On April 9, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (collectively, the agencies), in consultation with the Financial Crimes Enforcement Network and the National Credit Union Administration, issued a statement to address industry issues that have arisen on model risk management (the statement). The statement incorporates and comments on the Supervisory Guidance on Model Risk Management (MMRG), which was issued in 2011 to assist banks with their Bank Secrecy Act and Anti-Money Laundering (BSA/AML) regulatory compliance protocols.

Per the agencies, the statement seeks to assist regulated entities with using the MMRG to effectively and efficiently manage their risk. Regulations require banks to have a BSA compliance program that includes, among other elements, internal controls to ensure regulatory compliance. The agencies note that each bank will produce different internal controls based on its risk profile, but emphasizes that the banks' BSA/AML "policies, procedures, and processes to identify, research, and report unusual activity, commonly known as suspicious activity monitoring and reporting systems, are critical internal controls for ensuring an effective BSA/AML compliance program."

Banks often use models in many of their business lines to provide effective service to their internal and external clients, including as part of BSA/AML statutory and regulatory compliance programs. [1] With respect to banks that utilize external vendors or other third parties to assist in their BSA/AML compliance, the statement reiterates that banks are ultimately responsible for their own compliance. Extensive due diligence on third-party providers and ongoing monitoring of the systems and activities utilized by such third parties, in addition to the development of a contingency plan, is extremely important to a successful BSA/AML campaign. Moreover, banks should negotiate the third-party provider agreements to include terms to protect the bank's interests, such as performance standards with testing and monitoring rights, termination rights if the vendor becomes subject to regulatory criticism, and monitoring and testing rights for the vendor’s models.

Conclusion and Implications

Bank leadership should continue to monitor the agencies for new regulations and guidance regarding BSA/AML compliance requirements. Legal teams should develop a minimum set of requirements for third-party providers and negotiate such minimum standards into these contractual relationships. Also, regulatory teams should continue to develop internal processes and procedures to comply with the requirements. Further, companies should lookout for proposed regulations under the recently passed Corporate Transparency Act, which could significantly affect reporting requirements for certain entities and change the demands that banks place on their BSA/AML systems and models.

[1] The MMRG defines the term "model" as a "quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates." Additionally, as noted in the MMRG, the three components of a model include (i) an input component, (ii) a processing component, and (iii) a reporting component. MMRG at 3. Although models can be helpful, missteps with any single part of a model can cause problematic decision-making based on incorrect assumptions.