Know Your World – Closing the circle of due diligence (Frank Cummings)

Financial institutions globally have enhanced Customer Due Diligence/Know Your Customer procedures to the point of pure art. In some cases, institutions collect over 600 individual fields of information, and some use upwards of 14 data interfaces to support
a mix of internal systems and external data providers. It’s getting to the point where we know more about our customers, their related parties, and their owners than we know about ourselves. But like the saying goes, “No good deed goes unpunished,” and CDD/KYC
doesn’t end with data collection on just customers.

All that work of due diligence—the question collection, the data interfaces and ping services, the analysis of extended relationships, the flagging and following up–likely need to be repeated to mitigate Risk more fully and more realistically. I think of
this broader approach as “Know Your World,” or KYW.

In KYW, you have several major categories in need of Due Diligence:

1. Customers
2. All related parties of customers
3. Vendors
4. Employees
5. Managers
6. AI/ML applications
7. All known relationships between categories other than category 2 to category 1

All the due diligence you do with all the categories is for one purpose: to identify and mitigate the risk of financial crimes.

Let’s chat a bit about the additional categories in a KYW approach:

Vendors: There is no difference in the level of due diligence you would do on a vendor than you do for a customer. Understand and mitigate the myriad risks posed by vendors.

Employees and Managers:  This is the one most people in financial institutions have a problem with: “Why would we want to do this? These are employees and managers of the institution.” The due diligence you do on employees and managers is different, but
it’s just due diligence to establish what the expected behavior of the employees or managers are. Later–similar to how you monitor your customer data when looking for unexpected behavior–you would do the same with employees and managers. You are monitoring
the data–not the customer or the employee. Only when a concerning-behavior flag is triggered would the right people know about it in order to follow up.

AI Applications:  This is the category that at first causes people to do a doubletake–until they stop and think about it. In an industry that follows the “Show me” model in literally every process and procedure we do, AI seems to be an exception—a problematic
exception.

 Let’s start by framing what we are talking about when we say AI Applications. The Artificial Intelligence systems you regularly see on TV dramas are just fictional vehicles for entertainment; the true thinking machine is still far off. 

What we often call AI tends truly to be ML, or machine learning. And while it’s not independently intelligent, it can learn. That is where the problem lies in a show-me industry. 

There are three methods a computer algorithm can learn from now: supervised learning, reinforcement, and unsupervised. The supervised method seems to be the most transparent because you see the data that was used to train the system. This method is limited
in the rules you can apply, and you must create all conditions in the data you feed it. 

A second option is the reinforcement method, which requires human validation as it learns. 

Then we come to the wild, wild west: unsupervised learning. Unsupervised learning is just like it sounds.  In unsupervised, you give the algorithm the data and let the system figure out by the rules you provide regarding what the data means. This is why
you would need to onboard, risk rate, and monitor your ML/AI Applications. Given the industry’s show-me imperative, you may think you know what your ML/AI applications are doing, but you can’t prove it very easily. 

Unknown relationships:  Non-obvious or unknown relationships among your different categories can mean nothing or can be the Ah-Ha moment to legitimize or delegitimize someone’s behavior.

In conclusion, a Know Your World approach takes both a broader and deeper look at sources of serious Risk in your institution. And because it’s behavior monitoring via data, we can monitor for Risk without being overly invasive or unfair to individuals.
When we do behavioral monitoring, we never look at the subject. Rather, we look for the behavior or different behaviors evident in data. And when we find them, then and only then is the behavior tied to an entity of some kind: a customer, a vendor, or an AI/ML
Application.