Technology is neither good nor bad, but humans make it so
Speech by Elizabeth McCaul, Member of the Supervisory Board of the ECB, at the conference on “The use of artificial intelligence to fight financial crime”, organised by Intesa Sanpaolo
Turin, 13 July 2022
Thank you very much for inviting me to this exciting conference on the use of artificial intelligence (AI) to fight financial crime. The recently created Anti Financial Crime Digital Hub is a welcome initiative for pooling resources to combat money laundering and terrorist financing through new technologies and AI.
In 1986, the historian Melvin Kranzberg stated his six laws of technology. The first is: “Technology is neither good nor bad, nor is it neutral.”
Let me unpack that a bit.
To state the obvious: technology is neither a panacea nor a poison. It is basically a tool that can serve multiple purposes. The proverbial hammer can be used to build a home or to hurt somebody. Chlorine can be used for sanitation but also for chemical warfare. And AI can help identify potentially suspicious transactions but, if used wrongly, it can also undermine fundamental rights such as the right to non-discrimination or privacy.
The challenges and opportunities of digital transformation often go hand in hand. While the digitalisation of banks’ value chains may create challenges for their know-your-customer obligations, machine learning solutions are already helping banks to become more efficient when conducting customer due diligence, identifying ultimate beneficial owners and monitoring transactions.
Technology is fundamentally a human activity. As such, it reflects not only the cultural context of the society in which it is used, but also its biases. Because technology is designed and programmed by humans, it is not neutral, just as our societies are not neutral. One of the most famous examples is the risk of bias in AI, which may lead to discriminatory outcomes if not properly identified, monitored and mitigated.
If you allow me to adapt a popular quote from Shakespeare’s “Hamlet”, I will say that technology is neither good nor bad, but humans make it so.
So, what does this mean for supervisors?
Technological solutions offer the possibility to deliver tremendous benefits and we should be ready to harness them. But any technology solution needs to be buttressed by three pillars: an appropriate regulatory framework, sufficient supervisory oversight and, last but not least, a deep understanding by users – banks and supervisors alike – not only of the potential but also the limitations and risks of new technologies.
Europe needs a strong AML authority and framework
Let me begin with a short overview of where Europe stands in the reform of its framework for anti-money laundering and combating the financing of terrorism, or the AML/CFT framework for short. Following various money laundering scandals in recent years, Europe has embarked on an ambitious endeavour to reform its AML/CFT framework.
Given the high-profile experiences that shined a light on shortcomings in our framework, it is important to fix the gaps we identified. While we are not responsible at the ECB for the supervision of compliance with AML/CFT regulations, as prudential supervisors, we are keenly aware of our responsibilities that arise where AML/CFT compliance failures ultimately create reputational and franchise threats or even threaten a bank’s survival. Deficiencies in a bank’s AML/CFT framework are often symptomatic of deeper structural problems in governance, risk management, and internal controls.
In my view, the proposed establishment of a new European AML authority should build upon some of the lessons learned when creating European banking supervision. These lessons cover three areas.
The first is the need for a single rulebook. Europe needs a strong AML authority underpinned by a single rulebook. A strong and credible European AML authority must from the outset have a sufficient level of responsibility for both direct supervision and supervisory oversight. This is important for creating a truly European supervisory culture and fostering supervisory convergence. A key vehicle for doing that is creating an underlying single rulebook.
Even though we already had the Capital Requirements Regulation and Directive when European banking supervision was created, we know what it means to supervise based on many different national rules. And let me tell you, it is essential to have a strong single rulebook to bring clarity about standards and foster harmonisation in ways of working. Even if it is not perfect at the start, it can be improved over time.
The second is the importance of building supervisory teams with a strong supervisory culture of excellence and independence. When it comes to joint supervisory teams, our experience shows that in order to create such a culture it helps for the coordinators of these teams to be ECB staff working at the ECB.
I am happy to see that the co-legislators are considering a similar approach for the AML authority as well. In terms of fostering independence, we have had good experiences with the principle we adopted that coordinators do not come from the country where supervised entities are headquartered. Similarly, adopting a rotation scheme for the coordinators limits the risk of regulatory capture. All of this helps to build a common supervisory culture.
The third area is naturally close to my heart. This is the seamless cooperation between AML/CFT and prudential supervisors. Cooperation between AML/CFT supervisors and prudential supervisors is essential for the ECB. While the ECB’s supervisory tasks explicitly exclude AML/CFT supervision of banks, we must take into account findings related to AML/CFT in our prudential supervision.
Having a strong central European AML/CFT authority should promote collaboration and information sharing between all relevant authorities: AML/CFT supervisors, financial intelligence units and prudential supervisors.
Otherwise, we will continue to have the gaps in oversight we already identified in significant European AML cases that led to the proposals to create a single AML authority for the EU. A central data hub would not only facilitate the exchange of information but also reduce possible duplications of data requests and thus minimise the reporting burden for banks.
I believe that information sharing is more important than ever, within Europe and also internationally. As the leader at the New York Banking Department during the events of 9/11, the need for information sharing across supervisors, law enforcement and financial institutions to protect the use of the financial system by terrorists became all too painfully apparent, especially in terms of the loss of life. Perhaps consideration could be given to developing certain information sharing arrangements for supervisors, law enforcement agencies and industry participants in Europe too.
Of course, it remains very much a federal crime in the US to disclose information related to a suspicious activity report (SAR). But it is possible to share suspicious activity reports within a group and between institutions in order to produce a joint SAR. And a pilot programme announced by the Financial Crimes Enforcement Network which allows US financial institutions to share suspicious activity reports with foreign affiliates is another step being taken to facilitate more information sharing.
Here in Europe such sharing arrangements will of course be more complicated to achieve given the national regimes, but steps in this direction will help to safeguard the financial system from terrorist, drug and human traffickers.
Digital transformation and AML/CFT: a two-way street
Let me now turn to the interaction between digitalisation and AML/CFT, starting with the challenges posed by the digital transformation of business models. I will then focus on the use and potential of artificial intelligence to overcome some of these challenges.
Digital transformation of business models and its AML/CFT challenges
AML/CFT risks are inherent in most banking activities but there are some specific challenges in the area of digital finance that are worth highlighting.
Some companies, in particular digital platforms or mixed activity groups – groups which provide both financial and non-financial services – may not be fully captured by the regulatory framework and thus fall outside the scope of the AML Directive.
Experience has also shown that certain new entrants such as some Fintech companies have an insufficient understanding of their AML/CFT obligations and suffer from structural weaknesses in their customer due diligence and know-your-customer frameworks.
And, there may be AML/CFT challenges inherent to the business models of some new entrants. For example, there is a challenge from the deployment of new payment processing methods that are developing that don’t use traditional identification information. While innovation is to be encouraged, it is important to also ascertain the source of wealth, the purpose of and the participants in the transactions. These are key elements of know-your-customer and AML/CFT compliance.
Another new business model that comes to mind is the provision of crypto-asset services. When I say “crypto-assets”, I essentially mean a private sector digital asset which depends primarily on cryptography and distributed ledger or similar technology.
One of the concerns about crypto-assets relates to the traceability of transactions and the lack of proper AML/CFT measures at many of the parties involved in these assets, particularly if they are outside the regulated financial system. So I am pleased that, under the new single rulebook, all crypto-asset service providers would become subject to the same level of AML/CFT requirements as other obliged entities, aligning the legal framework with the Financial Action Task Force Recommendations.
It is also encouraging that the co-legislators are taking steps towards including crypto-asset service providers in the scope of direct supervision of the new AML/CFT authority. However, while strengthening the regulation and supervision of crypto-asset service providers is a significant improvement, we should not lose sight of the crypto activities taking place in decentralised peer-to-peer exchanges which may also warrant further legislative action.
I am glad that the co-legislators have reached an agreement on the Markets in Crypto-assets Regulation, which will help to create more regulatory certainty. At the global level, the Basel Committee on Banking Supervision has just published its second consultative document to identify and close gaps in the regulatory treatment of crypto-assets.
While these regulatory discussions are ongoing, let me make it clear now: banks engaged in crypto-related services need to properly understand the associated ML/TF risks and have adequate internal control and governance arrangements in place to mitigate them. For that, we need to have the appropriate supervisory oversight in place and avoid gaps in our regulatory framework.
Least common denominator supervision delivered in the name of innovation leads to regulatory arbitrage and the opening of gaps in oversight that lead to AML headline failures. A lack of harmonization carries with it the possibility of creating reputational risk as a weaker AML counterparty for Europe as a whole. This is why harmonisation is so important.
How new technologies can help – the bank perspective
The title of this conference already alludes to the potential of AI to fight financial crime. For instance, machine learning tools based on AI can be used to detect unusual transactions or to identify patterns of potential criminal activity in networks of funds and entities.
However, AI’s potential in banking goes far beyond AML/CFT. Many banks are already using AI: for credit scoring, algorithmic trading, robo-advice or chatbots. It is already deeply ingrained in our financial system. When it is used well, it is subject to strong governance, risk management, and first line internal controls that have strong quality assurance components.
As I said earlier, digitalisation that harnesses innovation also needs to be supported by a strong regulatory framework and sufficient oversight. In this context, I strongly welcome the EU’s ambitious approach to spearhead the development of a regulatory framework to provide harmonised rules on trustworthy AI.
Having an established regulatory framework and proper supervisory oversight is a prerequisite for the mature use of AI and to foster responsible innovation with clear rules of the road for market participants.
Two of the most important challenges for AI are transparency and explainability. With that, I mean the ability of human users to understand and trust the results and output created by AI. We don’t want a black box AI. This is all the more important when AI is used for decision-making purposes, potentially leading to inaccurate or unfair outcomes and again illustrates my central thesis that technology is neither good nor bad, but humans make it so.
On the one hand, empirical evidence shows that algorithmic decision-making can reduce discrimination in consumer lending. On the other hand, there are also reports where the use of AI perpetuated racial, gender or other forms of discrimination. This reinforces my point that the use of AI needs to be complemented by a deep understanding of the limitations and risks of new technologies.
Properly harnessing the potential of technology means using it in a way that reduces risk, not exacerbates it. This includes paying particular attention to the programming of AI, its governance and quality assurance or backtesting which is particularly relevant for machine learning.
The potential lack of transparency and explainability could also undermine the use of AI for AML/CFT purposes. If not properly addressed, these issues could pose additional operational and reputational risks to a bank. Model risk management, and data governance need to be taken into account when implementing sound AI governance frameworks.
And there may be further challenges if AI tools end up being outsourced to third-party service providers.
How new technologies can help – suptech
So far I have primarily spoken about banks’ use of AI and related technologies, but these tools are just as relevant for us as supervisors. As many of you know, the use and promotion of supervisory technology – or suptech, as we call it – is one of ECB Banking Supervision’s flagship projects.
Just as for banks, suptech and especially AI do not just offer substantial efficiency gains but also improve risk identification processes. It also frees up the humans to be able to spend more time on assessing more complex risks. At the same time, we should be very clear that technology can only supplement supervisory judgement – it cannot replace it.
A key AI technology for banking supervision is natural language processing. This technology helps us to improve the processing of large amounts of unstructured information and different types of text documents.
And these are not just theoretical ideas – we are already implementing concrete applications now. Although not specifically intended for AML/CFT purposes, we have just launched the first version of a powerful natural language processing tool called Heimdall to help us with our fit and proper assessments. Heimdall automatically processes and pre-analyses documents that are submitted by banks for prospective board members and key function holders.
A natural language processing model reads information, analyses it based on pre-defined rules, structures the information for supervisors, and automatically translates documents if needed. It relieves our supervisors of various manual and very time-consuming tasks, reduces the potential for human errors and frees up time to focus the supervisory judgement on the most critical aspects of each candidate’s assessment.
Let me conclude.
New technologies such as AI and machine learning offer tremendous opportunities for both banks and supervisors. However, to use these technologies safely and soundly, we need an adequate regulatory framework, proper supervisory oversight and an understanding by all users – banks and supervisors alike – of not just the potential but also the limitations and risks of these technologies. Technology is neither good nor bad, but humans make it so.
Thank you very much for your attention.
Kranzberg, M. (1986), “Technology and History: ‘Kranzberg’s Laws’”, Technology and Culture, Vol. 27, No 3, pp. 544–560.
See also Fernandez-Bollo, E. (2022), “For a fully fledged European anti-money laundering authority”, The Supervision Blog, 21 February 2022.
McCaul, E. and Fernandez-Bollo, E. (2022), “Enhancing cooperation in the fight against money laundering”, The Supervision Blog, 24 May 2022.
Opinion of the European Central Bank of 30 November 2021 on a proposal for a regulation to extend traceability requirements to transfers of crypto-assets (CON/2021/37).
See European Commission (2021), Communication on Fostering a European approach to Artificial Intelligence, 21 April.
ECB opinion of 29 December 2021 on a proposal for a regulation laying down harmonised rules on artificial intelligence (CON/2021/40).
Bartlett, R., Morse, A., Stanton, R., and Wallace, N. (2022), “Consumer-lending discrimination in the FinTech Era”, Journal of Financial Economics, Vol. 143, No 1, pp. 30-56.