There have been a number of vendors getting in to Robotic Process Automation (RPA) to address some of the tedious aspects of AML compliance. As many know, even the best AML compliance systems tend to produce large numbers of false positives that analysts
must review and clear. Large backlogs can lead to enforcement actions and generally lead to high operational costs.
The promise of RPA is in automating these repetitive, human capital intensive tasks without expensive and time consuming IT projects with back-end and middleware systems. In essence, RPA uses existing user interfaces to replicate the actions a human user
would take. In theory, this enables automation, reducing the FTE load and overall operational cost, without the overhead of substantial IT integration, shifting the effort to the business to define processes without a lot of IT support.
All of this sounds pretty great, and for many purposes the approach makes a lot of sense. There are many day-by-day compliance activities that are repetitive and require limited subject matter expertise to handle. These seem like great opportunities for
RPA, but it seems there are some risks that need to be carefully considered.
- As RPA is, by design, intended to avoid making changes to back-end or middleware systems. This is great for agility, but could tip the cost-benefit analysis against making much needed changes to those systems. It is entirely possible a temporary fix could
become permanent, to the detriment of long-term structural improvements.
- RPA creates a new risk, or at least a different, risk to manage. What happens when a RPA process misses a sanctioned entity? This is not a one-off mistake made by a human analyst, but a systemic process failure that will call in to question all similar
circumstances. Managing the risk of RPA should be taken as seriously as model risk validation and process validation.
- It could be tempting to “over-automate” some processes – many activities may seem simple on the surface, there are times were subtle aspects of human interaction make all the difference. Call it “gut feeling” or “sniff test” if you’d like, but I can’t how
many times I’ve talked to folks working AML or fraud cases that started by noticing something small, or something small repeatedly over time through the course of those tedious reviews.
I’m not suggesting RPA is wrong or a poor approach, the cost reduction benefits are clear. What I’m suggesting is that firms should really think carefully about if and how to implement such solutions, how long term strategic plans could be impacted, and
how such solutions impact a holistic AML compliance program.