US Agencies on Model Risk Management for BSA/AML Compliance by Banks

The agencies seek this information to enhance their understanding of bank practices in these areas and determine whether additional explanation or clarification may increase transparency, effectiveness, or efficiency. Comments will be accepted for 60 days following publication of the request for information in the Federal Register. The US Agencies concurrently issued a joint statement to clarify that the risk management principles discussed in the supervisory guidance are appropriate considerations in the context of the BSA/AML statutory and regulatory requirements. The statement clarified the following key points

• The supervisory guidance on model risk management does not have the force and effect of law. Banks may use some or all of the principles in the supervisory guidance in their risk management processes to support meeting the regulatory requirements of an effective BSA/AML compliance program. Banks with limited model use may not have formal model risk management frameworks.
• The supervisory guidance is not meant to serve as a set of testing procedures, including with regard to BSA/AML systems.
• The supervisory guidance does not establish any requirements or supervisory expectations that banks have duplicative processes for complying with BSA/AML regulatory requirements.
• Certain processes and systems used in BSA/AML compliance may not be models. The determination by a bank of whether a system used for BSA/AML compliance is considered a model is bank-specific. When making this determination, a bank may consider the supervisory guidance model definition and the three components that characterize models.
• Banks assess different models in different ways. The nature of testing and analysis of models depends on the type of model and the context in which the models are used.
• The principles in supervisory guidance provide flexibility for banks in developing, implementing, and updating models. Banks may benefit from employing this flexibility, including for validation activities, to update BSA/AML models quickly in response to the evolving threat environment and to implement innovative approaches. Banks may establish policies that govern when the bank may implement less material changes to models without revalidation, or may choose to revalidate certain model components without revalidating the entire model.
• Banks may choose to use a third-party model. When doing so, banks may consider the principles discussed in the agencies’ third-party risk management issuances and the aspects of the supervisory guidance that address third-party models.
• Regardless of how a BSA/AML system is characterized, sound risk management is important, and banks may use the principles discussed in the supervisory guidance to establish, implement, and maintain their risk management framework.

Related Links

• FHFA Notice
• Accompanying Guidance from FHFA
• Press Release on Supervisory Guidance
• Request for Information on BSA/AML Compliance (PDF)
• Statement on Model Risk Management (PDF)

Comment Due Date: FR+60 Days

Keywords: Americas, US, Banking, Reporting, Stress Testing, Fannie Mae, Freddie Mac, Dodd-Frank Act, AML, EGRRCP Act, COVID-19, Regulatory Capital, BSA, Model Risk Management, FHFS, US Agencies