Digitising Risk: Don’t Give The Robots Free-Rein Just Yet

Featured in Global Risk Regulator

By Subas Roy, Jayant Raman and Michael Heaney
The article originally appeared in Global Risk Regulator on April 5, 2019.

Before giving artificial intelligence and machine learning free-rein, financial firms must ensure that the decisions these programmes make do not result in new risks and expensive regulatory breaches.

The risk and compliance standards put in place after the financial crisis are not going away. But what if financial institutions could turn the situation into a competitive advantage?

Some firms are beginning to recognise the possibilities and are working towards it. From increasing efficiency to lowering operating costs, digitising risk and compliance functions makes sense on many levels. In the past three years, several financial institutions in Europe, North America, and Asia have begun to use new digital technologies – including Application Programming Interfaces (APIs), digital analytics, machine learning, robotic process automation, and artificial intelligence.

Given the obvious upside of this new regulatory technology, known as RegTech, many financial institutions are embarking on ambitious yet vital risk digitisation programmes.

Yet, as seen in many high-profile cases of machine learning bias, AI is not foolproof. In some instances, technology solutions fail to catch issues that would almost certainly have been spotted by an experienced risk manager or compliance professional. In others, the risks of automation outweigh the benefits. 

As a result, for the next three to five years, financial institutions must approach the digitisation of risk and compliance with a healthy dose of human supervision, governance, and monitoring to ensure that automation is still within the perimeters of auditability and traceability. In short, digitisation must not become a new emerging risk in itself.

Financial institutions must approach the digitisation of risk and compliance with a healthy dose of human supervision, governance, and monitoring... In short, digitisation must not become a new emerging risk in itself

Within risk and compliance functions, there are many obvious, less risky, areas to automate. Yet, on the flipside, the consequences of mistakes can be severe, ranging from steep fines and regulatory scrutiny to customer attrition and reputational damages. To avoid these risks, companies should take the following three steps:

Control failures

Soon machines will be able to perform most of financial institutions’ risk and control assessment tasks just as well as humans – if not better. One such area is automated alerts for process failures which can be remediated by using combinations of robotics process automation, and advanced data analytics techniques. But we are still a long way off from allowing machines to make important strategic decisions on the impact of such control failures.

For now, human oversight and decision making are still crucial, including the correlation to any regulatory non-compliance. For example, machine-executable risk algorithms are not smart enough yet to perform a complete risk assessment of trades booked by an investment financial institution against all applicable regulations and then determine if such trades are in line with the regulatory obligations.

Capabilities such as this require multi-disciplinary data science and algorithmic reasoning skills, which are still scarce. As a result, algorithms might miss or overlook a few key hints or alerts that might account for less than 1 percent of the overall population but could lead to serious consequences. Human experience is still essential to make these types of judgment calls.

DiRi: An animated glimpse into the future of digitising risk

Eliminating algorithm biases

AI has the ability to learn from vast amounts of unstructured complex data and translate them into actionable insights. However, from flawed facial recognition to gender-skewed credit and insurance underwriting, there are plenty of high profile cases of algorithm biases that make us feel uncomfortable about machine learning within risk management.

Technology can greatly reduce the time required by manual processes from weeks to hours, but digitisation also comes at a price. For example, when onboarding new customers, digital financial institutions can detect patterns using digital identity-verification and pixel-matching technologies for facial recognition. This helps to clarify and authenticate the identity of applicants in real-time.

The problem lies in predicting a new customer’s authenticity by using the potential biases formed from previous customers’ demographics, and then making decisions when information provided is not conclusive. Worst case this can lead to significant financial-inclusion issues.

Crunching complexity

Management often struggles to keep pace with the onslaught of regulatory changes. Downloading and digesting thousands of new rules is a major drain on time and resources. Regtech advancements in the form of machine-readable regulations are now able to speed up and simplify assimilating new legislations, drastically reducing the time taken to do manual reviews and assessments. By collecting, cleaning up, and parsing data these tools can crunch huge datasets into succinct bullet points.

Undoubtedly, the potential for model-driven, machine-readable, and executable regulation will deliver significant efficiencies. But, these technologies still rely on identifying patterns, and because most of the regulations are principles-based, it is often difficult to develop practical data use cases for automation. Also, pattern-recognitions could ‘blindside’ financial institutions to specific risks and provide a false sense of comfort.

New regulatory technologies are a much welcome development to update outdated compliance processes and increase efficiency. As more tasks are automated, risk and compliance roles and jobs will also evolve. Digitising risk does not mean displacing humans with robots and advanced analytics. It is about adapting to new skills and ways of working. This will only work if financial institutions have viable modern learning programmes for the challenges of tomorrow’s workplace. Regulatory technologies will have a major impact on the way risk teams collaborate both internally and with the external ecosystem.