The report: How Generative AI Can Help Banks Manage Risk and Compliance [March 2024]
Source: McKinsey & Company
Why we picked it: In the past year, McKinsey has produced considerable thought leadership about GenAI; this latest focuses how it can help banks manage risk and compliance.
Executive Summary
McKinsey argues in “How Generative AI Can Help Banks Manage Risk and Compliance” that GenAI is poised to drive new efficiencies and productivity across the entire economy, especially in the financial services industry. But while the technology can help risk and compliance functions improve efficiency and effectiveness, it is also imperative for risk and compliance functions to put guardrails around its use.
Key Takeaways
- GenAI has obvious and immediate applications for managing risk and compliance. Use cases include regulatory compliance, financial crime risk monitoring, credit risk and cyber risk monitoring, and modeling and data analytics.
- But GenAI also comes with its own risks, including impaired fairness, intellectual property infringement, privacy concerns, malicious use, security threats, and third-party risks.
- To make the most of GenAI tools, banks should ensure risk management and controls, be prepared to meet data and tech requirements, and embed the required talent and operating model changes into their culture and business processes.
What we liked: Most analyses of GenAI banking focus on customer service and operations; this report focuses on promising and potentially critical applications in risk and compliance.
What we didn’t: The report starts promisingly, but peters out into generalities — epitomized by a generic three-dimensional consultant’s matrix that is supposed to help prioritize AI use cases (below).
The Promise of GenAI
McKinsey analysts believe that over the next three to five years, GenAI has the potential to revolutionize how banks manage risks. Instead of task-oriented activities, it could allow functions to move towards partnering with business lines on strategic risk prevention with new controls at the outset.
This “shift left” mindset would reduce task-oriented activities and free up professionals to advise businesses on new product development and strategic business decisions, explore emerging risk trends, strengthen resilience, and improve risk controls.
Risk intelligence centers: New advances could help create GenAI-powered risk intelligence centers that service all lines of defense. This could offer automated reporting, improved risk transparency, greater efficiency, and help risk managers make informed decisions quickly and accurately.
Virtual experts: McKinsey has already developed a virtual expert to answer questions about company policies, regulations, and guidelines. GenAI applications can collect data, compare policies, regulations, and operating procedures, and evaluate risk.
Read more:
- Real-world Lessons for GenAI in Banking, According to Google
- Is it Too Late to Get Started with GenAI? No, But the Clock’s Ticking
Emerging Applications
Use case archetypes: There are three use case archetypes in these areas. A virtual expert enables users to obtain quick answers from unstructured data and long-form documents. Manual process automation enables GenAI to perform time-consuming tasks. Meanwhile, GenAI can update or translate old code or write entirely new code through code acceleration.
Regulatory compliance: GenAI tools can serve as virtual regulatory and policy experts by training them to answer questions about regulations, company policies, and guidelines. They can also serve as a code accelerator by checking code for compliance misalignment and gaps and as an automation tool by checking compliance and providing alerts for breaches.
Financial crime monitoring: GenAI tools can analyze customer and transitional information for suspicious activity and automate the customer’s risk ratings based on changes in KYC attributes. Improving the code can also enable it to continually enhance transaction monitoring.
“We expect GenAI to empower banks’ entire risk and compliance functions in the future. This implies a profound culture change that will require all risk professionals to be conversant with the new tech, its capabilities, its limitations and how to mitigate those limitations.”
Credit, cyber and climate risk: GenAI can summarize customer information to inform credit decisions and help accelerate banks’ end-to-end credit process, then draft credit memos and contracts. It can also generate credit risk reports by extracting customer information from memos and generating code to gain a deeper view of customer risk profiles and generate default and loss probability estimates. The technology can also serve as a virtual expert to investigate data security, check cybersecurity vulnerabilities, and generate code for detection rules. Finally, it can automatically generate reports and make recommendations on ESG topics.
Modeling and analytics: GenAI can help financial institutions work based on legacy languages and move from SAS to modern languages like Python and COBOL. It can also automate the monitoring of model performance reports and draft model documentation and validation reports.
Key Considerations
While GenAI offers many benefits, it is critical to prioritize use cases to adopt the technology responsibly and sustainably.
Decisions: Risk officers can evaluate and make decisions on assessments across qualitative and quantitative dimensions of impact, risk, and feasibility. They should align with their banks’ overall visions for GenAI, guardrails, and relevant regulations.
Categories of risk: McKinsey notes several risk categories related to GenAI technologies. One risk is impaired fairness, such as when the output may be inherently biased against a particular group of users. Other risks include intellectual property rights infringement, privacy concerns, and malicious use. The breach or exploitation of a GenAI system can also present security risks. Other vulnerabilities include noncompliance with regulations and third-party risks, such as leakage of proprietary data to the public realm.
Winning Strategies
To start the GenAI journey, McKinsey recommends a focused, top-down approach by identifying three to five high-risk risk and compliance use cases, then executing them in three to six months and evaluating the business impact.
Development of a GenAI ecosystem: A GenAI ecosystem has several vital components. One of the first is a catalog of production-ready, reusable GenAI services and solutions that can be easily plugged into various business scenarios and applications. Banks will also need a secure, GenAI-ready tech stack that can integrate with enterprise-grade foundation models. Other components include appropriate governance and talent models, process alignment, and a roadmap to launch and scale.
Start now: As many financial institutions are exploring GenAI, those that fail to harness the technology’s potential risk falling behind in creativity, efficiency, and customer management. As GenAI has a long timeframe from pilot to production, banks should start developing now.
Risk management and controls: When considering use cases, banks must consider offensive and defensive strategies. The first wave focuses on human-in-the-loop reviews to ensure the accuracy of model response and make these human reviews more efficient by enabling development team members to set guardrails and create controls from the start.
Data and tech demands: Banks must not underestimate the considerable data and tech demands of GenAI. Context embedding, which requires appropriate and quality data, is critical to ensure accurate and relevant results. Ensuring accurate and up-to-date data will also be key in harnessing the greatest capabilities.
Talent and operating models: As GenAI is a transformational technology requiring an organizational shift, organizations must understand the related talent requirements. Banks can embed operational model changes into their culture and train a team of “GenAI champions” to help shape, build, and scale the adoption of their new tech.