On April 9, 2021, the Federal Reserve, FDIC and OCC jointly issued an interagency statement regarding the applicability of the model risk management guidelines on the systems used to support bank secrecy / anti-money laundering compliance programs (“Interagency MRM Statement 2021”). The 2021 interagency statement on MRM responds to some concerns raised by members of the industry, namely that previous guidance on model risk management applied to anti-money laundering (“AML”) and Sanctions programs can hamper the industry’s ability to adopt and deploy new solutions to address AML and sanctions risks.
In 2011, the OCC and the Federal Reserve issued general and comprehensive guidelines for banks detailing what an effective model risk management framework should look like (“2011 MRM Guidance”). The 2011 MRM guide defines models broadly to cover quantitative methods, systems or approaches that apply statistical, economic, financial or mathematical theories, techniques and assumptions to treat data and model risk as the potential for consequences negative decisions based on incorrect or misused models.
For the purposes of the MRM 2011 guide, a model typically consists of three main components:
- An information input component, which provides assumptions and data to the model;
- A processing component, which transforms inputs into estimates; and
- A reporting component, which translates estimates into useful business information.
Although the model was broadly defined in the 2011 MRM Guide, since its initial publication, members of the industry have questioned how the risk management principles described therein should be applied to the systems and models used for the compliance with the AMLA and sanctions. Industry members have also raised concerns that the application of new data science approaches to address AML and sanction risks, such as machine learning, could be hampered by an overly mechanical application of the risk management principles detailed therein.
The MRM 2021 interagency declaration
In response to these concerns, federal banking agencies issued the 2021 Interagency MRM Statement, expressly reminding industry members that the 2011 MRM Guide was provided as a guide on the benefits of implementing a model risk management framework and that the 2011 MRM Guide did not do so, and has no force and effect of law. Specifically, the 2021 Inter-Agency MRM Statement attempts to provide additional certainty to members of the industry by explaining that:
- Whether a system used specifically for anti-money laundering is considered a “model” is a decision specific to the industry member;
- Industry members can use the 2011 MRM Guide inform their AML practices, but are not obligated to do so in all cases; and
- Industry members who are currently effectively managing the risks of their AML and sanctions programs without relying on the 2011 MRM Guide are not required to update existing practices.
For example, the 2021 Interagency MRM Reporting explains that most industry participants use automated transaction monitoring or anti-money laundering monitoring systems to mitigate AML and sanction risks or identify transactions for reporting purposes. suspicious activity. Simple tools that report transactions based on a single criteria (i.e. reports that identify cash, wire transfers, or other transaction activity above certain value thresholds) or report transactions by Aggregated species are generally not considered models for the purposes of the 2021 interagency MRM reporting. However, more advanced tools should be assessed on the basis of the three key criteria detailed in the 2011 MRM Guide and on the basis of the individual characteristics of the AML and sanctions program. Regardless of whether an industry participant defines an automated transaction monitoring or AML monitoring system as a model, the 2021 Interagency MRM Statement reminds industry participants that the 2011 MRM Guide is not binding and that no specific organizational structure is required for monitoring. Specifically, the 2021 interagency MRM statement confirms that there is “no prudential requirement or expectation that banks have duplicate processes to comply with BSA / AML regulatory requirements” and “no requirement that a bank perform. duplicate independent testing activities. “
Depending on the specifics of the models used, banks should consider whether implementing the model risk management guidelines would be beneficial or binding for their individual AML program, as the ultimate goal of the model risk management guidelines is to provide flexibility to banks in developing and implementing their models.
Brokers and other industry participants should keep in mind the guidance contained in the 2011 MRM Guidelines and the 2021 Interagency Statement, as the SEC and FINRA may use these statements as a guide to assess the tools that businesses rely on. to comply with their BSA. and AML obligations.