained that the office’s job is to help US commerce improve overall, a mission that includes raising fraud awareness. It does so in five areas: Bid Rigging; Product Substitution; Defective Pricing & Cost Mischarging; Public Corruption; and Grant Fraud. Brooks Abramson, Senior Special Agent with the US Department of Labor’s Office of Inspector General, said that he and Labor’s OIG special agents serve as detectives and investigate the influence of racketeering and organized crime on the labor force. Labor’s OIG also looks into fraudulent activity involving labor trafficking, unemployment insurance, foreign guest workers, and medical providers. Michael C. Serra, Special Agent with the US Federal Deposit Insurance Corporation (FDIC) Office of the Inspector General, then briefed attendees on the bank fraud schemes that FDIC’s OIG investigates: Abuse of position within bank; Banking client fraud & abuse; Loan fraud; and BSA/AML violations. Serra also emphasized that the CARES Act served as a “gateway” to other frauds, with many abusers of the program recruiting bank employees to advance their fraudulent activity. All three OIGs work together to fight financial crimes. They acknowledged bankers as experts in detecting suspicious activity and affirmed the value of effective SARs filings, which make for a more efficient investigative process.

During an Innovation Showcase Luncheon, representatives of industry associations and companies informed attendees of their services and product offerings: American Bankers Association training programs; American Bar Association’s White Collar Crime Committee; HAWK:AI’s transaction monitoring; Quantexa’s decision intelligence solutions; Summit Technology Group’s Lenders Cooperative platform; and TRM Labs’ blockchain intelligence tools.

A breakout session addressed the question, “Does Your FinTech Third Party Risk Management Meet Regulatory Expectations for AML?” Fintechs offering banking-as-a-service are a source of regulatory concern, and speakers began by referencing the spate of enforcement actions over the past year against banks for failing to monitor their fintech partners’ compliance with regulatory requirements. Commenting on themes and lessons from the actions, Daniel P. Stipano of Davis Polk & Wardwell LLP said that they emerge from the public’s ability to access bank products and services without contact with a bank. Many community banks are struggling, and partnering with fintechs has become an inviting way to bring in new business. Bank/fintech relationships can be layered and complex. Another problem is weakness in compliance oversight. To confront these areas, Stipano encouraged attendees to review Guidance on Third-Party Relationships: Risk Management, the US interagency guidance document released in June 2023. Stipano also reminded attendees that the sophistication of a bank’s AML program needs to grow proportionally with its business. When banks on-board many new customers, they need to revisit their risk assessment capacity, including increasing their staff with expertise, boosting training, and compliance spending. The lack of clarity around bank/fintech compliance responsibilities has been another glaring issue. Banks can use fintechs to collect information, but they need to monitor this process. While regulators expect banks to have policies and procedures in place to govern all aspects of their fintech relationship, risk assessment should be dynamic and ongoing throughout the relationship. Likewise, the recent enforcement actions signal to fintechs that they need to “up their game”. While Stipano believes scrutiny of bank/fintech relationships will nudge upward, he thinks that the business proposition is attractive enough for bank/fintech relationships to continue.

A breakout session on “Transactional Typologies in Terrorist Financing” began by acknowledging that the geopolitical landscape has become more fragmented and diverse, but banks need situational awareness to grapple with the evolving trends in terrorist financing. For Dennis Lormel of DML Associates LLC, situational awareness involves recognition of the threat, where the money is coming from, and being proactive to deal with the threat within the confines of what banks are permitted to do. Heather Allen of Truist identified the importance of public/private partnership in coping with terrorist financing threats, but also the role of “front line” specialists within banks. Carlos Gonzalez, also of Truist, added the need for a pipeline of communication and a holistic approach towards combating terrorist financing. The speakers said use of USA PATRIOT Act Section 314(b) information sharing and negative news searches are critical means for tracking the flow of money. Lormel explained that in the past terrorists got funded by organizations or groups, but now there is the added threat of individuals inspired to engage in terrorism who are self-funded. While detecting the self-funded is challenging, their radicalization process impacts their banking habits and how they spend their money. In closing remarks, speakers cautioned that bankers do not approach the terrorist financing threat as law enforcement officers but look at transactions. In so doing, bankers are called on to both file well-constructed SARs when appropriate and also document their decision-making when exiting customer relationships so as to not discriminate or derisk.

A general session on “New Ways of Thinking about Working with Law Enforcement” focused on tactics and success stories in effective public/private partnership in AML and fighting fraud. Guy Ficco of IRS Criminal Investigation (IRS:CI) described a joint investigation out of Arkansas involving mail theft and the setting up of fraudulent financial accounts totaling USD 2.2 million by an individual and coconspirators. Cooperative efforts among the IRS, FBI, state and local law enforcement led to indictment of the scheme leader and a 12-year prison term. Notably, Ficco said 15.8% of IRS:CI investigations opened during the 2022 reporting year originated from a BSA form filing. Raul Aguilar of US Homeland Security Investigations (HSI) highlighted a multi-million USD, cyber-enabled “boiler room” fraud case which illustrates how HSI worked with its international offices, partners, and the IRS. The investigation begun by HSI’s Tampa office was based on a SAR filing which ultimately led to 13 indictments, including the scam’s leader who was arrested in Serbia, extradited to the US, and sentenced to a 14-year prison term. Among the case’s red signals, those responsible had no investment licenses or experience, cited vague business purposes, relied on remote banking, and took in large volumes of overseas wire transfers. James Barnacle of the Federal Bureau of Investigation then reviewed a fraudulent foreign investment exchange case which initially had 60 bona fide SAR filings, leading some law enforcement officials to assume that someone was working on the case. After a de-conflicting exercise was performed, it was determined no investigation had yet been opened. Once an investigation commenced, US-based investors who had sent funds abroad were interviewed and none believed they were victims.
The Ponzi scheme’s international dimension presented a strong challenge, but investigation and funds recovery were successful due to 314(b) information-sharing and cooperation among law enforcement in the US, Panama, and many banks of various sizes which had filed the SARs. Barnacle underscored that FBI analysis of bank-supplied information helps the agency to identify trends and typologies.

Discussion then turned to how bankers work with law enforcement agencies. Mindful that law enforcement has thousands of SARs to review, Dale Kasprzyk of M&T Bank has strived to have the most effective BSA Financial Investigations Unit program possible at his bank. Toward that goal, Kasprzyk and his team have presented notable SARs to law enforcement that they can act on immediately. Marilu Jimenez, Chief Compliance Officer of Nave Bank, agreed that billions are spent on the SARs system, so it has to function effectively. In Puerto Rico, Jimenez and her staff have provided training for law enforcement in subpoena and CDD processes. She also remarked that law enforcement must also contribute to information-sharing, providing details to banks about their SARs reviews. Speakers also emphasized the importance of data analytics for enhancing existing investigations and opening new ones to combat significant threats.

Following the session, Sepideh Rowland, Senior Managing Director of Financial Services Practice, was honored as recipient of the 2023 ABA Distinguished Service Award for Financial Crimes. The annual award, first presented last year posthumously to recognize the life and legacy of Rob Rowe, was instituted to recognize exemplary national leadership, initiative and accomplishment in financial crimes advocacy and compliance.

A two-part general session opened Day 2 of the conference, starting with a discussion of AML Regulatory Enforcement Concerns featuring US Treasury Counselor for Enforcement, Paul Ahern, JP Morgan Chase’s Global Head for Financial Crimes Compliance, Peter Neilson, and ABA Senior Vice President for AML and Sanctions, Heather Trew. Previewing the 2024 beneficial ownership reporting requirement, Ahern said the new requirement is about education and that FinCEN will only take enforcement action for willful disregard. In referencing FinCEN’s historic enforcement action against Binance, Ahern encouraged attendees to review the Consent Order which details the egregious circumstances and conduct of Binance which did business as an unregistered “money services business” (MSB) over a 4-year period beginning 2017. The panel noted the importance of uplifting third party oversight of crypto exchanges and other non-banks. Ahern said that while FinCEN is an advocate for responsible innovation, entities need to build their compliance programs from the outset. Ahern added that the biggest complaint he has heard from banks is that FinCEN is a “black box”, but FinCEN is striving to give feedback to financial institutions in the form of guidance and advisories. Neilson said that information-sharing is critical and a “two-way street”, requiring dialogue between banks and law enforcement. By having leads and information to go on, banks can deploy resources to act in real-time instead of being reactive. While progress is being made, there is considerable work to do in shifting from business-as-usual investigations based on transaction monitoring and typologies towards a more concerted focus on law enforcement’s national priorities.
In highlighting FinCEN’s recent enforcement actions which include first-ever actions against a trust company (Kingdom) and a Puerto Rican international banking entity (Bancrédito), speakers said they demonstrate FinCEN’s drive to take action against any institution for willful violations of the BSA. Discussion then turned to sanctions. No longer straightforward, sanctions are not just country-based, but sectoral, targeted, and frequently changing. As relates to Russia alone, there are some 5,000 sanctions across jurisdictions. Banks essentially serve as operational appliers of sanctions.

Neilson explained that his bank engages in two-way dialogue with Treasury to better understand intent so as to not disrupt markets while executing the national policy objective. The panel also drew attention to OFAC guidance that geolocation data is a key component of an effective sanctions program. Since IP addresses and virtual private networks (VPNs) can be manipulated, banks need to think about their controls in this area, as appropriate to their business. It was also pointed out that OFAC has the ability to bring an enforcement action against a non-US person for causing a US person to violate US sanctions. Additionally, the panel addressed the expectation that sanctions are to be implemented “without delay”. This primarily relates to the need for implementation of terrorism-related sanctions of the UN Security Council and certain committees within a matter of hours. There is no precise timing standard; rather the purpose is to stop terrorist financing as it transits the global financial system.

The second part of the general session was a Regulatory Roundtable featuring officials from four US regulatory bodies: FDIC; FinCEN; Office of the Comptroller of the Currency (OCC); and Board of Governors of the Federal Reserve System (FRB). Discussion began with FinCEN’s Customer Due Diligence (CDD) rule. Although the beneficial ownership information (BOI) reporting rule goes into effect 1 January 2024 and the BOI access rule takes effect 20 February 2024, the CDD rule – the third piece of rulemaking of the US Corporate Transparency Act (CTA) – is yet to be revised. The existing CDD rule of 2018 still applies and there is no change for banks until it is revised. James Martinelli, FinCEN Deputy Associate Director, explained that banks are not responsible for customers filling out their BO obligations, but can direct customers seeking to understand their BO obligations to the FinCEN website. The panel next took up discussion of account closures. The regulators said that banks need to understand why customer accounts are opened and maintained. They need to direct resources to higher risk customers and activities. At the same time, they must avoid using generalized factors for their fraud detection systems such as designating certain geographies as susceptible to fraud and also respect consumer protection requirements.

Turning to third party relationships, Donna Murphy, OCC Deputy Comptroller for Compliance Risk Policy, said that banks need to be very clear on regulatory requirement obligations when bringing on a third party. Lisa Arquette, Associate Director of FDIC’s Division of Risk Management Supervision, mentioned an August 2021 guidance document issued by FDIC for community banks addressing topics to consider when conducting due diligence of a fintech company. Banks need to understand and have a contractual agreement with third parties as to their responsibilities for collecting required information. Suzanne Williams, Deputy Associate Director of FRB’s Division of Supervision and Regulation, added that responsibility always remains with the bank so banks must carefully audit and monitor the relationship. She also emphasized the importance of banks being focused on the aspect of “by, at, and through” as relates to SARs requirements. That is, for any transaction flowing through a bank, irrespective of whether it originated within the bank or outside with a third party, the bank is responsible for monitoring the transaction for suspicious activity and needs to ensure from the outset that it has sufficient information to do so. Areas of concern that regulators are seeing include changes to a bank’s risk profile – for instance, due to a merger – but the bank not keeping up and adjusting its compliance program accordingly. Another observation is that anytime a bank undertakes a conversion of its risk-based systems, the bank must be mindful that it remains responsible for compliance throughout the process. Commenting on enforcement trends, Williams remarked that banks typically do not get into problems due to implementation of new rules, but rather for not keeping pace with their risk profile when it changes. To guard against this, she urged banks to self-assess on a regular basis.

A breakout session intended to help banks meet regulatory expectations and manage risk offered insights for “Tuning Up Your AML Model Risk Management Program”. Discussion began with elements comprising an AML model, including strategies for identifying, managing, monitoring, and controlling risk. Speakers also commented on lessons learned from deficiencies seen in consent orders including lack of coordination within financial institutions, lack of documentation of changes to the risk management process, and major concerns around data quality. Speakers then addressed the process and expertise needed to create, validate, and test the model. Of paramount importance is ensuring that data is correct; secondary are thresholds and coding. Regarding validating outcomes, banks should tighten their parameters if they are seeing many false positives. Banks should make sure they are testing what they are seeing in production and regularly conduct qualitative review of alert performances. If banks experience a significant drop off in SARs, they should investigate why. Additionally, specialists should talk with peers at other financial institutions to gauge if their hits on SARs are in line with others in the industry. Returning to the importance of data quality, speakers said the entire bank team is responsible for the data and the technology used to manage it. Third party vendors have attestations they follow, but banks must confirm this is the case. Commenting on best practices, speakers said risk managers need to safeguard against any team member going rogue and using their own spreadsheet. Managers need to have clear internal guidelines in place as regards models and enforce discipline to create a single source of truth.

In a midday presentation following lunch, ABA Cybersecurity Expert John Carlson and Liberty Group Ventures CEO Kiersten Todt briefed attendees on Cyber-Enabled Crime Threats. The 20-year evolution of cybercrime has gone from primarily opportunistic incidents to illicit campaigns orchestrated by more sophisticated actors. Iran, North Korea, Russia, and China were identified as the major adversaries. As for hot topics, the speakers highlighted the Securities & Exchange Commission’s (SEC) rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure finalized in September 2023, the ongoing efforts of the Cybersecurity & Infrastructure Security Agency (CISA) to develop rules on cybersecurity reporting, the uptick in breaches occurring through third party risk management, and the lengthy Executive Order on Artificial Intelligence issued in October 2023. No one industry can defend itself against cybercrime and collaboration is needed. Todt referenced MasterCard’s recognition that competitors need to come together in the fight. Turning to the striking problem of ransomware, Todt urged that basic cyber hygiene practices be elevated. There is also the outstanding question whether companies should be permitted or prohibited from making ransomware payments. Speakers also addressed crypto currency regulatory considerations, vehicles for revitalizing public/private information-sharing, and efforts to combat disinformation. Speakers emphasized that cyber risk is a business risk and having robust cyber security is not an option, but a necessity.

In a breakout session, “Sanctions: Connecting the Geopolitical Dots”, panelists first laid out the goals of sanctions programs: to accomplish policy objectives; to change behavior; and to impose costs against designated entities. They then addressed new key sanctions updates and risks. While cryptocurrency is a small piece of the terrorist financing puzzle, it has enabled illicit actors to move significant amounts of money rapidly. For years, Hamas has used cryptocurrency for fundraising, including for financing its 7 October 2023 terrorist attacks on Israel. In the weeks thereafter, OFAC has imposed four tranches of designations against Hamas operatives and financial facilitators. Speakers also discussed real risks around AML/CFT regulatory gaps. For instance, most countries do not regulate or enforce rules for virtual asset service providers, but AML/CFT obligations apply to VASPs and anything touching the US that violates the obligations is non-compliant. Considerable ongoing efforts by the US are striving to convince other jurisdictions to halt dealings with Hamas. At the same time, there has also been a good deal of engagement to mitigate unintended consequences and allow for humanitarian aid and other permissible actions. In this regard, it was pointed out there has been positive response overall to issuance of OFAC general licenses. There is also concern about how to ensure charitable organizations are legitimate and humanitarian aid is not misused. There are a host of possible red flags and organizations need to mitigate them. Over the past 20 years, US Treasury has offered voluntary guidelines as a means of assisting charities to ensure they have strong vetting programs and are in compliance with US laws. Speakers also addressed efforts to counteract virtual currency mixers that have been used by North Korea and other illicit actors for money laundering. Most recently, US Treasury sanctioned one such mixer, Sinbad.
Mixers can operate legitimately and a FinCEN proposal to establish requirements for entities involved in convertible virtual currency mixing is currently pending.

Acknowledging that the compliance industry still has unbelievably high false positive rates of over 90% when monitoring for suspicious transactions, a breakout session addressed the question: Are the Old Ways of Transaction Monitoring Dead? No doubt, compliance programs have evolved over the past 20 years, especially with a vastly expanded field of vendors offering more specific strategic analytic options, but are improvements being made on a practical level? Speakers suggested a combination of metrics is needed to evaluate the quality of a bank’s risk models. A compliance department needs to understand the performance of its alerts. One bank tagged its SARs to design a better monitoring scenario. Once tolerance levels are adjusted, all stakeholders in the process are notified and reevaluation occurs at appropriate intervals. Fear of missing a SAR can paralyze, but compliance departments need to overcome this. One way is to seek a means of better connecting data with technology. If dealing with high false positives, a bank can prioritize factors or home in on factors that give pause until something else occurs to elevate it to an alert. Speakers cautioned against vendors which promise they can reduce false positives. Banks need to know their products and the risks they have, understanding what is relevant to their institution. They also need to be aware that new products (for instance, Zelle was cited) will be opportunistic for illicit actors, but a bank’s compliance processes have to adjust to customer behavior and focus accordingly on where the risks are. Commenting on lessons learned, speakers said banks should be very thoughtful in utilizing machine learning as banks need to have the resources and skill set in place to implement it at the transaction level. At the same time, banks should not shy away from making changes to transaction monitoring based on typologies as their model is intended to yield good results.
Above all, data needs to be well-organized and accurate in order for a bank’s compliance to be successful.

A Fireside Chat Between FinCEN and OFAC featured discussion with FinCEN Director Andrea Gacki and Lawrence Scheinert, OFAC Associate Director for Enforcement, Compliance, and Analysis on areas where collaboration is furthering efforts to disrupt illicit finance networks. Conversation began with reference to the agencies’ unprecedented action taken against Binance, the world’s largest virtual currency exchange. In holding it accountable for willful violations of AML and sanctions laws, FinCEN and OFAC each assessed record-setting penalties against Binance. Scheinert said the case shows the strength and coordination among the agencies. The action illustrates that the regulations apply to non-banks who must develop an effective compliance program from the outset and any institution that wants to play in the US market must also play by the US rules. Asked how bank-provided information is used by their agencies, Gacki explained that it is especially valuable in the sanctions space and has led to new investigations as well as bolstered existing ones. In the past 18 months, Gacki said FinCEN has published five alerts, based in part on bank-supplied information. Scheinert commented that SARs have helped OFAC see how Russia is seeking to evade sanctions and identify funds that should be blocked. Scheinert added that blocking reports also help OFAC with its licensing decisions and evaluate the impact of blocking. Another valuable tool is FinCEN Exchange, a voluntary public-private information sharing partnership. Two FinCEN Exchanges were conducted in November 2023 on Hamas & cyber-related terrorism financing and Russian attempts to evade sanctions controls. Regarding Hamas which has been subject to intense sanctions and is seeking ways to circumvent them, Scheinert said that OFAC is striving to get to Hamas’ secret investments. OFAC is combing through a significant number of tips from the private sector and is also working with vulnerable jurisdictions.

Addressing the FinCEN priority that is the beneficial ownership information (BOI) launch, Gacki explained that her agency needs to get the word out to some 32 million US small businesses – many of whom have never heard of FinCEN – that are required to file BOI reports. Gacki stressed that the BOI registry creates no regulatory requirement for banks, but many businesses will turn to their banks for direction. Banks should refer them to FinCEN’s BOI page which has resources available and is working on guidance for small businesses on why they need to file.

Other topics discussed included FinCEN’s AML/CFT Priorities issued June 2021 and banks’ desire since then for guidance from FinCEN about “prioritizing the priorities”. Gacki indicated that FinCEN is working on a proposed rule that would consider several important changes, including requiring financial institutions to incorporate FinCEN-issued priorities into risk-based programs. With regard to virtual currency mixers, Scheinert and Gacki underscored the need for enforcement in this space and indicated it is another area of great collaboration between their agencies. In their takeaway remarks, Scheinert said it is important to be mindful of the mission for the private sector to implement prohibitions to prevent sanctioned entities from accessing funds and for OFAC to hear from the private sector about their compliance challenges. Gacki emphasized the highly valuable reporting of information received from banks that assists law enforcement and other investigative bodies.

In another breakout session, speakers from the banking industry shared experiences and tips regarding “SAR Team Collaboration in Investigations: Fraud + AML”. Often banks have separate AML and Fraud departments but collaboration across these teams is critical for investigations and the fight against these and other types of financial crimes including sanctions breaches, corruption, and cyber violations. From the outset, one of the keys is to assess what information is coming in, what is going out, and what is leading to investigations. If teams come together, they can produce a SAR and file it holistically. This will also help guard against a bank filing contradictory SARs coming from their fraud and AML divisions. Speakers remarked that the line between fraud and AML is blurred more each day, yet terminology and nomenclature can differ across a bank’s defensive teams so this further reinforces the need for effective collaboration. Noting that law enforcement and regulators lag behind in detecting trends that banks tend to recognize first, speakers urged their peers not to wait for regulators to declare something a trend but instead give the problem area due attention. Speakers also acknowledged the shared skill set among AML and fraud professionals and highlighted the value of bringing them together for focused training. The panel also touched on politics within a bank and how rivalries need to be muted in order to confront the common enemy that is financial crime. In one case, a bank formed one department and labelled it financial crime compliance. With all information in one place, the model proved successful but speakers cautioned that such transformational changes require a well-coordinated effort among team members and even then there can be missteps along the convergence journey that need to be addressed. It is not “one size fits all” and speakers emphasized that any change contemplated needs to be directed toward achieving success; not for window-dressing.
Fellow compliance specialists in the audience also shared about their challenges, including frustrations with obtaining information from law enforcement, the speed of fraud which makes it difficult to collaborate in a timely fashion, and improving coordination when filing SARs.

In an illuminating final general session on Generative AI: Potential or Peril, ABA Executive Vice President on Risk, Fraud and Cybersecurity Paul Benda and ABA Senior Vice President of Innovation and Strategy Brooke Ybarra demonstrated both the potential of generative AI tools to improve efficiency and enable enhanced customer experiences as well as the perils of this technology being used for fraudulent means and other malevolent pursuits. Ybarra began by referencing the unprecedented exponential growth of ChatGPT which reached 100 million users within just 60 days. She suggested that artificial intelligence be thought of as a “discipline” and a collection of many things. Ybarra then discussed AI as being the science and engineering of making intelligent machines and identified seven characteristics of AI, singling out as most important that AI needs a focused application. AI use is everywhere and brings benefits and risks. Among those highlighted by Ybarra, AI’s ability to generate unique insights is a massive potential benefit, but we cannot always explain or know why certain results are produced. Consequently, algorithmic bias is a big potential risk. Although it is still the early days for bank adoption of generative AI, banks are leveraging AI for internal tasks, customer facing uses, and decision-making purposes. Ybarra spotlighted as examples South State Bank’s employee manual and Ally Bank’s use of AI in a customer service call center. Ybarra and Benda next walked the audience through a few ChatGPT demos, including one about the risks of account takeover and how to prevent account takeover.

Benda then shed light on the darker side of AI. For starters, he reported on his asking of ChatGPT: “What risk does AI pose to humanity?” Responses evolve over time but have yielded results like job displacement, autonomous weapons, singularity, bias, misuse (including cyberattacks), and security compromises. The banking industry tends to be focused on these latter three. He also addressed vulnerabilities in generative AI such as permission issues, insecure output handling, data leakage, and overreliance as well as the major challenges including data privacy/security concerns, regulatory/compliance constraints, lack of expertise, and budget limitations. Benda then spoke of “deepfakes” in the cyber world which pose serious concerns across the spectrum of reputable business, including the entertainment industry. To demonstrate how easy it is to copy voices and mislead, Benda played sound clips he found of the real Drake (a famous Canadian singer), a fake Drake hit song, and a fake Drake spoof song. Benda then also demoed a recording of his own real voice and a copy of his voice, which was good enough to satisfy voice authentication testing for accessing his account. He spoke of how the compliance industry and other reputable individuals might effectively control these tools as they get faster and better. Among his strongest suggestions, Benda said banks need to have a “deepfake” response plan. Ybarra and Benda closed with a review of how AI has captured the attention of policymakers, including reference to the broad October 2023 Executive Order on Artificial Intelligence, and previewed things to come, including a US Treasury assessment of cyber risks for the financial sector that is projected for release in March 2024.

The 36th annual ABA/ABA Financial Crimes Enforcement Conference will be held 8-10 October 2024 in Arlington, Virginia.


1 Coronavirus Aid, Relief, and Economic Security Act (CARES Act).