US agencies pronounce on model risk management for bank systems that support AML compliance

Chris Hamblin

14 April 2021

There is no definition in statute or regulation of what constitutes a model for the purposes of model risk management, but the model risk management guidance (non-binding guidelines which the agencies issued more than a decade ago) or MRMG say that a model refers to a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques and assumptions to process input data into quantitative estimates.

The MRMG lists the following three components of a model.

An information input component, which delivers assumptions and data to the model.
A processing component, which transforms inputs into estimates.
A reporting component, which translates the estimates into useful business information.

The agencies say that "effective model risk management is important because of the potential for...non-compliance with laws and regulations, or damage to a bank’s reputation arising from deficient or misapplied models."

Although the agencies state correctly that "this statement does not alter existing BSA/AML (Bank Secrecy Act/anti-money-laundering) legal or regulatory requirements," they are likely to expect this letter to sway banks in favour of their wishes.

The agencies say that a BSA/AML system may include a surveillance monitoring system, sometimes referred to as an automated transaction monitoring system. Some of these may involve the use of modelling. The agencies do not think that the following two systems are models.

Stand-alone, simple tools that flag up transactions that share a singular factor, such as reports that identify cash, wire transfer, or other transaction activity over certain value thresholds.
Systems used to aggregate cash transactions that occur at a bank’s branches for the purposes of filing Currency Transaction Reports.

The agencies do not require a bank to have a specific organisational structure for a model.