In Part One, we established why the CBN’s new Baseline Standards for Automated AML Solutions rank among the world’s best. Here, we examine the risks those Standards create and the hard governance work that genuine compliance requires.
A regulatory framework is only as valuable as the quality of its implementation.
The CBN has been explicit on this point from the opening pages of its new Baseline Standards – they are designed to ensure “demonstrable effectiveness and not merely feature-based compliance or vendor-driven implementation”.
That phrase is both an aspiration and a warning. It tells institutions precisely what the CBN will be looking for when it examines compliance and what will not satisfy it.
What follows is an analysis of the ten most significant risks embedded in the new framework, explained in terms that non-technical readers can follow, with the supporting detail and specific Standards references that Compliance Officers and Risk Managers need to act on.
The AI model validated and deployed at the point of compliance will not remain equally accurate indefinitely. Financial crime typologies evolve. Products change. Customer behaviour shifts. Sophisticated financial criminals actively probe detection systems and adapt their methods to evade learned patterns. A model can degrade significantly between annual reviews while continuing to generate alerts and maintaining the outward appearance of function – what practitioners call silent deterioration.
The Standards require annual independent validation covering performance drift (§5.5b.i) and ongoing scenario tuning (§5.5b.iii). Annual validation is the regulatory floor. For institutions with material transaction volumes or rapidly evolving portfolios, it is not sufficient as a stand-alone control.
What institutions must do – Track three metrics monthly between validation cycles – alert generation rate per thousand transactions, true positive rate among investigated alerts and the rate of alerts resulting in Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR) filings. Define threshold values such that material deviation triggers an out-of-cycle review without waiting for the annual schedule. The model governance committee is required under §5.5b. We should review these metrics at every meeting.
