On April 9, 2021, the federal banking regulatory agencies (the Federal Reserve, FDIC and OCC) together with FinCEN and the National Credit Union Administration issued a joint statement addressing how risk management principles described in the Supervisory Guidance on Model Risk Management (Guidance) relate to systems or models used by banks to assist in complying with the requirements of Bank Secrecy Act (BSA) laws and regulations. While the joint statement states that it does not alter existing BSA/AML legal or regulatory requirements nor establish new supervisory expectations (because “no specific model risk management framework is required”), it publishes a Request for Information (RFI) regarding the extent to which the principles discussed in the Guidance support compliance by banks and credit unions with BSA/AML and Office of Foreign Assets Control (OFAC) requirements. The agencies are seeking comments and information to better understand bank practices and determine whether additional explanation or clarification may be helpful.
The RFI seeks information and comment on any aspects of the relationship between BSA/AML and OFAC compliance and the principles conveyed in the Supervisory Guidance on Model Risk Management; including how those principles support compliance and differences in perceptions regarding their application. The RFI seeks responses to:
- Suggested changes to guidance or regulation including, in as much detail as possible, the nature of the requested change and supporting data or other information on impacts, costs, and benefits.
- Specific identification of any aspects of the agencies’ approach to BSA/AML and OFAC compliance as it relates to the Supervisory Guidance on Model Risk Management that are working well and those that could be improved, including, in as much detail as possible, supporting data or other information on impacts, costs, and benefits.
There are 12 Questions in the RFI that address:
- The sorts of systems that banks employ to support BSA/AML and OFAC compliance that they consider models.
- The extent that the banks’ BSA/AML and OFAC models are subject to separate internal oversight based on the Supervisory Guidance on Model Risk Management in addition to the “normal” BSA/AML or OFAC compliance requirements.
- The extent to which banks utilize policies and procedures specific to BSA/AML and OFAC models or applicable to models generally governing the validation of BSA/AML and OFAC models, including but not limited to, the validation frequency, minimum standards, and areas of coverage.
- The extent to which the risk management principles discussed in the Supervisory Guidance on Model Risk Management are appropriate for BSA/AML and OFAC models.
- A Request for specific examples since some bankers report that their bank’s application of the Supervisory Guidance on Model Risk Management to BSA/AML and OFAC models has resulted in substantial delays during implementing, updating, and improving systems.
- A Request for specific examples since some bankers report that their banks’ application of the Supervisory Guidance on Model Risk Management to BSA/AML and OFAC models has been an impediment to developing and implementing more innovative and effective approaches to BSA/AML and OFAC compliance.
- The extent that the banks’ Supervisory Guidance on Model Risk Management frameworks include testing and validation processes that are more extensive than reviews conducted to meet the independent testing requirement of the BSA.
- The extent that banks use an outside party to perform validations of BSA/AML and OFAC compliance systems
- The extent that banks employ internally developed BSA/AML or OFAC compliance systems, third-party systems, or both.
- The extent that banks’ Supervisory Guidance on Model Risk Management frameworks apply to all models, including BSA/AML and OFAC models.
- Information about industry practices related to suspicious activity monitoring systems.
- The extent that banks calibrate the scope and frequency of the Supervisory Guidance on Model Risk Management testing and validation for BSA/AML and OFAC models based on their materiality.
The agencies are seeking better understand bank practices and determine whether additional explanation or clarification may be helpful.
Although the interagency statement expresses that the Supervisory Guidance on Model Risk Management does not have the force and effect of law, financial institutions’ BSA/AML systems are required by law to be reasonably designed and risk based. A financial institution’s BSA/AML compliance program must include at a minimum:
- Internal controls to assure ongoing compliance
- Independent testing for compliance
- Designation of an individual or individuals, also referred to as the BSA/AML compliance officer(s) responsible for coordinating and monitoring day-to-day compliance
- Training for appropriate personnel
- Suspicious activity reporting
- Customer identification
- Customer due diligence
- Beneficial ownership
Is your Financial Institution’s BSA/AML compliance program reasonably designed and risk based?
Could a financial regulator determine that any of the financial institutions system is deficient?
Who is your Corporate governance expert?