...
Skip to content Skip to footer
Request a demo
Contact us
Close
Anti-corruption

LUCIA: A turning point in ACPR audits and sanctions!

ACPR uses an AI tool called LUCIA for the first time, and it changes everything!

The Autorité de Contrôle Prudentiel et de Résolution (ACPR) has just published a new sanction against a regional mutual of a major French group. The novelty lies not so much in the grievances cited as in the reprimand and fine of 1.5 million euros , but rather in the use of an artificial intelligence tool during the audit.

An AI tool for an ACPR inspection, what will it change?

For the first time, the ACPR used an artificial intelligence tool called LUCIA (Software for Artificial Intelligence-Assisted Control). In less than six months, this tool processed more than 500 GB of data. This representsapproximately 1 million customers and more than 750 million payment transactions(more than two and a half years of transactions!).

The purpose of using LUCIA is not clearly defined in the ACPR publication, but the commission already states that :

  1. Even if LUCIA has played a role in identifying cases to be investigated, this has no bearing on the grievances mentioned or on the regularity of the procedure.
  2.  Even if LUCIA enables us to process an immense amount of data, this does not appear disproportionate, nor does it call into question the fairness of the control.

In any case, this latest sanction only reveals around ten cases of AML-CFT breaches. Even though the ACPR auditdoes not highlight deficiencies in the overall AML-CFT system, butonly isolated failures, this does not prevent the ACPR from sanctioning this professional, who is subject to the obligations, with areprimand and a financial penalty.

This unprecedented use of an AI tool therefore ushers in a new era in audits by supervisory authorities. From now on, audits will be :

  •  Faster
  • Exhaustive (the audit will no longer be limited to samples)
  • More precise
  • And therefore... more of them!

What are the ACPR's criticisms?

Data quality and quantity

Like most of the ACPR's sanctions, this one does not escape criticism for the level and quality of customer knowledge, right from the start of the relationship:

  • Information that is too vague or too imprecise does not allow for acceptable customer profiling and risk classification.
  • In addition, proof of identity and knowledge of the customer is essential.
  • Customer knowledge based on declarations is still tolerated for customers deemed "low risk", but is not recommended.

APS opinion: It is essential that all actions, decisions (manual or automatic), supporting documents, comments, etc. aretracked and stored in your AML-CFT tool, with the option of making them available at any time. ACPR audit reports show that investigators know exactly what to ask for in order to verify AML-CFT compliance. In addition, your system must be ableto integrate and analyze any datayou may send it. Thequality of this informationis essential for the ACPR AML-CFT your AML-CFT system AML-CFT .

Frequency of customer data updates

The ACPR, in its decision to impose a penalty, did not question the frequency of customer data updates defined by the bank in question:

  • 2 years for very high-risk customers,
  • 3 years for high-risk customers,
  • 5 years for standard-risk customers

However, the ACPR criticizes the failure to apply this theoretical policy in practice, and also points out that an inactive customer does not escape the rule.

The ACPR also states that scenarios for detecting atypical transactions should not differentiate between occasional customers and customers in a business relationship.

APS's opinion: In addition to the daily updating of lists of sensitive persons, regular updating of customer files ensures better data quality and therefore better detection of sensitive persons.

AML-CFT tools should filter and analyze your entire customer portfolio on a daily basis. This automated screening should then highlight only new alerts or alerts that have undergone a major change. For the sake of productivity, previously decided alerts that have not undergone a major change should not be resubmitted to the decision of an operator/analyst AML-CFT.

Inconsistent compliance policy

The ACPR points out 2 inconsistencies (which we frequently encounter):  

  1. inconsistency between theoretical compliance procedures/policies and those implemented on a day-to-day basis (the ACPR is uncompromising on this point!)
  2. the inadequacy of the system for monitoring and analyzing transactions in relation to the obligations AML-CFT facing the reporting institution.

APS's view : It is essential that AML-CFT tools be parameterizable and take precise account of all internal Compliance criteria. We note that the ACPR is adamant about any inconsistencies found between the theoretical compliance policy and the configuration of its tools AML-CFT. What's more, this parameterization must be easily exportable, so that an auditor can be presented with an explanation of how the system works at any time.

This parameterization should also enable certain decisions to be automated, in order to streamline the customer/KYC process.

This parameterization should also enable certain decisions to be automated, in order to streamline (digitized) customer and KYC paths, offering :

  • Productivity
  • Security
  • Coherence
Tags:

You may also like

Legal professionals facing the risk of involuntary complicity
Anti-corruption, Compliance
Episode 5 - AML-CFT : the legal professional in turmoil
Due diligence: tools and methods to make controls more reliable
Anti-corruption
Optimizing due diligence: tools to avoid mistakes