Nebraska Bankers Association

BANK SECRECY ACT - SUPERVISORY GUIDANCE ON MODEL RISK MANAGEMENT

I. INTRODUCTION

The federal banking agencies have issued a joint statement to address how the risk management principles described in the “Supervisory Guidance on Model Risk Management” (Model Risk Management Guidance) relate to systems or models used by banks to assist in complying with the requirements of Bank Secrecy Act/Anti–Money Laundering (BSA/AML) laws and regulations. (See, Federal Reserve SR letter 11–7; OCC Bulletin 2011–12; and FDIC FIL 22–2017).

The joint statement clarifies that the risk management principles discussed in the model risk management guidance may be appropriate considerations in the context of the BSA/AML statutory and regulatory requirements but do not require any specific model risk management framework or application. The statement also explains that the model risk management guidance may be a useful resource for a bank’s model risk management framework and to assist with BSA/AML compliance.

Whether a bank characterizes a BSA/AML system (or portions of that system) as a model, a tool, or an application, risk management of such a system should be consistent with safety and soundness principles and the system should promote compliance with applicable laws and regulations.

II. BSA/AML SYSTEMS AND THE MODEL RISK MANAGEMENT GUIDANCE (MRMG)

The agencies’ BSA program regulations require a bank to have a reasonably designed compliance program that includes, among its components, a system of internal controls to assure ongoing compliance with BSA regulatory requirements. In this context, effective internal controls are typically based on the bank’s risk profile.

BSA/AML systems and a bank’s policies, procedures, and processes to identify, research, and report unusual activity, commonly known as suspicious activity monitoring and reporting systems, are critical internal controls for ensuring an effective BSA/AML compliance program. BSA/AML systems may include a surveillance monitoring system, sometimes referred to as an automated transaction monitoring system. Some of these automated transaction monitoring systems may involve the use of modeling.

There is no definition in statute or regulation of what constitutes a model for the purposes of model risk management; however, the MRMG uses the following definition of a model:

The term model refers to a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.

The MRMG lists the following three components of a model:

1. An information input component, which delivers assumptions and data to the model.

2. A processing component, which transforms inputs into estimates.

3. A reporting component, which translates the estimates into useful business information.

While some BSA/AML systems may constitute models under this description, others may not. The determination by a bank of whether a BSA/AML system is considered a model is bank specific, and a conclusion regarding the system’s categorization should be based on a consideration of all relevant information. There are no required categorizations of particular BSA/AML systems, including those used to monitor for suspicious activity. Categorizations vary based on the bank’s BSA/AML program and the individual features of the bank’s BSA/AML systems. The following examples likely would not be considered models, as defined by the MRMG, because they may lack one or more of the three components discussed above:

• Stand-alone, simple tools that flag transactions based on a singular factor, such as reports that identify cash, wire transfer, or other transaction activity over certain value thresholds.

• Systems used to aggregate cash transactions occurring at the bank’s branches for the purposes of filing Currency Transaction Reports.

Regardless of whether a bank characterizes a BSA/AML system as a model, a tool, or an application, there is no specific organizational structure required for oversight by the bank. Oversight of BSA/AML systems might be conducted solely by the bank’s compliance area, an MRM group, another functional area, or some combination of these functions. Sound risk management and procedures for evaluating the effectiveness of compliance programs are both key components to an effective BSA/AML compliance program.

The MRMG is non-binding. It provides a set of principles designed to be helpful in management. There is no requirement for a bank to apply duplicative processes, although all applications deemed to be models should be periodically reviewed and tested for effectiveness. There is also no expectation for duplicative efforts when it comes to independent testing, including model validation, to ensure compliance.

The MRMG lays out multiple expectations for model validations. Validations should be performed by independent parties with sufficient knowledge and expertise. The nature of the testing and model assumptions can vary across models and may not include the same techniques as other models. For example, one may place greater emphasis on coverage than efficiency. Banks typically make these decisions based on risk and change or update controls to ensure appropriate controls are in place.

III. THIRD PARTY MODELS

Third party models can help banks increase the efficacy of their BSA/AML programs, provided reasonable due diligence is applied before a contract has been signed along with ongoing monitoring of the performance of the third party. The MRMG standards are the same for a BSA/AML model developed internally as for one provided by a third party or one used by a third party when assisting the bank in BSA/AML compliance. While the proprietary nature of a third party model is a consideration, sound risk management requires an understanding of how the model works to ensure that it performs as expected and can be tailored to the unique attributes of the bank.

IV. CONCLUSION

The extent and nature of model risk varies across models and banks, and effective risk management is commensurate with the nature and materiality of the risk. The agencies clarify, in the joint statement, the following points:

a. The MRMG, like all supervisory guidance, does not have the force and effect of law.

b. The MRMG does not stipulate specific testing procedures.

c. The MRMG does not create expectations for duplicative procedures.

d. Certain BSA/AML processes may not be models; that determination is bank specific.

e. Banks assess different models in different ways – testing and analysis depend on the type of model and the context in which it is used.

f. The MRMG is principles-based and provides flexibility for developing, implementing, and updating models. Banks may take advantage of this flexibility when updating a model in response to changes in the threat environment or may adapt less material changes without invalidating the entire model.

g. Banks may use third party models.

h. Sound risk management is important. Banks can use these principles for establishing, implementing, and maintaining a risk management framework.


Nebraska Bankers Association

233 South 13th Street, Suite 700
Lincoln, NE 68508
402-474-1555