OCC Puts Quantitative Models in Scope for Regulatory Compliance
The US Office of the Comptroller of the Currency (OCC), a primary US banking regulator, has recently published its Model Risk Management (MRM) Handbook. It details how the OCC expects its chartered banks to manage their MRM processes and how its examiners will assess them…including quantitative models.
This publication is a significant development and brings a bank’s MRM systems and processes into line with how the OCC expects banks to manage areas like interest risk management and liquidity management, which also have their handbooks.
In the US, MRM has not had the level of regulatory scrutiny experienced by other areas of banking. In 2011, the US Federal Reserve published SR 11 7, which provided a high-level overview of how best to manage MRM, but otherwise, there was little detailed guidance and direction.
The use of quantitative models has changed significantly
The publication of the MRM Handbook recognizes that the way that models feature in banking operations has changed out of all recognition in the last 10-15 years. While a critical element of credit risk management for many years, other areas, including market risk, operational risk, and even HR and marketing have more recently turned to models to get fresh insights from vast data sets.
Their use now covers all aspects of banking operations, including business management, customer relationship management, risk management, and product development.
The long-established credit risk models, for example, typically have been managed and delivered with the support of the corporate IT function. This brings with it all the controls and transparency you would expect from the IT department.
However, in more recent years, technological developments like cloud computing mean that modeling teams can access technology, databases, and data for models without any involvement from the IT department. Recent research from Deloitte suggests not all of these more recently created modeling teams necessarily follow best practice MRM.
Aiming for consistency in the use of models
The OCC aims to bring consistency to how models are used, regardless of how they are managed. The headline OCC requirements of needing to define models, their use and ownership, how they are controlled, and how they are managed will be familiar to many.
What is neu is that the OCC has extended the scope of what needs to be included in MRM, going beyond the core business models themselves.
What is neu is that the OCC has extended the scope of what needs to be included in MRM, going beyond the core business models themselves. The data sources and the quantitative models that support the core models will have to be managed the same way. They will need to be placed in a central inventory, like any core business model. This recognizes that an error in a data source or a modeling tool can have the same catastrophic impact as the core models.
Quantitative models – the tools and calculators used to support modeling – present a significant challenge. They represent the informal side of MRM, as they can be used to enhance models by providing new data and calculation inputs quickly, based on business need. Quantitative models typically use Excel spreadsheets, utilizing its powerful capabilities to deliver results quickly. The flexibility of Excel comes at a cost; it lacks the change controls and transparency that OCC now expects across the whole modeling estate.
The critical issue in using Excel…
The critical issue is that everyone in a bank uses Excel for many business applications, so the volume of spreadsheets in use will be huge. Nevertheless, the OCC will expect banks to find all, not just some, of the quantitative models used. Furthermore, banks will need to search for the tools and calculators in use regularly, as staff create new quantitative models all the time.
Lastly, there will be a need to regularly report to the OCC on a bank’s compliance with the requirements.
The focus on quantitative models means that many US banks will need to invest in powerful file search, filtering, and inventory management capabilities to manage them. These need to bring the type of management controls to quantitative models that are typically applied to the core business models. This will need to include document management, change controls, change approvals and automated reporting.
Verwalten Sie Ihre Schatten-IT-Tabellenkalkulationen
Mit ClusterSeven können Sie die Kontrolle über die in Ihrem Unternehmen versteckten Endbenutzer-Computer übernehmen, die ein verstecktes Risiko darstellen können.