
The new era of banking compliance: opportunities and risks of data and AI

Never before has the volume of data in compliance been so high – and never before has it been so difficult to manage risks in a timely, consistent and audit-proof manner. Data-based analyses and AI-supported processes promise relief. But not everything that is efficient is also compliant. How can AI tools be used in a compliant manner?


Banks today face a paradoxical situation: compliance has never been so data-rich – and never has it been so difficult to manage risks in a timely, consistent and audit-proof manner.

WpHG compliance, MaRisk compliance and anti-money laundering (AML) are often characterised by:

  • high transaction volumes,
  • complex process chains,
  • increasing documentation requirements and
  • growing expectations from regulators and auditors.

Data-based analyses and AI-supported processes promise relief: better risk detection, fewer manual checks, more targeted monitoring. And often they deliver on all these promises. But in the regulatory environment in particular, it holds more than ever that not everything that is efficient is also compliant.

Each IT system should be examined critically, because banking compliance has a clear goal: to identify risks early on – and to be able to justify decisions in a comprehensible manner at any time.

The transformation of the compliance model: from rules and lists to risk signals

Traditional banking compliance is heavily rule-based:

  • requirements from the Securities Trading Act (WpHG), MaRisk and the Money Laundering Act (GwG) are translated into policies,
  • controls check compliance,
  • and deviations are documented and addressed.

However, this model is increasingly reaching its limits. Today, many risks arise not from a single violation, but from patterns over time, such as

  • unusual trading sequences,
  • systematic circumvention of limit or approval logic,
  • atypical customer or payment profiles,
  • and combinations of circumstances that are unremarkable on their own.

This is where data-driven compliance comes in – with a clear change of perspective:

  • Data provides clues, not conclusions
  • Systems help with prioritisation, not with the final assessment
  • Compliance remains the decision-maker – not the executor of technology

This makes compliance more flexible, faster and more efficient. But it also makes it more vulnerable if control, documentation and responsibilities are not clearly regulated or traceable.

Concrete added value in WpHG, MaRisk and AML compliance

WpHG compliance: Understanding market behaviour, not just monitoring it

Enormous amounts of data are available in the context of market abuse, conflicts of interest and conduct of business obligations:

  • Trading and order data,
  • Communication data,
  • Information on employees, customers and related parties.

Analytical methods can help to reveal unusual patterns, such as:

  • Frequent occurrences of certain trading activities at specific times,
  • Deviations from the typical trading behaviour of individual actors, or
  • anomalies surrounding research publications or sensitive information.

The added value lies not in automated accusations, but in a more targeted selection of cases. Because one thing is clear: a system recognises anomalies – not market abuse. The legal assessment remains (as far as permitted by regulatory law) human and must be documented in a reliable manner.

MaRisk compliance: Combining process reality and regulatory monitoring

MaRisk compliance violations rarely arise from blatant disregard for the rules. They are often the result of gradual developments, such as:

  • permanently approved exceptions,
  • manual overrides,
  • unclear responsibilities or
  • historically developed process circumventions.

Data-based analyses can create transparency here by asking:

  • Where are limits regularly overridden?
  • Which processes systematically deviate from the defined target?
  • Where do functions accumulate contrary to the principle of separation?

There is also a second, often underestimated aspect: regulatory monitoring.

Regulatory requirements are constantly changing – through circulars, interpretation aids, guidelines or supervisory review priorities. Here, data- and text-based evaluations can help to

  • identify regulatory changes at an early stage,
  • assess their relevance for existing processes and
  • track implementation requirements in a structured manner.

The benefits are particularly high in the area of documentation – but only if it remains clear that technology cannot replace professional interpretation. Without clear definitions, reliable data sources and clear responsibilities, transparency quickly turns into a need to explain oneself to the supervisory authority.

AML, PSD3 and fraud prevention: greater clarity in mass business

Money laundering prevention and fraud prevention are particularly data-intensive because they rely on:

  • Transaction monitoring,
  • Customer behaviour over time,
  • Network and relationship analyses,
  • Dynamic risk profiles.

With PSD3 and the growing focus on payment fraud, the interlinking of AML and fraud prevention is also coming to the fore. Suspicious payment flows, social engineering patterns or account takeovers can often only be detected when data is viewed holistically.

Modern approaches can:

  • reduce false alarms,
  • make new typologies visible more quickly and
  • escalate risks earlier.

At the same time, AML is the area with the highest regulatory sensitivity. The following are expected:

  • complete traceability of alert logic,
  • clear documentation of parameters and thresholds, and
  • the reproducibility of decisions – even retroactively.

A system that ‘learns’ without being explainable is hardly tenable from a regulatory perspective – regardless of its hit rate.

Reporting, documentation and communication with supervisory authorities

Technical assistance, including AI-supported drafting, can be extremely helpful when it comes to reports, statements of facts and action plans – for example, in terms of structure, consistency and language. This saves time, but it also carries risks.

Well-written texts are no substitute for sound reasoning. Especially when communicating with supervisory authorities and auditors, the following applies: what sounds good must be verifiable. This is why clear guidelines are needed.

Governance decides: technology is not a free pass

Anyone who uses data-driven processes in banking compliance without putting governance first creates new risks – often precisely where the aim is to reduce the burden.

A pragmatic approach: regulatory compliance rather than ambitious goals

A viable approach to data-driven banking compliance does not always require a big bang – especially in small and medium-sized institutions:

  • A clearly defined use case (e.g. AML alerts, fraud patterns or WpHG trading anomalies)
  • A transparent data basis with clear responsibilities
  • Documented logic, thresholds and limits
  • Clear separation of notification, evaluation and decision
  • Quality assurance, logging and reproducibility
  • Scaling only after successful regulatory review
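What the regulatory expectations in the AML section (traceable alert logic, documented parameters and thresholds, retroactively reproducible decisions) and this checklist (documented logic, separation of notification, evaluation and decision, logging and reproducibility) look like in practice is easiest to see in a minimal, deterministic transaction-monitoring rule set. The following is an added example written for this page, not code from the original post, from msg or from any product: the parameter set is versioned by a content hash, every alert carries the evidence that triggered it, the audit record can be replayed, and the human decision is a separate step that references the alert and the parameter version. The rule names, thresholds and sample transactions are constructed assumptions for illustration, not any institution's settings.

```python
"""Added example (not from the original post): deterministic, explainable
transaction-monitoring rules with versioned parameters and replayable output.
Thresholds, rule names and transactions are constructed assumptions."""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta
from typing import Any, Dict, List


@dataclass(frozen=True)
class Params:
    """Documented thresholds. The version id is derived from the content, so a
    changed threshold is always a new, identifiable parameter version."""
    label: str
    large_amount_eur: float        # single payment at or above this value
    window_hours: int              # look-back window for split payments
    structuring_total_eur: float   # cumulative amount that triggers inside the window
    structuring_min_count: int     # minimum number of sub-threshold payments

    def version_id(self) -> str:
        raw = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(raw).hexdigest()[:12]


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    ts: datetime
    amount_eur: float


def rule_large_amount(txns: List[Txn], p: Params) -> List[Dict[str, Any]]:
    """Flag single payments at or above the documented threshold."""
    return [{"rule": "large_amount", "account": t.account, "txn_ids": [t.txn_id],
             "evidence": {"amount_eur": t.amount_eur, "threshold_eur": p.large_amount_eur}}
            for t in txns if t.amount_eur >= p.large_amount_eur]


def rule_structuring(txns: List[Txn], p: Params) -> List[Dict[str, Any]]:
    """Flag accounts that split a large sum into several sub-threshold payments
    inside the look-back window (one alert per account, first window found)."""
    alerts, window = [], timedelta(hours=p.window_hours)
    for acct in sorted({t.account for t in txns}):
        rows = sorted((t for t in txns if t.account == acct and t.amount_eur < p.large_amount_eur),
                      key=lambda t: t.ts)
        for i in range(len(rows)):
            in_win = [t for t in rows[i:] if t.ts - rows[i].ts <= window]
            total = sum(t.amount_eur for t in in_win)
            if len(in_win) >= p.structuring_min_count and total >= p.structuring_total_eur:
                alerts.append({"rule": "structuring", "account": acct,
                               "txn_ids": [t.txn_id for t in in_win],
                               "evidence": {"count": len(in_win), "total_eur": total,
                                            "window_hours": p.window_hours,
                                            "threshold_eur": p.structuring_total_eur}})
                break
    return alerts


def evaluate(txns: List[Txn], p: Params) -> Dict[str, Any]:
    """Audit record: which parameter version saw which input and raised which
    alerts. Deterministic ordering keeps records comparable across runs."""
    alerts = sorted(rule_large_amount(txns, p) + rule_structuring(txns, p),
                    key=lambda a: (a["rule"], a["account"]))
    rows = [(t.txn_id, t.account, t.ts.isoformat(), t.amount_eur)
            for t in sorted(txns, key=lambda t: t.txn_id)]
    digest = hashlib.sha256(json.dumps(rows).encode()).hexdigest()[:12]
    return {"params_version": p.version_id(), "input_digest": digest, "alerts": alerts}


def replay_matches(record: Dict[str, Any], txns: List[Txn], p: Params) -> bool:
    """Re-run the logic on the same data and parameters; a reproducible system
    must return exactly the recorded alerts, even long after the fact."""
    return evaluate(txns, p) == record


def record_decision(alert: Dict[str, Any], record: Dict[str, Any],
                    analyst: str, outcome: str, reason: str) -> Dict[str, Any]:
    """The decision is a separate human step that references the alert and the
    parameter version it was raised under; the engine itself never decides."""
    return {"params_version": record["params_version"], "rule": alert["rule"],
            "txn_ids": alert["txn_ids"], "analyst": analyst,
            "outcome": outcome, "reason": reason}


# Constructed sample input (assumption, not real data).
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_TXNS = [
    Txn("t1", "A", T0, 2500.0), Txn("t2", "A", T0 + timedelta(hours=2), 2500.0),
    Txn("t3", "A", T0 + timedelta(hours=4), 2500.0), Txn("t4", "A", T0 + timedelta(hours=6), 2500.0),
    Txn("t5", "B", T0, 15000.0),
    Txn("t6", "C", T0, 4000.0), Txn("t7", "C", T0 + timedelta(days=3), 4000.0),
]
PARAMS_V1 = Params("v1", 10000.0, 24, 9000.0, 3)
PARAMS_V2 = Params("v2", 20000.0, 24, 9000.0, 3)   # raised large-amount threshold

if __name__ == "__main__":
    rec = evaluate(SAMPLE_TXNS, PARAMS_V1)
    print(json.dumps(rec, indent=2))
    print("replay ok:", replay_matches(rec, SAMPLE_TXNS, PARAMS_V1))
    print("v2 is a distinct version:", PARAMS_V2.version_id() != PARAMS_V1.version_id())
```

Run as a script, the record shows one large-amount alert for account B and one structuring alert for account A with the four split payments and their total as evidence; account C stays silent because its two payments fall outside the window. Raising the threshold in PARAMS_V2 produces a different version id, so an alert raised under v1 can still be replayed against v1 after the parameters have moved on, which is exactly what a retroactive reproducibility request from an auditor requires. A learning model can be slotted into the same record structure only if it, too, can be pinned to a version and state its evidence per alert.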

This does not directly result in ‘smart’ compliance. But it usually results in regulatory-compliant, effective and sustainable banking compliance.

Event Tip

INSIDE FinAI: AI in banking compliance – but secure

Sandra Leicht


is Head of Regulatory Compliance at msg for banking and has extensive compliance experience and expertise in the financial services sector. She herself has been working as a compliance officer for many years and also advises and trains on all aspects of compliance functions. She also has extensive expertise in the successful management of companies and in advising financial institutions on topics such as WpHG compliance, MaRisk compliance, money laundering prevention and data protection.
