How Generative AI Can Help Banks Manage Risk and Compliance


Risk & Resilience Practice

In the next five years, generative AI could fundamentally change
financial institutions’ risk management by automating, accelerating,
and enhancing everything from compliance to climate risk control.
by Rahul Agarwal, Andreas Kremer, Ida Kristensen, and Angela Luget

March 2024
Generative AI (gen AI) is poised to become a catalyst for the next wave of productivity gains across industries, with financial services very much among them. From modeling analytics to automating manual tasks to synthesizing unstructured content, the technology is already changing how banking functions operate, including how financial institutions manage risks and stay compliant with regulations.

It’s imperative for risk and compliance functions to put guardrails around gen AI’s use in an organization. However, the tech can help the functions themselves improve efficiency and effectiveness. In this article, we discuss how banks can build a flexible, powerful approach to using gen AI in risk and compliance management and identify some crucial topics that function leaders should consider.

Seizing the promise of gen AI

Gen AI has the potential to revolutionize the way that banks manage risks over the next three to five years. It could allow functions to move away from task-oriented activities toward partnering with business lines on strategic risk prevention and having controls at the outset in new customer journeys, often referred to as a “shift left” approach. That, in turn, would free up risk professionals to advise businesses on new product development and strategic business decisions, explore emerging risk trends and scenarios, strengthen resilience, and improve risk and control processes proactively.

These advances could lead to the creation of AI- and gen-AI-powered risk intelligence centers that serve all lines of defense (LODs): business and operations, the compliance and risk functions, and audits. Such a center would provide automated reporting, improved risk transparency, higher efficiency in risk-related decision making, and partial automation in drafting and updating policies and procedures to reflect changing regulatory requirements. It would act as a reliable and efficient source of information, enabling risk managers to make informed decisions swiftly and accurately.

For instance, McKinsey has developed a gen AI virtual expert that can provide tailored answers based on the firm’s proprietary information and assets. Banks’ risk functions and their stakeholders can develop similar tools that scan transactions with other banks, potential red flags, market news, asset prices, and more to influence risk decisions. These virtual experts can also collect data and evaluate climate risk assessments to answer counterparty questions.

Finally, gen AI could facilitate better coordination between the first and second LODs in the organization while maintaining the governance structure across all three. The improved coordination would enable enhanced monitoring and control mechanisms, thereby strengthening the organization’s risk management framework.

Emerging applications of gen AI in risk and compliance

Of the many promising applications of gen AI for financial institutions, there’s a set of candidates that banks are exploring for a first wave of adoption: regulatory compliance, financial crime, credit risk, modeling and data analytics, cyber risk, and climate risk. Overall, we see applications of gen AI across risk and compliance functions through three use case archetypes.

Through a virtual expert, a user can ask a question and receive a generated summary answer that’s built from long-form documents and unstructured
data. With manual process automation, gen AI performs time-consuming tasks. With code acceleration, gen AI updates or translates old code or writes entirely new code. All these archetypes can have roles in the key responsibilities of risk and compliance:

— Regulatory compliance. Enterprises are using gen AI as a virtual regulatory and policy expert by training it to answer questions about regulations, company policies, and guidelines. The tech can also compare policies, regulations, and operating procedures. As a code accelerator, it can check code for compliance misalignment and gaps. It can automate checking of regulatory compliance and provide alerts for potential breaches.

— Financial crime. Gen AI can generate suspicious-activity reports based on customer and transaction information. It can also automate the creation and update of customers’ risk ratings based on changes in know-your-customer attributes. By generating and improving code to detect suspicious activity and analyze transactions, the tech can improve transaction monitoring.

— Credit risk. By summarizing customer information (for example, transactions with other banks) to inform credit decisions, gen AI can help accelerate banks’ end-to-end credit process. Following a credit decision, it can draft the credit memo and contract. Financial institutions are using the tech to generate credit risk reports and extract customer insights from credit memos. Gen AI can generate code to source and analyze credit data to gain a view into customers’ risk profiles and generate default and loss probability estimates through models.

— Modeling and data analytics. Gen AI can accelerate the migration of legacy programming languages, such as the switch from SAS and COBOL to Python. It can also automate the monitoring of model performance and generate alerts if metrics fall outside tolerance levels. Companies are also using gen AI to draft model documentation and validation reports.

— Cyber risk. By checking cybersecurity vulnerabilities, gen AI can use natural language to generate code for detection rules and accelerate secure code development. It can be useful in “red teaming” (simulating adversarial strategies and testing attack scenarios). The tech can also serve as a virtual expert for investigating security data. It can make risk detection smarter by speeding and aggregating security insights and trends from security events and behavior anomalies.

— Climate risk. As a code accelerator, gen AI can suggest code snippets, facilitate unit testing, and assist physical-risk visualization with high-resolution maps. It can automate data collection for counterparty transition risk assessments and generate early-warning signals based on trigger events. As a virtual expert, gen AI can automatically generate reports on environmental, social, and governance (ESG) topics and sustainability sections of annual reports (see sidebar, “How generative AI can speed financial institutions’ climate risk assessments”).

Once companies have embedded gen AI in these roles and functions, they have seen a second wave of emerging use cases across other aspects of risk management. Gen AI can streamline enterprise risk by synthesizing enterprise-risk-management summaries from existing data and reports. It can help accelerate the internal capital adequacy assessment process and model capital adequacy by sourcing relevant data. Banks can also use it to summarize risk positions and draft risk reports and executive briefings for senior management.

Another area in which gen AI can play an important role is operational risk. Banks can use it for operational automation of controls, monitoring, and incident detection. It can also automatically draft risk and control self-assessments or evaluate existing ones for quality.

Sidebar: How generative AI can speed financial institutions’ climate risk assessments

Risk functions can benefit from generative AI (gen AI) across a variety of analyses. In the case of climate risk assessments, the technology—via tools based on generative pretrained transformers—can instantaneously draw from multiple, lengthy reports and distill answers from source materials (exhibit).

In addition, gen AI can provide support to relationship managers to accelerate the assessment of climate risk for their counterparties. It can automatically generate syntheses of counterparty transition plans and compare them against actual emissions to evaluate progress toward goals.

Beyond measurement, gen AI can aid climate impact analysis by ultimately automating reporting on environmental, social, and governance topics. It can aid risk by automating climate risk drafts, and it can spur growth by using customer data to personalize green financial products.

Consider the benefits of gen AI automation in helping customers move to net zero. The tech can identify market trends and environmental impact from years of company reports. In turn, financial institutions can use that new information to find investment opportunities.

Exhibit

Key considerations in gen AI adoption

While several compelling use cases exist in which gen AI can propel productivity, prioritizing them is critical to realizing value while adopting the tech responsibly and sustainably. We see three critical dimensions that risk leaders can assess to determine prioritization of use cases and maximize impact (exhibit).

Chief risk officers can base their decisions on assessments across qualitative and quantitative dimensions of impact, risk, and feasibility. This process includes aligning with their banks’ overall visions for gen AI and associated guardrails, understanding relevant regulations (such as the EU AI Act), and assessing data sensitivity. All leaders need to be aware of the novel risks associated with this new tech. These risks can be broadly divided into eight categories:

— impaired fairness, when the output of a gen AI model may be inherently biased against a particular group of users

— intellectual property infringement, such as copyright violations and plagiarism incidents, as foundation models typically leverage internet-based data

— privacy concerns, such as unauthorized public disclosure of personal or sensitive information

— malicious use, such as dissemination of false content and use of gen AI by criminals to create false identities, orchestrate phishing attacks, or scam customers

— security threats, when vulnerabilities within gen AI systems can be breached or exploited

— performance and “explainability” risks, such as models providing factually incorrect answers and outdated information

— strategic risks through noncompliance with ESG standards or regulations, creating societal or reputational risks

— third-party risks, such as leakage of proprietary data to the public realm through the use of third-party tools

Winning strategies for planning a gen AI journey

Organizations that can extract value from gen AI should use a focused, top-down approach to start the journey. Given the scarcity of talent to scale gen AI capabilities, organizations should start with three to five high-priority risk and compliance use cases that align with their strategic priorities. They can execute these use cases in three to six months, followed by an estimation of business impact. Scaling the applications will require the development of a gen AI ecosystem that focuses on seven areas:

Exhibit

— a catalog of production-ready, reusable gen AI services and solutions (use cases) that can be easily plugged into a range of business scenarios and applications across the banking value chain

— a secure, gen-AI-ready tech stack that supports hybrid-cloud deployments to enable support for unstructured data, vector embedding, machine learning training, execution, and pre- and postlaunch processing

— integration with enterprise-grade foundation models and tools to enable fit-for-purpose selection and orchestration across open and proprietary models

— automation of supporting tools, including MLOps (machine learning operations), data, and processing pipelines, to accelerate the development, release, and maintenance of gen AI solutions

— governance and talent models that readily deploy cross-functional expertise empowered to collaborate and exchange knowledge (such as language, natural-language processing, and reinforcement learning from human feedback, prompt engineers, cloud experts, AI product leaders, and legal and regulatory experts)

— process alignment for building gen AI to support the rapid and safe end-to-end experimentation, validation, and deployment of solutions

— a road map detailing the timeline for when various capabilities and solutions will be launched and scaled that aligns with the organization’s broader business strategy

At a time when companies in all sectors are experimenting with gen AI, organizations that fail to harness the tech’s potential are risking falling behind in efficiency, creativity, and customer engagement. At the outset, banks should keep in mind that the move from pilot to production takes significantly longer for gen AI than for classical AI and machine learning. In selecting use cases, risk and compliance functions may be tempted to use a siloed approach. Instead, they should align with an entire organization’s gen AI strategy and goals.

For gen AI adoption by risk and compliance groups to be effective and responsible, it is critical that these groups understand the need for new risk management and controls, the importance of data and tech demands, and the new talent and operating-model requirements.

Risk management and controls

With gen AI, a new level of risk management and control is necessary. Winning responsibly requires both defensive and offensive strategies. All organizations face inbound risks from gen AI, in addition to the risks from developing gen AI use cases and embedding gen AI into standard workplace tools. So banks will need to evolve their risk mitigation capabilities accordingly.

The first wave heavily focuses on human-in-the-loop reviews to ensure the accuracy of model responses. Using gen AI to check itself, such as through source citations and risk scores, can make human reviews more efficient. By moving gen AI guardrails to real time and doing away with human-in-the-loop reviews, some companies are already putting gen AI directly in front of their customers. To make this move, risk and compliance professionals can work with development team members to set the guardrails and create controls from the start.

Risk functions need to be vigilant to manage gen AI risks at the enterprise level. They can fulfill that obligation by taking the following steps:

1. Ensure that everyone across the organization is aware of the risks inherent in gen AI, publishing dos and don’ts and setting risk guardrails.

2. Update model identification criteria and model risk policy (in line with regulations such as the EU AI Act) to enable the identification and classification of gen AI models, and have an appropriate risk assessment and control framework in place.

3. Develop gen AI risk and compliance experts who can work directly with frontline development teams on new products and customer journeys.

4. Revisit existing know-your-customer, anti–money laundering, fraud, and cyber controls to ensure that they are still effective in a gen-AI-enabled world.

Data and tech demands

Banks shouldn’t underestimate the data and tech demands related to a gen AI system, which requires enormous amounts of both. Why? For one, the process of context embedding is crucial to ensure the accuracy and relevance of results. That process requires the input of appropriate data and addressing data quality issues. Moreover, the data on hand may be insufficient. Organizations may need to build or invest in labeled data sets to quantify, measure, and track the performance of gen AI applications based on task and use.

Data will serve as a competitive advantage in extracting value from gen AI. An organization looking to automate customer engagement using gen AI must have up-to-date, accurate data. Organizations with advanced data platforms will be the most effective at harnessing gen AI capabilities.

Talent and operating-model requirements

Since gen AI is a transformational technology requiring an organizational shift, organizations will need to understand the related talent requirements. Banks can embed operating-model changes into their culture and business-as-usual processes. They can train new users not only on how to use gen AI but also on its limitations and strengths. Assembling a team of “gen AI champions” can help shape, build, and scale adoption of this new tech.

We expect gen AI to empower banks’ entire risk and compliance functions in the future. This implies a profound culture change that will require all risk professionals to be conversant with the new tech, its capabilities, its limitations, and how to mitigate those limitations. Using gen AI will be a significant shift for all organizations, but those that navigate the delicate balance of harnessing the technology’s powers while managing the risks it poses can achieve significant productivity gains.

Rahul Agarwal is an associate partner in McKinsey’s New Jersey office, Andreas Kremer is a partner in the Berlin office, Ida
Kristensen is a senior partner in the New York office, and Angela Luget is a partner in the London office.

The authors wish to thank Adrija Banerjee, Stephan Beitz, Adrian Foerster, Yilin Li, Anke Raufuss, Ibtesam Siddiqui, and Claudia
Satrústegui for their contributions to this article.

Copyright © 2024 McKinsey & Company. All rights reserved.
