Client Alert

Compliance for a Digital World: BSA/AML

The New ABC's: Artificial Intelligence, Blockchain and How Each Complements the Other

16 Mar 2020

Under the Bank Secrecy Act of 1970 (BSA), buoyed by the USA PATRIOT Act of 2001, the United States instituted a compliance regime where financial institutions are required to collaborate with the government in order to prevent the occurrence of financial crimes, including money laundering and terrorist financing. The onus of these requirements falls on the financial institutions, which are responsible for setting up appropriate safeguards and for reporting any suspicious activities, usually referred to as BSA/anti-money laundering (AML) compliance programs.

BSA/AML compliance programs in the United States are often associated with high costs and inefficiencies. At the core of the problem is the lack of standardization across institutions and BSA/AML compliance processes, such as know your customer (KYC), customer due diligence/enhanced due diligence, and transaction monitoring and alerting. The BSA does not affirmatively set forth types of information that must be collected or parameters of what constitutes suspicious activity. Instead, BSA/AML compliance programs require financial institutions to have a risk-based compliance program, rather than a rule-based one. Each institution must establish and implement an adequate compliance program commensurate with such institution’s risk profile. Thus, no two BSA/AML compliance programs are the same.

This fragmented BSA/AML landscape has resulted in burdensome compliance costs for financial institutions and has also created tense relationships between such institutions and their customers. For example, costs relating to governance, risk, and compliance account for approximately 15-20% of the total “run in the bank” costs for most major banks.[1] Even though financial institutions with $10 billion or more in revenue each spent approximately $150 million in 2017 compared to $142 million in 2016 on BSA/AML, the average customer onboarding period increased to 26 days from 24 days in 2016.[2] In addition, BSA/AML still remains fallible and institutions are penalized for flaws, adding more costs as a result.[3] However, Artificial Intelligence (AI) and blockchain could help financial institutions tackle such issues by making BSA/AML compliance more efficient.

BSA/AML still remains a process largely driven by manual input and human analysis. Applying AI more broadly could drive down costs through workflow automation and through greater precision and speed in the analysis of large amounts of structured and unstructured data.

A prime example of where AI could add value is the suspicious activity report (SAR). According to a recent study, “over 95 percent of system-generated alerts are closed as ‘false positives’ in the first phase of review.”[4] All in all, such efforts lead to the financial industry wasting billions of dollars in investigations because a vast majority of all alerts never culminate in valid SARs.[5] Deploying an AI system that can “learn” as it encounters more data could result in more effectively weeding out false positives and fine tuning transaction monitoring scenarios to alert only on transactions that have a higher probability of resulting in an SAR filing.

Further, when a financial institution collects BSA/AML-related information, such information is largely siloed away from other financial institutions or even from other departments at the same financial institution. This means that, after Bank A completes BSA/AML diligence on potential customer Jane Doe, if she wishes to open an additional account at Bank B, Bank B must separately conduct its own process. This duplication is burdensome not only for Bank B but also for Jane. This is where blockchain could offer a solution to address the information portability problems of BSA/AML. Verified customer information could be placed on a permissioned blockchain once consensus is reached with respect to the accuracy of such information. The information recorded on such blockchain-enabled system would be tamper resistant given the cryptographically hashed nature of blockchain data entries. Financial institutions would be able to share access to such secure, transparent, and immutable BSA/AML information and would no longer need to duplicate the collection of BSA/AML-relevant information. However, since BSA/AML compliance programs must be commensurate with a financial institution’s specific risk profile, each institution would still have to conduct its own risk assessments with regard to its customers and their transactions.

AI + Blockchain, Beyond Compliance

The machine-driven processes of AI, combined with the inherently secure and collaborative properties of blockchain, can facilitate a windfall in cost reduction while optimizing regulatory compliance. It is incumbent upon legislators, regulators, developers, and the general public alike to understand this potential.

Do so, and we may craft laws that enable the synergies to be gained, find new means to combine these technologies more efficiently, and take full advantage of the power the unique combination of AI and blockchain technology has to offer us.

[1] See Matthias Memminger, Mike Baxter and Edmund Lin, Banking Regtechs to the Rescue?, Bain & Company (Sept. 18, 2016), available at:

[2] See Thomson Reuters 2017 Global KYC Surveys Attest to Even Greater Compliance Pain Points, Reuters (Oct. 26, 2017), available at:

[3] See Joshua Fruth, Anti-Money Laundering Controls Failing to Detect Terrorists, Cartels, and Sanctioned States, Reuters (Mar. 14, 2018), available at:; see also Deepak Amirtha Raj, Spotlight on the Remarkable Potential of AI in KYC, LinkedIn Pulse (June 13, 2017), available at:

[4] See Fruth, supra note 13.

[5] See Fruth, supra note 13.


