There have been a number of vendors getting in to Robotic Process Automation (RPA) to address some of the tedious aspects of AML compliance. As many know, even the best AML compliance systems tend to produce large numbers of false positives that analysts must review and clear. Large backlogs can lead to enforcement actions and generally lead to high operational costs.

The promise of RPA is in automating these repetitive, human capital intensive tasks without expensive and time consuming IT projects with back-end and middleware systems. In essence, RPA uses existing user interfaces to replicate the actions a human user would take. In theory, this enables automation, reducing the FTE load and overall operational cost, without the overhead of substantial IT integration, shifting the effort to the business to define processes without a lot of IT support.

All of this sounds pretty great, and for many purposes the approach makes a lot of sense. There are many day-by-day compliance activities that are repetitive and require limited subject matter expertise to handle. These seem like great opportunities for RPA, but it seems there are some risks that need to be carefully considered.

• As RPA is, by design, intended to avoid making changes to back-end or middleware systems. This is great for agility, but could tip the cost-benefit analysis against making much needed changes to those systems. It is entirely possible a temporary fix could become permanent, to the detriment of long-term structural improvements.
• RPA creates a new risk, or at least a different, risk to manage. What happens when a RPA process misses a sanctioned entity? This is not a one-off mistake made by a human analyst, but a systemic process failure that will call in to question all similar circumstances. Managing the risk of RPA should be taken as seriously as model risk validation and process validation.
• It could be tempting to “over-automate” some processes – many activities may seem simple on the surface, there are times were subtle aspects of human interaction make all the difference. Call it “gut feeling” or “sniff test” if you’d like, but I can’t how many times I’ve talked to folks working AML or fraud cases that started by noticing something small, or something small repeatedly over time through the course of those tedious reviews.

I’m not suggesting RPA is wrong or a poor approach, the cost reduction benefits are clear. What I’m suggesting is that firms should really think carefully about if and how to implement such solutions, how long term strategic plans could be impacted, and how such solutions impact a holistic AML compliance program.