Model Risk Management’s Role With BSA/AML Compliance
Posted in Financial Crime Consulting, Insights, MRM
On April 9, 2021, the Joint Regulatory Agencies issued a statement to address how the Supervisory Guidance on Model Risk Management (MRMG) applies to models used by financial institutions (FIs) to assist in complying with BSA laws and regulations. The statement is not meant to change or add requirements. Instead, it clarifies and highlights the importance of establishing sound risk management practices when implementing and maintaining models that are intended to assist with BSA/AML compliance. While this guidance does not explicitly outline specific requirements, it does highlight key points such as:
- FIs should formally evaluate their BSA/AML systems to determine if they are models:
- The MRMG defines what a model is by stating the following:
“The term model refers to a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.”
Some BSA/AML models may fit this definition while others will not. FIs are encouraged to evaluate their system to determine it if fits the definition of a model. Management should adequately document and support their conclusion.
- The MRMG is principles-based and is intended to assist FIs that rely on models:
- Many FIs, both large and small, are using automated monitoring systems to assist in the detection and reporting of suspicious activity. Effective model risk management is important because of the potential for noncompliance with laws and regulations due to deficiencies within the established AML model.
- The MMRG provides a good framework for developing, implementing, and updating BSA/AML models:
- FIs that are using automated monitoring systems should be periodically reviewing and testing suspicious activity detection scenarios to ensure they are still operating appropriately. The review should include an analysis of alert to case to SAR ratios to determine if false positive rates are within expectations. Additionally, adequate risk management includes independently validating the monitoring systems methodology. This is especially important after a major shift in an FI’s risk profile, expansion through merger or acquisition and material changes to the model such as the introduction of new transaction data.
- Third-Party Model Risk:
- There are many third-party BSA/AML models on the market. Sound risk management processes should be established when completing due diligence on prospective vendors. This includes obtaining sufficient documentation and information on how the model operates. Additionally, management may want to consider the reviewing the following while going through the vendor management due diligence process:
- “Third-Party Relationships: Risk Management Guidance” (OCC 2020-10)
- “Guidance for Managing Third-Party Risk” (FIL-44-2008)
- “Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-19” (SR 13-19)
- There are many third-party BSA/AML models on the market. Sound risk management processes should be established when completing due diligence on prospective vendors. This includes obtaining sufficient documentation and information on how the model operates. Additionally, management may want to consider the reviewing the following while going through the vendor management due diligence process:
Since 2015, VBC has been providing MRMG compliant BSA/AML, Fraud and OFAC model validation services that are customized to meet each institution’s needs while adhering to and meeting all mandated regulatory guidelines. Our qualified CAMS certified specialists combine a risk-based approach with qualitative and quantitative validation methodologies to ensure the accuracy of data inputs and to offer strategies to enhance model processing and output efficiency. VBC is the leading independent provider of risk management solutions for financial institutions.
Get more information about our BSA/AML services.
What's the potential cost of not leveraging the experience, tools, and talent VBC brings to the table?