FDIC’s Model Risk Management Guidelines Continue to Challenge Institutions
While the Federal Deposit Insurance Corporation (FDIC) updated its model risk management guidelines in June 2017, under FIL-22-2017, it has taken time for the full implications of the changes to filter through fully.
Modelling teams, risk teams, auditors, compliance teams, as well as senior management, are challenged with integrating these demands into their ‘business-as- usual’ processes, so that FDIC regulated institutions can comply with the requirements, while also achieving enhanced business efficiencies and cost savings.
The requirements of FIL-22-17 for modelling bring FDIC institutions into line with the Federal Reserve’s standards for Model Risk Management (SR 11 7) and the OCC’s requirements (2011-12). These requirements center on the way institutions manage their use of models, based on their risk profile, the complexity of the models and how reliant they are on their use.
The core of the FDIC’s requirements are around the implementation of a Model Risk Management (MRM) framework that encompasses:
- Disciplined and knowledgeable model development that is well documented and conceptually sound
- Controls to ensure proper implementation
- Processes to ensure correct and appropriate use
- Effective validation processes
- Strong governance, policies, and controls.
These requirements affect institutions with over $1bn in assets.
Models – once the main preserve of the largest and most sophisticated institutions – have become ubiquitous. Technology, and the wider availability of tools and expertise, have allowed institutions to leverage the capabilities of modelling to better manage their investments, their business, their insights and their product development.
An additional complication is that these models (together with the tools and calculators that support them) are increasingly the preserve of business users, rather than IT. These tools, commonly known as Shadow IT – which can comprise databases, development environments, or visualization tools for example – are often not subject to the same controls and management requirements as corporate IT applications.
This drives the speed and flexibility that business users value deeply. It also exposes institutions to operational, regulatory and reputational risks, and it is these risks – to institutions and the wider economy – that the FDIC is looking to address.
Institutions are challenged to build a framework that reflects the FDIC’s own requirements but which also provides a unified model risk management framework that covers both models, tools and calculators that run under the corporate IT umbrella, and that of different business units. The management framework must be unified, because models, regardless of who manages them, may take inputs from both business units as well as corporate IT. Flawed inputs can have a material impact on the business, regardless of the source and who controls it.
Addressing this challenge will require careful thought and planning, given the budget and resource constraints that are often in place. An effective MRM solution will address the need for speed and flexibility on the one hand, management controls and transparency on the other, alongside regulatory compliance, by including features such as:
A central inventory of models, tools, and calculators
- Comprehensive inventory identification, scanning and discovery capabilities.
- Risk assessment, criticality, and control assessment ratings.
- Highly configurable view and access management for a tailor-made user experience.
- Powerful data lineage, data interdependence and data connection mapping functions.
- Comprehensive document storage to support standardized model documentation across the enterprise.
Model lifecycle management
- Automated MRM workflow and task management capabilities.
- Flexible design functionality to quickly define, build and modify attributes, workflows, algorithms, and reporting.
- Comprehensive, proactive monitoring and alerting to ensure compliance.
- A flexible, robust and proven task management and attestation engine.
Security and audit management
- Complete audit trail of updates and interactions with the MRM framework.
- Full role-based security management including flexibility to define and refine roles and access to the platform.
The ideal MRM solution provides:
- A fully configurable and centralized model information management capability.
- Comprehensive document management and model tracking throughout the model lifecycle.
- Powerful insight into your model risk.
- Regulatory compliance support for FDIC MRM requirements.
- Extensive automation to drive efficiency savings.