ACPR uses an AI tool called LUCIA for the first time, and it changes everything!
The Autorité de Contrôle Prudentiel et de Résolution (ACPR) has just published a new sanction against a regional mutual of a major French group. The novelty lies not so much in the grievances cited as in the reprimand and fine of 1.5 million euros , but rather in the use of an artificial intelligence tool during the audit.
An AI tool for an ACPR inspection, what will it change?
For the first time, the ACPR has used an artificial intelligence tool called LUCIA (Logiciel à l'Usage du Contrôle assisté par l'Intelligence Artificielle). In less than 6 months, this tool was able to process over 500gb of data. This represents around 1 million customers and over 750 million payment transactions (more than two and a half years' worth!).
The purpose of using LUCIA is not clearly defined in the ACPR publication, but the commission already states that :
- Even if LUCIA has played a role in identifying cases to be investigated, this has no bearing on the grievances mentioned or on the regularity of the procedure.
- Even if LUCIA enables us to process an immense amount of data, this does not appear disproportionate, nor does it call into question the fairness of the control.
In any case, this latest sanction reveals only a dozen or so cases of non-compliance AML-CFT. Even if the ACPR audit does not highlight any shortcomings in the AML-CFT system as a whole, but only isolated failings, this does not prevent the ACPR from imposing a reprimand and a fine on this professional subject to the obligations.
This unprecedented use of an AI tool therefore ushers in a new era in audits by supervisory authorities. From now on, audits will be :
- Faster
- Exhaustive (the audit will no longer be limited to samples)
- More precise
- And therefore... more of them!
What are the ACPR's criticisms?
Data quality and quantity
Like most of the ACPR's sanctions, this one does not escape criticism for the level and quality of customer knowledge, right from the start of the relationship:
- Information that is too vague or too imprecise does not allow for acceptable customer profiling and risk classification.
- In addition, proof of identity and knowledge of the customer is essential.
- Customer knowledge based on declarations is still tolerated for customers deemed "low risk", but is not recommended.
APS's opinion : It is essential that all actions, decisions (manual or automatic), supporting documents, comments, etc. are traced and stored in your AML-CFT tool, with the possibility of making them available at any time. ACPR inspection reports prove that investigators know exactly what to ask to verify compliance of AML-CFT systems. What's more, your system must be capable of integrating and analyzing any data you may transmit to it. The quality of the information transmitted is essential if the ACPR is to consider your AML-CFT system compliant.
Frequency of customer data updates
The ACPR, in its decision to impose a penalty, did not question the frequency of customer data updates defined by the bank in question:
- 2 years for very high-risk customers,
- 3 years for high-risk customers,
- 5 years for standard-risk customers
However, the ACPR criticizes the failure to apply this theoretical policy in practice, and also points out that an inactive customer does not escape the rule.
The ACPR also states that scenarios for detecting atypical transactions should not differentiate between occasional customers and customers in a business relationship.
APS's opinion: In addition to the daily updating of lists of sensitive persons, regular updating of customer files ensures better data quality and therefore better detection of sensitive persons.
AML-CFT tools should filter and analyze your entire customer portfolio on a daily basis. This automated screening should then highlight only new alerts or alerts that have undergone a major change. For the sake of productivity, previously decided alerts that have not undergone a major change should not be resubmitted to the decision of an operator/analyst AML-CFT.
Inconsistent compliance policy
The ACPR points out 2 inconsistencies (which we frequently encounter):
- inconsistency between theoretical compliance procedures/policies and those implemented on a day-to-day basis (the ACPR is uncompromising on this point!)
- the inadequacy of the system for monitoring and analyzing transactions in relation to the obligations AML-CFT facing the reporting institution.
APS's view : It is essential that AML-CFT tools be parameterizable and take precise account of all internal Compliance criteria. We note that the ACPR is adamant about any inconsistencies found between the theoretical compliance policy and the configuration of its tools AML-CFT. What's more, this parameterization must be easily exportable, so that an auditor can be presented with an explanation of how the system works at any time.
This parameterization should also enable certain decisions to be automated, in order to streamline the customer/KYC process.
This parameterization should also enable certain decisions to be automated, in order to streamline (digitized) customer and KYC paths, offering :
- Productivity
- Security
- Coherence