AuditOne Advisory – FDIC Issues Guidance on Model Risk Management

Our Co-CEO Jeremy Taylor has prepared (below) a summary of the Guidance recently issued by the FDIC on model risk management. It’s an important topic as more and more institutions make use of models, whether in-house or vendor-supplied, for a widening range of purposes. To the extent models feed into (or even substitute for) decision-making in various banking contexts, it’s important to have a disciplined process for ensuring the integrity of the models themselves, of the data and assumptions fed into them, and of the governance and controls surrounding model access, changes, back-testing, etc.

Please share this with colleagues having responsibilities related to models and how they’re being used within your organization. Thank you, Bud

FDIC Issues Guidance on Model Risk Management

The FDIC has just released FIL-22-2017, Supervisory Guidance on Model Risk Management, identical to what was previously issued back in 2011 by both the OCC (Bulletin 2011-12, superseding 2000-16) and the FRB (SR Letter 11-7).  The NCUA has yet to follow suit; its website refers readers to the OCC and FRB publications.

The first thing to note is that the FIL specifically exempts sub-$1 billion banks unless they have significant reliance on models.  But that applies to putting in place a framework or program for model risk management (MRM).  Many of the FIL’s provisions instead apply to managing risk associated with individual models, such as IRR, suspicious activity monitoring, ALLL, each of them already widely used by smaller banks and already covered by previous guidance statements.  For most small banks, therefore, FIL-22-2017 reinforces existing guidance rather than introducing new requirements.

It’s unclear where “significant” model reliance will kick in.  But for larger banks, at or closing in on the $1 billion threshold, there are some key steps to keep in mind, if they’re not already in place:

  1. Assign model management responsibility.  The vendor management (VM) process provides a useful parallel.  Each vendor will have primary contact(s) within the bank, but it is expected that someone (typically within Compliance, IT or Finance) will be assigned overall VM program management/coordination responsibility.  The same general comment applies to MRM.
  2. Compile an inventory of all models (both vendor-supplied and in-house-developed) in use across the bank.  That database should include up-to-date information on key items such as model validation and SOC reporting[1].
  3. Develop a Model Risk Policy document.  As with any new policy development, it’s probably easiest to start with a template from a vendor (like LexisNexis/Sheshunoff, BCG or Young & Associates) and then customize it.

While smaller (i.e., exempted) institutions may not want to worry about #3, the first two items above are relatively straightforward – and prudent for institutions of any size.  Besides, it never hurts to get out ahead of formal requirements (and to impress your regulator in the process).


[1] We have issued two recent Advisories on these important topics: