Interagency statement on model risk management for bank systems

ARTICLE | July 14, 2021

Authored by RSM US LLP

The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, Financial Crimes Enforcement Network (FinCEN), and the National Credit Union Administration have requested responses from all OCC-supervised banks regarding the supervisory guidance stated on model risk management for bank systems supporting Bank Secrecy Act/anti-money laundering (BSA/AML) compliance. This article will summarize the supervisory guidance issued April 12, 2021, related to model risk management on systems supporting banks’ BSA/AML compliance programs.

There is no predefined definition for a model within the regulation or statute for model risk management; however, the model risk management guidance utilizes the following definition for the term model:

The term model refers to a quantitative method, system or approach that applies statistical, economic, financial or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.

The guidance is called the Supervisory Guidance on Model Risk Management and it focuses on three core areas that should be considered when a model is used to support a financial institution’s BSA/AML compliance program:

• An information input component, which delivers data and assumptions into the model
• A processing component, which transforms the data into estimates
•  A reporting component, which transforms the estimates into useable business information

The model risk management guidance also brings to the attention of financial institutions’ examples of what are not models because they lack one or more of the components noted above:

• Stand-alone, simple tools that flag transactions based on singular factors, such as reports that identify cash, wire transfer, or other transaction activity over certain value thresholds
• Systems used to aggregate cash transactions occurring at the bank’s branches to file currency transaction reports.

For automated transaction monitoring systems to have diligent risk management requires periodic reviews and tests of the system’s filtering criteria and thresholds to determine if the current settings are effective and have an independent validation of the system. These reviews are generally performed using a risk-based approach with the frequency of the review determined by the financial institution’s risk profile.

Financial institutions may rely on a third-party monitoring system to support their BSA/AML program; however, the model risk management guidance establishes the following considerations when financial institutions utilize a third-party model:

• Perform reasonable due diligence before entering a contractual relationship
• Establish ongoing monitoring of the third party and the model when the model is utilized for compliance-related activities (currency transaction reporting, monitoring transactions, detection of suspicious activities or suspicious activity reporting)

Financial institutions are ultimately responsible for complying with BSA/AML requirements when utilizing a third-party model so the following risk management approach should be considered:

• Obtain sufficient information from the third party to understand how the model operates and performs (Thresholds, parameters and other settings should be tailored to the specific risk profile of the financial institution.)
• Establish a contingency plan(s) if a third-party model is no longer available or service is disrupted

All of the points of consideration noted within the model risk management guidance are not intended to have the force or effect of law. The points are guidance for a sound risk management approach of the models that are utilized by financial institutions to support their BSA/AML compliance systems. The guidance recognizes that there are many factors to study when considering the model risk management guidance, like the financial institution’s risk profile and the extent to which the model is used to support the BSA/AML compliance program. The model risk management guidance specifically states the use of flexibility as follows:

The model risk management guidance principles provide flexibility for banks in developing, implementing and updating models. Banks may benefit from employing this flexibility, including validation activities, to update BSA/AML models quickly in response to the evolving threat environment and to implement innovative approaches. Banks may establish policies that govern when the bank may implement fewer material changes to models without revalidation or may choose to revalidate certain model components without revalidating the entire model.

The publication of the model risk management guidance reminds financial institutions of the necessary points that should be considered when assessing model(s) used to support a financial institution’s BSA/AML compliance program. The guidance highlights a financial institution’s understanding of what should be considered a model, and how to assess third-party models as key initial steps. In addition, the guidance covered how the financial institution’s risk profile is another consideration when taking a risk-based approach to assessing the BSA/AML models. In closing, the guidance presented is flexible based on the financial institution’s risk profile and the risk-based approach should be implemented over the models that are utilized.