Skip to main content

Looking for Valuant? You are in the right place!

Valuant is now Abrigo, giving you a single source to Manage Risk and Drive Growth

Make yourself at home – we hope you enjoy your new web experience.

Looking for DiCOM? You are in the right place!

DiCOM Software is now part of Abrigo, giving you a single source to Manage Risk and Drive Growth. Make yourself at home – we hope you enjoy your new web experience.

Model risk management: Regulatory priorities and best practices

Michelle M. Lucci, CSS, CRCM
May 20, 2022
Read Time: 0 min

Meet model risk management expectations

Updates to the FDIC Risk Management Manual should steer institutions toward a model that manages risk and drives growth.

Would you like other articles like this in your inbox?

FDIC update

Model risk management in the spotlight

Last April, the FDIC released an Interagency Statement titled Model Risk Management (MRM) for Bank Models and Systems Supporting BSA/AML Compliance. The statement assured financial institutions that no specific model risk management is required, and that the guidance is intended to provide flexibility in applying risk management principles commensurate with a bank’s risk profile and the complexity and materiality of its models.

While this statement softened the enforcement of regulatory guidance, the FDIC recently issued an update to its Risk Management Manual of Examination that incorporates model risk management into bank ratings. The update includes a new section titled “Model Risk Management,” which details how examiners will evaluate bank management’s performance under the CAMELS rating system to determine if the institution is run safely and soundly.

The CAMELS rating is a measure of a financial institution’s risk based on an evaluation and rating of six essential components of its financial condition and operations. Examiners assign ratings on a 1 to 5 scale, with 1 indicating low risk and 5 indicating high risk. “CAMELS” is an acronym for six different components: 

  • Capital Adequacy: The amount of capital that must be held in the financial institution relative to the institution’s asset amount and type of asset risk.
  • Asset Quality: The quality of the assets on a financial institution’s balance sheet.
  • Management: The capability of the board of directors and management to identify, measure, monitor, and control the risks of an institution’s fiduciary activities.
  • Earnings: The quality, trend, and sustainability of the net profits from a financial institution’s operations.
  • Liquidity: The ability of the bank to meet the demands of its depositors and other creditors when due. 
  • Sensitivity to Market Risk: The bank’s position relative to inherent market risks.

The update signals regulatory attention to model risk. It should encourage institutions to perform data integrity reviews annually and consider a full third-party model validation bi-annually or anytime there has been a significant change in an institution’s model. Aside from meeting examiner expectations, these ingredients are the basis for a strong and sound BSA/AML program that can protect your institution from unnecessary risk. 

Evaluating leadership

What regulators look for in top-down guidance

The FDIC update clarifies how examiners will evaluate a financial institution's executives and board of directors under the Management component. The board of directors and senior management provide model risk governance at the highest level when they establish a bank-wide approach to model risk management. Banks should formalize their existing model risk management activities with official policies and procedures to follow good business practices and existing supervisory expectations. Key concepts that now contribute to the Management rating include:

  • Whether the policies, procedures, standards, and monitoring practices the bank may have sufficiently address model risk management practices.
  • Whether the bank maintains a model inventory. While not required, model inventory can be an important practice to assist in model risk management.
  • Whether the bank has model documentation or validation reports for models used.
  • Whether model risk management is covered in the audit scope.
  • Whether the bank maintains any exception or findings tracking reports.

Although model validations are a vital component of monitoring an institution’s BSA/AML risk, some institutions don’t have formalized model risk procedures and don’t know when an independent third-party validation is required. This is, of course, assuming that the bank employs a model for BSA/AML transaction monitoring, as some manual monitoring processes don’t meet the definition of a model.

Lowering risk

Monitoring and managing high-risk customers

Regulatory agencies have shifted resources and attention to assessing how institutions model their transaction monitoring and high-risk customer management programs. In fact, one of the most cited areas of examiner AML criticism is about sound model risk management. The most frequent model deficiencies noted by regulators include the following:

  • The model has fundamental errors and may produce inaccurate outputs
  • The model is used incorrectly, leading to inaccurate outputs
  • The model is not tailored to the Bank’s specific AML risk profile

Model risk management is critical to a sound BSA program and is expected by regulators, especially after the AML Act of 2020 gave FinCEN the responsibility to review model validation to combat the financing of terrorism. Increasingly risk-focused examiners will be looking closely at how bank management uses their models, so banks should strongly consider establishing a protocol to perform periodic data integrity reviews. They should also seek out a full third-party model validation on a rotating risk-focused timeline or anytime there has been a significant change in an institution’s model.

Developing and maintaining strong governance, policies, and controls over the model risk management framework is fundamentally important to its effectiveness.  After the ups and downs of the COVID era, it is more apparent than ever that banks should ensure that their model risk management framework extends beyond satisfying the regulatory regimes and serves the true purpose of adding value. Model risk validation, done correctly, is an investment that can help place financial institutions in a more comfortable position in crisis, leading to increased value for the shareholders.

Learn what to expect from an independent model validation.

keep me informed Watch Webinar
About the Author

Michelle M. Lucci, CSS, CRCM

Regulatory Compliance Director
Michelle Lucci, Abrigo’s Regulatory Compliance Director, has over 30 years of banking experience and is a Certified Sanctions Specialist (CSS), a Certified Regulatory Reporting Manager (CRCM) and a Certified Anti–money Laundering Specialist (CAMS). Prior to joining Abrigo, she served as a Commissioned FDIC Bank Examiner for both Risk Management and Consumer Compliance in the New York and Atlanta FDIC regions, acted as Examiner-In-Charge

Full Bio

About Abrigo

Abrigo enables U.S. financial institutions to support their communities through technology that fights financial crime, grows loans and deposits, and optimizes risk. Abrigo's platform centralizes the institution's data, creates a digital user experience, ensures compliance, and delivers efficiency for scale and profitable growth.

Make Big Things Happen.