The PRA’s Latest Expectations for Banks’ Model Risk Management
This past June 2022, the Prudential Regulation Authority (PRA) released its Supervisory Statement (SS) on their expectations for banks’ model risk management.
Just like the US supervisory guidance SR11-7, the PRA’s CP6/22 provides a model risk management framework for defining model risk as a risk in its own right. This follows hot on the heels of last September’s Dear CEO letter, where lack of control around models and spreadsheets in regulatory reporting were highlighted and resulted in a number of firms being fined later in the year as a consequence of these failings.
It is important to mention that this is not just a UK phenomenon.
The Federal Reserve Board’s Supervisory Report
In the US, the Federal Reserve Board highlighted non-financial weaknesses, such as IT governance and risk management issues, in US financial institutions for the first time in their 2019 Supervisory Report.
The FEDs report, for the most part, was reassuring and encouraging. Their findings were that the US banking system is sound, profitability is robust and capital and liquidity levels are as they should be.
However, of the supervisory findings in these institutions currently outstanding, over 60% pertain to these non-financial weaknesses.
This was a wake-up call for firms and a warning that they could have the regulator knocking at their door if the issues are left unaddressed – Citi’s consent order was evidence of this.
The OCC’s Model Risk Management Handbook
The OCC followed the FEDs report to release their model risk management handbook last year. Representatives from the OCC were clear that this was not to provide additional model risk management requirements, but to provide clarification of SR11-7 and their expectations from firms.
Nevertheless, for some of the firms affected by this model risk management handbook, these “clarifications” were far from straightforward and required significant policy and framework adjustments.
The PRA’s CP6/22 on Model Risk Management
Returning to CP6/22, we can foresee that highly dynamic, larger firms that have mature model risk management programs should be well set.
However, similar to when the OCC’s handbook was released, the more granular definitions are creating a number of work streams. To highlight some of these areas:
Principle 1
Introduces an expanded definition of models to include quantitative methods/tools as well as EUCs. The need to be able to identify, assess and attest to these models, as well as including materiality and complexity assessments in a consistent manner. These need to be recorded in an inventory with the appropriate metadata.
Principle 2
Defines the Governance expectations calling for a maturity of existing structures, as well as roles and responsibilities, and clearly highlights that this extends to third-party models as well.
Principle 3 – 5
Talk about embedding principles 1 and 2, as well as highlighting challenges of change control expectations and model mitigants that will be a particular challenge for any EUCs identified.
Whilst this is still in consultation, firms will not regret reviewing their policies as well as validating their current inventories of models, tools and EUCs, ensuring completeness and consistency.
Mitratech’s ClusterSeven solution suite can be used to assist with inventory validation as well as provide a platform to capture the inventory and risk assessments in a consistent manner with requite workflows and attestations to ensure the information is kept up to date. Boost your organization’s model risk management capabilities with the help of Mitratech.
Additionally, check out the 2022 EUC Management and Governance Market Update Report by Bloor Research which measures EUC applications, and learn why ClusterSeven was chosen as a Champion in it.
The RegTech Report
This podcast is the go-to source for all things RegTech including
RegTech news, connecting with industry pioneers, and updates on the the latest tech.