Nigel's Eyes

20231017 "Generative AI" in "AML".

This article explains the background to the Uncommon Sense programme "Financial Crime Risk and Compliance - Generative AI - Epic Fails" on FinCrimeTV.

This article is about a trend in marketing RegTech products to compliance officers who are not, and cannot be expected to be, familiar with what lies behind techy / marketing terms.

There is a current trend for RegTech companies to market their products to technologically unsophisticated compliance officers saying that they have improved performance by using “Generative AI.”

It is easy to see why this trend is developing: venture capital is drying up for "AI Powered" RegTech. Companies need to generate something new and exciting, a new wave for venture capitalists to ride before they find out it's a money pit not a money pot.

With the already waning interest in ChatGPT, the race is on for companies to capitalise on "generative ai", and across the spectrum of product development, not only in RegTech, there is a massive drive to incorporate it into products while it is still "a thing."

What if the entire global dataset were like the library at the end of your road?

The reality is that "generative ai" is woefully indiscriminate in both its sources and its output. Like all computerised activity, it is not intelligent. In this case, it is simply algorithmic analysis of data with which it is provided or from sources where it is told to look or, sometimes, not told not to look.

Think of the entire global dataset as if it's the small library at the end of your road: there are sections, some of which the librarian will direct you to when you are looking for something specific, some sections that you will browse because you are not sure what you are looking for but hope to come across it and there are sections where, because of a pre-determined criterion, you are not permitted to enter.

When you find information, which is all that "data" is, you perform some function on it: you dismiss it or you act upon it; you eventually give up looking for it and in doing so decide it is not there or that you'd rather be doing something else. That absence of data is, itself, data.

In computing, someone sits in a room and makes those decisions, tells the computer what those decisions are and tells it, in effect, to go to the library and behave as you do.

So, that's the background.

"Generative AI" is no different but there is a problem: it "interprets" the data in imprecise ways. Worse, the advocates for the technology say with glee that it "hallucinates". That means, in human terms, that it makes stuff up.

So, with a simple experiment, we decided to prove it so that compliance officers are not dazzled by the new shiny stuff and do not buy into a high-risk approach to the analysis of transaction monitoring and Know Your Customer / Customer Due Diligence data.

Computerised output must be reliable, accurate and consistent

It is vital that RegTech produces reliable output – it must be both accurate and consistent.

If it isn't, regulated businesses are not protected: instead they are put at risk.

We asked a selection of some of the most popular “Generative AI” image generators to create an image for us.

We used the same prompt for each.

“Man walking away from a burning bridge towards mountains. Sunset is behind him.”

The results were epic failures - and within those failures there were massive variations.

This is why there is no place for such technology in financial crime risk and compliance.

Almost all results were fundamentally wrong

We found that each program produced wildly different results from each of the others.

Almost all results were fundamentally wrong.

Some programs produced multiple results based on the same text.

In the world of financial crime risk and compliance these failures are often said to be

"false positives" - that is to say that they indicate that there is cause for suspicion when there is not - or
"false negatives" - that is to say that there is not cause for suspicion when there is.

A false negative puts the company and its staff at risk of prosecution and/or action by regulators.

A false positive puts customers at risk of investigation by law enforcement and the company at risk of an action for damages by a falsely accused customer.

The relevance of the experiment

The experiment is relevant because

a) The background data is designed and set by the company that produces the program.

b) The algorithms that analyse the "prompt" are defined by that company.

c) the background data is defined by that company. In these graphics platforms, the background data is examples of artwork, etc. which are sliced and diced and indexed.

The background data in financial crime risk and compliance is that obtained from the customer and from other sources: human intelligence, open source intelligence and confidential or proprietary sources.

So while the actual data is different, the nature of the data is the same.

d) When we enter the "prompt" it is unstructured data. This means that in operation, each person who enters data will do so slightly differently because people express facts in different ways.

There is, therefore, an inherent instability in the source data which is entered into the algorithms.

There is also a problem in that both the quality and the integrity of the data - that means whether it is all there and whether only relevant data is included in the analysis - will always be variable regardless of its source.

e) The interpretation of that data depends on the views of those setting the algorithms. It also depends on the order in which that data is processed.

f) In relation to financial crime risk and compliance, the quality and integrity of the data is paramount.

Pic and Mix

Several programs gave us several images to choose from.

In financial crime risk and compliance, we need clarity and certainty.

Such tools are supposed to reduce the opportunity for misinterpretation.

But as we can see, what actually happens is that we are presented with multiple interpretations all drawn from precisely the same query and data.

How proprietary is proprietary?

Separate from the reliability of results, it is important to know that very little of the programming and even data is actually originated by the company that sells the program.

There is a very small number of companies that produce the code and, even, the algorithms and data from scratch. The vast majority depend on code written by serious and very competent hobbyists, often those employed by very large software companies. "Snippets" of code are published on e.g. GitHub (owned by Microsoft) or the less public Google Cloud Source Repositories.

Many companies use these code sources for rapid product development and while they may use different snippets to produce a unique end product, the results will be defined by the original code, even if it is slightly modified. Look at the similarity between some of the images: it is almost as if they were produced by a white label version of someone else's program with a common dataset.

Similar (sorry, mathematicians) but not the same.

And the data is also, in many cases, drawn from large data gathers under an arrangement to aggregate that data and to integrate it into a common output.

There is nothing good about the idea of using "generative ai" in relation to money laundering, etc, risk and control.


Regulators who are in some cases already promoting this tech need to get a grip on the reality of the situation and compliance officers need to reject it out of hand. It's just inviting trouble.

The FinCrimeTV Uncommon Sense programme is here:

An apology of sorts: the programme title "Financial Crime Risk and Compliance - Generative AI - Epic Fails" is a click-bait title for the YouTube masses. But the subject is far from the superficial content that click-bait usually prefaces.

And the headline to this article is also a bit click-baitish.

I'm not going to restate my established positions that there is no such thing as "artificial intelligence" and that the term "AML" is wrong. They are used to attract the attention of readers who are comfortable with the familiar, even when the familiar is incorrect.

But it is, I think, acceptable to use them in the headline for the simple reason that they are in widespread use and are being used by companies to target exactly the same people as I target for readership and services.

To be clear: I am not saying that the functions which are described as "artificial intelligence" are undesirable (unlike "generative ai" which is) but that the term "artificial intelligence" is fundamentally inaccurate and should not be used. The actual tech is immensely valuable.