On April 12, 2021, the Office of the Comptroller of the Currency (“OCC”), the Board of Governors of the Federal Reserve System (“Board”), the Federal Deposit Insurance Corporation (“FDIC”), the National Credit Union Administration (“NCUA”) and the Financial Crimes Enforcement Network (“FinCEN”) issued a Request for Information (“RFI”) requesting comment on the extent to which the agencies’ previous guidance on model risk management supports banks’ compliance with Bank Secrecy Act (“BSA”) and Anti-Money Laundering (“AML”) regulations and Office of Foreign Assets Control (“OFAC”) requirements.
The RFI asks for comments from interested parties on suggested changes to guidance or regulations, and whether aspects of the agencies’ approaches to BSA/AML and OFAC compliance are either working well, or could be improved. The agencies explained that the reason for the RFI is to further understand current bank practices, and determine whether additional explanation or clarification of their guidance may be helpful. Although the genesis of the RFI is not entirely clear, it appears that it was issued in response to certain financial institution inquiries or comments regarding how the maintenance of their BSA/AML compliance programs should incorporate principles set forth in earlier, more general regulatory guidance on model risk management for banks, which we describe below. Further, the RFI has not occurred in a vacuum, but rather has appeared in the midst of a major, ongoing overhaul of the BSA/AML legislative, regulatory and enforcement regime. Comments to the RFI must be received by June 11, 2021.
In conjunction with the RFI, the Board, FDIC, and OCC (in consultation with FinCEN and NCUA) issued an interagency statement (“Interagency Statement”) regarding model risk management and BSA/AML compliance. Addressing the philosophy and intention of the agencies’ previous model risk management guidance, the statement offers recommendations on how that guidance could be utilized by banks in developing, implementing and maintaining effective BSA/AML risk management programs.
The Model Risk Management Guidance
The agencies’ previous guidance is encompassed by the “Supervisory Guidance on Model Risk Management”, Federal Reserve Supervision and Regulation Letter 11-7, OCC Bulletin 2011-12, and FDIC Financial Institution Letter 22-2017 (collectively referred to as the model risk management guidance, or “MRMG”). The MRMG was issued with the intention that banks and supervisors use it to assess management of model risk. The guidance encompasses how models could be developed, implemented, and used, and covers ongoing validation of models. The MRMG describes “model” broadly as a “quantitative method, system, or approach” that applies a number of different types of “theories, techniques and assumptions that process input data into quantitative estimates.” In addition to development and validation of models, the MRMG espouses sound risk management and governance principles. Recognizing the variations in banking organizations’ size, nature, complexity and sophistication, the MRMG recommends the guidance be applied as appropriate. It is important to note that the MRMG addresses models in general terms and does not specifically reference their use in conjunction with BSA/AML and OFAC compliance.
The recent Interagency Statement clarified the following points with respect to the MRMG:
- The MRMG does not have the force and effect of law, and it is not meant to serve as testing procedures for BSA/AML systems.
- There are no requirements or supervisory expectations in the MRMG that banks have duplicative processes for complying with BSA/AML regulations.
- Not every BSA/AML system may be considered a model, and this determination can be bank-specific in conjunction with the MRMG’s description of a model.
- The agencies recognize that banks assess models in a variety of ways, often depending on the type of model and how it is used.
- The MRMG principles are designed to provide flexibility for banks in developing, implementing, and updating models, allowing banks to update models quickly in response to evolving threats, and to pursue innovation.
- If a bank chooses to use a third-party model, it may consider principles discussed in the agencies’ third-party risk management issuances along with the portions of the MRMG that discuss third-party models.
- No matter how a BSA/AML system is characterized, sound risk management is paramount. Banks may use the MRMG to implement and maintain a risk management framework.
Within the RFI, the agencies request information about the relationship between BSA/AML and OFAC compliance and the MRMG, and express interest in both individual bank and common industry practices. They specifically ask for comments about the following:
- Systems and methodologies used to support BSA/AML and OFAC compliance;
- The extent of internal oversight of models in addition to compliance requirements;
- The extent of policies and procedures specific to BSA/AML and OFAC models that govern validation of such models;
- Whether risk management principles in the MRMG are appropriate for BSA/AML and OFAC models and whether there are other principles that would be appropriate;
- Factors that may create delays in implementing, updating and improving systems due to the application of model risk management to BSA/AML and OFAC models;
- Whether banks consider model risk management with respect to BSA/AML an impediment to innovative and effective approaches;
- The extent to which banks’ model risk management frameworks include testing/validation processes that are more extensive than reviews conducted to meet the independent testing requirement of the BSA;
- The extent to which banks use third parties to perform validation of BSA/AML and OFAC compliance systems, and why third parties may be used;
- The extent to which banks employ internally developed BSA/AML or OFAC compliance systems, third-party systems, or both, and what challenges arise with these systems considering the MRMG principles;
- Whether banks’ model risk management frameworks apply to all models, including BSA/AML and OFAC models, and why or why not;
- Several specific questions as to the validation of suspicious activity monitoring systems (how and how often do banks validate such systems, whether they benchmark internal or external data, whether they compare data with actual outcomes, and how they monitor the impact of changes to systems to ensure accuracy); and
- The extent to which, based on materiality, banks adjust model risk management testing and validation for BSA/AML and OFAC models, and how they do so.
Although the potential practical implications of the RFI are not entirely clear at this time, it appears that the RFI fits into a wider, ongoing inquiry into basic principles underlying the BSA and AML/CTF compliance, including the stated purpose of the BSA and the factors which regulators should consider when examining financial institutions’ AML program compliance.